Author Topic: Suspicious ga domain not alerted? (Read 4697 times)

polonus · « **on:** December 09, 2017, 02:38:24 PM »

Background read: https://isc.sans.edu/forums/diary/Suspicious+Domains+Tracking+Dashboard/23046/

Example here: https://urlquery.net/report/b9c1efa5-e0ef-4842-872b-ef9cc36ebd11
and VT does not flag: https://www.virustotal.com/nl/url/3ed14de6e9364ec95c9bfdbc548e8702e6d716f10cc6182f4aa5332b606cacfd/analysis/1512825846/
Sucuri does not flag, but Quttera has it as malicious: https://quttera.com/sitescan/rafsangkuntio.ga

polonus

polonus · « **Reply #1 on:** December 10, 2017, 12:31:58 AM »

Another such an alert for a website that seems down now - alert: ET INFO Suspicious Domain (*.cf) in TLS SNI
see: https://urlquery.net/report/f250c985-bd0c-4a42-b845-3072d5465f0d

See recent update: https://www.proofpoint.com/us/daily-ruleset-update-summary-20171204

another one alerted:
https://urlquery.net/report/669c1833-50de-4699-b6bc-1ecf0ddac06d

On domain name rules: https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/proxies/https/https_domain_names_c.html

pol

polonus · « **Reply #2 on:** December 10, 2017, 12:11:27 PM »

More of such alerts could be for instance be for top domains, mostly hostile, like:
https://registrydb.com/a2mhpalaibsfjs.top AliBaba Cloud computing abuse, server exploitable nginx version info proliferation.

Re: https://urlquery.net/report/47b4ff33-2103-4bec-a34d-5d79cd575322 & https://www.virustotal.com/nl/url/6370b3b7260d631494c4f2c9d37f21caec5a7004a97d42355b06fb426f1f4b85/analysis/1512903014/

Website errors: https://sitecheck.sucuri.net/results/a2xlgvpuibsujs.top

See also: -https://www.threatminer.org/ssls.php?q=information%20systems&t=15
Do not click links in there, because they can be suspicious/malicious.

pol

polonus · « **Reply #3 on:** December 12, 2017, 12:31:23 AM »

Accumulated CloudFlare abuse:

Another example of a suspicious top domain: http://urlquery.net/report/3f3c4028-3050-4cc6-98b8-4c69707ac5d9

On IP we find various instances of streaming malware detected: https://www.virustotal.com/#/ip-address/104.31.74.68
consider: https://app.cymon.io/search/url/http%3A%2F%2Fv-detector.top

Read: https://malwarebreakdown.com/2017/04/24/eitest-leads-to-rig-ek-at-188-225-36-196-and-drops-quant-loader-zloaderzbot/

Phishing/trackers listed on that IP: https://cymon.io/104.31.74.67

polonus

polonus · « **Reply #4 on:** December 12, 2017, 12:49:31 AM »

And here an alert for a suspicious "ml" domain, most likely hostile, also on an IP we discussed above, and again CloudFlare abuse:
http://urlquery.net/report/786c26e6-b102-49e2-b89c-483661488739

Apparently no one flags here so far: https://www.virustotal.com/#/url/7ee0c7eb14f77468ebaa6ceab32eb24ab334302a7a200d38b7798231baf27d7f/detection

URLs that redirect found in: -https://blockchainrobot.ml/

1: -http://www.celibatairesduweb.com/img/GrandFormat/alger-rencontre_gratuite-274218.jpeg ->
-https://www.celibatairesduweb.com/img/GrandFormat/alger-rencontre_gratuite-274218.jpeg
2: -http://www.dziriya.net/societe/femme-algerienne/lina-doranG.jpg -> -http://dziriya.net/societe/femme-algerienne/lina-doranG.jpg

Suspicious code, why isn't it detected, given as txt attached -

polonus (volunteer website security analyst and website error-hunter)

P.S. Not all streaming malware from sub-links followed, like this one from AliExpress: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=shopeasy.by%2Fredirect%2Fcpa%2Fo%2Fp088yh78y8epbb5vs7d4cuk4v8n2wgld%2F&ref_sel=GSP2&ua_sel=ff&fs=1
errors in code

