On 2015-12-02 08:41, Ric Werme wrote:
> Oh how cute. After a break yesterday AM, the "assault" resumed. One new
> actor is from abuser.eu. My guess is that's an official site that is
> investigating the malware, as the registration info is impossibly brief:
>
> $ whois abuser.eu
>
> Domain: abuser.eu
>
> Registrant:
> NOT DISCLOSED!
> Visit www.eurid.eu for webbased whois.
[...]
> Oh - that's just boilerplate and probably prints on all queries
The info in the `webbased whois' is a little weird, too:

Registrant:
Language: English
Email: abuser...@gmail.com
Onsite:
Name: Hostmaster Of The Day
Organisation: InterNetworX Ltd. & Co. KG

Either it's actually owned/operated by InterNetworX, or whoever owns that
domain is effectively behind two layers of `registrant privacy' obfuscation
(one being the .eu `we really do whois--go see the website instead' thing;
the second layer being the lack of real info from the registrar).

Information that we _can_ glean from the abuser.eu whois data is that their
DNS is hosted by afraid.org. Not sure what that tells us. If it's just
forward DNS, I'd take the afraid.org DNS as suggesting that it's probably a
personal machine on a consumer internet connection. But if you're getting
"abuser.eu" from a *reverse* lookup, that's presumably not the case.

But if a major organisation (InterNetworX?) actually owns the domain, why is
the contact address something at gmail.com?

-- 
"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."

_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
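The forward-versus-reverse distinction the reply turns on, as an added example that is not part of the thread: given a name seen beside a connecting IP in a log, decide whether that name came from a PTR record (which only the address owner can set) and whether the PTR is confirmed by the name's own A record. The resolver data is constructed (RFC 5737 addresses and hypothetical names); replace the two dict lookups with real DNS queries to run it against live data.

```python
"""Classify how a hostname seen in a log relates to the connecting IP.

The FORWARD and REVERSE tables below are constructed stand-ins for live DNS.
"""
import ipaddress

# Constructed forward zone: name -> A records (hypothetical names).
FORWARD = {
    "abuser.example": ["192.0.2.10"],    # e.g. a name on a free DNS host
    "host.isp.example": ["192.0.2.10"],  # e.g. the ISP's generic name
}
# Constructed reverse zone: ip -> PTR record, set by the address owner.
REVERSE = {
    "192.0.2.10": "host.isp.example",
    "192.0.2.20": "abuser.example",
}


def lookup_a(name, forward=FORWARD):
    """Forward (A) lookup; swap for a real resolver query on live DNS."""
    return forward.get(name.rstrip(".").lower(), [])


def lookup_ptr(ip, reverse=REVERSE):
    """Reverse (PTR) lookup; swap for a real resolver query on live DNS."""
    return reverse.get(ip)


def classify(ip, hostname, forward=FORWARD, reverse=REVERSE):
    """Return how `hostname` relates to `ip`:

    'fcrdns'          PTR names the host and its A record points back to ip
                      (the address owner and the name owner agree)
    'ptr-unconfirmed' PTR names the host but no A record of that name
                      points to ip (stale or misleading reverse DNS)
    'forward-only'    the name's A record points to ip, but the PTR names
                      something else (only the name's owner vouches for it,
                      as with a domain parked on a free DNS host)
    'unrelated'       neither forward nor reverse DNS links the two
    """
    ip = str(ipaddress.ip_address(ip))        # normalise, reject garbage
    name = hostname.rstrip(".").lower()
    ptr = lookup_ptr(ip, reverse)
    ptr = ptr.rstrip(".").lower() if ptr else None
    forward_hit = ip in lookup_a(name, forward)
    if ptr == name:
        return "fcrdns" if forward_hit else "ptr-unconfirmed"
    return "forward-only" if forward_hit else "unrelated"
```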