Show me the Source, Eric!

Okay, okay, here we go: the source code to the page, annotated:


<?php
// This is a script in PHP, http://www.php.net
// This is one of the easiest ways to quickly hack together CGI
// (Common Gateway Interface) server-side web applications. The guys at
// Robin Hood Software use another method that is very similar to this.
// Everything between < ?     and ? > is a PHP script (take the space
// out from between the ? and the < or >). Everything outside is plain old
// HTML which is rendered by your browser.

// This is an excellent example of parsing out CGI variables and headers
// and doing, uhm, interesting things to them. Somehow I suspect the
// creators of CGI didn't expect their creation to be so abused by
// scam artists, though!

// Now to start:
// get all the headers sent by the browser into a single place.
$headers = getallheaders();
// then issue the correct document type to tell browsers what they're
// getting in return.
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>

   <!-- signal some keywords for web crawlers -->

   <meta name="keywords" content="evidence eliminator, robin hood software">

   <!-- and give our page a title. -->   

    <title>You do NOT have a big problem!</title>
  </head>

<!-- let the games begin: start the body of the page, white on black
    text (opposite of my usual color scheme)
-->

  <body bgcolor='black' text='white'>
<!-- put the little blurb in italics -->
<i>
Hi there, this is a bogus scare-tactic web application
[<a href="show-source.php">source</a>] similar
to the <a href="http://www.evidence-eliminator.com/go.shtml?A=">scare  page</a> that those posers at Robin Hood Software use to try to
trick you into buying their bloated spam-ware. </i>

<!-- ************************************************************
     The SERVER_NAME environment variable is the name of the web
     server running the application. I think the EE guys use the
     ISP name instead, but the server name is scarier.
     ***********************************************************
-->
<h1> 401 <?php echo htmlspecialchars((string) getenv('SERVER_NAME')); ?> Browser Warning - Please DON'T Wait
</h1>
Your computer has NOT been tracked.
<p>
Your IP is NOT under investigation:
<ul>
<li><?php
// The HTTP_X_FORWARDED_FOR header is set by some ISP proxies,
// to tell who really initiated the request (since the REMOTE_ADDR
// variable will have the proxy's address, not the person's).
if (getenv('HTTP_X_FORWARDED_FOR')) {
    $ip = getenv('HTTP_X_FORWARDED_FOR');
    if ($ip == "127.0.0.1") {
        // The REMOTE_ADDR variable is set by the web server as the IP
        // address of the machine that sent the request. The web server has
        // to know this in order to send the page back. Note that Evidence
        // Eliminator will NOT do anything about this: you'll need to use
        // an anonymous proxy service (one that does not set the
        // X-Forwarded-For header).
        $ip = getenv('REMOTE_ADDR');
    }
} else {
    $ip = getenv('REMOTE_ADDR');
}
// The header value comes straight from the client, so escape it before
// echoing it back into the page.
echo htmlspecialchars($ip); ?> (This is the REMOTE_ADDR CGI variable sent to CGI scripts
by web servers).
</ul>
<p>
Your ISP
"<?php
// Now we do a reverse lookup on the IP address to get the name of the
// machine that is connecting to us. This doesn't always work, because
// not all ISP's have enabled their reverse lookups, so we must
// test the resulting host name to make sure it's not blank. (gethostbyaddr()
// actually hands back the address unchanged when the lookup fails, and
// false when the address itself is malformed, so both cases are covered.)
$host = gethostbyaddr($ip);
if ($host === false || $host == "") {
    $host = $ip;  // sigh, they have no reverse lookup.
}

// Now we will simply shift the hostname over to the left until
// there's only one dot left in it. Thus if my hostname
// was ip-99-54-87.roadrunner.com , what I'll be left with is
// roadrunner.com as the final "ISP name". Note that this does not
// work on foreign names that have their own equivalent of a
// "dot-com" subdomain. E.g., foo.demon.co.uk will end up saying
// "co.uk" as the ISP, when the real ISP is Demon Internet (i.e.,
// "demon.co.uk"). But Robin Hood Software's own web applet has the
// same sorts of problems. I *could* make it smarter and make it account
// for various country endings like .uk .au .ca etc and bump
// the dot-count upwards for those to preserve TWO dots in the ISP name,
// but I've already spent too much time on this!
$isp = $host;
while (substr_count($isp, ".") > 1) {
    $tmp = strstr($isp, ".");
    $isp = substr($tmp, 1);
}
echo htmlspecialchars($isp);
?>" has NOT handed
over all the info:
<p>
<ul>

<!-- *******************************************************
     print out the result of that great big old lookup up there
     ******************************************************
-->

<li><?php echo htmlspecialchars($host); ?> (This is a reverse lookup of the REMOTE_ADDR variable sent to CGI scripts by
web servers).
</ul>
<br>
They do NOT know you are using:

<!-- ********************************************************************
     I could parse out the User-Agent header into the OS name, the browser
     name, the hardware string, etc., but I'm feeling too lazy. You ought
     to get the idea by now anyhow. The User-Agent header is used mostly
     so that the web server can send special browser-specific codings
     to you. Things that look great on IE look lousy on Netscape, and
     vice-versa, and Macs have their own issues. Evidence Eliminator will
     NOT stop your browser from sending a User-Agent header. They claim
     that they can "stop this investigation". They lie. You can either
     use a browser like Opera that allows you to set the User-Agent header
     to whatever you want, or use an anonymizing proxy service that will
     set the User-Agent header to something, well, anonymous.
     ********************************************************************
-->

<ul>
<li><?php echo htmlspecialchars($headers["User-Agent"] ?? ''); ?> [I'm too lazy to parse your User-Agent header!]
</ul>
<p>

Your computer is:
<p>
<?php echo htmlspecialchars($headers["User-Agent"] ?? ''); ?> [I'm too lazy to parse your User-Agent header!]
<p>

You are NOT trying to hide that you were browsing:
<ul>

<li><?php
// The Referer: header is sent by your web browser to the web server in
// order to let the web server know from whence you came. Most web sites
// merely log that information so that they can know how effective
// their advertising is, but Robin Hood Software's "investigation"
// prints it out in an attempt to scare you into buying their software.
// Needless to say, their software, a disk file cleaning program,
// won't stop your web browser from sending Referer: headers. Note that
// all that I see is the last page you viewed -- I do *NOT* see your
// complete web browsing history, as is implied by Robin Hood Software's
// carefully deceptive juxtaposition of "Your complete web browsing
// history is recorded" and this printout of the Referer: header.
// (The CGI variable is HTTP_REFERER, all upper case, misspelling and all.)
$ref = getenv("HTTP_REFERER");

// note that it's possible that the Referer: header is blank, if
// you typed in the URL rather than click through from another site.
// Oh well. Note that Robin Hood Software's own web applet has the same
// problem. Try clicking through from somewhere and you'll see a URL
// there, type in a URL and it'll say something like "The web site you
// were last visiting".
if ("$ref" == "") {
    echo "I dunno, dude. Your Referer: header wasn't set.";
} else {
    echo htmlspecialchars($ref);
    echo " (Your Referer: header's value) ";
}
?>
</ul>
<p>
Your risk status for further investigation:<p>
<ul>
<li>VERY HIGH RISK (if you're stupid enough to go to evidence-eliminator.com,
or browse pornography from work!)
</ul>

<p>
Your computer is NOT full of evidence. You do NOT need help now (unless
you're stupid enough to buy Evidence Eliminator, or stupid enough
to download child pornography, or stupid enough to browse porn from work).
<p>
Years of Internet data could be used by the police if you're stupid
enough to download child pornography. So don't do it.
<p>
Time of latest "investigation" (run of this stupid cheesy little
web application that I wrote in an hour's time this morning):
<?php
// doh, build a date. Unfortunately the date is in U.S. format below,
// not UK/Canada/Rest Of World. Oh well, I don't feel like browsing the
// User-Agent header to find out the locale/date format.
$today = getdate();
$day = $today['mday'];
$month = $today['mon'];
$year = $today['year'];
echo "Today, $month/$day/$year";
?>
<p>

  <a href="scare-technotes.html">Click Here Now</a> For an explanation of how
this bogus "Investigation" works, and why you should not be worried.
<p>
<a href="show-source.php">Click Here Now</a> for the complete source
code for this bogus warning, completely commented so that you know
exactly how the boys at Robin Hood Software are doing their tricks.

<?php
// well, I'm going to parse out their OS name anyhow, to later use
// to "display the hard drive": yep, if they're using IE on Windows,
// I'm going to "send their hard drive" to Spammingham (grin), the
// exact same way the boys do it -- by opening up an iframe (inline
// frame) with a source URL of file:c:\, woo, it displays my own hard
// drive to me without sending it over the Internet, I'm soo scared!
$ua = $headers["User-Agent"] ?? '';
$i = strpos($ua, "Windows");
if ($i === false) {
    $os = "Unknown";
} else {
    $os = "Windows";
}

// now get their browser name. strpos() returns 0 for a match at the very
// start of the string, and 0 == false in PHP, so the test has to be ===
// rather than == or a leading match would be reported as "not found".
$i = strpos($ua, "MSIE");
if ($i === false) {
    $browser = "Unknown";
} else {
    $browser = "Internet Explorer";
}

if ($browser == "Internet Explorer" && $os == "Windows") {
?>

<p>
Whoops, forgot the last trick in this one-trick pony show: showing
you the hard drive if you're running Windows! This trick is just creating an inline frame with

its source as "file:\c:", oooh, it shows me my own hard drive without
sending it over the Internet, I'm so scared!
<p>
<iframe name="I1" src="file:///C|/" width="400" height="212">
Your browser does not support inline frames or is currently configured not
to display inline frames.
</iframe>
<?php
} else {
?>
<p>
If you were running IE on Windows, you would have seen the last trick in this
one-trick pony show: Showing you the contents of C:! This trick is just
creating an inline frame with its source as "file:\c:", oooh, it shows me my
own hard drive without sending it over the Internet, I'm so scared!
<?php } ?>
Of course, the Evidence Eliminator people claim to be looking
at your hard drive over the Internet (and offer the above as "proof"), and
claim that their software will "stop this investigation".
Just another lie from the Boys in Spammingham.  

<p>
<table>
<tr>
<td>
<i>You are NOT going to
go to jail! It was a trick, a low-down dirty trick!</i>
</td>
</tr>
<tr>
<td>
<img src="criminal.gif">
</td>
</tr>
</table>
</body>
</html>
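Two of the lookups in the script above, redone the way a defender would want them. This is an added example, not part of Eric's page or of Robin Hood Software's applet. The X-Forwarded-For header is just another request header the client can fill in, so it is only believed when the peer that actually connected (REMOTE_ADDR) is a proxy we run, and the value is validated before it is echoed or logged; and the ISP-name loop keeps a third label for multi-label suffixes such as co.uk, so foo.demon.co.uk yields demon.co.uk as the comment in the script wishes. The trusted-proxy address, the short suffix list and the sample requests are constructed for the example.

```php
<?php
// Added example, not part of the original script. The proxy address,
// the suffix list and the sample requests below are constructed.

// X-Forwarded-For is an ordinary request header: the web server copies
// whatever the client sent into HTTP_X_FORWARDED_FOR, so it is only
// evidence of anything when the peer that connected to us (REMOTE_ADDR)
// is a proxy we operate and appended it. Each proxy we run appends the
// address it saw to the END of the list, so the right-most entry that is
// not one of our own proxies is the best available client address.
function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;  // direct connection: the header is untrusted, ignore it
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (in_array($chain[$i], $trustedProxies, true)) {
            continue;  // one of our own hops, keep walking towards the client
        }
        // Anything that is not a syntactically valid address (markup, a
        // hostname, an empty field) is dropped rather than logged or echoed.
        return filter_var($chain[$i], FILTER_VALIDATE_IP) !== false ? $chain[$i] : $remote;
    }
    return $remote;  // header was empty or consisted only of our proxies
}

// The page's loop keeps the last two labels, so foo.demon.co.uk becomes
// "co.uk". Keep a third label when the last two form a known multi-label
// public suffix. The list here is a tiny constructed subset of the public
// suffix list (https://publicsuffix.org/); a real deployment would load
// the whole list rather than hard-code a few entries.
function ispName(string $host, array $multiLabelSuffixes = ['co.uk', 'org.uk', 'com.au', 'net.au', 'co.jp']): string
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;  // no reverse record: the "host" is just the address
    }
    $labels = explode('.', strtolower(rtrim($host, '.')));
    $n = count($labels);
    if ($n < 2) {
        return $host;
    }
    $keep = 2;
    if ($n >= 3 && in_array(implode('.', array_slice($labels, -2)), $multiLabelSuffixes, true)) {
        $keep = 3;
    }
    return implode('.', array_slice($labels, -$keep));
}

// Constructed request: client 203.0.113.7 reached us through our proxy
// 10.0.0.5, which appended the client's address to a header the client
// had already populated with a junk entry of its own.
$sample = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => 'spoofed.example, 203.0.113.7',
];
echo clientIp($sample, ['10.0.0.5']), "\n";

// The same header on a direct connection is simply ignored.
echo clientIp(['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'], ['10.0.0.5']), "\n";

echo ispName('ip-99-54-87.roadrunner.com'), "\n";
echo ispName('foo.demon.co.uk'), "\n";
echo ispName('192.0.2.1'), "\n";
```

Run from the command line with `php` it needs no web server, since both functions take their input as arrays and strings instead of reading getenv(). The point of clientIp() is the order of checks: the proxy list is consulted before the header is even parsed, so a visitor talking to the server directly cannot plant an address of their choosing in the page or the access log.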


Copyright 2002 Eric Lee Green All Rights Reserved