<div dir="ltr"><div><div><div><a href="http://afraid.org">afraid.org</a> is a community-driven dynamic DNS provider. <br></div>You can donate domain names to it and they make subdomains of those domain names available to everyone.<br><br></div>That said - it is certainly abused by bad guys, too.<br><br></div> -dan<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 2, 2015 at 11:50 AM, Joshua Judson Rosen <span dir="ltr"><<a href="mailto:rozzin@hackerposse.com" target="_blank">rozzin@hackerposse.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 2015-12-02 08:41, Ric Werme wrote:<br>
> Oh how cute. After a break yesterday AM, the "assault" resumed. One new actor<br>
> is from <a href="http://abuser.eu" rel="noreferrer" target="_blank">abuser.eu</a>. My guess is that's an official site that is investigating<br>
> the malware, as the registration info is impossibly brief:<br>
><br>
> $ whois <a href="http://abuser.eu" rel="noreferrer" target="_blank">abuser.eu</a><br>
><br>
> Domain: <a href="http://abuser.eu" rel="noreferrer" target="_blank">abuser.eu</a><br>
><br>
> Registrant:<br>
> NOT DISCLOSED!<br>
> Visit <a href="http://www.eurid.eu" rel="noreferrer" target="_blank">www.eurid.eu</a> for webbased whois.<br>
</span>[...]<br>
<span class="">> Oh - that's just boilerplate and probably prints on all queries<br>
<br>
</span>The info in the `webbased whois' is a little weird, too:<br>
<br>
Registrant:<br>
Language: English<br>
Email: <a href="mailto:abuser.eu@gmail.com">abuser.eu@gmail.com</a><br>
<br>
Onsite:<br>
Name: Hostmaster Of The Day<br>
Organisation: InterNetworX Ltd. & Co. KG<br>
<br>
<br>
Either it's actually owned/operated by InterNetworX, or<br>
whoever owns that domain is effectively behind two layers<br>
of `registrant privacy' obfuscation (one being the .eu<br>
`we really do whois--go see the website instead' thing;<br>
the second layer being the lack of real info from the registrar).<br>
<br>
Information that we _can_ glean from the <a href="http://abuser.eu" rel="noreferrer" target="_blank">abuser.eu</a> whois data<br>
is that their DNS is hosted by <a href="http://afraid.org" rel="noreferrer" target="_blank">afraid.org</a>. Not sure what that<br>
tells us. If it's just forward DNS, I'd take the <a href="http://afraid.org" rel="noreferrer" target="_blank">afraid.org</a> DNS<br>
as suggesting that it's probably a personal machine on a consumer<br>
internet connection. But if you're getting "<a href="http://abuser.eu" rel="noreferrer" target="_blank">abuser.eu</a>" from a<br>
*reverse* lookup, that's presumably not the case.<br>
<br>
But if a major organisation (InterNetworX?) actually owns the domain,<br>
why is the contact address something at <a href="http://gmail.com" rel="noreferrer" target="_blank">gmail.com</a>?<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."<br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
gnhlug-discuss mailing list<br>
<a href="mailto:gnhlug-discuss@mail.gnhlug.org">gnhlug-discuss@mail.gnhlug.org</a><br>
<a href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/" rel="noreferrer" target="_blank">http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/</a><br>
</div></div></blockquote></div><br></div>
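<p>The checks the thread reasons through by hand (a withheld registrant block, a free-mail contact address sitting next to an organisational onsite record, and name servers at a dynamic DNS provider) can be turned into a small parser over the whois text. The following is an added example written for this page, not code from any poster on the thread: the whois sample is constructed to mirror the quoted EURid-style layout, and the free-mail and dynamic-DNS lists are illustrative assumptions, not authoritative data.</p>

```python
"""Parse EURid-style whois output and flag the registrant-obfuscation
signals discussed in the thread. Runs offline: the whois text below is a
constructed sample, not a live lookup."""

import re

# Constructed sample, modelled on the `webbased whois' output quoted in
# the thread. The domain and organisation names are placeholders.
SAMPLE_WHOIS = """\
Domain: example-domain.eu

Registrant:
NOT DISCLOSED!
Visit www.eurid.eu for webbased whois.

Registrant:
Language: English
Email: example-domain.eu@gmail.com

Onsite:
Name: Hostmaster Of The Day
Organisation: Example Registrar Ltd. & Co. KG

Name servers:
ns1.afraid.org
ns2.afraid.org
"""

# Assumed, illustrative lists; a real deployment would maintain its own.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
DYNAMIC_DNS_PROVIDERS = {"afraid.org"}

HEADER_OR_FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")


def parse_whois(text):
    """Split whois text into sections keyed by header ("Registrant",
    "Onsite", ...). Each section maps "Field" -> value; lines without a
    colon are kept in order under "_lines". Fields before any header go
    under "_top". A header printed twice (EURid emits "Registrant:" for
    both the NOT DISCLOSED banner and the real block) is merged."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_OR_FIELD.match(line)
        if m and m.group(2) == "":
            # A bare "Name:" line opens (or re-opens) a section.
            current = m.group(1)
            sections.setdefault(current, {"_lines": []})
            continue
        if current is None:
            current = "_top"
            sections.setdefault(current, {"_lines": []})
        if m:
            sections[current][m.group(1)] = m.group(2)
        else:
            sections[current]["_lines"].append(line)
    return sections


def registrant_findings(sections):
    """Apply the thread's observations as mechanical checks and return
    the list of signals that fire, in a fixed order."""
    findings = []
    reg = sections.get("Registrant", {"_lines": []})
    if any("NOT DISCLOSED" in l.upper() for l in reg["_lines"]):
        findings.append("registrant-not-disclosed")

    # Contact address at a free-mail provider while the onsite record
    # names an organisation: the inconsistency the thread asks about.
    email = reg.get("Email", "")
    mail_domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    org = sections.get("Onsite", {}).get("Organisation", "")
    if mail_domain in FREEMAIL_DOMAINS and org:
        findings.append("freemail-contact-with-organisation")

    # Name servers at a community dynamic-DNS provider.
    ns = sections.get("Name servers", {"_lines": []})["_lines"]
    if any(n.lower().rsplit(".", 2)[-2:] == p.split(".")
           for n in ns for p in DYNAMIC_DNS_PROVIDERS):
        findings.append("dynamic-dns-nameservers")
    return findings


if __name__ == "__main__":
    parsed = parse_whois(SAMPLE_WHOIS)
    print(parsed["_top"]["Domain"], registrant_findings(parsed))
```

<p>The parser keeps the raw banner lines separate from "Field: value" pairs so that boilerplate such as the NOT DISCLOSED notice (which, as Ric notes, prints on every query) can be recognised without being mistaken for a field.</p>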