How to decide what IP to block?


4 replies to this topic

#1 tos226
BleepIN--BleepOUT, Members, 1,574 posts

Posted 29 June 2009 - 11:47 AM

Bottom line first since this is a long post: how can we tell whether an item in the various IP block lists, used in some firewalls and other applications, is a false positive or whether a website has been hacked? I hit a real example recently (on a totally reputable site) and collected some data today. While I don't need the download link since I already use PG2, I'd still like to come to grips with the approach.

In this help screen for PeerGuardian
http://wiki.phoenixlabs.org/wiki/Running_P..._system_service
is a section with two download links

Requirements
Windows 2000/XP/2003
Administrator priviliges on the machine
PeerGuardian 2 (latest version from HERE)
The Windows 2003 Resource Kit Tools (available HERE)
Step-by-step installation


The link to the first HERE has a double // inside the URL (http://http://phoenixlabs.org/pg2/) and goes to IP=205.234.170.212.
This IP is in several well-crafted IP block lists, but might be a false positive.
In any case, ironically, their own PeerGuardian blocks the download as follows:

09:42:55; download.antispyware2009.com; 192.168.2.60:1185; 205.234.170.212:80; TCP; Blocked
09:42:58; download.antispyware2009.com; 192.168.2.60:1185; 205.234.170.212:80; TCP; Blocked
09:43:04; download.antispyware2009.com; 192.168.2.60:1185; 205.234.170.212:80; TCP; Blocked
09:43:15; download.antispyware2009.com; 192.168.2.60:1188; 205.234.170.212:80; TCP; Blocked


NSLOOKUP says:

Name: systems.tiggee.net
Address: 205.234.170.212


DNSstuff says:

Server Central Network SCN-4 (NET-205-234-128-0-1)
205.234.128.0 - 205.234.255.255
Tiggee LLC SCNET-205-234-170-0 (NET-205-234-170-0-1)
205.234.170.0 - 205.234.170.255


Karen's WhoIs says

WhoIs Lookup performed by Karen's WhoIs
http://www.karenware.com/

OrgName: Server Central Network
OrgID: SCN-18
Address: 209 W. Jackson Blvd.
Address: Suite 700
City: Chicago
StateProv: IL
PostalCode: 60606
Country: US

ReferralServer: rwhois://rwhois.servercentral.net:4321

NetRange: 205.234.128.0 - 205.234.255.255
CIDR: 205.234.128.0/17
NetName: SCN-4
NetHandle: NET-205-234-128-0-1
Parent: NET-205-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.SCSERVERS.COM
NameServer: NS2.SCSERVERS.COM
Comment:
RegDate: 2004-04-29
Updated: 2005-03-07
OrgAbuseHandle: ABUSE1669-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-312-829-1111
OrgAbuseEmail: abuse@servercentral.net

OrgNOCHandle: NETWO1779-ARIN
OrgNOCName: Network Operations
OrgNOCPhone: +1-312-829-1111
OrgNOCEmail: support@servercentral.net

OrgTechHandle: NETWO1779-ARIN
OrgTechName: Network Operations
OrgTechPhone: +1-312-829-1111
OrgTechEmail: support@servercentral.net

OrgName: Tiggee LLC
OrgID: TIGGE
Address: 11513 Sunset Hills Rd.
City: Reston
StateProv: VA
PostalCode: 20190
Country: US

NetRange: 205.234.170.0 - 205.234.170.255
CIDR: 205.234.170.0/24
NetName: SCNET-205-234-170-0
NetHandle: NET-205-234-170-0-1
Parent: NET-205-234-128-0-1
NetType: Reallocated
NameServer: NS0.DNSMADEEASY.COM
NameServer: NS1.DNSMADEEASY.COM
NameServer: NS2.DNSMADEEASY.COM
NameServer: NS3.DNSMADEEASY.COM
NameServer: NS4.DNSMADEEASY.COM
Comment:
RegDate: 2006-04-18
Updated: 2006-04-18

OrgAbuseHandle: ABUSE699-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-703-636-4198
OrgAbuseEmail: abuse@tiggee.com

OrgTechHandle: TECH140-ARIN
OrgTechName: Tech
OrgTechPhone: +1-703-935-1598
OrgTechEmail: tech@tiggee.com

# ARIN WHOIS database, last updated 2009-06-28 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.


OPERA SOURCE view of the page says:

<a name="Requirements"></a><h2> <span class="mw-headline"> Requirements </span></h2>
<ol><li>Windows 2000/XP/2003
</li><li>Administrator priviliges on the machine
</li><li>PeerGuardian 2 (latest version from <a href="http://http://phoenixlabs.org/pg2/" class="external text" title="http://http://phoenixlabs.org/pg2/" rel="nofollow">HERE</a>)
</li><li>The Windows 2003 Resource Kit Tools (available <a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&amp;displaylang=en" class="external text" title="http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&amp;displaylang=en" rel="nofollow">HERE</a>)
</li></ol>
<a name="Step-by-step_installation"></a><h2> <span class="mw-headline"> Step-by-step installation </span></h2>
<a name="Step_1"></a><h3> <span class="mw-headline"> Step 1 </span></h3>


The Privoxy log just reflects no connection since PG2 zapped it:

Jun 29 09:38:55.921 00000ecc Request: wiki.phoenixlabs.org/wiki/Running_PeerGuardian_2_as_a_system_service
Jun 29 09:38:55.921 00000764 Request: sitecheck2.opera.com/?host=wiki.phoenixlabs.org&hdn=GF6IdIu044rjLK3Ddk8lNA==
Jun 29 09:38:56.500 000005ac Request: wiki.phoenixlabs.org/skins/common/shared.css?97
Jun 29 09:38:56.500 00000500 Request: wiki.phoenixlabs.org/skins/common/commonPrint.css?97
Jun 29 09:38:56.500 0000073c Crunch: Blocked: http://wiki.phoenixlabs.org/favicon.ico
Jun 29 09:38:56.515 000004b8 Request: wiki.phoenixlabs.org/index.php?title=MediaWiki:Monobook.css&usemsgcache=yes&action=raw&ctype=text/css&smaxage=18000
Jun 29 09:38:56.515 0000020c Request: wiki.phoenixlabs.org/skins/monobook/main.css?97
Jun 29 09:38:56.531 000004e4 Request: wiki.phoenixlabs.org/index.php?title=MediaWiki:Common.css&usemsgcache=yes&action=raw&ctype=text/css&smaxage=18000
Jun 29 09:38:56.531 000004b0 Request: wiki.phoenixlabs.org/index.php?title=-&action=raw&gen=css&maxage=18000
Jun 29 09:38:57.625 00000860 Request: wiki.phoenixlabs.org/skins/monobook/headbg.jpg
Jun 29 09:38:57.625 00000888 Request: wiki.phoenixlabs.org/skins/monobook/bullet.gif
Jun 29 09:38:57.625 0000088c Request: wiki.phoenixlabs.org/skins/monobook/external.png
Jun 29 09:38:57.640 00000190 Request: wiki.phoenixlabs.org/skins/monobook/user.gif
Jun 29 09:38:57.640 00000870 Request: wiki.phoenixlabs.org/skins/common/images/wiki.png
Jun 29 09:38:57.656 00000250 Request: wiki.phoenixlabs.org/skins/common/images/poweredby_mediawiki_88x31.png
Jun 29 09:38:57.656 000004cc Request: creativecommons.org/images/public/somerights20.png
Jun 29 09:42:55.671 00000acc Request: www.http.com/
Jun 29 09:43:15.687 00000b80 Request: www.http.com//phoenixlabs.org/pg2/
Jun 29 09:43:15.687 00000b84 Request: sitecheck2.opera.com/?host=www.http.com&hdn=ts6Wke0oD6xaAKJaQvk7Yw==
Jun 29 09:43:17.109 00000acc Crunch: Connection failure: http://www.http.com/
Jun 29 09:43:36.828 00000b80 Crunch: Connection failure: http://www.http.com//phoenixlabs.org/pg2/
Jun 29 09:43:36.906 00000d10 Crunch: CGI Call: http://config.privoxy.org/error-favicon.ico


Needless to say, AV would kick in on bad download. Still, what if I ignored the pre-download alerts?

#2 01d5od
Members, 13 posts

Posted 29 June 2009 - 03:27 PM

Repeat the check in Karen's WhoIs again, but this time for 'download.antispyware2009.com'.
Now compare the original previously posted whois results with the latest results.
Notice the very same DNS name servers in both results?
These ones:
ns0.dnsmadeeasy.com
ns1.dnsmadeeasy.com
ns2.dnsmadeeasy.com
ns3.dnsmadeeasy.com
ns4.dnsmadeeasy.com

We could just skip the www.download part from the url, as the url is properly just 'antispyware2009.com' (another whois lookup will reveal the same info for both download.antispyware2009.com and antispyware2009.com).

See

http://www.robtex.com/dns/tiggee.net.html

and

http://www.robtex.com/dns/antispyware2009.com.html

So yes, these are the actual DNS IPs for the antispyware2009.com site.
It coincides with the same IP for tiggee.net.
Both share the same name servers and the same AS16552 (TIGGEE LLC) domain.

By blocking the IPs seen in PG2 for antispyware2009.com, you are blocking off the name servers and the domain.
This would be the 'home' for this malware server(s).

But the files probably used to be spread out to the web are shown as cached on:

75.125.0.0/16
ThePlanet.com Internet Services, Inc.

(this was seen in the beginning) from here:

http://www.robtex.com/dns/antispyware2009.com.html

Theplanet.com is just another 'content delivery network', albeit theplanet.com is well known for caching and delivering well-known malware.
Almost famous for delivering malware.

Can just theplanet.com IP be blocked off?

It would involve blocking off the IP 75.125.241.58 seen listed here:

http://www.robtex.com/ip/75.125.241.58.html

This block would work for a while...until theplanet.com changes the files around or changes the servers around...it probably is not a statically assigned IP for antispyware2009.com..it could be moving.
So blocking off the IP of 75.125.241.58 may not work permanently, and secondly the DNS lookup would still be made.

So the final choice to block off 75.125.241.58 is by the name server from tiggee.
This blocks off both the name lookups and their home servers - in which case the cached server content may never have a chance.

Richard.
ZA Pro & Avira antivirus & SSM Pro & Privoxy & Protowall & Opera for security. Topped off with a limited user account on fully updated XP HE SP3.
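The cross-check described in the reply above, as an added example that is not part of the thread and not PeerGuardian's own code: a Python script that parses the PG2 log lines quoted in the first post, looks each blocked destination up in rDNS, whois and name-server tables, and reports whether the hostname that triggered the block and the rDNS name of the IP share name servers and sit in the same allocation. The tables are constructed from the values quoted in this thread so the script runs offline (live data would come from dig -x, dig NS and whois); the function names and the "dedicated" heuristic are assumptions of the example.

```python
"""Added example (not from the thread): parse the PeerGuardian 2 log lines
quoted in the first post and check each blocked destination against rDNS,
whois and name-server data, the way the replies do by hand.

All lookup tables are constructed from values quoted in the thread so the
script runs offline; live data would come from `dig -x`, `dig NS`, `whois`.
"""
import ipaddress
from collections import Counter

# Constructed input: the four PG2 log lines from the first post.
PG2_LOG = """\
09:42:55; download.antispyware2009.com; 192.168.2.60:1185; 205.234.170.212:80; TCP; Blocked
09:42:58; download.antispyware2009.com; 192.168.2.60:1185; 205.234.170.212:80; TCP; Blocked
09:43:04; download.antispyware2009.com; 192.168.2.60:1185; 205.234.170.212:80; TCP; Blocked
09:43:15; download.antispyware2009.com; 192.168.2.60:1188; 205.234.170.212:80; TCP; Blocked
"""

# Constructed tables (values as quoted in the thread; an assumption, not live data).
DNSMADEEASY = {f"ns{i}.dnsmadeeasy.com" for i in range(5)}
NS_RECORDS = {"tiggee.net": DNSMADEEASY, "antispyware2009.com": set(DNSMADEEASY)}
PTR_RECORDS = {"205.234.170.212": "systems.tiggee.net"}
WHOIS_NETS = {
    "205.234.128.0/17": {"org": "Server Central Network", "asn": None},
    "205.234.170.0/24": {"org": "Tiggee LLC", "asn": "AS16552"},
    "75.125.0.0/16": {"org": "ThePlanet.com Internet Services, Inc.", "asn": None},
}


def parse_pg2_log(text):
    """Parse PG2's 'time; label; src; dst; proto; action' lines into dicts."""
    events = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 6:
            continue  # blank or malformed line
        when, label, src, dst, proto, action = fields
        dst_ip, dst_port = dst.rsplit(":", 1)
        events.append({"time": when, "label": label, "src": src, "dst_ip": dst_ip,
                       "dst_port": int(dst_port), "proto": proto, "action": action})
    return events


def registrable(name):
    """Last two labels of a hostname: a crude stand-in for the registrable domain."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def most_specific_net(ip):
    """(cidr, whois record) of the smallest listed allocation containing ip."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(c), rec) for c, rec in WHOIS_NETS.items()
            if addr in ipaddress.ip_network(c)]
    if not hits:
        return None, None
    net, rec = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), rec


def shared_name_servers(domain_a, domain_b):
    """Name servers both domains use; empty if either is unknown."""
    return NS_RECORDS.get(domain_a, set()) & NS_RECORDS.get(domain_b, set())


def assess(events):
    """For each blocked (label, dst_ip) pair, collect what DNS and whois say."""
    report = {}
    hits = Counter((e["label"], e["dst_ip"]) for e in events if e["action"] == "Blocked")
    for (label, ip), count in hits.items():
        ptr = PTR_RECORDS.get(ip)
        cidr, rec = most_specific_net(ip)
        shared = shared_name_servers(registrable(label), registrable(ptr)) if ptr else set()
        # Heuristic (an assumption of this example): treat the IP as the rDNS
        # owner's own infrastructure, not a shared hosting node, when the blocked
        # name and the rDNS name share name servers AND the reallocated net is
        # registered to the organisation named in the rDNS. A shared CDN node
        # fails this test, and that is where a list entry is most likely a
        # false positive for everyone else hosted on the same address.
        org = rec["org"] if rec else ""
        owner = org.split()[0].lower() if org else None
        dedicated = bool(shared) and owner is not None and owner in registrable(ptr)
        report[(label, ip)] = {"blocked": count, "ptr": ptr, "net": cidr,
                               "org": org or None, "asn": rec["asn"] if rec else None,
                               "shared_ns": sorted(shared), "dedicated": dedicated}
    return report


if __name__ == "__main__":
    for key, info in assess(parse_pg2_log(PG2_LOG)).items():
        print(key, info)
```

For the thread's data the report says the blocked name resolves into Tiggee's own /24, its rDNS is under tiggee.net, and both domains use the same DNS Made Easy servers, so the entry looks like the operator's own infrastructure rather than a false positive on a shared host. An IP that fell only under a large hosting range such as 75.125.0.0/16 with no shared name servers would need a second look before blocking, since other tenants would be caught too.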

#3 01d5od
Members, 13 posts

Posted 29 June 2009 - 03:46 PM

Checking phoenixlabs.org/pg2 shows the IP as 208.67.217.132
(did a quick nslookup for 208.67.217.132)

See here:

http://www.robtex.com/ip/208.67.217.132.html

goes to OpenDNS, which is not just a DNS server but is also a cached content delivery network. In this case for phoenixlabs.org.

Where is phoenixlabs actually located?
Here:
http://www.robtex.com/ip/72.36.170.34.html

Richard.

#4 tos226
BleepIN--BleepOUT, Topic Starter, Members, 1,574 posts

Posted 29 June 2009 - 07:49 PM

Thank you. That's impressive.
This is not easy detective work, is it?
I've followed the links you suggested, and clearly see what you answered.
But I'm still not 100% sure how to decide whether the link to the PG2 download (first HERE) is or isn't to the crapware site.
And so that's my problem. Can you connect a few more dots for me, please?

And why does the link have that double // in the URL? I've never seen one like it. Or perhaps I should ask whether there is any significance to it: 'http://http://phoenixlabs.org/pg2/'

Just slightly off topic - the reason I hit this article is because PG2 will only run in an admin account, and making it a service will permit any user, which I'd like to be able to do since I do switch, sometimes.

Edited by tos226, 29 June 2009 - 07:52 PM.


#5 01d5od
Members, 13 posts

Posted 29 June 2009 - 08:49 PM

The correct URL is http://phoenixlabs.org/pg2/ of course.

Why the 'double http'?
I do not know, but it is a mistake.
As to whether the author made the mistake by accident, or it is an attempt not to show an ftp:// and just show a regular http, or perhaps even an extra http:// added externally by the site's scripts that automatically add an http:// to every external URL seen, it is hard to say which direction this goes.
Richard.
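What a client actually does with that doubled link, as an added example that is not part of the thread and not the wiki's or PeerGuardian's code: a Python script that pulls the hrefs out of the "Requirements" markup quoted in the first post, shows that standard URL parsing of http://http://phoenixlabs.org/pg2/ yields the host "http" with the path "//phoenixlabs.org/pg2/" (Opera then expanded that bare single-label host to www.http.com, which is exactly what the Privoxy log in the first post recorded), flags such links, and strips the outer scheme. The function names and the repair rule are assumptions of the example.

```python
"""Added example (not from the thread): show where a client is sent by the
'http://http://phoenixlabs.org/pg2/' link on the wiki page, and audit a
page's links for that doubled-scheme mistake.

WIKI_HTML is the "Requirements" markup quoted in the first post; the
function names and the repair rule are this example's own assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

WIKI_HTML = """\
<ol><li>Windows 2000/XP/2003
</li><li>Administrator priviliges on the machine
</li><li>PeerGuardian 2 (latest version from <a href="http://http://phoenixlabs.org/pg2/" class="external text" title="http://http://phoenixlabs.org/pg2/" rel="nofollow">HERE</a>)
</li><li>The Windows 2003 Resource Kit Tools (available <a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&amp;displaylang=en" class="external text" title="http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&amp;displaylang=en" rel="nofollow">HERE</a>)
</li></ol>
"""

SCHEME_NAMES = {"http", "https", "ftp"}


class HrefCollector(HTMLParser):
    """Collect href values of <a> tags (HTMLParser decodes &amp; in attributes)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def extract_hrefs(html):
    parser = HrefCollector()
    parser.feed(html)
    return parser.hrefs


def effective_target(url):
    """(host, path) a client uses for url under RFC 3986 parsing.

    For 'http://http://phoenixlabs.org/pg2/' the authority is 'http:' (host
    'http', empty port) and the path is '//phoenixlabs.org/pg2/'. Opera then
    completed the single-label host to www.http.com, which is the request the
    Privoxy log shows; nothing ever asked for phoenixlabs.org."""
    parts = urlsplit(url)
    return parts.hostname, parts.path


def has_doubled_scheme(url):
    """True when the authority is itself a scheme name and the path starts with '//'."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower() in SCHEME_NAMES and parts.path.startswith("//")


def repair_doubled_scheme(url):
    """Drop the outer 'scheme://' and re-parse; repeats for multiple doubling."""
    if not has_doubled_scheme(url):
        return url
    parts = urlsplit(url)
    inner = f"{parts.hostname}:{parts.path}"  # 'http' + ':' + '//phoenixlabs.org/pg2/'
    if parts.query:
        inner += "?" + parts.query
    if parts.fragment:
        inner += "#" + parts.fragment
    return repair_doubled_scheme(urlunsplit(urlsplit(inner)))


def audit_links(html):
    """hrefs in html that would send the reader to the wrong host."""
    return [h for h in extract_hrefs(html) if has_doubled_scheme(h)]


if __name__ == "__main__":
    for href in extract_hrefs(WIKI_HTML):
        flag = "doubled scheme" if has_doubled_scheme(href) else "ok"
        print(href, "->", effective_target(href), flag)
    print(repair_doubled_scheme("http://http://phoenixlabs.org/pg2/"))
```

The practical point for the original question: the PG2 block on 205.234.170.212 was not triggered by the phoenixlabs.org download at all, because the malformed link never reached phoenixlabs.org. Before judging a blocklist hit, confirm which host the client really contacted (the Privoxy "Request:" line here, or a packet capture) rather than the host the link text suggests.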



