** server can’t find http:cstracking1.com: NXDOMAIN (no resource record found for a query - DNS hacking involved?)
trying to find data on htxp://cstracking1.com/cgi-bin/CScash.cgi/etc.
personal site with sites dot google dot com (found as a second header location redirect…)
IDS alert for ET RBN Known Russian Business Network IP (139) severity 3
Of course we have to establish if the server is a dedicated server or not: http://www.robtex.com/ip/
Simply see if there is one site or how many more sites show up.
What is also important is domain registration info and server migrational patterns.
If these data have been collected over a period of time we can do our extrapolations.
Here I checked this unknown_html_RFI_eval malware on: htxp://js.tongji.linezing.com/2259080/tongji.js
HTTP Status 404 - /domain/%20htxp://js.tongji.linezing.com/2259080/tongji.js
header re-direct via Via: htxp/1.1 cn11 (ApacheTrafficServer/3.0.2 [cMsSfW]) (the former Yahoo commercial web-cache server)
DNS server handling your query: localhost
DNS server’s address: 127.0.0.1#53 11004 [11004] Valid name, no data record (check DNS setup)
Next step here is that I will introduce a couple of other resources to combine in our IP investigations. All this data can be combined with data that come from particular malware analysis (wepawet, anubis, comodo site-inspector, non-commercial ones like scumware dot org, safersite.de etc. etc.). Then there are special resources security researchers use and these can be used additionally. First we introduce sitevet at http://sitevet.com/ that can also be used as a research tool.
Then we have http://hosts-file.net/?s= followed by a particular IP, a resource that is being used by a lot of other resources (e.g. badmalweb).
First we should start out with the data we get from robtex, then we could compare what they have on http://www.ipillion.com/
For attack patterns we could also visit bizimbal’s Offensive IP Database Query Page at http://www.bizimbal.com/
Of course we google up on the data we stumble upon in combination with other information (logs, IDS alerts, etc. etc.)
Let us start with a suspicious example like: 613843 2012-08-18 goooooooglee dot com 202.59.152.107 38186 htxp://goooooooglee.com/delltvn/
So one thing leads to another…
As an extra, something additional about the code in the image attached to my previous posting. There we stumbled on this tool: axad.shinobi.jp
忍者TOOLS and then we land here at this analysis: http://www.threatexpert.com/report.aspx?md5=69114c2bbf4a31701f83b2a1e36632c5
Malware and another interesting resource for us we have here: http://www.projecthoneypot.org/ip_222.88.95.11
And here we get the reward for our searching excavations, we delve up a bad host appearance also for our IP from the previous investigation: http://www.projecthoneypot.org/ip_202.59.152.107 e.g. 1 appearance(s) in spam e-mail or spam post urls and that was 2 weeks ago approx.
So folks, remember this projecthoneypot.org query in your quests and hunts!
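As an added example (not code from the poster), the pivot routine described in this thread in script form: it refangs an entry written in the "dot"/"htxp" style, validates the IP, builds the lookup URLs for the robtex, hosts-file.net and projecthoneypot resources named above, and labels the two resolver messages quoted (NXDOMAIN versus "no data record"). The sample entry is constructed from the one in the thread, and treating its fifth field as an ASN is an assumption.

```python
import ipaddress
import re

# Constructed sample entry in the defanged style used in this thread
# ("dot" for ".", "htxp" for "http"): id, date, domain, IP, ASN, URL.
# The ASN reading of the fifth field is an assumption.
SAMPLE_ENTRY = ("613843 2012-08-18 goooooooglee dot com 202.59.152.107 "
                "38186 htxp://goooooooglee.com/delltvn/")

def refang(text):
    """Turn the thread's defanged notation back into a real indicator."""
    text = re.sub(r"\s+dot\s+", ".", text, flags=re.IGNORECASE)
    return re.sub(r"\bhtxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)

def parse_entry(line):
    """Split 'id date domain ip [asn] [url]' into a dict; raises on a bad IP."""
    parts = refang(line).split()
    if len(parts) < 4:
        raise ValueError("entry too short: %r" % line)
    entry = {"id": parts[0], "date": parts[1], "domain": parts[2], "ip": parts[3],
             "asn": parts[4] if len(parts) > 4 else None,
             "url": parts[5] if len(parts) > 5 else None}
    ipaddress.ip_address(entry["ip"])  # ValueError if this is not an IP address
    return entry

def pivots(entry):
    """Lookup URLs for the IP resources named in the thread (robtex,
    hosts-file.net, projecthoneypot); private or reserved IPs get none."""
    ip = ipaddress.ip_address(entry["ip"])
    if not ip.is_global:
        return {}
    return {
        "robtex": "http://www.robtex.com/ip/%s" % ip,
        "hosts-file": "http://hosts-file.net/?s=%s" % ip,
        "projecthoneypot": "http://www.projecthoneypot.org/ip_%s" % ip,
    }

def classify_dns(message):
    """Label a resolver message: NXDOMAIN means the name does not exist at all,
    NODATA means the name exists but has no record of the requested type."""
    m = message.lower()
    if "nxdomain" in m:
        return "NXDOMAIN"
    if "valid name, no data record" in m:
        return "NODATA"
    return "OTHER"

if __name__ == "__main__":
    for name, url in pivots(parse_entry(SAMPLE_ENTRY)).items():
        print(name, url)
```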