Avast community forum
Avast WEBforum » Other » Viruses and worms
Topic: Site url resolving to IP 127.0.0.2 should be blocked! (Read 2632 times)
polonus (Avast Überevangelist, Probably Bot, Posts: 34065, malware fighter)
Site url resolving to IP 127.0.0.2 should be blocked!
« on: February 12, 2014, 11:25:11 PM »
CyberCrime site: work.panthera.ca/V3asd4s2ew/cp.php?m=login should resolve to 92.55.82.245
but goes here:
http://urlquery.net/report.php?id=9415796
-> ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere [RFC1700, page 5].
92.55.82.245 3 connections First seen 5 months ago Last seen 46 hours ago Threat AlienVault Danger level 4
->
http://urlquery.net/report.php?id=9415886
-> not analyzed get a failure....
Domain work.panthera.ca/IN doesn't exist - failed to look for Parent - delegation not found at parent! ->
http://dnscheck.sidn.nl/?time=1392243498&id=1735553&view=basic&test=standard
->
http://totalhash.com/network/ip:92.55.82.245
->
https://zeustracker.abuse.ch/monitor.php?host=work.panthera.ca
Should be blocked by avast because of Nameserver(s): ns1.afraid dot org | ns2.afraid dot org | ns3.afraid dot org | ns4.afraid dot org
Might be a SplitDNS misconfiguration! 127.0.0.2 myhost myhost.mydomain ->
http://jsunpack.jeek.org/?report=1368f4734499c3b4f369f1d818b79cce8def670a
polonus
« Last Edit: February 13, 2014, 12:27:49 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.
Use NoScript, a limited user account and a virtual machine and be safe(r)!
polonus (Avast Überevangelist, Probably Bot, Posts: 34065, malware fighter)
Re: Site url resolving to IP 127.0.0.2 should be blocked!
« Reply #1 on: February 12, 2014, 11:58:09 PM »
Here we come up with quite some answers:
http://totalhash.com/network/dnsrr:*127.0.0.2*%20or%20ip:127.0.0.2
What is the common denominator here? Detected a Dynamic DNS URL!
Spam mail bots? ->
https://www.mywot.com/en/scorecard/quowesuqbbb.mooo.com
Botnet C&C? Seen with worms like W32/Parite! They should fix their stuff!
Here is the final word and IDS alert:
http://urlquery.net/report.php?id=9210970
IDS alert for ET TROJAN Known Sinkhole Response Header
Also read here:
http://seclists.org/snort/2013/q4/665
and also study this paper here:
http://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523?show=dns-sinkhole-33523&cat=dns
article author Guy Bruneau advisor Rick Wanner
polonus
« Last Edit: February 13, 2014, 12:51:00 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.
Use NoScript, a limited user account and a virtual machine and be safe(r)!
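A defender-side check for the condition both posts describe: a public hostname whose A record lands in 127.0.0.0/8 (here 127.0.0.2 instead of the expected 92.55.82.245), which is the loopback anomaly of the first post and the sinkhole-style answer the second post's IDS alert points at. This is an added example, not code from the thread or from Avast; the sample records are constructed, only work.panthera.ca and 92.55.82.245 come from the post, and the other hostnames are reserved `.example` placeholders.

```python
import ipaddress
from collections import Counter

# Constructed sample (name, A/AAAA answer) observations, e.g. from passive DNS
# or resolver logs. The first entry mirrors the thread: work.panthera.ca
# answering 127.0.0.2 where 92.55.82.245 was expected. Other names are placeholders.
SAMPLE_RECORDS = [
    ("work.panthera.ca", "127.0.0.2"),
    ("expected.example", "92.55.82.245"),
    ("intranet.example", "10.0.0.5"),
    ("localhost.example", "127.0.0.1"),
    ("v6host.example", "::1"),
    ("broken.example", "not-an-ip"),
]

CONVENTIONAL_LOOPBACK = (ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1"))


def classify_answer(rdata: str) -> str:
    """Label a DNS answer by the address class it falls into.

    Per the RFC 1700 note quoted in the thread, nothing in 127.0.0.0/8 should
    appear on any network; an answer from that block other than 127.0.0.1 is the
    anomaly the thread is about (sinkhole-style response or split-DNS mistake).
    """
    try:
        ip = ipaddress.ip_address(rdata)
    except ValueError:
        return "unparseable"
    if ip.is_loopback:
        if ip in CONVENTIONAL_LOOPBACK:
            return "loopback-standard"
        return "loopback-nonstandard"
    if ip.is_unspecified or ip.is_reserved or ip.is_multicast:
        return "non-routable"
    if ip.is_private:
        return "private"
    return "routable"


def suspicious_names(records):
    """Names whose answer a public resolver should never hand back (loopback or non-routable)."""
    flagged = {"loopback-standard", "loopback-nonstandard", "non-routable"}
    return [name for name, rdata in records if classify_answer(rdata) in flagged]


def summarize(records):
    """Count answers per class, useful for a quick triage view over a log batch."""
    return Counter(classify_answer(rdata) for _, rdata in records)
```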