Topic: host that host file won't stop

March 30, 2009, 07:01:05 pm

thoreau
I keep getting this thing trying to do something and it makes my computer hang up.
A check of the URL says GoDaddy but your site said it was something fake.
What the heck is this thing? Thanks.
linhost212.prod.mesa1.secureserver.net

2008/08/30_22:10   russlhommedieu.com/fake

64.202.163.179

linhost212.prod.mesa1.secureserver.net   Exchanger   N/A ???

March 31, 2009, 12:22:02 am
Reply #1

MysteryFCM
The /fake you refer to is the directory, not the description. The description is Exchanger, which is a trojan.

Looking at the site's source shows a fake 404 that loads 3 more files, one called "dochelp1.html" via a poorly obfuscated script, the second stat.html and the third counter.html. All seem to be returning the same code for me for some reason (not entirely sure why at present), so I can't investigate further.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

March 31, 2009, 12:25:05 am
Reply #2

MysteryFCM
I forgot to ask: you mentioned it kept coming up, but didn't mention when it was actually occurring. Is it whilst loading a particular website?

First and foremost, check for an active infection: run Malwarebytes Anti-Malware and then follow the instructions at:

http://www.malwarebytes.org/forums/index.php?showtopic=9573

March 31, 2009, 01:43:26 am
Reply #3

thoreau
I clicked on a page, might have been Yahoo email, and the page half loaded (progress bar) and hung; that happens a lot on Yahoo. Anyhow, I looked in the firewall log to see what was the hold-up and found it was
64.202.163.179  ....GoDaddy.com, Inc.,  64.202.160.0 - 64.202.191.255

So I figured it was some data miner or some such and I would put it in the hosts file so it could call itself.

I went to http://www.selfseo.com/find_host_by_ip.php to get the host name from the IP addy... it was

linhost212.prod.mesa1.secureserver.net, so I gave it the usual 127.0.0.1 and put it in the hosts file, but it continued to hang.

A day or so before, I had emailed Alex van Eesteren over at the IXQUICK search engine site and told him that GoDaddy seemed to be slowing the search engine down a good bit.

He replied that they use GoDaddy certificates for the HTTPS tunnel. I turned off the HTTPS and it was O.K. then.

But the IP address of the IXQUICK GoDaddy was 72.167.239.239. I wonder if there could be a connection? ???

I hope this helps untangle this mystery. I would sure like to know if my computer has been recruited into the April Fools Virus Army. I have 26 hours to wait to find out... LOL!

Thanks for the interest, it is appreciated.


March 31, 2009, 02:03:07 am
Reply #4

MysteryFCM
I've never been a fan of IXQuick, so my first recommendation is to ditch them. My second is to add the following to the firewall filter rules to completely block it (there are a lot of hosts on that block, none of which look entirely good):

64.202.160.0 - 64.202.191.255

Again however, to help determine if your machine is infected, please follow the instructions in my previous post.

You can also use Fiddler to help determine if, and where, any outgoing traffic is flowing to:

www.fiddlertool.com
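An added example, not posted by anyone in this thread, tying together reply #3 and reply #4: a hosts-file entry only redirects name lookups, so traffic the firewall log shows going straight to 64.202.163.179 is unaffected by it, whereas the address range MysteryFCM quotes can be turned into a CIDR block and matched against log lines. The hosts entry and the log lines below are constructed sample data.

```python
import ipaddress
import re

# Range quoted in the thread (firewall log / reply #4), as first-last addresses.
BLOCK_RANGE = ("64.202.160.0", "64.202.191.255")


def range_to_networks(first, last):
    """Convert a first-last IPv4 range into the CIDR blocks a firewall rule takes."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


BLOCK_NETS = range_to_networks(*BLOCK_RANGE)   # a single /19


def is_blocked(ip):
    """True if the address falls inside the firewall block range."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in BLOCK_NETS)


# Constructed hosts-file override, as in reply #3.
HOSTS = {"linhost212.prod.mesa1.secureserver.net": "127.0.0.1"}


def hosts_file_stops(destination):
    """True only when the program resolves a *name* that HOSTS overrides.
    A connection made to a literal IP never consults the hosts file."""
    try:
        ipaddress.IPv4Address(destination)
        return False
    except ValueError:
        return HOSTS.get(destination.lower()) == "127.0.0.1"


# Constructed firewall log lines (sample data, not from the thread).
LOG = """\
2009-03-31 01:40:12 ALLOW TCP 192.168.1.5:51234 -> 64.202.163.179:80
2009-03-31 01:40:13 ALLOW TCP 192.168.1.5:51235 -> 72.167.239.239:443
2009-03-31 01:40:14 ALLOW TCP 192.168.1.5:51236 -> 198.51.100.7:80
"""


def flag_log(log):
    """Return the destination IPs in the log that the block range would catch."""
    hits = []
    for line in log.splitlines():
        m = re.search(r"-> (\d+\.\d+\.\d+\.\d+):\d+", line)
        if m and is_blocked(m.group(1)):
            hits.append(m.group(1))
    return hits
```

Note that 72.167.239.239, the IXQUICK address mentioned in reply #3, lies outside the quoted range, so the firewall rule alone says nothing about that connection.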

March 31, 2009, 02:21:22 am
Reply #5

thoreau
Thanks Steve, I will do as you advise; thanks for the Fiddler tool.

While I was gone I found a store with the same name at a self-publishing site called Lulu:

http://stores.lulu.com/russlhommedieu

I wonder if this could be a source of the Exchanger trojan.

O.K., I go to execute the instructions. Thanks again.


March 31, 2009, 02:33:39 am
Reply #6

MysteryFCM
It's certainly possible, but unfortunately I cannot verify whether or not this is the case as I don't have the cash to spend on finding out (would need to pay for whatever it is they're selling before I could analyze it).

March 31, 2009, 04:10:20 am
Reply #7

thoreau
Looks like he sells books. I clicked and got about 1400 packets saved to the desktop from there.

March 31, 2009, 04:19:32 am
Reply #8

MysteryFCM
Can you zip them up and post them here please?