New malware at work? Fake referrer 11m.php and trying various .asp URLs.
Dan Garthwaite
dan at garthwaite.org
Wed Dec 2 11:57:17 EST 2015
afraid.org is a community-driven dynamic DNS provider.
You can donate domain names to it and they make subdomains of those domain
names available to everyone.
That said - it is certainly abused by bad guys, too.
-dan
On Wed, Dec 2, 2015 at 11:50 AM, Joshua Judson Rosen <rozzin at hackerposse.com> wrote:
> On 2015-12-02 08:41, Ric Werme wrote:
> > Oh how cute. After a break yesterday AM, the "assault" resumed. One
> > new actor is from abuser.eu. My guess is that's an official site that is
> > investigating the malware, as the registration info is impossibly brief:
> >
> > $ whois abuser.eu
> >
> > Domain: abuser.eu
> >
> > Registrant:
> > NOT DISCLOSED!
> > Visit www.eurid.eu for webbased whois.
> [...]
> > Oh - that's just boilerplate and probably prints on all queries
>
> The info in the `webbased whois' is a little weird, too:
>
> Registrant:
> Language: English
> Email: abuser.eu at gmail.com
>
> Onsite:
> Name: Hostmaster Of The Day
> Organisation: InterNetworX Ltd. & Co. KG
>
>
> Either it's actually owned/operated by InterNetworX, or
> whoever owns that domain is effectively behind two layers
> of `registrant privacy' obfuscation (one being the .eu
> `we really do whois--go see the website instead' thing;
> the second layer being the lack of real info from the registrar).
>
> Information that we _can_ glean from the abuser.eu whois data
> is that their DNS is hosted by afraid.org. Not sure what that
> tells us. If it's just forward DNS, I'd take the afraid.org DNS
> as suggesting that it's probably a personal machine on a consumer
> internet connection. But if you're getting "abuser.eu" from a
> *reverse* lookup, that's presumably not the case.
>
> But if a major organisation (InterNetworX?) actually owns the domain,
> why is the contact address something at gmail.com?
>
> --
> "Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>
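The distinction Joshua draws between a name obtained by a forward lookup and one obtained by a *reverse* lookup matters when attributing log entries: whoever controls the reverse zone for an address chooses its PTR name, so a reverse name is only meaningful if it resolves back to the same address. The following is an added example, not code from the thread or the list, that performs that forward-confirmation check; the IPs, hostnames and records are constructed so it runs offline, and the live resolver functions are plain socket calls.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records (hypothetical, not from the thread), standing in
# for real DNS so the check can be exercised without network access.
SAMPLE_PTR: Dict[str, str] = {
    "203.0.113.7": "host7.example.net",    # PTR forward-resolves to the same IP
    "203.0.113.8": "claims.example.org",   # PTR name points somewhere else
}
SAMPLE_A: Dict[str, List[str]] = {
    "host7.example.net": ["203.0.113.7"],
    "claims.example.org": ["198.51.100.20"],
}

def sample_ptr(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)

def sample_a(name: str) -> List[str]:
    return SAMPLE_A.get(name, [])

def live_ptr(ip: str) -> Optional[str]:
    """Reverse lookup via the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def live_a(name: str) -> List[str]:
    """Forward lookup of a hostname; empty list when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def classify_source(ip: str,
                    ptr_lookup: Callable[[str], Optional[str]] = live_ptr,
                    a_lookup: Callable[[str], List[str]] = live_a) -> Tuple[str, Optional[str]]:
    """Classify a log-source IP by whether its reverse name forward-confirms.

    Returns ("no-ptr", None) when there is no reverse record,
    ("confirmed", name) when the PTR name resolves back to this IP, and
    ("unconfirmed", name) when it does not, i.e. the name tells you only
    what the reverse-zone owner wanted you to see.
    """
    name = ptr_lookup(ip)
    if name is None:
        return ("no-ptr", None)
    if ip in a_lookup(name):
        return ("confirmed", name)
    return ("unconfirmed", name)
```

Pass `sample_ptr`/`sample_a` to test against the constructed records, or omit them to query the system resolver for an address from your own logs.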