New malware at work? Fake referrer 11m.php and trying various .asp URLs.

Joshua Judson Rosen rozzin at hackerposse.com
Wed Dec 2 11:50:03 EST 2015


On 2015-12-02 08:41, Ric Werme wrote:
> Oh how cute.  After a break yesterday AM, the "assault" resumed.  One new actor
> is from abuser.eu.  My guess is that's an official site that is investigating
> the malware, as the registration info is impossibly brief:
> 
> $ whois abuser.eu
> 
>   Domain: abuser.eu
> 
>   Registrant:
>           NOT DISCLOSED!
>           Visit www.eurid.eu for webbased whois.
[...]
> Oh - that's just boilerplate and probably prints on all queries

The info in the `webbased whois' is a little weird, too:

	Registrant:
		Language: English
		Email: abuser.eu at gmail.com

	Onsite:
		Name: Hostmaster Of The Day
		Organisation: InterNetworX Ltd. & Co. KG


Either it's actually owned/operated by InterNetworX, or
whoever owns that domain is effectively behind two layers
of `registrant privacy' obfuscation (one being the .eu
`we really do whois--go see the website instead' thing;
the second layer being the lack of real info from the registrar).

Information that we _can_ glean from the abuser.eu whois data
is that their DNS is hosted by afraid.org. Not sure what that
tells us. If it's just forward DNS, I'd take the afraid.org DNS
as suggesting that it's probably a personal machine on a consumer
internet connection. But if you're getting "abuser.eu" from a
*reverse* lookup, that's presumably not the case.

But if a major organisation (InterNetworX?) actually owns the domain,
why is the contact address something at gmail.com?

-- 
"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."
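The forward-vs-reverse question raised above can be settled from the log itself, since the answer depends on where the name came from. The following is an added example, not code from the thread or from any poster: it parses constructed Apache-style combined log lines, pulls the referrer host out of each, and classifies how that host relates to the client IP (forward-confirmed reverse DNS, PTR-only, forward-only, or unrelated). Apache logs the bare client IP unless HostnameLookups is on, so a name that only appears in the referrer field was supplied by the client, not by a reverse lookup. All addresses (RFC 5737 TEST-NET), hostnames (abuser.example, host.example.net, and so on) and the resolver table are constructed so the script runs offline; pass the socket-backed live_ptr/live_a callbacks to run it against real DNS.

```python
import re
import socket
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Apache/nginx "combined" log format: client IP, ident, user, timestamp,
# request, status, size, referrer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Resolver callbacks. The live_* versions hit real DNS; the table_* versions
# further down run the same logic against constructed data.
PtrLookup = Callable[[str], Optional[str]]   # ip -> PTR name, or None
ALookup = Callable[[str], List[str]]         # name -> IPv4 addresses

def live_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def live_a(name: str) -> List[str]:
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def classify(ip: str, name: str, ptr: PtrLookup, a: ALookup) -> str:
    """Relate a hostname seen in a log to the client IP that sent the request.

    'fcrdns'    PTR of ip is name, and name resolves back to ip (forward-confirmed)
    'ptr-only'  PTR of ip is name, but name does not resolve back to ip
    'forward'   no matching PTR; name resolves to ip, so it came from the
                request itself (Host header, referrer), not from a reverse lookup
    'unrelated' neither direction ties name to ip
    """
    norm = lambda h: h.rstrip(".").lower()
    rname = ptr(ip)
    forward_ips = a(name)
    if rname is not None and norm(rname) == norm(name):
        return "fcrdns" if ip in forward_ips else "ptr-only"
    return "forward" if ip in forward_ips else "unrelated"

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Extract client IP, request and referrer hostname from a combined-format line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ref_host = urlsplit(m.group("ref")).hostname or ""   # "-" referrer -> ""
    return {"ip": m.group("ip"), "req": m.group("req"), "ref_host": ref_host}

# Constructed resolver table (hypothetical names, TEST-NET addresses).
CONSTRUCTED_PTR = {
    "192.0.2.10": "host.example.net",    # consistent forward and reverse
    "192.0.2.20": "dyn-20.isp.example",  # consumer-style PTR, unrelated to referrer
    "192.0.2.30": "vanity.example",      # PTR set, but the name points elsewhere
}
CONSTRUCTED_A = {
    "host.example.net": ["192.0.2.10"],
    "dyn-20.isp.example": ["192.0.2.20"],
    "abuser.example": ["192.0.2.20"],
    "vanity.example": ["192.0.2.99"],
}

def table_ptr(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)

def table_a(name: str) -> List[str]:
    return CONSTRUCTED_A.get(name, [])

# Constructed log lines in the style of the probes described in the thread.
SAMPLE_LOG = [
    '192.0.2.20 - - [02/Dec/2015:08:41:00 -0500] "GET /admin/login.asp HTTP/1.1" 404 209 '
    '"http://abuser.example/11m.php" "Mozilla/5.0"',
    '192.0.2.10 - - [02/Dec/2015:08:41:03 -0500] "GET /index.html HTTP/1.1" 200 1043 '
    '"http://host.example.net/" "Mozilla/5.0"',
    '192.0.2.30 - - [02/Dec/2015:08:41:07 -0500] "GET /x.asp HTTP/1.1" 404 209 '
    '"http://vanity.example/11m.php" "curl/7.47.0"',
]

def triage(lines: List[str], ptr: PtrLookup = table_ptr, a: ALookup = table_a) -> List[Dict[str, str]]:
    """Annotate each parseable line with its PTR and how the referrer host relates to the IP."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rec["ptr"] = ptr(rec["ip"]) or "(none)"
        rec["referrer_vs_ip"] = classify(rec["ip"], rec["ref_host"], ptr, a)
        out.append(rec)
    return out

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f'{r["ip"]:<12} ptr={r["ptr"]:<20} referrer={r["ref_host"]:<18} {r["referrer_vs_ip"]}')
```

A 'forward' result is the case Joshua describes as "just forward DNS": the name was chosen by whoever sent the request, and the PTR of the source address (here a generic ISP-style name) is the better clue to what kind of connection it is. Only 'fcrdns' means the name was actually assigned to that address by whoever controls the reverse zone.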