Hi rickyyeung,
Very legitimate questions about 7k7k.xdwscache.glb0.lxdns dot com,
see:
http://totalhash.com/search/dnsrr:7k7k.xdwscache.glb0.lxdns.com
You probably have read that all VIP corporate computers that now make the trip to mainland China
will make a one-way trip only. Not that these managerial computers may be full of malware,
but they cannot go back to be hung into the firm's network on return.
Even computers with just a browser OS, because one visit to facebook or the downgraded Chinese https monitoring system (B.F)
makes them only fit to be shredded completely - monitoring compromise has sunk in, so those computers can no longer be trusted.
I wonder what kind of security these computers will get when making the trip from Hong Kong.
But back on topic now. The site you mentioned is located at an Anonymous Proxy - IP 8.37.230.27
No Snort nor Suricata IDS alerts for resurrected RedKit, Borland Delphi 4.0 heuristic trojans,
and you know yourself how dubious these detections are and they are very FP prone.
General IP badness history:
https://www.virustotal.com/nl/ip-address/8.37.230.27/information/
Sites that are blacklisted mainly from Autoshun and via Malware Domain Blocklist.
The site you mention is hosted from Pasadena, USA, with this accompanying herdprotect report:
http://www.herdprotect.com/ip-address-8.37.230.27.aspx
16 websites to keep an eye on:
http://sameid.net/ip/8.37.230.27/
The network analysis:
http://totalhash.com/network/dnsrr:7k7k.xdwscache.glb0.lxdns.com
Domain info:
http://whois.domaintools.com/lxdns.com
Delegation, Nameserver and SOA errors:
http://dnscheck.sidn.nl/?time=1413635323&id=1775712&view=basic&test=standard
This is really phishy and we could draw some conclusions from this scan.
Parent child nameserver mismatch can point at manipulative behavior on dns level.
Also shown from the hosting history: 3 registrars with 2 drops; 6 changes on 5 unique name servers over 9 years.
Strange results here from Pasadena:
http://toolbar.netcraft.com/site_report?url=http://8.37.230.27 (no results!).
See:
https://www.robtex.com/en/advisory/dns/com/lxdns/
Is this from the wsdns.group end in Shanghai, blacklisted by rhsbl.ahbl.org? Netcraft risk 9 out of 10 of being compromised.
Classification according to Kleissner's VirusTracker: 7k7k.xdwscache.glb0.lxdns.com,8.37.231.19,,Multiple IPs,
So much so far, happy hunt and many thanks for your website analysis reports,
polonus (volunteer website analyst)