Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on April 22, 2020, 02:42:23 PM

Title: Is this being blocked for us?
Post by: polonus on April 22, 2020, 02:42:23 PM
Saw connections out to proxdevcool dot com.
Re: https://otx.alienvault.com/indicator/domain/proxdevcool.com
& https://any.run/report/7ed8f1aa848dc1ec0c355ba7269c9f799b8d56da4cc0983670f5c45d62e2b34b/7224d412-b1ab-4848-8cd8-8738e31f7dc9
& https://hybrid-analysis.com/sample/243e4816414487543312cd01abfca23f546918d01eb53f082c22e61f5da36f6d?environmentId=100
consider: https://www.robtex.com/dns-lookup/proxdevcool.com
& https://www.virustotal.com/gui/url/691de8d415fe718a79a5747288b9de0325f293a5246e7667f228a454789bcb09/detection
& https://www.joesandbox.com/analysis/143737/0/executive

polonus
Title: Re: Is this being blocked for us?
Post by: polonus on April 22, 2020, 04:53:36 PM
How come I get these "green" results here? -> https://urlscan.io/result/4d94b842-9ab4-4183-9f8b-9019ce03f458
See: https://www.shodan.io/host/23.111.228.4
Website servers dot com is insecure by default
100% of the trackers on this site could be protecting you from NSA snooping.

 All trackers
At least 10 third parties know you are on this webpage.

 -www.servers.com
 -shaaaaaaaaaaaaa.com
 -s3.amazonaws.com
 -proxdevcool.com
 -portal.servers.com
 -Google
 -www.googletagmanager.com
 -static-resource.com
 -cdn-javascript.net
 -code.jivosite.com

 Tracker could be tracking safely if this site was secure.

polonus
Title: Re: Is this being blocked for us?
Post by: polonus on April 22, 2020, 05:15:46 PM
Another one and where we have found it: https://urlhaus.abuse.ch/host/modcloudserver.eu/
Re: https://app.any.run/tasks/d7263bfb-3b62-4d5a-81e6-e60dbeb7f9b6/
Re: https://cybercrime-tracker.net/index.php?search=modcloudserver.eu/anyisouth/panel/admin.php
Re: https://www.azorult-tracker.net/s/asn/AS50673
& https://www.virustotal.com/gui/ip-address/104.237.252.50/detection
& https://www.virustotal.com/gui/ip-address/104.237.252.50/relations

pol
Title: Re: Is this being blocked for us?
Post by: Pondus on April 22, 2020, 05:59:02 PM
a check should always start with ... is it up or down   ;)    https://downforeveryoneorjustme.com/proxdevcool.com

Title: Re: Is this being blocked for us?
Post by: polonus on April 22, 2020, 10:10:46 PM
Hi Pondus,

If only it were that easy.

Main http()s site is down and/or blocked, but occasionally bad malware URIs come from that domain IP.
On average, malware does not last long; a couple of hours and it may be gone.
Persisting malcode is seldom seen, or it might be being spread by/from a bulletproof hoster.

This one is up now or was some hour ago: https://www.virustotal.com/gui/url/845c7983126bf74ac652b1645dc54801cf528dc1547eb290ab5fdccbf9fa132d/detection

15 engines detect it; alas, Avast did not.

IP kicking up malware, also for mentioned domain:
https://www.virustotal.com/gui/ip-address/88.218.16.218/relations
considering the vulnerabilities at the hoster in Dronten: https://www.shodan.io/host/88.218.16.218
see flaws there and know bootstrap is a can of worms that is exploitable big time

Malware is taken down as soon as it is reported and flagged;
that does not mean the IP is not kicking up new malware like GuLoader and Loki.

polonus