Author Topic: Site url resolving to IP 127.0.0.2 should be blocked!  (Read 2543 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Site url resolving to IP 127.0.0.2 should be blocked!
« on: February 12, 2014, 11:25:11 PM »
CyberCrime site: work.panthera.ca/V3asd4s2ew/cp.php?m=login  should resolve to 92.55.82.245
but goes here: http://urlquery.net/report.php?id=9415796 -> ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere [RFC1700, page 5].
92.55.82.245   3 connections First seen   5 months ago Last seen   46 hours ago   Threat AlienVault Danger level 4
-> http://urlquery.net/report.php?id=9415886 -> not analyzed get a failure....
Domainn work.panthera.ca/IN doesn't exist - failed to look for Parent - delegation not found at parent! -> http://dnscheck.sidn.nl/?time=1392243498&id=1735553&view=basic&test=standard -> http://totalhash.com/network/ip:92.55.82.245
-> https://zeustracker.abuse.ch/monitor.php?host=work.panthera.ca
Should be blocked by avast because of Nameserver(s):   ns1.afraid dot org | ns2.afraid dot org | ns3.afraid dot org | ns4.afraid dot org
Might be a SplitDNS misconfiguration! 127.0.0.2 myhost myhost.mydomain -> http://jsunpack.jeek.org/?report=1368f4734499c3b4f369f1d818b79cce8def670a

polonus
« Last Edit: February 13, 2014, 12:27:49 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Site url resolving to IP 127.0.0.2 should be blocked!
« Reply #1 on: February 12, 2014, 11:58:09 PM »
Here we come up with quite some answers: http://totalhash.com/network/dnsrr:*127.0.0.2*%20or%20ip:127.0.0.2
What is the common denominator here? Detected a Dynamic DNS URL!
Spam mail bots? -> https://www.mywot.com/en/scorecard/quowesuqbbb.mooo.com
Botnet C&C?  Seen with worms like W32/Parite! They should fix their stuff!
Here is the final word and IDS alert: http://urlquery.net/report.php?id=9210970  IDS alert for ET TROJAN Known Sinkhole Response Header
Also read here: http://seclists.org/snort/2013/q4/665
and also study this paper here: http://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523?show=dns-sinkhole-33523&cat=dns
article author Guy Bruneau advisor Rick Wanner

polonus
« Last Edit: February 13, 2014, 12:51:00 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!