Claria Recruiting Installations through Spyware-Delivered Popups - Packet Log
Claria Shows Ads Through Exploit-Delivered Popups - Ben Edelman
This page gives a packet log of example traffic from spyware (installed without notice or consent) promoting installations of Claria screensavers (with bundled Claria advertising software).
Traffic begins with ContextPlus (orange highlighting) noticing a popup just delivered by DealHelper (blue). ContextPlus decides to show a popup obtained from clickandtrack.net (first HTTP transaction). Clickandtrack.net forwards me to Venus123.com. Venus123 embeds multiple ads from ad.yieldmanager.com. After a lengthy series of redirects (presented here in part; additional traffic omitted), yieldmanager.com instructs that my browser open a script from 02320.net, which in turn calls for a page from zedo.com. Zedo then provides a series of further embeddings. Finally, Zedo loads a Claria Belnk.com ad placement.
Throughout, yellow highlighting marks redirect instructions, and green highlighting marks the next step in the advertisement chain.
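An added example (not part of the original page or the author's tooling): a small Python tracer that walks a capture like the one below and labels how each host handed the browser to the next (302 `Location`, `open()` popup, script or iframe `src`, or a URL passed to a JavaScript call). The transactions are constructed and abbreviated from this log, and the names `tx`, `handoffs` and `trace` are hypothetical; a hop whose link lies in traffic the log omits comes out as `unlinked`.

```python
import re
from urllib.parse import urlsplit

# Ways a response can hand the browser to another host, in priority order.
HANDOFFS = [
    ("redirect", re.compile(r"^Location:\s*(\S+)", re.I | re.M)),
    ("popup", re.compile(r"\bopen\(\s*['\"](https?://[^'\"]+)", re.I)),
    ("iframe", re.compile(r"<iframe[^>]*\bsrc=['\"](https?://[^'\"]+)", re.I)),
    ("script", re.compile(r"<script[^>]*\bsrc=['\"](https?://[^'\"]+)", re.I)),
    ("js-arg", re.compile(r"['\"](https?://[^'\"]+)['\"]")),
]

def tx(host, response):
    """Build one constructed (request, response) pair for the sample capture."""
    return (f"GET / HTTP/1.1\nHost: {host}\n", response)

# Constructed sample: one trimmed transaction per stage of the chain in this
# log (request paths, most headers and long query strings are left out).
CAPTURE = [
    tx("adchannel.contextplus.net",
       "HTTP/1.1 200 OK\n\npopWin = open('http://hits.clickandtrack.net/cgi-bin/hit?page=1','_blank');"),
    tx("hits.clickandtrack.net",
       "HTTP/1.1 302 Moved\nLocation: http://www.Venus123.com/homepage.precision.asp?group=Seed3eVenus\n"),
    tx("www.venus123.com",
       "HTTP/1.1 200 OK\n\n<SCRIPT TYPE='text/javascript' SRC='http://ad.yieldmanager.com/rmtag2.js'></SCRIPT>"),
    tx("ad.yieldmanager.com",
       "HTTP/1.1 200 OK\n\n<script src=\"http://a.as-us.falkag.net/dat/dlv/aslmain.js\"></script>"),
    tx("adchannel.02320.net",
       'HTTP/1.1 200 OK\n\nzd47f5c1333_PS.show_banner(0,"http://c5.zedo.com/jsc/c5/ff2.html?n=350",120,600);'),
    tx("c5.zedo.com",
       'HTTP/1.1 200 OK\n\n<script language="JavaScript" src="http://c5.zedo.com/bar/v12-500/c5/jsc/iframe2.js"></script>'),
    tx("c4.zedo.com",
       "HTTP/1.1 200 OK\n\ndocument.write('<script language=\"JavaScript\" src=\"http://dist.belnk.com/4/placement/1461/\"></script>');"),
    tx("dist.belnk.com",
       "HTTP/1.1 302 Found\nLocation: ../../message/5883/\n"),
]

def host_of(request):
    """Return the lower-cased Host header of a raw request, or None."""
    m = re.search(r"^Host:\s*(\S+)", request, re.I | re.M)
    return m.group(1).lower() if m else None

def handoffs(response):
    """Yield (mechanism, host) for each distinct absolute URL a response points to."""
    seen = set()
    for mechanism, pattern in HANDOFFS:
        for url in pattern.findall(response):
            host = urlsplit(url).hostname  # None for relative URLs, which stay on-host
            if host and host not in seen:
                seen.add(host)
                yield mechanism, host

def trace(capture):
    """Return [(from_host, mechanism, to_host)] for consecutive transactions."""
    edges = []
    for (req, resp), (next_req, _) in zip(capture, capture[1:]):
        src, dst = host_of(req), host_of(next_req)
        how = next((m for m, h in handoffs(resp) if h == dst), "unlinked")
        edges.append((src, how, dst))
    return edges

if __name__ == "__main__":
    for src, how, dst in trace(CAPTURE):
        print(f"{src:28} --{how:^10}--> {dst}")
```

An `unlinked` edge is the cue to go back to the full capture: here both fall where the log itself notes omitted traffic or omitted JavaScript.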
Traffic Originating at ContextPlus, Loading Clickandtrack.net
GET /services/AdChannelServer?site=CP.AOP&uid={X2e59e2a-abaa-4243-3906
c12f03a20589}&size=aamsz%3D%2F&rnd=41_1129583182_421875&v=1.0.226&b=6.0.2600.0&o=5.1.2600+%28%29+PI%3D2
HTTP/1.1
Referer: http://ads.dealhelper.com/adserver/ad1.php?gmiurl=http://69.20
.94.234/search.php?keyword=computers&partner=abc_tk&ret=http%3A%2F%2Fme
dia.fastclick.net%2Fw%2Fpop.cgi%3Fsid%3D18665%26m%3D2%26CK%3DN%26JS%3DN %26c%3D1129583183&gmititle=&gmih=600&gmiw=800&gmip=middle&gmif=popunder
Accept: application/vnd.pop.ad.channel.redirect, application/vnd.pop.ad.creative.html
Cookie: freq_caps4=HpEPQymQD0MekQ9DHpEPQxAAAACuGAAAAAAAAAEAAAAShw9D0BgA AAAAAAABAAAAdocPQ7cZAAAAAAAAAQAAACmQD0OsGgAAAAAAAAEAAABniw9DahsAAAAAAAA
BAAAAHpEPQ+8bAAAAAAAAAQAAADaPD0P/GwAAAAAAAAEAAACbiw9DBRwAAAAAAAABAAAAUY kPQw8cAAAAAAAAAQAAAFmMD0ODHAAAAQAAAAAAAACEHAAAAQAAAAAAAAATHQAAAAAAAAEAA
ACUhw9DLx0AAAAAAAABAAAATI0PQ2UdAAAAAAAAAQAAANaQD0N3HQAAAAAAAAEAAAB0jg9D hB0AAAAAAAABAAAAc4oPQwItbp8|||||;
freq_caps4=BXYgQ5d1IEMFdiBDBXYgQxgAAAC3GQAAAAAAAAEAAADcZCBDrBoAAAAAAAAB AAAA+1sgQxsbAAAAAAAAAQAAAKFuIEMtHAAAAQAAAAAAAABUHAAAAAAAAAEAAADiWiBDgxw
AAAAAAAABAAAAA2EgQ4QcAAABAAAAAAAAABMdAAAAAAAAAQAAAK1aIEMvHQAAAAAAAAIAAA AOYCBDKWcgQzUdAAABAAAAAAAAAEsdAAAAAAAAAQAAAGNlIENOHQAAAAAAAAEAAADpXCBDV
B0AAAEAAAAAAAAAVx0AAAAAAAABAAAA5WAgQ1wdAAAAAAAAAQAAAJd1IENqHQAAAAAAAAIA AABaXCBDqlwgQ3cdAAAAAAAAAQAAAHxhIEN9HQAAAAAAAAIAAADcZSBDwm8gQ4QdAAAAAAA
AAQAAACNdIEOGHQAAAAAAAAEAAAAbdSBDqx0AAAAAAAABAAAAXG4gQ7EdAAABAAAAAAAAAN gdAAAAAAAAAQAAAGFgIEPbHQAAAQAAAAAAAAAcs3iQ||||
User-Agent: Apropos
Host: adchannel.contextplus.net
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2005 21:06:38 GMT
Server: Apache
Set-Cookie: freq_caps4=YRJUQ2ESVEMFdiBDYRJUQwMAAACEHAAAAAAAAAEAAABhElRDNR0AAAEAAAAAAAAAVB0AAAEAAAAAAAAANzBEZQ||||||;
expires=Thu, 15-Oct-2015 21:6:41 GMT; path=/services/
Cache-Control: no-cache
AM-AD-CREATIVE-CATEGORY: RON
AM-AD-CREATIVE-TYPE: popunder
Set-Cookie: freq_caps4=na; expires=Sun, 17-Oct-2004 21:6:41 GMT; path=/services/AdChannelServer
P3P: CP="NOI DSP LAW CURa DEVa TAIa PSAa PSDa OUR STP BUS UNI COM NAV INT"
Content-Length: 360
Connection: close
Content-Type: application/vnd.pop.ad.creative.html
<html>
<body>
<script type="text/javascript" language="JavaScript">
popWin = open('http://hits.clickandtrack.net/cgi-bin/hit?page=12107-1123182578320194','_blank','width=800,height=600,resizable=no,scrollbars=yes');
if(popWin) {
popWin.blur();
window.focus();
if("") {
var tp_img = new Image();
tp_img.src = "";
}
}
</script>
</body>
</html>
Clickandtrack.net redirects to Venus123.com
GET /cgi-bin/hit?page=12107-1123182578320194
HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: hits.clickandtrack.net
Connection: Keep-Alive
HTTP/1.1 302 Moved
Date: Mon, 17 Oct 2005 21:06:47 GMT
Server: Apache/2.0.40 (Red Hat Linux)
P3P: policyref="/w3c/p3p.xml", CP="NOI CUR ADM DEV OUR BUS NAV"
Set-Cookie: SW_12107 1123182578320194=1129583207; path=/; expires=Wed, 16-Nov-2005
21:06:47 GMT
Set-Cookie: CF_12107 1123182578320194=1129583207; path=/; expires=Tue, 18-Oct-2005
21:06:47 GMT
Location: http://www.Venus123.com/homepage.precision.asp?group=Seed3eVenus&lpt=18&pops=yes&pop=no&float=yes&poponlpt=no&floatonlpt=yes&cb=70
Content-Length: 342
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Moved</title>
</head><body>
<h1>Moved</h1>
<p>The document has moved <a href="http://www.Venus123.com/homepage.precision.asp?
group=Seed3eVenus&lpt=18&pops=yes&pop=no&float=yes&poponlpt=no
&floatonlpt=yes&cb=70">here</a>.</p>
</body></html>
Venus123.com Embeds Multiple Yieldmanager.com Ads
GET /homepage.precision.asp?group=Seed3eVenus&lpt=18&pops=yes&pop=no&float=yes&poponlpt=no&floatonlpt=yes&cb=70
HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: www.venus123.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Mon, 17 Oct 2005 21:06:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 26354
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQQTBBBDR=JMHNDDMBJHJKJLOKMPCOPBDH; path=/
Cache-control: private
<html>
<head>
<title>Venus123</title>
...
<SCRIPT TYPE='text/javascript' SRC='http://ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT
language='JavaScript'>var rm_host = 'http://ad.yieldmanager.com';var rm_site_id
= 2578;var rm_section_code =4400;var rm_banned_pop_types = 23;var rm_prepopped_width
= 720;var rm_prepopped_height = 300;var rm_pop_frequency = 0;rmShowPop();</script>
...
<iframe src="728x90.asp?jscode=<SCRIPT TYPE='text/javascript' SRC='http://ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT
language='JavaScript'>var rm_host = 'http://ad.yieldmanager.com';var rm_site_id
= 2578;var rm_section_code =4400;var rm_iframe_tags = 1;rmShowAd('728x90');</script>&lpt=18"
width=728 height=90 frameborder=0 scrolling=no></iframe>
...
<iframe src="300x250.asp?jscode=<SCRIPT TYPE='text/javascript' SRC='http://ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT
language='JavaScript'>var rm_host = 'http://ad.yieldmanager.com';var rm_site_id
= 2578;var rm_section_code =4400;var rm_iframe_tags = 1;rmShowAd('300x250');</script>&lpt=18"
width=300 height=250 frameborder=0 scrolling=no></iframe>
...
<iframe src="160x600.asp?jscode=<SCRIPT TYPE='text/javascript' SRC='http://ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT
language='JavaScript'>var rm_host = 'http://ad.yieldmanager.com';var rm_site_id
= 2578;var rm_section_code =4400;var rm_promote_sizes = 1;rmShowAd('120x600/160x600');</script>&lpt=18"
width=120 height=600 frameborder=0 scrolling=no></iframe>
...
<iframe src="468x60.asp?jscode=<SCRIPT TYPE='text/javascript' SRC='http://ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT
language='JavaScript'>var rm_host = 'http://ad.yieldmanager.com';var rm_site_id
= 2578;var rm_section_code =4400;var rm_iframe_tags = 1;rmShowAd('468x60');</script>&lpt=18"
width=468 height=60 frameborder=0 scrolling=no></iframe>
...
</body>
</html>
Multiple Yieldmanager.com File-Loads, JavaScripts, and Redirects
GET /rmtag2.js HTTP/1.1
Accept: */*
Referer: http://www.venus123.com/homepage.precision.asp?group=Seed3eVenus&lpt=18&pops=yes&pop=no&float=yes&poponlpt=no&floatonlpt=yes&cb=70
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: ad.yieldmanager.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP COR NID CURa ADMa DEVa
PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: max-age=86400
Content-Type: application/x-javascript
Content-Length: 11980
[extended JavaScript code omitted]
GET /160x600.asp?jscode=<SCRIPT%20TYPE='text/javascript'%20SRC='http:// ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT%20language='JavaScript'
>var%20rm_host%20=%20'http://ad.yieldmanager.com';var%20rm_site_id%20=% 202578;var%20rm_section_code%20=4400;var%20rm_promote_sizes%20=%201;
rmShowAd('120x600/160x600');</script>&lpt=18 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
*/*
Referer: http://www.venus123.com/homepage.precision.asp?group= Seed3eVenus&lpt=18&pops=yes&pop=no&float=yes&poponlpt=no&floatonlpt=yes&cb=70
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: www.venus123.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDQQTBBBDR=JMHNDDMBJHJKJLOKMPCOPBDH; flashInstalled=7.0expires=Mon,
31 Oct 2005 21:06:41 UTC
HTTP/1.1 200 OK
Connection: close
Date: Mon, 17 Oct 2005 21:07:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 750
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSSRBADRS=GGLGPMIBFIBGBPENIOMHNFON; path=/
Cache-control: private
<html>
<head>
<meta http-equiv="Refresh" content="url=160x600.asp?jscode=<SCRIPT%20TYPE='text/javascript'
%20SRC='http://ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT%20language='JavaScript'>var
%20rm_host%20=%20'http://ad.yieldmanager.com'-var%20rm_site_id%20=%202578-var%20rm_section_code%20=4400-var%20rm_promote_sizes%20=%201-rmShowAd('120x600/160x600')-</script>&lpt=17">
</head>
<body leftmargin=0 rightmargin=0 topmargin=0 bottommargin=0 >
<SCRIPT TYPE='text/javascript' SRC='http://ad.yieldmanager.com/rmtag2.js'>
</SCRIPT><SCRIPT language='JavaScript'>var rm_host = 'http://ad.yieldmanager.com';var
rm_site_id = 2578;var rm_section_code =4400;var rm_promote_sizes = 1;rmShowAd('120x600/160x600');</script>
</body>
</html>
GET /imp?z=10&i=2578&S=4400&p=1&u=http%3A%2F%2Fwww.venus123.com%2F
homepage.precision.asp%3Fgroup%3DSeed3eVenus%26lpt%3D18%26pops%3Dyes&r=0
HTTP/1.1
Accept: */*
Referer: http://www.venus123.com/160x600.asp?jscode=<SCRIPT TYPE='text/javascript'
SRC='http://ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT language='JavaScript'>var
rm_host = 'http://ad.yieldmanager.com';var rm_site_id = 2578;var rm_section_code
=4400;var rm_promote_sizes = 1;rmShowAd('120x600/160x600');</script>&lpt=18
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: ad.yieldmanager.com
Connection: Keep-Alive
Cookie: testbounce="testing"; lf="b!!!!$!!#Td!!!!#!!$7m!!!!$";
lh="b!!!!%!!#Td8ZL[s!!$7m8ZL[l!!$7m8ZL[j"; ih="b!!!!$!!!Tq!!!!#8Z@`J!!'DI!!!!$8Z@`C";
BSUID=1
HTTP/1.1 200 OK
Connection: close
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP COR NID CURa ADMa DEVa
PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Set-Cookie: cf="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: hi="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: cr="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: ch="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lf="b!!!!%!!#Rj!!!!#!!#Td!!!!#!!$7m!!!!$"; path=/; expires=Mon,
14-Aug-2017 00:00:00 GMT
Set-Cookie: lh="b!!!!'!!#Rj8ZL[u!!#Td8ZL[s!!$7m8ZL[l!!$7m8ZL[j"; path=/;
expires=Mon, 14-Aug-2017 00:00:00 GMT
Set-Cookie: pv1="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: pc1="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: ih="b!!!!%!!!Tq!!!!#8Z@`J!!'$I!!!!#8Z@`L!!'DI!!!!$8Z@`C";
path=/; expires=Mon, 14-Aug-2017 00:00:00 GMT
Set-Cookie: vh="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: bh="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: ia="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: BSUID=""; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Content-Type: application/x-javascript
Content-Length: 371
document.write('<iframe scrolling="no" marginwidth="0"
marginheight="0" frameborder="0" height="600"
width="120" src="http://ad.yieldmanager.com/iframe3?AAAAAAQeAACzcQAAHxkAAAAAAA
AAAP8AAP8CEgEACgHEKwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJqZmZmZ mck.mpmZmZmZyT8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA91GQJJ8BibE="></iframe>');
GET /iframe3?AAAAAAQeAACzcQAAHxkAAAAAAAAAAP8AAP8CEgEACgHEKwAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJqZmZmZmck.mpmZmZmZyT8AAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAA91GQJJ8BibE=
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
*/*
Referer: http://www.venus123.com/160x600.asp?jscode=<SCRIPT TYPE='text/javascript'
SRC='http://ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT language='JavaScript'>var
rm_host = 'http://ad.yieldmanager.com';var rm_site_id = 2578;var rm_section_code
=4400;var rm_promote_sizes = 1;rmShowAd('120x600/160x600');</script>&lpt=18
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: ad.yieldmanager.com
Connection: Keep-Alive
Cookie: testbounce="testing"; lf="b!!!!%!!#Rj!!!!#!!#Td!!!!#!!$7m!!!!$";
lh="b!!!!'!!#Rj8ZL[u!!#Td8ZL[s!!$7m8ZL[l!!$7m8ZL[j"; ih="b!!!!%!!!Tq!!!!#8Z@`J!!'$I!!!!#8Z@`L!!'DI!!!!$8Z@`C";
BSUID=1
HTTP/1.1 200 OK
Connection: close
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP COR NID CURa ADMa DEVa
PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Set-Cookie: cf="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: hi="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: cr="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: ch="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lf="b!!!!%!!#Rj!!!!$!!#Td!!!!#!!$7m!!!!$"; path=/; expires=Mon,
14-Aug-2017 00:00:00 GMT
Set-Cookie: lh="b!!!!(!!#Rj8ZL[w!!#Rj8ZL[u!!#Td8ZL[s!!$7m8ZL[l!!$7m8ZL[j";
path=/; expires=Mon, 14-Aug-2017 00:00:00 GMT
Set-Cookie: pv1="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: pc1="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: ih="b!!!!%!!!Tq!!!!#8Z@`J!!'$I!!!!$8Z@`N!!'DI!!!!$8Z@`C";
path=/; expires=Mon, 14-Aug-2017 00:00:00 GMT
Set-Cookie: vh="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: bh="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: ia="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: BSUID=""; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Content-Type: text/html
Content-Length: 671
<html><body style="margin-left: 0%; margin-right: 0%; margin-top:
0%; margin-bottom: 0%"><!-- BEGIN: AdSolution-Website-Tag 4.3 : huladirect
/ 120x600 -->
<script type="text/javascript" language="javascript"
src="http://a.as-us.falkag.net/dat/dlv/aslmain.js"></script>
<script language="javascript" type="text/javascript">
Ads_kid=0;Ads_bid=0;Ads_xl=120;Ads_yl=600;Ads_xp='';Ads_yp=''; Ads_xp1='';Ads_yp1='';Ads_opt=0;Ads_wrd='';Ads_prf='';
Ads_par='';Ads_cnturl='';Ads_sec=0;Ads_channels='';
</script>
<script type="text/javascript" language="javascript"
src="http://a.as-us.falkag.net/dat/cjf/00/12/18/12.js"></script>
<!-- END:AdSolution-Tag 4.3 --></body></html>
[omitted: encoded traffic to falkag.net and 02320.net]
02320.net Redirects to Zedo.com
GET /services/AdChannelServer?app=PS&v=1.2.2&site=PS.DHELIX&size=120x600&rnd=7084447&referer=http%3A%2F%2Fwww.venus123.com%2F160x600.asp%3Fjscode%3D%3CSCRIPT%20TYPE%3D'text%2Fjavascript'%20SRC%&xinfopsid=0&format=js&btop=0&xinfopsbase=http%3A%2F%2Fps-s.02320.net%2Fps%2FPS.DHELIX%2F&prck=0&glbfcap=0
HTTP/1.1
Accept: */*
Referer: http://ad.yieldmanager.com/iframe3?AAAAAAQeAACzcQAAHxkAAAAAAAAAAP8AAP8CEgEACgHEKwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJqZmZmZmck.mpmZmZmZyT8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA91GQJJ8BibE=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: adchannel.02320.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2005 21:07:41 GMT
Server: Apache
Set-Cookie: freq_caps4=AAAAAAAAAAAAAAAAnRJUQwEAAADZHgAAAAAAAAEAAACdElRDTZVCGA||||||;
expires=Thu, 15-Oct-2015 21:7:41 GMT; path=/services/
Cache-Control: no-cache
AM-AD-CREATIVE-CATEGORY: RON
AM-AD-CREATIVE-TYPE: 120x600
P3P: CP="NOI DSP LAW CURa DEVa TAIa PSAa PSDa OUR STP BUS UNI COM NAV INT"
Set-Cookie: uid={Z0000000-0000-0000-0000-000000000000}; expires=Thu, 15-Oct-2015
21:7:41 GMT; path=/services/
Content-Length: 129
Connection: close
Content-Type: text/html
zd47f5c1333_PS.show_banner(
0,
"http://c5.zedo.com/jsc/c5/ff2.html?n=350;c=355/6;s=234;d=8;w=120;h=600",
120,
600
);
Multiple Layers of Zedo.com Ad Wrappers
GET /jsc/c5/ff2.html?n=350;c=355/6;s=234;d=8;w=120;h=600
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
*/*
Referer: http://ad.yieldmanager.com/iframe3?AAAAAAQeAACzcQAAHxkAAAAAAAAAAP8AAP8CEgEACgHEKwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJqZmZmZmck.mpmZmZmZyT8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA91GQJJ8BibE=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: c5.zedo.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: ZEDO 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC",
policyref="/w3c/p3p.xml"
Last-Modified: Wed, 14 Sep 2005 13:59:46 GMT
ETag: "a1b2b-392-43282cd2"
Accept-Ranges: bytes
Content-Length: 914
Content-Type: text/html
Cache-Control: max-age=228321
Expires: Thu, 20 Oct 2005 12:33:04 GMT
Date: Mon, 17 Oct 2005 21:07:43 GMT
Connection: keep-alive
<!-- Copyright (c) 2000-2005 ZEDO Inc. All Rights Reserved.
<html>
<head>
<title>Powered by ZEDO</title>
<script language="JavaScript">
var c3=new Image();
if(document.cookie.indexOf('ZEDOIDX')==-1){
var z2=new Date();
z2.setTime(z2.getTime()+18000000);
document.cookie='ZEDOIDX=1000;expires='+z2.toGMTString()+';domain=.zedo.com;path=/;';
}
if((document.cookie.indexOf('ZEDOIDX')!=-1)&&(document.cookie.indexOf('geo')==-1)){
c3.src='http://g.zedo.com/init/'+Math.random()+'/g.gif';
}
</script>
</head>
<body marginwidth=0 marginheight=0 leftmargin=0 topmargin=0 style="background-color:transparent">
<script language="JavaScript" src="http://c5.zedo.com/bar/v12-500/c5/jsc/iframe2.js"></script>
<noscript>
<iframe src="http://xads.zedo.com/ads2/a?" width=999 height=999
frameborder=0 border=0 marginwidth=0 marginheight=0 scrolling="no"
align="top" allowTransparency="true"></iframe>
</noscript>
</body>
</html>
GET /bar/v12-500/c5/jsc/iframe2.js HTTP/1.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=350;c=355/6;s=234;d=8;w=120;h=600
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: c5.zedo.com
Connection: Keep-Alive
Cookie: ZEDOIDX=1000
HTTP/1.1 200 OK
Server: ZEDO 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC",
policyref="/w3c/p3p.xml"
Last-Modified: Wed, 14 Sep 2005 14:00:10 GMT
ETag: "349324-2123-43282cea"
Accept-Ranges: bytes
Content-Length: 8483
Content-Type: application/x-javascript
Cache-Control: max-age=2234934
Expires: Sat, 12 Nov 2005 17:56:38 GMT
Date: Mon, 17 Oct 2005 21:07:44 GMT
Connection: keep-alive
[extended JavaScript code omitted]
GET /ads2/d/2077/172/350/355/6/i0.js?z=9419 HTTP/1.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=350;c=355/6;s=234;d=8;w=120;h=600
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: c4.zedo.com
Connection: Keep-Alive
Cookie: ZEDOIDX=29; ZEDOIDA=puwokdjrULAAADOeWigAAAAT; geo=497324; FFcat=350,355,8;
FFad=0
HTTP/1.1 200 OK
Server: ZEDO 3G
Edge-Control: dca=esi
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC",
policyref="/w3c/p3p.xml"
Cache-Control: max-age=3600
Content-Type: application/x-javascript
Age: 196
Date: Mon, 17 Oct 2005 21:07:48 GMT
Expires: Mon, 17 Oct 2005 22:04:32 GMT
Content-Length: 3088
Connection: close
[extended JavaScript code omitted]
document.write("<SCRIPT LANGUAGE='JavaScript' SRC='http://c4.zedo.com//ads2/k/"
+ zxa + "/2077/172/0/350000355/350000355//0/350/" + zzSection + "/"
+ "/" + zxv + "/i.js'><\/SCRIPT>");
GET //ads2/k/83990/2077/172/0/350000355/350000355//0/350/234//1000045/i.js
HTTP/1.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=350;c=355/6;s=234;d=8;w=120;h=600
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: c4.zedo.com
Connection: Keep-Alive
Cookie: ZEDOIDX=29; ZEDOIDA=puwokdjrULAAADOeWigAAAAT; geo=497324; FFcat=350,355,8;
FFad=0
HTTP/1.1 200 OK
Server: ZEDO 3G
Edge-Control: dca=esi
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC",
policyref="/w3c/p3p.xml"
Cache-Control: max-age=2592000
Content-Type: application/x-javascript
Age: 3903
Date: Mon, 17 Oct 2005 21:08:00 GMT
Expires: Wed, 16 Nov 2005 20:02:57 GMT
Content-Length: 343
Connection: close
var zzDate = new Date();
document.write('<script language="JavaScript" src="http://dist.belnk.com/4/placement/1461/
?h=http://xads.zedo.com//ads2/c%3Fa=83990%3Bx=2077%3Bg=172,0%3Bc=350000355,350000355%3Bi=0
%3Bn=350%3Bs=234%3Bp%3D6%3Bf%3D124352%3Bk=http://dist.belnk.com/4/placement/1461/alt_lp/AQ
UATICAREDIRECT.html"><\/script>');
Belnk.Ad Opens Claria Screensaver Ad
GET /4/placement/1461/?h=http://xads.zedo.com//ads2/c%3Fa=83990%3Bx=2077%3Bg=172,0
%3Bc=350000355,350000355%3Bi=0%3Bn=350%3Bs=234%3Bp%3D6%3Bf%3D124352%3Bk= http://dist.belnk.com/4/placement/1461/alt_lp/AQUATICAREDIRECT.html
HTTP/1.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=350;c=355/6;s=234;d=8;w=120;h=600
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: dist.belnk.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Mon, 17 Oct 2005 21:08:01 GMT
Server: Apache
X-Powered-By: PHP/4.3.3
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 17 Oct 2005 21:08:01 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="NOI DEVa TAIa OUR BUS UNI", policyref="http://dist.belnk.com/w3c/p3p.xml"
Set-Cookie: MINT128=3445211BA09F60F90000B11BC02E; expires=Thu, 15-Oct-15 21:08:01
GMT; path=/; domain=.belnk.com
Set-Cookie: dPL=1461%3A613%3A1%3A435412b1%3A1; expires=Fri, 16-Dec-05 21:08:01
GMT; path=/; domain=.dist.belnk.com
Set-Cookie: dMS=5883%3A8%3A1%3A435412b1; expires=Fri, 16-Dec-05 21:08:01 GMT;
path=/; domain=.dist.belnk.com
Location: ../../message/5883/?q=cD0xNDYxJmQ9MzU3MTI3JmVsPTEmdz1RMVFTc1Fy NUJwOEFBQnV4RE9JJmFtPTM0NDUyMTFCQTA5RjYwRjkwMDAwQjExQkMwMkU%3D&h=http%3A
%2F%2Fxads.zedo.com%2F%2Fads2%2Fc%3Fa%3D83990%3Bx%3D2077%3Bg%3D172%2C0%3 Bc%3D350000355%2C350000355%3Bi%3D0%3Bn%3D350%3Bs%3D234%3Bp%3D6%3Bf%3D124
352%3Bk%3Dhttp%3A%2F%2Fdist.belnk.com%2F4%2Fplacement%2F1461%2Falt_lp%2F AQUATICAREDIRECT.html
Keep-Alive: timeout=120, max=9978
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html