Site url resolving to IP 127.0.0.2 should be blocked!

[polonus]

CyberCrime site: work.panthera.ca/V3asd4s2ew/cp.php?m=login  should resolve to 92.55.82.245
but goes here: http://urlquery.net/report.php?id=9415796 -> ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere [RFC1700, page 5].
92.55.82.245   3 connections First seen   5 months ago Last seen   46 hours ago   Threat AlienVault Danger level 4
-> http://urlquery.net/report.php?id=9415886 -> not analyzed get a failure....
Domainn work.panthera.ca/IN doesn't exist - failed to look for Parent - delegation not found at parent! -> http://dnscheck.sidn.nl/?time=1392243498&id=1735553&view=basic&test=standard -> http://totalhash.com/network/ip:92.55.82.245
-> https://zeustracker.abuse.ch/monitor.php?host=work.panthera.ca
Should be blocked by avast because of Nameserver(s):   ns1.afraid dot org | ns2.afraid dot org | ns3.afraid dot org | ns4.afraid dot org
Might be a SplitDNS misconfiguration! 127.0.0.2 myhost myhost.mydomain -> http://jsunpack.jeek.org/?report=1368f4734499c3b4f369f1d818b79cce8def670a

polonus

[polonus]

Here we come up with quite some answers: http://totalhash.com/network/dnsrr:*127.0.0.2*%20or%20ip:127.0.0.2
What is the common denominator here? Detected a Dynamic DNS URL!
Spam mail bots? -> https://www.mywot.com/en/scorecard/quowesuqbbb.mooo.com
Botnet C&C?  Seen with worms like W32/Parite! They should fix their stuff!
Here is the final word and IDS alert: http://urlquery.net/report.php?id=9210970  IDS alert for ET TROJAN Known Sinkhole Response Header
Also read here: http://seclists.org/snort/2013/q4/665
and also study this paper here: http://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523?show=dns-sinkhole-33523&cat=dns
article author Guy Bruneau advisor Rick Wanner

polonus