New malware at work? Fake referrer 11m.php and trying various .asp URLs.

Dan Garthwaite dan at garthwaite.org
Wed Dec 2 11:57:17 EST 2015


afraid.org is a community-driven dynamic DNS provider.
You can donate domain names to it and they make subdomains of those domain
names available to everyone.

That said - it is certainly abused by bad guys, too.

  -dan


On Wed, Dec 2, 2015 at 11:50 AM, Joshua Judson Rosen <rozzin at hackerposse.com> wrote:

> On 2015-12-02 08:41, Ric Werme wrote:
> > Oh how cute.  After a break yesterday AM, the "assault" resumed.  One new actor
> > is from abuser.eu.  My guess is that's an official site that is investigating
> > the malware, as the registration info is impossibly brief:
> >
> > $ whois abuser.eu
> >
> >   Domain: abuser.eu
> >
> >   Registrant:
> >           NOT DISCLOSED!
> >           Visit www.eurid.eu for webbased whois.
> [...]
> > Oh - that's just boilerplate and probably prints on all queries
>
> The info in the `webbased whois' is a little weird, too:
>
>         Registrant:
>                 Language: English
>                 Email: abuser.eu at gmail.com
>
>         Onsite:
>                 Name: Hostmaster Of The Day
>                 Organisation: InterNetworX Ltd. & Co. KG
>
>
> Either it's actually owned/operated by InterNetworX, or
> whoever owns that domain is effectively behind two layers
> of `registrant privacy' obfuscation (one being the .eu
> `we really do whois--go see the website instead' thing;
> the second layer being the lack of real info from the registrar).
>
> Information that we _can_ glean from the abuser.eu whois data
> is that their DNS is hosted by afraid.org. Not sure what that
> tells us. If it's just forward DNS, I'd take the afraid.org DNS
> as suggesting that it's probably a personal machine on a consumer
> internet connection. But if you're getting "abuser.eu" from a
> *reverse* lookup, that's presumably not the case.
>
> But if a major organisation (InterNetworX?) actually owns the domain,
> why is the contact address something at gmail.com?
>
> --
> "Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>
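Added example, not from the thread or from any of its authors, of the forward/reverse distinction raised above: before reading anything into a name like abuser.eu attached to a log entry, check whether the reverse (PTR) name resolves forward to the same address. The addresses and names below are constructed placeholders, and `live_lookup` is an assumed helper for doing the same against real DNS.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample records (not real data): one PTR whose name resolves
# back to the same address, one vanity PTR whose name points elsewhere, and
# an address with no PTR at all.
FAKE_PTR: Dict[str, str] = {
    "203.0.113.7": "host.example.net",
    "203.0.113.8": "vanity.example",
}
FAKE_A: Dict[str, List[str]] = {
    "host.example.net": ["203.0.113.7"],
    "vanity.example": ["198.51.100.20"],
}

def fake_lookup(ip: str) -> Tuple[str, List[str]]:
    """Offline resolver: (PTR name, forward addresses of that name)."""
    name = FAKE_PTR.get(ip, "")
    return name, FAKE_A.get(name, [])

def live_lookup(ip: str) -> Tuple[str, List[str]]:
    """Same contract using the system stub resolver (needs network)."""
    try:
        name = socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return "", []
    try:
        addrs = socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        addrs = []
    return name, addrs

def classify(ip: str, lookup: Callable[[str], Tuple[str, List[str]]] = fake_lookup) -> str:
    """Return 'no-ptr', 'confirmed' or 'unconfirmed' for one source address.

    'unconfirmed' is the case the thread worries about: the name appears in
    the log only because whoever controls the reverse zone for that address
    chose it, and the name's own A record does not point back, so it says
    nothing reliable about who operates the machine.
    """
    name, addrs = lookup(ip)
    if not name:
        return "no-ptr"
    return "confirmed" if ip in addrs else "unconfirmed"

def triage(ips: List[str], lookup=fake_lookup) -> Dict[str, str]:
    """Classify each distinct address pulled from a log extract."""
    return {ip: classify(ip, lookup) for ip in sorted(set(ips))}
```

Only a "confirmed" result justifies treating the hostname as a fact about the operator; for the other two outcomes the address itself is the only reliable identifier.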