Author Topic: IP spam blacklisted and strangely redirecting....

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
IP spam blacklisted and strangely redirecting....
« on: September 27, 2016, 06:09:18 PM »
See this Host Sailor IP: http://urlquery.net/report.php?id=1474990013794
Spam and other malicious activities reported: https://cymon.io/131.72.139.16

On AS: does not seem to exist according to Sitevet. Then the appearance here is suspicious: https://zeustracker.abuse.ch/monitor.php?as=60117
but currently no ZeuS is tracked there.
IPs pop up with spam: https://cleantalk.org/blacklists/AS60117

Re: http://toolbar.netcraft.com/site_report?url=131.72.139.19 where the IP is redirecting to (was not followed): http://toolbar.netcraft.com/site_report?url=http%3A%2F%2Fwww.flashtemplatestore.com%2F

What is running at that IP address: OpenSSH 6.0p1 Debian 4+deb7u6 (protocol 2.0) http-server-header: nginx/1.2.1
OS: Linux; CPE: cpe:/o:linux:linux_kernel

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


Re: IP spam blacklisted and strangely redirecting....
« Reply #2 on: September 28, 2016, 01:14:02 AM »
Checked this as clean at Payload Security:

September 28 2016, 0:56 (CEST)
Input: http://api.mixpanel.com
File type: HTML document, ASCII text
SHA256: a103f95d1e852deb1333a7fe95f3825affa2a727ca0139d0f4f1135815b455af
Threat level: no specific threat
Summary: Threat Score: No Threat; AV Multiscan: Marked as clean; Matched 10 Signatures
Countries: -
Environment: Windows 7 32 bit

Suspicious parameters: Installs hooks/patches the running process
details
source
Hook Detection
relevance
10/10

Spawns new processes
details
Spawned process "iexplore.exe" with commandline "SCODEF:3152 CREDAT:79873" (UID: 00026078-00003128)
source
Monitored Target
relevance
3/10

Dropped files
details
"~DF175A8626CC8DB743.TMP" has type "data"
"frameiconcache.dat" has type "data"
"RecoveryStore.{34CD6363-8554-11E6-9DE2-0A00279826D4}.dat" has type "Composite Document File V2 Document No summary info"
"{06183630-8556-11E6-9DE2-0A00279826D4}.dat" has type "Composite Document File V2 Document No summary info"
"~DF3699B9C8E178BCFA.TMP" has type "data"
source
Extracted File
relevance
3/10

polonus

P.S. Benign as we find here: https://forum.avast.com/index.php?topic=170897.0

D
« Last Edit: September 28, 2016, 01:16:04 AM by polonus »