Author Topic: Need Help With Network Virus/Exploit  (Read 6725 times)


Offline SkilletSkool

  • Jr. Member
  • **
  • Posts: 50
Re: Need Help With Network Virus/Exploit
« Reply #15 on: October 27, 2019, 11:24:06 PM »

Finally getting at the nitty gritty here: https://www.virustotal.com/gui/domain/twelvehorses.com/relations
Infested:
hxtp://twelvehorses.com/mm/Clickthrough/23317062/27021558/23333143/uBn6_sdjVJ8Dmr08mYuLuACBQH4A/*http:/www.tesco.ie/register/unsubscribe.asp  see also the communicating file detections there.

So you are saying this website is illicit/malicous then, correct?

I don't see anything malicious in FRST logs. Can you check configured TP Link hostname?
I assume you are talking about my router host name I assign?  It is 'Wilkinsons'.  I attached a screenshot of the router page.  Note, I had to freshly reset my router and set it all back up as well I had to use a different computer.  That is explained in my post above this one.

Anyhow, if I am reading polonus correctly and the site is infected then something is definitely going on.



My next question is how would they be re-directing me and only my ISP's webmail server detecting the 'twelvehorses' IP, while all other tools (What Is My IP, etc.) show the information that normally would show?  Did I stumble across a whole new type of re-direct or exploitation method?

Is it possible my router FW has been flashed and I am only using a shell FW settings page, meanwhile underneath the exploited FW is running using a weird VPN setup?  How would I be able to even check for that and still how would it be fooling all attempts to detect like 'what is my ip' site and such?

That is like they are sending me through them but not through them.

While we think about this, I am attempting to find out just how my ISP webmail server queries the last known location as it seems to be on top of everything in detecting the malicious URL.

EDIT:  Just wanted to add my ISP's webmail server is still detecting the weird 12 horses IP as my last login location using the router, even after resetting again.
« Last Edit: October 27, 2019, 11:36:50 PM by SkilletSkool »

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Need Help With Network Virus/Exploit
« Reply #16 on: October 28, 2019, 01:23:03 AM »
What is that networking setup (from ipconfig /all)?

Your DHCP and Gateway are pointed to an IP in Egypt.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline SkilletSkool

  • Jr. Member
  • **
  • Posts: 50
Re: Need Help With Network Virus/Exploit
« Reply #17 on: October 28, 2019, 02:37:06 AM »
What is that networking setup (from ipconfig /all)?

Your DHCP and Gateway are pointed to an IP in Egypt.
Yes.  That is the ipconfig /all ran through a command prompt.

The IP you are looking at is my LAN side gateway IP of my router, not my actual fiber gateway from my ISP.  So it's one I set up.  It is not my public IP.

That keeps confusing people but it is nothing to be concerned over as it's only on the LAN side of the router (the IP address range used for my local 'in-house' network).  It has nothing to do with any outbound WAN side traffic.

I changed it from the default 192.168.0.1 to the one currently showing in the picture (the other router that worked fine had the same setting so that is not the cause of what is happening).  It's just an extra security measure most don't take and has no effect on WAN side traffic.

It should not have denied me from connecting either, like it was.  Now it's allowing me to log in after the factory reset and then resetting all my personal settings.

When I search my public IP it comes up what it should be and this is why this weird re-direct that XMission is detecting is so suspicious in that it doesn't match with 'What Is My IP'. 

It will be very helpful when I can get the exact way XMission webmail server is querying my last login location.  Maybe the query they use is something different than 'What Is My IP' and will show a better way to track the re-direct.
« Last Edit: October 28, 2019, 03:43:57 AM by SkilletSkool »

Offline SkilletSkool

  • Jr. Member
  • **
  • Posts: 50
Re: Need Help With Network Virus/Exploit
« Reply #18 on: October 28, 2019, 07:23:01 PM »
WHEW!!!

So in contacting my ISP today, I got someone who did more checking into things than the last agent I was working with.

As it turns out, the webmail server was doing a basic IP check then using a reverse domain lookup to verify.  12 horses was a very old client which they let go, probably due to 12 horses being malicious in their activities.  The IP they had been assigned via static IP had just not been cleared out of the naming system on XMission's side  :P

When the webmail server did the IP check and reverse domain check it then probably noted the old record on XMission's server that hadn't been fully audited and that's why it gave me the 12 horses.  As well, ICANN may still hold old records which may have also contributed to the bad reverse domain lookup results.

They assigned my router MAC a different IP in the DHCP assignments (reserved DHCP) and I got a different last known login location using the same router.

They thanked me for helping them see they needed some further auditing on some of the older IP ranges they have used.  I wish I could have gotten this agent from the start but hey... we did uncover a domain somehow doing something illicit  8) !  It's also weird that I had the issues logging into the router after polonus and Alan did their extensive checking in the 12 horses domain... even after fully resetting the router... but that is something I will just qualify as a 'murphyism' I guess :P .

I am very relieved to know I wasn't dealing with some new NextGen exploit and ended up a target, yet after @polonus's research on the parked domain showing it is infected, that might be something Avast would want to either further investigate or report to ICANN.

Either way... THANK YOU TO ALL WHO WORKED ON THIS.
« Last Edit: October 28, 2019, 07:45:50 PM by SkilletSkool »
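The root cause in the post above is a stale PTR record: the webmail server trusted a reverse lookup that still named a former customer. A forward-confirmed reverse DNS (FCrDNS) check catches exactly that, because a PTR name is accepted only if it resolves back to the same IP. The following is an added example, not code from the thread or from XMission; the zone data is constructed, the addresses are from the RFC 5737 documentation ranges, and `dyn-8.example-isp.net` is a hypothetical name.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check.

Constructed example: the resolver data below is made up and the addresses
come from the RFC 5737 documentation ranges. It models the thread's failure
mode: a PTR record that still names a former customer of the ISP.
"""
import socket
from typing import Callable, Dict, List

# Constructed zone data. 198.51.100.7 keeps a stale PTR naming a domain
# whose own A record no longer points back at that address.
PTR_RECORDS: Dict[str, str] = {
    "198.51.100.7": "twelvehorses.com",        # stale: former customer
    "198.51.100.8": "dyn-8.example-isp.net",   # hypothetical ISP name
}
A_RECORDS: Dict[str, List[str]] = {
    "twelvehorses.com": ["203.0.113.50"],      # domain now hosted elsewhere
    "dyn-8.example-isp.net": ["198.51.100.8"],
}

def mock_ptr(ip: str) -> str:
    return PTR_RECORDS.get(ip, "")

def mock_a(name: str) -> List[str]:
    return A_RECORDS.get(name, [])

def live_ptr(ip: str) -> str:
    """Real PTR lookup through the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return ""

def live_a(name: str) -> List[str]:
    """Real IPv4 forward lookup through the system resolver."""
    try:
        return [r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)]
    except socket.gaierror:
        return []

def fcrdns(ip: str, ptr_lookup: Callable[[str], str] = live_ptr,
           a_lookup: Callable[[str], List[str]] = live_a) -> Dict[str, object]:
    """Resolve the PTR for ip and accept it only if it resolves back to ip."""
    name = ptr_lookup(ip)
    if not name:
        return {"ip": ip, "ptr": None, "confirmed": False, "reason": "no PTR record"}
    if ip in a_lookup(name):
        return {"ip": ip, "ptr": name, "confirmed": True, "reason": "forward-confirmed"}
    return {"ip": ip, "ptr": name, "confirmed": False,
            "reason": "PTR name does not resolve back to the IP (stale or forged)"}
```

Calling `fcrdns(ip)` with no lookup arguments runs the same check against a real address through the system resolver; a login-location service that requires `confirmed` to be true would have shown the ISP's own hostname (or nothing) instead of the old customer's domain.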

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Need Help With Network Virus/Exploit
« Reply #19 on: October 28, 2019, 08:31:50 PM »
Thank-you for the update.

Glad to hear the issue has been resolved with your ISP. I still think that networking setup is wack, but oh well. (A 10.* or 172.16.*.* -> 172.32.*.* network would serve a better purpose).
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline SkilletSkool

  • Jr. Member
  • **
  • Posts: 50
Re: Need Help With Network Virus/Exploit
« Reply #20 on: October 28, 2019, 09:46:31 PM »
Thank-you for the update.

Glad to hear the issue has been resolved with your ISP. I still think that networking setup is wack, but oh well. (A 10.* or 172.16.*.* -> 172.32.*.* network would serve a better purpose).
Yea, I get that.  It throws some for a loop and has in the past.  I don't like using the usual ones either, mainly as an over-abundance of security precaution.

As far as I am aware, one can give their LAN side IP range anything they want.  Most corporate and government servers use 10.x.x.x.   Comcast routers have a set of 3 or 4 range IPs you can set (both the ones you state are in their choices too).

Thanks again for all the help on all of this!  I do hope to hear about Avast being credited for finding out what is happening on the illicit 12 horses URL too!

Oorah and Semper Fi!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Need Help With Network Virus/Exploit
« Reply #21 on: October 28, 2019, 10:26:18 PM »
Hi SkilletSkool,

That is called responsible behavior. Hadn't you reported, I would not have looked into it via VirusTotal and especially the IP relations data they come up with, a real treasure chest, as sec domains and URLs & URIs become more and more of an intransparent item in Cloud driven land, as you grasp what I mean. So because you complained about it, we looked further into it (Michael (alan1998) & little old me), and we certainly have stumbled upon something that needs to be eliminated or at least understood. Always question code; know loads of things come to us via cutting and pasting (time pressure - time is money for manager and developer alike), no time for Retire.js, for linting, for fuzzing, for passing through a tool like Plunker for instance, do the DOM-XSS routines, and as I use your vast experience of doing nothing else in this field for over 12 years now. "Learn to know, then know how to do, and success will be your reward" as my grandfather told us.

polonus (3rd party cold recon website security analyst and website error-hunter)

P.S. Plunker for the curious: https://plnkr.co/edit/?p=preview
and also a case to study (not repeat!): https://alf.nu/StealingTokensWithHarmony   ;)
together with: https://javascript.info/onload-onerror

Damian
« Last Edit: October 28, 2019, 10:34:46 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!