Web Nexus Sending Traffic Directly to Hula's Inqwire - Packet Log
Banner Farms in the Crosshairs - Ben Edelman
This page gives packet log proof of traffic passing from Web Nexus (spyware widely installed without consent, yellow) directly to Hula's Clickandtrack.net (green) and on to Hula's Inqwire (blue).
Because this packet log shows traffic flowing directly from Web Nexus spyware to Hula's ClickAndTrack tracking server, this log serves as strong evidence that Hula knew, or reasonably should have known, that it was receiving traffic from notorious spyware such as Web Nexus. See also other examples.
I observed this occurrence and prepared this packet log on October 26, 2005.
GET /cp.php?loc=238&cid=4001457&u=c3VwZXJicmV3YXJkcy5jb20vcmRfcD9wPTExMTkyMiZjPT EyMDkwLWlwb2RuYW5vX2VtY19kMzImYT1CUC1OYW5vP1BhZ2VfTnVtYmVyPTEmZW1haWw9JnByb2R1Y3 RfaWQ9JmZpcnN0bmFtZT0mbGFzdG5hbWU9JmFkZHJlc3M9JmNpdHk9JnN0YXRlPSZ6aXA9JnBob25lMT 0mcGhvbmUyPSZwaG9uZTM9JmJpcnRoZGF5X209JmJpcnRoZG&en=&pt=3&app_src=update&app_run =reg_run&crc=D5A523DEDDB0BADF&cc=US&dp=YnA9MDtzcD0wO2NwYz0yMDU7Y3ByPTA7bmJyPTA7Z mg9MA== HTTP/1.1
Accept: text/*, application/*, */*
QoolShown-Popups: 000
QoolShown-Popups-nt: 000
User-Agent: z_v4.1.6
Host: stech.web-nexus.net
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 27 Oct 2005 02:13:03 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/4.3.2
Pragma: no-cache
Cache-Control: private
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain; charset=UTF-8
url=http://stech.web-nexus.net/sp.php/5637/NT/238/4001457/
type=1
show=0
size=0
style=0
height=636
width=808
title=Sinaloa | Search Inqwire
pid=5637
scroll=0
validity=24
traka_height=18
traka_url=http://stech.web-nexus.net/lm.html
GET /sp.php/5637/NT/238/4001457/ HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-...})
Host: stech.web-nexus.net
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Thu, 27 Oct 2005 02:13:06 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/4.3.2
Pragma: no-cache
Cache-Control: private
Location: http://hits.clickandtrack.net/cgi-bin/hit?page=9648-1123181396316693
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /cgi-bin/hit?page=9648-1123181396316693 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-...})
Host: hits.clickandtrack.net
Connection: Keep-Alive
Cookie: ...
HTTP/1.1 302 Moved
Date: Thu, 27 Oct 2005 02:13:09 GMT
Server: Apache/2.0.40 (Red Hat Linux)
P3P: policyref="/w3c/p3p.xml", CP="NOI CUR ADM DEV OUR BUS NAV"
Set-Cookie: SW_9648-1123181396316693=1130379189; path=/; expires=Sat, 26-Nov-2005 02:13:09 GMT
Set-Cookie: CF_9648-1123181396316693=1130379189; path=/; expires=Thu, 27-Oct-2005 02:18:09 GMT
Location: http://www.inqwire.com/homepage.precision.asp?group=Seed3d&lpt=18&pops=yes &pop=no&float=yes&poponlpt=no&floatonlpt=yes&cb=70
Content-Length: 336
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Moved</title>
</head><body>
<h1>Moved</h1>
<p>The document has moved <a href="http://www.inqwire.com/homepage.precision.asp?group=Seed3d&lpt=18 &pops=yes&pop=no&float=yes&poponlpt=no&floatonlpt=yes&cb=70">here</a>
</p>
</body></html>