28 December 2008 Changes (HHH)
------------------------------

1. Action: Test handling of ads.ami-admin.com aliases
   Added:
     BadNetworks[i++] = "216.109.89.3, 255.255.255.255"; // PRIVUS ads.ami-admin.com
   Reason: I have no blocks of the primes host (ads.ami-admin.com) in my PHTTPD logs and we have precious few aliases: ads.fitpregnancy.com, ads.flexonline.com, ads.muscleandfitness.com, ads.muscleandfitnesshers.com, ads.nationalenquirer.com, ads.starmagazine.com. There have to be more than these.
   { 2010-01-23: Rule was removed }

2. Action: Changed status of "codec" rule from passive to active
   From:
     // BadHostParts[i++] = "codec"; // YOUR CHOICE - TROJAN
   To:
     BadHostParts[i++] = "codec"; // YOUR CHOICE - TROJAN
   Reason: Not one month goes by without new ones. The hpHosts file has 82 host names with the pattern "codec" in them. MalwareDomainList has 96. MVPHosts has only 11. Airelle has 308 in hosts.rsk and 487 in hosts.web.

3. Action: Adding pseudo anti-malware pattern
   Added:
     BadHostParts[i++] = "antispy"; // YOUR CHOICE - 2008-12-01
   Reason: 80 with that pattern at MalwareDomainList, and Airelle has hosts.rsk: 127, hosts.web: 303. Good enough? Bring on the false positives so I can add the white-list rules!

4. Action: Adding pseudo anti-malware pattern
   Added:
     BadHostParts[i++] = "antivir"; // YOUR CHOICE - 2008-12-01
   Reason: 138 with that pattern at MalwareDomainList, and Airelle has hosts.rsk: 184, hosts.web: 763. Good enough? Bring on the false positives so I can add the white-list rules!

5. Action: Changed rule back the way it was.
   From:
     // GoodDomains[i++] = ".live.com";
   To:
     GoodDomains[i++] = ".live.com";
   Reason: There is no live rule, no block that I can see in the hosts file for shared.live.com, and I even tried this URL that was blocked somehow: shared.live.com/w0cBUAeJzxpl2BKWb!s3qg/header.js IT ISN'T BLOCKED. I AM JUST GOING TO PLAY IT SAFE.

6.
   Action: Had to change dwnld1.com IP address rules
   From:
     BadNetworks[i++] = "67.228.177.143, 255.255.255.255"; // dwnld1.com_1 - 2008-11-13
     BadNetworks[i++] = "67.228.177.146, 255.255.255.255"; // dwnld1.com_2 - 2008-11-13
   To:
     BadNetworks[i++] = "78.46.88.202, 255.255.255.255"; // dwnld1.com_1 - 2008-12-02
     BadNetworks[i++] = "85.17.4.200, 255.255.255.255"; // dwnld1.com_2 - 2008-12-02
     BadNetworks[i++] = "88.198.8.15, 255.255.255.255"; // dwnld1.com_3 - 2008-12-02
   Reason: Its IP addresses changed. They will continue to come up with new ones.

7. Action: Had to add old dwnld1.com IP address rules back in
   Added:
     BadNetworks[i++] = "67.228.177.143, 255.255.255.255"; // dwnld1.com_4 - 2008-12-02
     BadNetworks[i++] = "67.228.177.146, 255.255.255.255"; // dwnld1.com_5 - 2008-12-02
   Reason: I accidentally removed the hosts bestvirusremover2008.com, www.bestvirusremover2008.com, download.bestvirusremover2008.com, download.pcvirusremover2008.com, pcvirusremover2008.com, www.pcvirusremover2008.com, download.powerfulvirusremover2008.com, powerfulvirusremover2008.com, and www.powerfulvirusremover2008.com when I removed download.virusremover2008.com, virusremover2008.com, and www.virusremover2008.com. SO, I had to add the ones I accidentally removed back into the hosts file. All went well for all of the *best* hosts, with the download host being the new dwnld1.com addresses, but when I did a DNS lookup on download.pcvirusremover2008.com the old IP addresses came back. We will see how many they have now, won't we? I AM JUST AS STUBBORN AS THEY ARE! BTW, THEY HAVE BEEN MAKING THREATENING PHONE CALLS TO ME! I have left my phone turned off - phooey. The game is afoot!

8.
   Action: instacontent rules
   Removed:
     BadNetworks[i++] = "64.191.192.0, 255.255.255.0"; // instacontent_3
     BadNetworks[i++] = "65.216.116.0, 255.255.255.0"; // instacontent_1
     // YOUR CHOICE - instacontent - comment out first and uncomment second
     BadNetworks[i++] = "216.38.160.0, 255.255.240.0"; // instacontent_2
     // BadNetworks[i++] = "216.38.160.0, 255.255.248.0"; // instacontent_2_ALT
     BadDomains[i++] = ".instacontent.net"; // AdServer
   Reason: cache.boston.com

9. Action: PANTHER rule
   Removed:
     BadNetworks[i++] = "66.114.48.0, 255.255.240.0"; // YOUR CHOICE PANTHER2
   Reason: Conflict with www.livejournal.com. It ends up blocking both p-stat.livejournal.com and p-userpic.livejournal.com, which makes the site useless. I may have to remove the other PANTHER rule in the future. That is why these rules were listed "YOUR CHOICE".

10. Action: Counteract Russian rule
    Added:
      GoodDomains[i++] = "livejournal.ru"; // RUSSIA - 2008-12-07
    Reason: aqua.livejournal.ru - do not ask me why somebody wants to keep a journal where everybody can see it. Most teens get mad if their parents read their journal. But far be it from me to stop them.

