Block various domains accessed by trojan #538

Closed
Somebodyisnobody opened this issue Feb 16, 2020 · 2 comments

Comments

@Somebodyisnobody
Member

Somebodyisnobody commented Feb 16, 2020

After executing a trojan on an isolated host system I got the following domains on my DNS server:
lodddd01.info
jload01.info
rifat01.info
Some other requested domains were already blocked, I assume they are here in the list.
Attached a traffic capture where you can see which files are being downloaded (e.g. stream 3 where "jload01.info/downfiles/1.exe" is called or stream 0 where a zip with

 ....I^..I^..I^{.{?.PK..........PP................Browsers/_FileForms.txtUT
....I^..I^..I^{.{?.PK..........PP................Browsers/_FilePasswords.txtUT
....I^..I^..I^{.{?.PK..........PP................_FilePasswords.txtUT
....I^..I^..I^{.{?.PK..........PP............	..._Info.txtUT

is being uploaded to rifat01.info. The zip attached is extracted from the stream)

trojan_filtered.zip (wireshark capture file)
index.php.zip
trojan.zip (only download if you know how to handle a trojan, password "trojan")

@Somebodyisnobody Somebodyisnobody changed the title Block various domains: Block various domains from trojan Feb 16, 2020
@Somebodyisnobody Somebodyisnobody changed the title Block various domains from trojan Block various domains accessed by trojan Feb 16, 2020
@spirillen
Contributor

spirillen commented Feb 17, 2020

May I suggest you add a password to the trojan.zip rather than just redistributing it as is, and at the same time ensure people don't execute it by mistake?

spirillen added a commit to mypdns/matrix that referenced this issue Feb 17, 2020
`jload01.info`
`rifat01.info`

Domains used by TrojanHorse. Reported by https://github.com/Somebodyisnobody
at Ultimate-Hosts-Blacklist/Ultimate.Hosts.Blacklist#538

Signed-off-by: Spirillen <[email protected]>
@ghost ghost deleted a comment from funilrys Feb 22, 2020
@ghost

ghost commented Feb 22, 2020

This issue was moved by funilrys to Ultimate-Hosts-Blacklist/blacklist#1.

@ghost ghost closed this as completed Feb 22, 2020
Somebodyisnobody added a commit to Ultimate-Hosts-Blacklist/blacklist that referenced this issue Mar 27, 2020
This issue was closed.