Author Topic: TK and blogspot.com domain removals  (Read 8173 times)

January 10, 2012, 05:12:28 pm

hhhobbit

Date:  2012-01-10 16:26 UTC

In the past few days I did the usual of adding what you add and removing what you removed if I had it.  The last 5-6 times I have done this I noticed that all of the removals were what I just added.  So I took the opportunity to attempt to add everything you people had that I didn't have.  The results are in the "TwoAdds" folder here:

http://www.securemecca.com/public/Changes4Hosts/2012-01-09.7z
http://www.securemecca.com/public/Changes4Hosts/2012-01-09.7z.sig
(you can get to these now from a link on the home page)

Specifically, you will want to read this first (I give the slashes in forward slash notation, which is what Microsoft should have used):

2012-01-09/0-ReadMe.txt

Then go into this folder:

2012-01-09/Risk/TwoAdds

BlogSpot.com:
There is a folder inside of it named "BlogSpot/".  ALL OF THE FILES IN IT ARE IN LF FORMAT ONLY.  If you are on Windows, use NotePad++, psPad, or what I use, which is gvim.  But if all you want is the names, they are in the RmsBlogSpot.txt file and also in the omnibus removal file named AllRms.txt in the "TwoAdds/" folder.  That isn't the point.  Any *.blogspot.com host yields an IP address from DNS since it is a DNSWCD (DNS WildCard Domain):

$ hdns  kdfjsdkjafkakdf.blogspot.com
kdfjsdkjafkakdf.blogspot.com is an alias for blogspot.l.google.com.
blogspot.l.google.com has address 74.125.127.132

You cannot use DNS (which I didn't even do) because any host returns an IP address, which at present is this one.  Don't worry - they use load balancing and hold the IP address constant.  It has been this same IP address since at least 2011-10-10.  But another part is that you cannot use a success or fail of wget.  Their "blog removed" or "blog does not exist and is blocked" messages have wget return a success.  Even though that is in the script, it is the other conditions that trigger the pass or fail.  This script and the program are available for you to use to determine when blogspot.com hosts fall out because Google removed the blogs.  ALL of them you had that I didn't have are no longer a threat.  IOW, all of them need to be removed.

TK Domain:
This is similar in some ways.  When they go to IP addresses 93.170.52.20 & 93.170.52.30 (these have changed in the past and may change in the future), they all seem to be parked.  They have been that way for over nine months now.  I have more latitude than you do.  I block the entire TK domain in the PAC filter and will continue to do it unless they have a review process for the submission of redirects.  That is a rather dubious proposition, since what is to prevent somebody from submitting a safe URL and, once it is accepted, making the redirect URL nasty?  Nothing prevents that from happening.  Invariably a domain like this leads to abuses.  I tested every one of your blocked hosts manually.  That is because I didn't have the list and had to get each URL through your web interface, one at a time.  At one time TK used Sedo but has stabilized on using searchdiscovered.com for well over six months now.  I cannot verify what happens on Windows, but even if I am not blocking searchdiscovered.com on Linux I get nothing but a blank white screen.  I would be cautious because what you get with the browser is not the same as what I get with wget.  IOW, it is only the initial redirecting, without knowing whether it goes to good or bad, that is throwing them from PARK to FALSE-PARK status for me.  I identified the ones to look at using my siftOutDFP.sh script, and all of the hosts in this domain were in the RmsFalse.txt file.  But as I worked through them I put the ones that were safe for me on Linux into not just the AllRms.txt file but also in the RmsTk.txt file.  But I also identified HOW you can test for whether or not they are safe.  Again, this is due to the behavior on Linux.  It may be different on Windows.  The first part of that test is encapsulated in TestTK.sh.  Because you have rather messy URLs, the safest way of having bash, ksh, or sh not expand the URLs is to encapsulate them in double quotes.
But although that helps you get rid of the URLs that are no longer a threat, it leaves you a step shy of what is needed for input to the second PruneTK.sh script.  You need some way of stripping out just the host names for a remove script.

THREE WARNINGS HERE:  Again, the TestTK.sh and PruneTK.sh scripts are in LF format only.  Second, I noticed the TK servers (park servers) showing behavior like they felt they were being attacked.  Thus the minute delay times between one domain and the next in TestTK.sh.  Unlike blogspot.com, where I have reached the optimum delay to avoid having the blogspot.com servers treat me as hostile (erring slightly on the side of avoiding being marked as an attacker), on this one I don't know where it is at.  I did the tests using Firefox 9.01 on Ubuntu 10.04 Linux, and an additional test of TestTK.sh (it worked).  Third, you should have the same behavior in IE on Windows, but that was not verified.  I would verify it before going further.  All I know is that in Firefox on Linux I have a white screen, and what was in the page view was different than what wget got.  But the TestTK.sh script isn't looking at that.  It is looking at the log of the wget to determine if that one went to searchdiscovered.com.  If you have a worry about searchdiscovered leading to malware, block it.  I block it.

If nothing else, remove the RmsDead.txt hosts.  If it were me, I would just remove everything in AllRms.txt from your hosts.txt file.  You have an OpenPGP signature to verify I really did do all of that work.  That is better than being jabbed with a sharp stick.
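The two steps the post describes for the TK hosts, as an added example that is not hhhobbit's TestTK.sh or PruneTK.sh: deciding from a saved wget log (wget's own `-o logfile` format) whether a fetch was redirected to searchdiscovered.com, and reducing messy URLs to bare host names as input for a removal script. The sample log and host names below are constructed, not real captures.

```sh
#!/bin/sh
# Added example, not the scripts from the post. Two pieces:
#  1. is_parked: read a wget log on stdin, succeed (exit 0) when a Location:
#     header points at the parking domain the post names (or a subdomain).
#  2. url_host / urls_to_hosts: strip scheme, userinfo, port, path and query
#     from URLs so a removal script gets one lower-case host per line.
PARK_RE='searchdiscovered\.com'   # parking domain from the post, as an ERE

is_parked() {
    # wget follows with "Location: http://host/path [following]", so accept
    # anything after the host that is a separator, whitespace or end of line.
    grep -Eiq "^Location: https?://([^/[:space:]]*\.)?${PARK_RE}([/?:[:space:]]|\$)"
}

url_host() {
    # Order matters: scheme first, then user:pw@, then path/query, then port.
    printf '%s\n' "$1" \
      | sed -E 's|^[A-Za-z][A-Za-z0-9+.-]*://||; s|^[^/?#]*@||; s|[/?#].*$||; s|:[0-9]+$||' \
      | tr '[:upper:]' '[:lower:]'
}

urls_to_hosts() {
    # One URL per line on stdin; blank lines skipped; duplicates collapsed.
    while IFS= read -r url; do
        if [ -n "$url" ]; then url_host "$url"; fi
    done | sort -u
}

# Constructed sample in wget's log format (not a real capture) for the demo.
SAMPLE_LOG='--2012-01-09 12:00:00--  http://example.tk/
Resolving example.tk... 93.170.52.20
Connecting to example.tk|93.170.52.20|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://searchdiscovered.com/?dn=example.tk [following]'

if printf '%s\n' "$SAMPLE_LOG" | is_parked; then
    echo "PARK: $(url_host 'http://example.tk/')"
else
    echo "NOT PARKED: $(url_host 'http://example.tk/')"
fi
```

Feed a real run as `wget -o example.log "http://host/"; is_parked < example.log`, keeping the URL in double quotes as the post advises; the quotes are what stops the shell from expanding the messy URLs.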