Author Topic: 216.130.162.145 query and new hosts  (Read 4577 times)

0 Members and 1 Guest are viewing this topic.

November 25, 2008, 02:06:15 pm
Read 4577 times

hhhobbit

  • Special Access
  • Full Member

  • Offline
  • *

  • 54
I would be interested if there any more hosts than this one:

xbarre.com
www.xbarre.com

that are noted as bad at this IP address.  I heard from somebody helping me that www.calendarofupdates.com identified the IP address as bad but I can't find it anywhere.  This host (xbarre.com) distributes adware as indicated by this scan:

http://www.securemecca.com/public/xbarresetup.exe.pdf

I also don't like any of these toolbars:

*.communitytoolbars.com
*.forumtoolbar.com
*.greattoolbars.com
*.loyaltytoolbar.com
*.media-toolbar.com
*.myblogtoolbar.com
*.mycitytoolbar.com
*.mycollegetoolbar.com
*.myfamilytoolbar.com
*.myforumtoolbar.com
*.mylibrarytoolbar.com
*.myradiotoolbar.com
*.mystoretoolbar.com
*.myteamtoolbar.com
*.mytowntoolbar.com
*.myuniversitytoolbar.com
*.myxangatoolbar.com
*.ourchurchtoolbar.com
*.ourtoolbar.com

Why not?  THEY TURN MY PAC FILTER OFF!  I don't know if they turn it off at install time or removal time but their removal is sloppy and leaves you contacting their services until you clean it up yourself.  If you allowed them on your toolbar in Firefox it is left that way.  The full list of hosts is here:

http://www.securemecca.com//MalwareDomainList/ToolBars.txt

Now I don't regret these rules I added to the PAC filter:

// next rule - all *.*toolbar.com hosts redirect to hosting.conduit.com
BadNetworks[i++] = "66.77.197.154,      255.255.255.255"; // 2008-11-24
BadDomains[i++] = "toolbar.com";          // DNSWCDs - *.*toolbar.com

I don't know if it escalates to the point of malware but I am pretty steamed about it turning my PAC filter off (it completely erases the string).  That means it is making unwanted modifications to my browser, and ones that most people cannot clean up manually themselves.  Your choice - add the hosts or point them to our PAC filter.  I don't know if LeVerso has added this pattern or not but he should.  The service hosts it keeps contacting are:

cetrk.com  # they just use a script there
conduit.com
www.conduit.com
hosting.conduit.com
my.conduit.com
search.conduit.com
services.conduit.com
storage.conduit.com
ticker.conduit.com
translation.conduit.com
users.conduit.com
weather.conduit.com

The script they are using at cetrk.com is:

cetrk.com/pages/scripts/0009/1342.js

I hope that helps.  I am going to block all of those hosts for all machines because the damage was done on Linux, not on Windows.  Let's say that again - the damage is done on all operating systems in Firefox!  I cannot speak for what it does to IE on Windows or what it does to Opera.  I am late to my day job.

November 25, 2008, 02:27:05 pm
Reply #1

hhhobbit

  • Special Access
  • Full Member

  • Offline
  • *

  • 54
I forgot to give credit where credit is due.  The back-end of what is happening at securemecca.com / hostsfile.org is a guy named Rodney with collaboration by Airelle in France.  Rodney is doing a wonderful job of the domain analysis.  If you want to contact him personally his email is domainanalysis  caseyatthebat  yahoo.com.  Kudos!  I like it because it does it on all OS platforms and targets moi.  I doubt the attack is personal but you never know.  Rodney is the one that discovered these *toolbar.com hosts from my perspective.  I think we better tell Airelle to move those 4,000+ hosts into hosts.rsk.  I will be adding the server hosts to my hosts file by the end of the week (or sooner if possible).  As always, why add 4,000+ hosts when two rules contains them?  Now you know why a PAC filter makes sense.  I always did like band-saws (PAC filter) over coping saws (blocking hosts file).