pythonanywhere.com #579
@g0d33p3rsec For another time, if you are in doubt about the template, just try your best and we'll take it from there. I have very big patience with people who try, but not that much with people who don't care or give a damn and do not even try...
Awesome, thanks! I saw the null entry comment in my email, which is why there was an open and closed issue before I noticed the related link to this in the web app.
LOL. As I just mentioned in
I've enumerated some additional subdomains and added them to Phishing-Database/phishing#422. Would you like me to initiate a separate ticket, or would you prefer to update this entry? I will try to follow up with some related infrastructure later today if time allows.
One issue = one domain 😄 that makes it:
You should try opening this issue with the API, now that you can code. I'm not gonna spoil it for you, but... 🍨
So, even though they are subdomains of the domain mentioned in this issue, treat them as separate domains for the purpose of issues? I think that is what I was confused about. I wasn't sure if they should be appended to this entry.
Lost in translation... Any records about
As you can see, even I have forgotten to add new records here... Maybe you could check them for phishing for me? Something tells me they are not adware...

Search results from Matrix blacklist project

source/adware/domains.list:abobelnejgbeghrbghkbshgbshkfb.pythonanywhere.com
source/adware/domains.list:adobebeiownwkjngrjwkenfjkewnf.pythonanywhere.com
source/adware/domains.list:adobepewjgronjgnwkengkjwengrj.pythonanywhere.com
source/adware/domains.list:borsbrietjblrenlgbrlenhjt.pythonanywhere.com
source/adware/domains.list:iengjwklengkhwebhfceref.pythonanywhere.com
source/adware/domains.list:jkrngjkernghernhgtehjnhk.pythonanywhere.com
source/adware/domains.list:pesjidgnojensjgerkhvjefdvs.pythonanywhere.com
source/phishing/domains.list:abobelnejgbeghrbghkbshgbshkfb.pythonanywhere.com
source/phishing/domains.list:adobebeiownwkjngrjwkenfjkewnf.pythonanywhere.com
source/phishing/domains.list:adobepewjgronjgnwkengkjwengrj.pythonanywhere.com

Found these RPZ records from My Privacy DNS

| id | domain | record type | content |
|---|---|---|---|
| 24845727 | abobelnejgbeghrbghkbshgbshkfb.pythonanywhere.com.phishing.mypdns.cloud | CNAME | . |
| 24845729 | adobebeiownwkjngrjwkenfjkewnf.pythonanywhere.com.phishing.mypdns.cloud | CNAME | . |
| 24845726 | adobepewjgronjgnwkengkjwengrj.pythonanywhere.com.phishing.mypdns.cloud | CNAME | . |
| 24845724 | borsbrietjblrenlgbrlenhjt.pythonanywhere.com.phishing.mypdns.cloud | CNAME | . |
| 24845721 | iengjwklengkhwebhfceref.pythonanywhere.com.phishing.mypdns.cloud | CNAME | . |
| 24845719 | jkrngjkernghernhgtehjnhk.pythonanywhere.com.phishing.mypdns.cloud | CNAME | . |
| 24845705 | pesjidgnojensjgerkhvjefdvs.pythonanywhere.com.phishing.mypdns.cloud | CNAME | . |

The only thing we do not serve, but we might, is the sub-path (URI).
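As an added example (not code from the mypdns/matrix project), the script below turns grep hits of the shape shown in the comment above into RPZ records of the form `<host>.<zone> CNAME .` (the RPZ action that makes the resolver answer NXDOMAIN), flags hosts that sit in more than one category list, simulates the resolver's exact-then-wildcard match, and shows why a URL path cannot be carried into the zone. The zone name `phishing.mypdns.cloud` is taken from the records above; the grep input, the wildcard convention and the helper names are assumptions of this example.

```python
"""Added example, not mypdns/matrix project code: grep hits -> RPZ records."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

ZONE = "phishing.mypdns.cloud"  # zone name taken from the records in the thread

# Constructed grep output in the same 'path:host' shape as the thread's search results.
GREP_OUTPUT = """\
source/adware/domains.list:abobelnejgbeghrbghkbshgbshkfb.pythonanywhere.com
source/adware/domains.list:borsbrietjblrenlgbrlenhjt.pythonanywhere.com
source/phishing/domains.list:abobelnejgbeghrbghkbshgbshkfb.pythonanywhere.com
source/phishing/domains.list:adobepewjgronjgnwkengkjwengrj.pythonanywhere.com
not-a-grep-line
source/phishing/domains.list:bad_host!.example
"""

# One or more LDH labels of 1..63 chars, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def parse_grep(text):
    """Map each valid hostname to the set of source categories it appears in."""
    by_host = defaultdict(set)
    for line in text.splitlines():
        path, sep, host = line.partition(":")
        if not sep:
            continue  # not 'path:host'
        host = host.strip().lower().rstrip(".")
        if len(host) > 253 or not HOSTNAME_RE.match(host):
            continue  # refuse to emit a malformed owner name into the zone
        parts = path.split("/")
        category = parts[1] if len(parts) >= 3 else "unknown"  # source/<category>/<file>
        by_host[host].add(category)
    return dict(by_host)


def dual_listed(hosts):
    """Hosts that appear under more than one category (adware AND phishing above)."""
    return sorted(h for h, cats in hosts.items() if len(cats) > 1)


def rpz_records(hosts, zone=ZONE, wildcard=True):
    """Emit 'owner CNAME .' lines; the wildcard owner also catches deeper labels."""
    lines = []
    for host in sorted(hosts):
        lines.append(f"{host}.{zone} CNAME .")
        if wildcard:
            lines.append(f"*.{host}.{zone} CNAME .")
    return lines


def rpz_action(qname, hosts, wildcard=True):
    """Resolver-side view: exact owner first, then walk up the labels for '*.host'.
    Returns 'NXDOMAIN' when the query would be rewritten, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in hosts and (i == 0 or wildcard):
            return "NXDOMAIN"
    return None


def url_to_owner(url):
    """RPZ keys on the queried name only: return the owner and the path it cannot express."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.hostname.lower(), parts.path


if __name__ == "__main__":
    hosts = parse_grep(GREP_OUTPUT)
    print("\n".join(rpz_records(hosts)))
    print("listed in more than one category:", dual_listed(hosts))
```

The path returned by `url_to_owner` is exactly what the comment above says the zone does not serve: a report of `https://host/login/index.html` can only ever become a record for `host`.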
@g0d33p3rsec you can now reopen issues as you need to 😉
Awesome, thanks! I'll look over the other domains mentioned above this afternoon.
Looking over the items currently labeled as adware:
Hmm, it just strikes me that the addresses you return are from
https://urlscan.io/result/a380ebcf-b0cd-405d-8b23-916d74b861af/#transactions
Then from the pages.dev site comes the second stage
URL-decodes as
which includes some URL-encoded HTML & JS
The var `_$_bc3b` contains the following hex-encoded string
Yep, and then we are in #607 😉 So the answer is: yes, they redirect to phishing sites, right?
Sort of. It's not a 302; it's done via the HTML and JS served from the first site. There is an activity group too, since there are multiple pairs of such combinations with identical subdomain names.
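The chain described in the two comments above (a page whose inline script carries a URL-encoded blob, which decodes to HTML/JS holding a hex-escaped string array that is then written into `location`) is the kind of redirect a check for a 3xx status never sees. The following is an added example, not code from the thread or the project, that peels those layers and contrasts the result with an ordinary HTTP redirect. The first-stage page, the variable name reuse `_$_bc3b`, the target URL and the helper names are all constructed for this example; the real payload from urlscan is not reproduced on the page.

```python
"""Added example, not from the thread: peel URL-encoded -> hex-escaped JS redirects."""
import re
from urllib.parse import quote, unquote


def _build_stage1(target):
    """Construct a sample first-stage page shaped like the chain in the thread
    (constructed input, not the real payload)."""
    hexed = "".join(f"\\x{b:02x}" for b in target.encode())
    inner = f'<script>var _$_bc3b=["{hexed}"];window.location.href=_$_bc3b[0];</script>'
    return (f'<html><body><script>var p="{quote(inner, safe="")}";'
            f'document.write(decodeURIComponent(p));</script></body></html>')


STAGE1 = _build_stage1("https://login.example.test/verify")  # constructed target

# A double-quoted JS literal that contains at least one %XX sequence.
PCT_LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*%[0-9A-Fa-f]{2}(?:[^"\\]|\\.)*)"')
# var NAME=["\x68\x74..."]  (single-element array of \xNN escapes)
HEX_VAR_RE = re.compile(r'var\s+([$\w]+)\s*=\s*\[\s*"((?:\\x[0-9a-fA-F]{2})+)"\s*\]')
# window.location.href = NAME[0]  (also bare location / document.location)
LOCATION_RE = re.compile(r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*([$\w]+)\[0\]')


def unhex(escaped):
    """Decode a run of JS \\xNN escapes to text."""
    return bytes(int(h, 16) for h in re.findall(r'\\x([0-9a-fA-F]{2})', escaped)).decode("utf-8", "replace")


def peel_layers(html, max_depth=5):
    """Return the successive stages: each percent-encoded literal found in the
    current stage is unquoted to form the next one, until none remain."""
    stages = [html]
    for _ in range(max_depth):
        found = PCT_LITERAL_RE.findall(stages[-1])
        if not found:
            break
        stages.append("\n".join(unquote(f) for f in found))
    return stages


def find_js_redirect(html):
    """Return (variable_name, decoded_target) for a hex-array location change, else None."""
    for stage in peel_layers(html):
        arrays = {name: unhex(val) for name, val in HEX_VAR_RE.findall(stage)}
        for m in LOCATION_RE.finditer(stage):
            if m.group(1) in arrays:
                return m.group(1), arrays[m.group(1)]
    return None


def classify_redirect(status, headers, body):
    """('http', target) for a 3xx + Location, ('js', target) for the script chain, else (None, None)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in lowered:
        return "http", lowered["location"]
    js = find_js_redirect(body)
    return ("js", js[1]) if js else (None, None)


if __name__ == "__main__":
    print(classify_redirect(200, {"Content-Type": "text/html"}, STAGE1))
```

Grouping by the decoded target and the reused array name is also the cheapest way to cluster the "pairs with identical subdomain names" mentioned above: two first-stage hosts that unpack to the same `_$_bc3b` target belong to the same activity.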
Super... thanks a lot for your effort. I have another batch from my external-source searcher.... Will be changed in time; when I learn Rust, Yggdrasil will arise with all its wisdom, or whatever the name will be... Have found that there is a network builder with the same name... yggdrasil-network. Name suggestions are welcome.

Search result from External Hosts-Sources (@mypdns's External Hosts-Sources can be found here)

data/UltimateHostsBlacklist0.txt:disablegoogleplussync.pythonanywhere.com
data/UltimateHostsBlacklist1.txt:googlegetmyphotos.pythonanywhere.com
data/UltimateHostsBlacklist1.txt:googlegetmysyncphotos.pythonanywhere.com
data/UltimateHostsBlacklist1.txt:googlegetphotos.pythonanywhere.com
data/UltimateHostsBlacklist2.txt:sotimnehenim.pythonanywhere.com
data/UltimateHostsBlacklist2.txt:swingersphotos.pythonanywhere.com
data/UltimateHostsBlacklist2.txt:wiadomoscionet.pythonanywhere.com
data/badmojr1Hosts.txt:freshloader.eu.pythonanywhere.com
data/badmojr1Hosts.txt:www.freshloader.eu.pythonanywhere.com
data/badmojr1Hosts.txt:quicknotice.eu.pythonanywhere.com
data/badmojr1Hosts.txt:www.quicknotice.eu.pythonanywhere.com
data/badmojr1Hosts.txt:thenoticememoir.pythonanywhere.com
data/badmojr1Hosts.txt:www.thenoticememoir.pythonanywhere.com
data/badmojr1Hosts.txt:wiadomoscionet.pythonanywhere.com
data/badmojr1Hosts.txt:www.wiadomoscionet.pythonanywhere.com

Sorted result

disablegoogleplussync.pythonanywhere.com
freshloader.eu.pythonanywhere.com
googlegetmyphotos.pythonanywhere.com
googlegetmysyncphotos.pythonanywhere.com
googlegetphotos.pythonanywhere.com
quicknotice.eu.pythonanywhere.com
sotimnehenim.pythonanywhere.com
swingersphotos.pythonanywhere.com
thenoticememoir.pythonanywhere.com
wiadomoscionet.pythonanywhere.com
www.freshloader.eu.pythonanywhere.com
www.quicknotice.eu.pythonanywhere.com
www.thenoticememoir.pythonanywhere.com
www.wiadomoscionet.pythonanywhere.com
Fix #579

A HUGE THANKS to @g0d33p3rsec for investigating these domains for us

----

Thanks to JetBrains for sponsoring IntelliJ (Ultimate Edition) for non-commercial open source. This helps My Privacy DNS to develop tools and maintain the blacklists.

Ref mypdns/matrix#579

All credit to @g0d33p3rsec
You are the guy for these jobs. You seem passionate about digging into these kinds of things.
Thanks, they are my favorite sort of rabbit holes. That's why I'm planning to move towards CTI once I get a little more schooling out of the way. Also, it offered a good way to take out some aggression while waiting to get my truck into the shop because of the CDK Global attack forcing my mechanic to fall back to paper and operate in continuity mode. I haven't seen anything that suggests CDK was due to BEC but have seen some speculation that it could be related to the Snowflake breach, but nothing conclusive. Consider the number of other victims to have previously been targeted due to Snowflake and the public Snowflake extension visible in CDK's GitHub repo. It does get the gears turning. Anything phishing related brings out a bit of a predatory drive. I want to kill it with fire. I've been tracking the group in most of my commits to the phishing db since last August when they compromised a pair of accounts belonging to my classmates. When I saw the same URI twice from different victims, I knew other opsec mistakes would follow.
You know shorthands... I hate them, you never know what they stand for: https://acronyms.thefreedictionary.com/CTI So which of these are you pointing at? 😏
Thank god I did choose a '99 BMW 5'er 11 years ago, still running you know, no Microsoft... only nixCraft 🤣
Sounds like a good friend. You should just learn from us old dudes with no hair... we used to have hair 👀 So remember to breathe once in a while to keep the power to continue the hunt.
Cyber threat intelligence, though threat research and related domains are also attractive. BEC is business email compromise.
That's one I'm still working on.
While investigating a separate domain I came across these malicious URIs, which were hosted at pythonanywhere.com. VirusTotal reports Zillya results for the related URIs as "Trojan.HEURKryptik.JS.134". See also details in Phishing-Database/phishing#420
Wildcard domain records
Sub-Domain records
Hosts (RFC:953) specific records, not used by DNS RPZ firewalls
SafeSearch records
Screenshots
Links to external sources
logs from uBlock Origin
N/A