New malware at work? Fake referrer 11m.php and trying various .asp URLs.
Ric Werme
ric at wermenh.com
Wed Dec 2 08:41:54 EST 2015
Oh how cute. After a break yesterday AM, the "assault" resumed. One new actor
is from abuser.eu. My guess is that's an official site that is investigating
the malware, as the registration info is impossibly brief:

    $ whois abuser.eu
    Domain: abuser.eu

    Registrant:
        NOT DISCLOSED!
        Visit www.eurid.eu for webbased whois.

    Onsite(s):
        NOT DISCLOSED!
        Visit www.eurid.eu for webbased whois.

    Registrar:
        Name: InterNetworX Ltd. & Co. KG
        Website: www.inwx.eu

    Name servers:
        ns2.afraid.org
        ns3.afraid.org
        ns4.afraid.org
        ns1.afraid.org

    Please visit www.eurid.eu for more info.

Over at www.eurid.eu, their response includes:

    abuser.eu: Not available for registration
    You are the holder of this domain name
    If the registrant data for your .eu domain name is inaccurate, please contact your registrar (the organisation displayed below) to update your data.
    ...

Oh - that's just boilerplate and probably prints on all queries as it continues with:

    You are not the holder of this domain name
    If you believe you have the right to a .eu domain name that is already registered by someone else, you may dispute the registration.
    ...

Sigh. At least whatever it is isn't spreading quickly, so it remains
not a big deal. I'm surprised there's little to find on Google.
Lloyd Kvam sent me Email to say he hasn't seen this traffic, so perhaps
its reach is limited at the moment.
-Ric
--
ric at WermeNH.com http://WermeNH.com/