On 2015-12-02 08:41, Ric Werme wrote:
> Oh how cute.  After a break yesterday AM, the "assault" resumed.  One new 
> actor
> is from abuser.eu.  My guess is that's an official site that is investigating
> the malware, as the registration info is impossibly brief:
> 
> $ whois abuser.eu
> 
>   Domain: abuser.eu
> 
>   Registrant:
>           NOT DISCLOSED!
>           Visit www.eurid.eu for webbased whois.
[...]
> Oh - that's just boilerplate and probably prints on all queries

The info in the `webbased whois' is a little weird, too:

        Registrant:
                Language: English
                Email: abuser...@gmail.com

        Onsite:
                Name: Hostmaster Of The Day
                Organisation: InterNetworX Ltd. & Co. KG


Either it's actually owned/operated by InterNetworX, or
whoever owns that domain is effectively behind two layers
of `registrant privacy' obfuscation (one being the .eu
`we really do whois--go see the website instead' thing;
the second layer being the lack of real info from the registrar).

Information that we _can_ glean from the abuser.eu whois data
is that their DNS is hosted by afraid.org. Not sure what that
tells us. If it's just forward DNS, I'd take the afraid.org DNS
as suggesting that it's probably a personal machine on a consumer
internet connection. But if you're getting "abuser.eu" from a
*reverse* lookup, that's presumably not the case.

But if a major organisation (InterNetworX?) actually owns the domain,
why is the contact address something at gmail.com?

-- 
"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."
_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
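The forward-versus-reverse distinction drawn in the reply above is worth checking mechanically rather than by eye: whoever holds the address block (or is delegated its in-addr.arpa zone) controls the PTR record and can put any name there, so a reverse lookup returning "abuser.eu" proves nothing until the name resolves back to the same address. The script below is an added example, not code posted by anyone on this list. It implements forward-confirmed reverse DNS (FCrDNS) plus a small heuristic for ISP-style generic reverse names, against constructed lookup tables (RFC 5737 documentation addresses, hypothetical hostnames) so it runs offline; the `fake_ptr`/`fake_a` tables, the `fcrdns` and `looks_generic` helpers, and the `system_ptr`/`system_a` wrappers around the stdlib resolver are all assumptions for illustration.

```python
import re
import socket

# Constructed lookup tables standing in for real DNS so the example runs
# offline. Addresses are from RFC 5737 documentation ranges and the names
# are hypothetical; this is NOT real data about abuser.eu or anyone else.
FAKE_PTR = {
    "198.51.100.10": ["host.example.net."],        # PTR that forward-confirms
    "198.51.100.11": ["abuser.eu."],               # PTR claims a name that does not point back
    "203.0.113.5": ["203-0-113-5.dyn.example-isp.net."],  # generic consumer-style rDNS
}
FAKE_A = {
    "host.example.net.": ["198.51.100.10"],
    "abuser.eu.": ["192.0.2.44"],
    "203-0-113-5.dyn.example-isp.net.": ["203.0.113.5"],
}


def fake_ptr(ip):
    """PTR lookup against the constructed table (list of names, possibly empty)."""
    return FAKE_PTR.get(ip, [])


def fake_a(name):
    """A lookup against the constructed table (list of IPv4 strings, possibly empty)."""
    return FAKE_A.get(name, [])


def system_ptr(ip):
    """PTR lookup via the OS resolver; same shape as fake_ptr. Not used by the test."""
    try:
        return [socket.gethostbyaddr(ip)[0].rstrip(".") + "."]
    except OSError:  # socket.herror / gaierror on NXDOMAIN, timeout, etc.
        return []


def system_a(name):
    """A lookup via the OS resolver; same shape as fake_a. Not used by the test."""
    try:
        infos = socket.getaddrinfo(name.rstrip("."), None, socket.AF_INET)
        return sorted({sockaddr[0] for *_, sockaddr in infos})
    except OSError:
        return []


def fcrdns(ip, ptr_lookup=fake_ptr, a_lookup=fake_a):
    """Forward-confirmed reverse DNS.

    Returns (status, names):
      'none'         no PTR record at all
      'confirmed'    at least one PTR name has an A record back to ip
      'unconfirmed'  PTR name(s) exist but none resolve back to ip
    Only 'confirmed' says the address holder and the name holder agree.
    """
    names = ptr_lookup(ip)
    if not names:
        return "none", []
    confirmed = [n for n in names if ip in a_lookup(n)]
    if confirmed:
        return "confirmed", confirmed
    return "unconfirmed", names


def looks_generic(name, ip):
    """Heuristic: ISP-assigned reverse names usually embed the address octets
    (e.g. 203-0-113-5.dyn.example-isp.net). True if every octet of ip appears
    as a separate token in name. Misses hex-encoded styles; treat as a hint."""
    tokens = set(re.split(r"[^0-9a-zA-Z]+", name.lower()))
    return all(octet in tokens for octet in ip.split("."))


def report(ips, ptr_lookup=fake_ptr, a_lookup=fake_a):
    """Classify each address; returns {ip: (status, names, generic_flag)}."""
    out = {}
    for ip in ips:
        status, names = fcrdns(ip, ptr_lookup, a_lookup)
        generic = any(looks_generic(n, ip) for n in names)
        out[ip] = (status, names, generic)
    return out


if __name__ == "__main__":
    for ip, (status, names, generic) in report(sorted(FAKE_PTR)).items():
        tag = " (generic ISP-style name)" if generic else ""
        print(f"{ip:16} {status:12} {' '.join(names) or '-'}{tag}")
```

Swap `fake_ptr`/`fake_a` for `system_ptr`/`system_a` to run it against live DNS; the point of the "unconfirmed" branch is exactly the case in the thread, a PTR record naming a domain whose own A record points somewhere else.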