How is "0x43.0x9e.0x87.0xa9" a valid domain?

on 19.05.2006 17:18:09 by joe

I got a phish in my inbox today, leading to a PayPal spoof site at:


http://0x43.0x9e.0x87.0xa9/images/macromedia/Configuration/WebServices/index.html

What I don't understand is, how is this even a valid URL? .0xa9 isn't
any valid top-level domain as far as I can tell, yet when I paste the
above into Firefox, it cheerfully shows me the spoofer's page.
WHOIS.net rejects it as invalid. nslookup reports "server can't find
0x43.0x9e.0x87.0xa9: NXDOMAIN". dig reports something cryptic (I admit
to being mostly baffled by the dig command -- please be gentle, I'm new
to this) that doesn't seem to include an IP address. Yet something
like ping or traceroute goes right to 67.158.135.169 (as does Firefox,
apparently).

Can anyone explain to me how this works? How did the scammer here
construct a domain name that's not known to the WHOIS servers or lookup
tools, yet resolves to a valid IP for other tools?

Thanks,
- Joe

Re: How is "0x43.0x9e.0x87.0xa9" a valid domain?

on 19.05.2006 17:41:30 by Todd Knarr

Joe wrote:
> http://0x43.0x9e.0x87.0xa9/images/macromedia/Configuration/WebServices/index.html
>
> What I don't understand is, how is this even a valid URL? .0xa9 isn't
> any valid top-level domain as far as I can tell, yet when I paste the

Welcome to the wonderful world of the standard C library. One of the
things that happens when a hostname can't be translated to an IP address
is that the resolver tries to parse it as a numeric IP address. It does
that by tokenizing on '.' and converting the segments into numbers
(assuming that the number of segments fits into the 1-4 range allowed
for IPv4 and each segment's value is in the legal range). The C
functions that convert from character strings to integers typically
automatically recognize certain patterns to indicate the base of a
number: a leading "0x" indicates a hex number, a leading "0"
octal. Translating hex to decimal, the host is 67.158.135.169.

Note that this works for a lot of things. "hostnames" of the form
"n.n.Y", "n.Z" and "N" (where n is in the 0-255 range, Y in the 0-65535
range (16-bit integer), Z is in the 0 - (2^24)-1 range (24-bit integer)
and N is a number in the 0 - (2^32)-1 range (32-bit integer)) also get
treated as numeric IPs. n, Y, Z and N can be in decimal, octal (with a
leading '0') or hex (with a leading '0x').

--
death.net: because for some problems there's only one solution.

Re: How is "0x43.0x9e.0x87.0xa9" a valid domain?

on 19.05.2006 17:43:46 by joe

Never mind, I apparently need more coffee this morning. I now see that
this is simply a numeric IP, given in hexadecimal form. I hadn't
realized that this was something tools would generally recognize, but
it's pretty obvious now that I see it.

Best,
- Joe

Re: How is "0x43.0x9e.0x87.0xa9" a valid domain?

on 19.05.2006 18:01:57 by unruh

"Joe" writes:

>I got a phish in my inbox today, leading to a PayPal spoof site at:


>http://0x43.0x9e.0x87.0xa9/images/macromedia/Configuration/WebServices/index.html

In more usual language that is
67.158.135.169
Whether any browser would decode it is less clear.

(What is weird is that it is an electric company, and on the front page
they have a hand-cranked radio and flashlight for sale. Are they trying to
tell us something?)

>What I don't understand is, how is this even a valid URL? .0xa9 isn't
>any valid top-level domain as far as I can tell, yet when I paste the
>above into Firefox, it cheerfully shows me the spoofer's page.

Not in my firefox!

>WHOIS.net rejects it as invalid. nslookup reports "server can't find
>0x43.0x9e.0x87.0xa9: NXDOMAIN". dig reports something cryptic (I admit
>to being mostly baffled by the dig command -- please be gentle, I'm new
>to this) that doesn't seem to include an IP address. Yet something
>like ping or traceroute goes right to 67.158.135.169 (as does Firefox,
>apparently).

>Can anyone explain to me how this works? How did the scammer here
>construct a domain name that's not known to the WHOIS servers or lookup
>tools, yet resolves to a valid IP for other tools?

Because it is just a number. In hex (which is what the 0x means).

Re: How is "0x43.0x9e.0x87.0xa9" a valid domain?

on 19.05.2006 18:02:02 by Ludovic Joly

This is not compliant with the specifications of [RFC1738] (Uniform
Resource Locators).

"...
3.1. Common Internet Scheme Syntax
....
host
The fully qualified domain name of a network host, or its IP
address as a set of four decimal digit groups separated by
".".
"

Oooooops,

Kind regards
Ludovic Joly

Re: How is "0x43.0x9e.0x87.0xa9" a valid domain?

on 20.05.2006 17:59:05 by M Trimble

Unruh wrote:

> "Joe" writes:
>
>...
>
> Because it is just a number. In hex ( which is what the 0x means).

Took one look at that and, 'Oh. Hex. OK, translate to decimal and see what
comes up'. But why encode it that way? Someone trying to obscure the IP
address [like a kitten covering up on the linoleum]?

Someone puzzle me that one???

Re: How is "0x43.0x9e.0x87.0xa9" a valid domain?

on 21.05.2006 00:36:56 by Barry Margolin

In article ,
"M. Trimble" wrote:

> Unruh wrote:
>
> > "Joe" writes:
> >
> >...
> >
> > Because it is just a number. In hex ( which is what the 0x means).
>
> Took one look at that and, 'Oh. Hex. OK, translate to decimal and see what
> comes up'. But, why encode it that way? someone trying to obscure the IP
> address [like a kitten covering up on the linoleum]?
>
> Someone puzzle me that one???

It probably gets around some security programs, which know how to
recognize dotted-decimal addresses and block them, but don't recognize
the hex.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
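The address grammar Todd describes, and the reason Barry's hex-blind filters miss it, as an added example that is not code from this thread: a C parser for the classic inet_aton() forms (1 to 4 parts, decimal, octal or hex, last part filling the remaining bytes), written here for illustration rather than taken from glibc. A filter that canonicalizes each host through a parser like this before matching treats 0x43.0x9e.0x87.0xa9 and 67.158.135.169 as the same address; the function name and the sample inputs are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <errno.h>

/* Classic inet_aton() grammar as Todd describes it: 1-4 '.'-separated parts,
 * each decimal, octal (leading 0) or hex (leading 0x); all but the last part
 * are one byte, the last fills the remaining low bytes. Returns 1 with the
 * address in host byte order, 0 if malformed. Illustration, not glibc code. */
int legacy_ipv4_parse(const char *s, uint32_t *out)
{
    unsigned long parts[4];
    int n = 0;
    for (const char *p = s;;) {
        char *end;
        if (n == 4 || *p < '0' || *p > '9')   /* too many parts, or a part */
            return 0;                         /* not starting with a digit */
        errno = 0;
        parts[n++] = strtoul(p, &end, 0);     /* base 0: 0x -> hex, 0 -> octal */
        if (errno != 0 || (*end != '\0' && *end != '.'))
            return 0;                         /* overflow, or garbage in a part */
        if (*end == '\0')
            break;
        p = end + 1;
    }
    uint64_t acc = 0;
    for (int i = 0; i < n - 1; i++) {         /* leading parts: one byte each */
        if (parts[i] > 0xFF)
            return 0;
        acc = (acc << 8) | parts[i];
    }
    int last_bits = 8 * (5 - n);              /* last part: 8, 16, 24 or 32 bits */
    if (parts[n - 1] > (1ULL << last_bits) - 1)
        return 0;
    *out = (uint32_t)((acc << last_bits) | parts[n - 1]);
    return 1;
}
int main(void)
{
    /* constructed inputs: the thread's address in each accepted notation, then two that must be rejected */
    const char *in[] = { "0x43.0x9e.0x87.0xa9", "0103.0236.0207.0251",
        "67.158.34729", "67.10389417", "1134462889", "256.1.1.1", "1.2.3.4.5" };
    for (size_t i = 0; i < sizeof in / sizeof *in; i++) {
        uint32_t a;
        if (legacy_ipv4_parse(in[i], &a))
            printf("%-20s -> %u.%u.%u.%u\n", in[i], a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255);
        else
            printf("%-20s -> rejected\n", in[i]);
    }
}
```

All five accepted spellings print 67.158.135.169; a blocklist that compares hosts only after this canonicalization cannot be bypassed by switching notation.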