| | Oontack in the Brute Skimming Business now? | |
| | Author | Message |
---|
ESCGoat * * * * * * *
Posts : 158 Join date : 2009-07-10 Location : USA
| Subject: Oontack in the Brute Skimming Business now? Wed 21 Oct 2009, 04:02 | |
| Well, we all know that Brutal Combo takes roughly 10% gratuity pupils for masters the authors select... that comes stated from the outset... nothing sneaky or shady about it and they're generally very good about keeping that ratio. For most people that can use BC, this is quite fair.
This post isn't about BC though... it's about oontack.fr and their very handy Greasemonkey Script, simulator, etc. (which I use frequently and generally have their script loaded in GM all the time up until now).
After doing something completely unrelated using the Tamper Data plugin for Firefox today, I accidentally left it open monitoring all outgoing requests from my browser (GETs and POSTs). When I went to close that dialogue I quickly scanned back through the history and noticed something very odd: My browser had posted data to labrute.fr, creating this pupil: http://0g1dr0m1y.labrute.fr/cellule for this master: http://mpif-feoe.labrute.fr/cellule
I have full details of the transaction and I can assure you this was not done by me but seems to have been generated in the background. It even tried to set a password for the pupil (though that must have failed since I block all cookies by default).
Looking at the pupil's high level BL master you should notice a couple of things immediately: First, it's the pupil of the brute directly linked to on oontack's website, and second, it's collecting quite a few of these oddly named pupils fairly quickly (none seem to go beyond level one despite lots giving exp for creation).
I don't have time to look into this myself at the moment but it all seems a bit fishy to me. If oontack is in fact skimming pupils for levelling up their own master brute, I've never seen any kind of notice of any sort about this. Seems more like perhaps the sneaky/shady route is being taken. Anyone have a clue about this?
Here's the tamper data info for anyone interested: - Spoiler:
18:34:59.587[598ms][total 598ms] Status: 200[OK] POST http://mpif-feoe.labrute.fr/create Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Content Size[-1] Mime Type[text/html] Request Headers: Host[mpif-feoe.labrute.fr] User-Agent[Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14 (.NET CLR 3.5.30729)] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-us,en;q=0.5] Accept-Encoding[gzip,deflate] Accept-Charset[ISO-8859-1,utf-8;q=0.7,*;q=0.7] Keep-Alive[300] Connection[keep-alive] Content-Type[application/x-www-form-urlencoded; charset=UTF-8] X-Http-Magic[b8ef74c53f1b] Content-Length[193] Pragma[no-cache] Cache-Control[no-cache] Post Data: name[0g1dr0m1y] gfx[0%3B0%3B11%3B39%3B49%3B32%3B71%3B37%3B86%3B71%3B65%3B64%3B78%3B33%3B26%3B73] k[62cd5a1541e4] cpl[xdSapJ0V1u4pBY33wUiWimVrq3bXiXHG] m[n9irfO%3Dfq%3Dn%5DT9DjDh%40J%5BTsOktMT%3Af7S] Response Headers: Date[Tue, 20 Oct 2009 22:35:00 GMT] Server[Apache/1.3.41 (Unix) PHP/5.0.4] X-Real-Server[pop1.motion-twin.com] P3P[CP="ALL DSP COR NID CURa OUR STP PUR"] Set-Cookie[tpass_0g1dr0m1y=xdSapJ0V1u4pBY33wUiWimVrq3bXiXHG; expires=jeu., 19-nov.-2009 23:35:00 GMT; domain=labrute.fr; path=/;] Keep-Alive[timeout=1, max=100] Connection[Keep-Alive] Transfer-Encoding[chunked] Content-Type[text/html]
18:35:00.209[460ms][total 460ms] Status: 200[OK] GET http://0g1dr0m1y.labrute.fr/init Load Flags[LOAD_BACKGROUND ] Content Size[-1] Mime Type[text/html] Request Headers: Host[0g1dr0m1y.labrute.fr] User-Agent[Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14 (.NET CLR 3.5.30729)] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-us,en;q=0.5] Accept-Encoding[gzip,deflate] Accept-Charset[ISO-8859-1,utf-8;q=0.7,*;q=0.7] Keep-Alive[300] Connection[keep-alive] Response Headers: Date[Tue, 20 Oct 2009 22:35:01 GMT] Server[Apache/1.3.39 (Unix) PHP/5.0.4] X-Real-Server[gimme4.motion-twin.com] Cache-Control[no-store, no-cache, must-revalidate] Pragma[no-cache] Expires[Mon, 26 Jul 1997 05:00:00 GMT] P3P[CP="ALL DSP COR NID CURa OUR STP PUR"] Keep-Alive[timeout=1, max=100] Connection[Keep-Alive] Transfer-Encoding[chunked] Content-Type[text/html; Charset=UTF-8]
18:35:00.743[111ms][total 111ms] Status: 302[Found] POST http://0g1dr0m1y.labrute.fr/setPass Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Content Size[-1] Mime Type[text/html] Request Headers: Host[0g1dr0m1y.labrute.fr] User-Agent[Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14 (.NET CLR 3.5.30729)] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-us,en;q=0.5] Accept-Encoding[gzip,deflate] Accept-Charset[ISO-8859-1,utf-8;q=0.7,*;q=0.7] Keep-Alive[300] Connection[keep-alive] Content-Type[application/x-www-form-urlencoded; charset=UTF-8] Content-Length[28] Pragma[no-cache] Cache-Control[no-cache] Post Data: pass[73f0d507] pass2[73f0d507] Response Headers: Date[Tue, 20 Oct 2009 22:35:01 GMT] Server[Apache/1.3.39 (Unix) PHP/5.0.4] X-Real-Server[gimme4.motion-twin.com] Location[/cellule] Keep-Alive[timeout=1, max=99] Connection[Keep-Alive] Transfer-Encoding[chunked] Content-Type[text/html]
18:35:00.855[116ms][total 116ms] Status: 200[OK] GET http://0g1dr0m1y.labrute.fr/cellule Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND LOAD_REPLACE ] Content Size[-1] Mime Type[text/html] Request Headers: Host[0g1dr0m1y.labrute.fr] User-Agent[Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14 (.NET CLR 3.5.30729)] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-us,en;q=0.5] Accept-Encoding[gzip,deflate] Accept-Charset[ISO-8859-1,utf-8;q=0.7,*;q=0.7] Keep-Alive[300] Connection[keep-alive] Pragma[no-cache] Cache-Control[no-cache] Response Headers: Date[Tue, 20 Oct 2009 22:35:01 GMT] Server[Apache/1.3.39 (Unix) PHP/5.0.4] X-Real-Server[gimme4.motion-twin.com] Cache-Control[no-store, no-cache, must-revalidate] Pragma[no-cache] Expires[Mon, 26 Jul 1997 05:00:00 GMT] P3P[CP="ALL DSP COR NID CURa OUR STP PUR"] Keep-Alive[timeout=1, max=98] Connection[Keep-Alive] Transfer-Encoding[chunked] Content-Type[text/html; Charset=UTF-8]
| |
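The background requests in a Tamper Data capture like the one above can be picked out mechanically. This is an added example, not part of the original thread: it parses entries in the flattened layout shown in the post and lists POSTs flagged LOAD_BACKGROUND that went to hosts outside a set the user expected to contact. The sample log, the `*.example` hosts and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the flattened Tamper Data layout shown in the post
# (hosts and values are made up; *.example is reserved for documentation).
SAMPLE_LOG = """\
18:30:01.100[120ms][total 120ms] Status: 200[OK] GET http://tools.example/sim Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[-1] Request Headers: Host[tools.example]
18:30:02.200[598ms][total 598ms] Status: 200[OK] POST http://master.game.example/create Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Content Size[-1] Request Headers: Host[master.game.example] Post Data: name[abc123] k[0000] Response Headers: Content-Type[text/html]
18:30:03.300[111ms][total 111ms] Status: 302[Found] POST http://abc123.game.example/setPass Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Request Headers: Host[abc123.game.example] Post Data: pass[x] pass2[x] Response Headers: Location[/cellule]
18:30:04.400[90ms][total 90ms] Status: 200[OK] POST http://tools.example/stats Load Flags[LOAD_BACKGROUND ] Request Headers: Host[tools.example] Post Data: v[1]
"""

ENTRY = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\[.*?\]\[total .*?\] "
    r"Status: (?P<status>\d+)\[[^\]]*\] "
    r"(?P<method>[A-Z]+) (?P<url>\S+) "
    r"Load Flags\[(?P<flags>[^\]]*)\]"
)
FIELD = re.compile(r"(\w+)\[([^\]]*)\]")

def parse_entry(line):
    m = ENTRY.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["host"] = urlsplit(entry["url"]).hostname
    entry["flags"] = set(entry["flags"].split())
    # Post Data runs up to "Response Headers:" when both sections are present.
    body = line.partition("Post Data:")[2].partition("Response Headers:")[0]
    entry["post_fields"] = [k for k, _ in FIELD.findall(body)]
    return entry

def unexpected_background_posts(log_text, expected_hosts):
    """Return background POSTs sent to hosts the user did not mean to talk to."""
    hits = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if (e and e["method"] == "POST" and "LOAD_BACKGROUND" in e["flags"]
                and e["host"] not in expected_hosts):
            hits.append((e["time"], e["host"], urlsplit(e["url"]).path, e["post_fields"]))
    return hits

if __name__ == "__main__":
    for hit in unexpected_background_posts(SAMPLE_LOG, {"tools.example"}):
        print(hit)
```

The heuristic only narrows the capture down; the field names it reports for each hit (here `name`, `k`, `pass`, `pass2`) are what tell you whether the request changed state on the remote site.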
| | | taitoune * *
Posts : 13 Join date : 2009-10-16 Age : 47
| Subject: Re: Oontack in the Brute Skimming Business now? Wed 21 Oct 2009, 19:32 | |
| This is really surprising. Moreover it's strange that he would not give xp to his usual brute "braffre-gueule". But it's almost sure mpif-feoe belongs to oontack. So it can't be anyone but oontack who is creating those pupils.
I know he decompiled brutal combo. So I checked the http request from tamper data in case he had used part of the brutal combo code to create pupils. But some headers are not right. There is no way these requests could be launched by a "custom version" of brutal combo.
I know he wanted to get some benefit from his bookmarklet (very nice stuff by the way). He must have succeeded at launching pupil creation from his bookmarklet. Probably by using an old technique: storing canceled brute creation requests with tamper data.
I checked the code of his greasemonkey script => I haven't found any suspicious line.
I checked the cell of mybrutes using firebug when oontack's bookmarklet is enabled => no creation request.
So we have no proof yet, only a very suspicious brute...
I can't blame him for trying to get rewarded for the work he has done as we do it with BC. But if he is really using his bookmarklet to win pupils he should have warned us on his site. How many pupils ? When ? etc.
I am a bit disappointed by this sneaky stuff especially since I lent him a hand for improving some little stuff.
Taitoune | |
| | | ESCGoat * * * * * * *
Posts : 158 Join date : 2009-07-10 Location : USA
| Subject: Re: Oontack in the Brute Skimming Business now? Wed 21 Oct 2009, 23:07 | |
| - taitoune wrote:
I can't blame him for trying to get rewarded for the work he has done as we do it with BC. But if he is really using his bookmarklet to win pupils he should have warned us on his site. How many pupils ? When ? etc.
I am a bit disappointed by this sneaky stuff especially since I lent him a hand for improving some little stuff.
Taitoune
Exactly. I think they did a great job with a tremendously useful GM script and I wouldn't have an issue if this was set forth like you guys do with BC but nobody likes stuff going on in the background without being aware of what, why, and in this case the things you mentioned.
Any chance one of the swfs they host could be triggering it or perhaps one of the other files that gets called on their server? For instance, I noticed POST requests being made to http://oontack.fr/brutes/stats_/index.php for which the source returned was: - Code:
-
L'ip 11 22 159 233 a déjà servi.<br /> <b>Warning</b>: mysql_close(): no MySQL-Link resource supplied in <b>/mounted-storage/home122a/sub003/sc68056-QBGV/www/brutes/stats_/index.php</b> on line <b>161</b><br />
The ip was mine (though for this example I replaced the real digits of the first two octets with 11 and 22) so the question becomes why would it be checking to see if my ip had been used already? I'd see what happens with a new ip but I'm packing up for a trip.
In any case, thanks for the input Taitoune. It's really good to see you here. As I mentioned, I'm about to pack things up here and I'll be gone for a bit less than a week but I hope you'll continue checking in when you can.
Cheers,
esc-g
edit: I'm not certain, but it occurred to me shortly after I wrote this post that the above code block could simply be a web-statistics package tracking unique hits. Then again, it still seems a little odd to me especially given the circumstances.
Last edited by ESCGoat on Wed 11 Nov 2009, 09:45; edited 1 time in total | |
| | | ESCGoat * * * * * * *
Posts : 158 Join date : 2009-07-10 Location : USA
| Subject: Re: Oontack in the Brute Skimming Business now? Wed 04 Nov 2009, 00:11 | |
| Update for Nov 3rd...
Oontack was down for a few days and during those days I noticed a ton of leveling up existing pupils for mpif-feoe but none of the massive amounts of new pupils (as described above) being created.
Well, today Oontack is back online, mpif-feoe is back in action, and tons of those strangely named new pupils are being created again (and not levelled up after creation). I'm sold that something's up here...
Left a message on their blog but I believe it's going through moderation and isn't likely to appear.
edit: the message did get posted on the blog and Oontack responded quite promptly stating that it wasn't a coincidence and there would be an explanation forthcoming soon but he needed a translator for it. At least we know for sure that it was created by Oontack and not some other random rogue mybrute script or malware, hehe. It was also good of Oontack to respond so quickly.
esc-g | |
| | | bamb@m * * * * * * * * *
Posts : 692 Join date : 2009-08-13 Location : under a palm tree ┏ ( ・o・) ┛♪
| Subject: Re: Oontack in the Brute Skimming Business now? Thu 12 Nov 2009, 09:18 | |
| I just got an e-mail from the french forum, confirming your suspicions: original french - Spoiler:
Hello,
This message has been sent to all members of the Forum La Brute: http://forumlabrute.forumactif.org
We are sending you this message to warn you to stop using Oontack's Bookmarklet; it creates pupils with your IP address without your knowledge!
Here is another bookmarklet: http://brutetools.eg2.fr/scriptbook.php
You can be sure that this one does not create pupils for another brute behind your back.
Regards, the Staff of the Forum La Brute (http://forumlabrute.forumactif.org)
babelfish translation to english - Spoiler:
Hello, This message was sent has all the member of the Forum the Rough one: http://forumlabrute.forumactif.org We send this message to you to prevent ourselves not to use Bookmarklet more of Oontack, it creates pupils with your address IP without your knowledge! Here another bookmarket: http://brutetools.eg2.fr/scriptbook.php You can be sure, that Ci does not create d' pupils has another rough in your C. Cordially, the Staff of the Forum the Rough one (http://forumlabrute.forumactif.org)
| |
| | | ESCGoat * * * * * * *
Posts : 158 Join date : 2009-07-10 Location : USA
| Subject: Re: Oontack in the Brute Skimming Business now? Thu 12 Nov 2009, 15:47 | |
| lol, "Forum the Rough One" haha... those translations always crack me up. I had no problem reading the French but hopefully others appreciate the translation.
Thanks much for the heads up on the email from the Forum La Brute! :)
The question has become for me why is it that nobody seems to have cared about my warnings (here and elsewhere). Usually when stuff is going on in the background without the user's knowledge and this comes to light people get pretty bent and at the least really don't trust it (rightfully so)... and with it using the users' ips for pupil creation behind their backs I would think some would be really upset. Personally I just wanted to find out what was going on and why... but I've been really surprised by the complete lack of reaction in any way from other forum members and clan members whenever I've brought up warnings about what Oontack was doing. Selective hearing perhaps? hehehe.
Thanks again for the info bam!
Regards,
esc-g | |
| | | 10b * * * * * * *
Posts : 234 Join date : 2009-07-04 Age : 107 Location : Dark Side Of The Moon
| Subject: Re: Oontack in the Brute Skimming Business now? Thu 12 Nov 2009, 21:00 | |
| - bamb@m wrote:
I just got an e-mail from the french forum, confirming your suspicions: original french - Spoiler:
Hello,
This message has been sent to all members of the Forum La Brute: http://forumlabrute.forumactif.org
We are sending you this message to warn you to stop using Oontack's Bookmarklet; it creates pupils with your IP address without your knowledge!
Here is another bookmarklet: http://brutetools.eg2.fr/scriptbook.php
You can be sure that this one does not create pupils for another brute behind your back.
Regards, the Staff of the Forum La Brute (http://forumlabrute.forumactif.org)
I've got the same e-mail. Something is definitely fishy about oontack. | |
| | | Subman(R) admin
Posts : 2213 Join date : 2009-07-17 Age : 64 Location : Florida
| Subject: Re: Oontack in the Brute Skimming Business now? Thu 12 Nov 2009, 21:23 | |
| They can create all pupils they want from my static IP. Hope I waste their time. | |
| | | Cowdude179 * * * * * * * * * *
Posts : 1175 Join date : 2009-09-01 Age : 34 Location : England
| Subject: Re: Oontack in the Brute Skimming Business now? Thu 12 Nov 2009, 21:26 | |
| Meh, it doesn't really bother me much... because I don't really have any "worth while" brutes in labrute. They can create all the pupils they want because I'm thankful for the great tool they created. | |
| | | bamb@m * * * * * * * * *
Posts : 692 Join date : 2009-08-13 Location : under a palm tree ┏ ( ・o・) ┛♪
| Subject: Re: Oontack in the Brute Skimming Business now? Thu 12 Nov 2009, 23:34 | |
| - ESCGoat wrote:
- ...The question has become for me why is it that nobody seems to have cared about my warnings (here and elsewhere). ... but I've been really surprised by the complete lack of reaction in any way from other forum members and clan members whenever I've brought up warnings about what Oontack was doing. Selective hearing perhaps? hehehe.
yeah, I warned my clanmates before and got no response from all but one, and the one who did respond said "so?". I guess he doesn't want to try finding an FR partner for bc, and I know he has no FR brutes, so *meh*. I just posted again reminding them, and included the post I made about the e-mail, and still got no response. | |