Quote

found JavaScript
error: undefined variable insertBefore
error: undefined variable firstChild
error: undefined function insertBefore
info: [element] URL=-s.click.aliexpress.com/undefined

Damian

polonus · « **Reply #5 on:** December 16, 2017, 12:12:34 AM »

Another series of top domain abuse at Amazon's: http://urlquery.net/report/9b3c58c0-acc8-4d44-b3df-a25347699ab9
Re: https://toolbar.netcraft.com/site_report?url=a1apfnyflhedlp.top%2Fc1
= kicking up a 404 not found: https://toolbar.netcraft.com/site_report?url=ec2-52-22-130-96.compute-1.amazonaws.com

Quote

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found.</p>

-> https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=a1apfnyflhedlp.top&ref_sel=GSP2&ua_sel=ff&fs=1

alerted: ET DNS Query to a *.top domain - Likely Hostile & ET INFO HTTP Request to a *.top domain (request for -ec2-18-194-99-115.eu-central-1.compute.amazonaws.com -> 80/tcp open http nginx 1.12.1 ; nginx is prone to a remote integer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Attackers can exploit this issue to obtain sensitive information or may crash the application resulting in a denial-of-service condition.

polonus (volunteer website security analyst and website error-hunter)

polonus · « **Reply #6 on:** December 18, 2017, 10:58:10 PM »

This time an IDs alert for a source Client IP - ET INFO HTTP Request to a *.pw domain:
Missed here: https://www.virustotal.com/nl/url/a160c303e65fdf24abf35f989ab0359919f93a7530dc0c3cef05df063a548abb/analysis/1513633157/
Missed here as well: https://sitecheck.sucuri.net/results/ce-14-7.pw and here: https://quttera.com/detailed_report/ce-14-7.pw

nor here: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=ce-14-7.pw%2F&ref_sel=GSP2&ua_sel=ff&fs=1

on test.page

Quote

<script>if (e = document.getElementById('ifr')) e.src += '?' + Date.now();</script>

polonus

polonus · « **Reply #7 on:** December 19, 2017, 10:00:48 PM »

Another one here alerts for a suspicious .gq domain.
Re: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=northerntrust.gq&ref_sel=GSP2&ua_sel=ff&fs=1

Look here:

Quote

-northerntrust.gq/cgi-sys/defaultwebpage.cgi
status
info: [img] -northerntrust.gq/img-sys/IP_changed.png
info: [img] -northerntrust.gq/img-sys/misconfigured.png
info: [img] -northerntrust.gq/img-sys/moved.png
info: [img] -northerntrust.gq/img-sys/cpanel.svg

Re: http://urlquery.net/report/6d11a7d3-27e6-442c-8368-872d486044bd

polonus

polonus · « **Reply #8 on:** December 29, 2017, 10:39:53 PM »

Another such domain could be a .ml domain.
Example: https://urlquery.net/report/d7edfbd6-aedf-4b97-8c08-066a3b79ae30
Also consider: https://privacyscore.org/site/36139/
Site does not direct to HTTPS although this connection being available.
Vulnerable to theLUCKY13 attack and several security headers not being implemented.
Vulnerable jQuery library detected: http://retire.insecurity.today/#!/scan/da03d718b4dee1c39f0f9b734320cdf80a0eb4b9886b33233e0249340c25e624
with an error there

Quote

found JavaScript
error: undefined variable

F-grade security status and recommendations: https://observatory.mozilla.org/analyze.html?host=penpaper.ml
Privacy impact grade given as B-status: https://webcookies.org/cookies/penpaper.ml/11439807

Server version info proliferation: X-Powered-By: PHP/7.1.12, PleskLin
Various security headers not being set. Various warnings for: Resource insecurely loaded over plaintext HTTP. This is OK on non-TLS pages, but should never happen on TLS sites.

polonus (volunteer website security analyst and website error-hunter)

polonus · « **Reply #9 on:** December 30, 2017, 04:38:15 PM »

Another such domain is a -tc domain: https://urlquery.net/report/9ce3c19e-035c-4094-884c-d43ab219b080
Re: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=management.online.tc%2Fsitekey%2F&ref_sel=GSP2&ua_sel=ff&fs=1 redirecting....
Re: https://privacyscore.org/site/36315/ & https://webcookies.org/cookies/management.online.tc/11472198

polonus