11. Action: Downgraded "celeb" rule.
    From:
      BadURL_Parts[i++] = "celeb";
    To:
      BadHostParts[i++] = "celeb"; // MALWARE - 2008-12-07
    Reason: 1.bp.blogspot.com, 2.bp.blogspot.com, 3.bp.blogspot.com, 4.bp.blogspot.com all had some sort of *celeb*.png or *celeb*.jpg files. It retains its URL status in pornproxy.txt.

12. Action: Altered "cul" rule.
    From:
      BadURL_Parts[i++] = "[^aeilnos]cul[^it]"; // YOUR CHOICE
    To:
      BadURL_Parts[i++] = "[^aeilnors]cul[^it]"; // YOUR CHOICE
    Reason: i.i.com.com/cnwk.1d/Ads/common/css/circular/circular.css. I preferred adding the consonant r rather than the vowel a. Now Hercule Poirot is allowed through too.

13. Action: Altered "teen" rule, but only in proxy.txt / dbgproxy.txt
    From:
      BadURL_WordStarts[i++] = "teen";
    To:
      BadURL_WordStarts[i++] = "teen[^y]";
    Reason: cdn.overstock.com/img/mxc/20081129_teenysearchD.gif

14.
    Action: miva.com
    Added:
      BadDomains[i++] = ".miva.com"; // MALWARE - 2008-12-08
    Reason: Cleaning up what we did for November.

15. Action: One more dwnld1.com rule
    Added:
      BadNetworks[i++] = "80.10.246.5, 255.255.255.255"; // dwnld1.com_6 - 2008-12-09
    Reason: THREATENING PHONE CALLS BE DAMNED! I AM GOING TO STOP THEM EVEN IF I AM RANKED 367,XXX SOMETHING OR OTHER. That means practically zero people visit my web site. Oops. That means I rank in the top ten. Maybe that means the Russian hackers have mounted a low level DDOS attack against me. Up until then I was probably 3,750,000 or something like that.

16. Action: "*.3322.org" AND "*.8866.org"
    Added:
      BadDomains[i++] = ".3322.org"; // Malware - 2008-12-14
      BadDomains[i++] = ".8866.org"; // Malware - 2008-12-14
    Reason: 10 at MalwareDomainList for the first, and who knows how many we don't know about for both. This is what happens when instead of careful monitoring by a registrar we have the exact opposite in China. Here are URLs on it:
      http://securityreason.com/news/11/41
      http://tinyurl.com/439jtw (previous is a businessweek.com article)
      http://isc.sans.org/diary.html?storyid=3266
    I am surprised I didn't do this before now. I am now coming to the conclusion China is doing it.

17. Action: "*.popunder.ru"
    Added:
      BadDomains[i++] = ".popunder.ru"; // DNSWCD - WebBug
    Reason: MVPHosts has: anrysys.popunder.ru, basterr.popunder.ru, bizbor.popunder.ru, kinofree.popunder.ru, and milioner.popunder.ru. MalwareDomainList has: blackchek.popunder.ru, and kinofree.popunder.ru. I added what MalwareDomainList had but also found saloboy.popunder.ru at flowgaleria.org. I am going to add it, but it would be nice to just block all of them. Also, it IS a DNSWCD! HOW CAN YOU TELL WHEN THE HOST NO LONGER IS USED? You cannot just use DNS:
      dns kdfhasdjkfkask.popunder.ru ---> 80.93.49.192

18.
    Action: "tube"
    Added:
      BadHostParts[i++] = "tube"; // YOUR CHOICE - MalWare
    Reason:
      [hhhobbit@gandalf MalwareDomainList]$ grep -c tube hosts
      174
      [hhhobbit@gandalf rlwpx.free.fr_WPFF]$ grep -c tube hosts.*
      hosts.pub:13
      hosts.rsk:31
      hosts.sex:316
      hosts.trc:18
      hosts.web:473
    It is the hosts.rsk I am mainly worried about. Okay, give me the false positives to white-list.

19. Action: "128.168.208.2" SPAMMER
    Added:
      BadNetworks[i++] = "128.168.208.2, 255.255.255.255"; // SPAM - 2008-12-17
    Reason: unchangedwandered.net/vip/77778204/hhhobbit@comcast.net link in email message.

20. Action: "*.mylongtail.com" DNSWCD - Tracker
    Added:
      BadDomains[i++] = ".mylongtail.com"; // DNSWCD - Tracker
    Reason: Airelle has 117, 317, 327, 505, and 582. It doesn't take a genius to figure out they probably started with number 100 for their first customer and give each one a number. So where are the clients 100 ... 116, 118 ... 316, 318 ... 326, 328 ... 504, 506 ... 581? Who knows how many are beyond 582. Now, they could have not gone linearly, but only oddballs like me would do that to throw you off the track if I am spying on you. Let's stop all of them. The way they have it set up could be altered with a PHP script to allow for aliases, in which case I would think about an IP address rule.

21. Action: "*.information.com"
    Added:
      BadDomains[i++] = ".information.com"; // PRIVUS RULE - 2008-12-20
    Reason: This rule is fraught with danger. Yes, nothing but one host after another is used to have you redirected to it for the searchportal / information.com domain. Airelle has only the following hosts in this domain:
      dp.information.com
      search.information.com
      searchportal.information.com
      sp2.information.com
      spcn01.information.com
      sprw.information.com
      www.ireland.information.com
    I have had to add the following:
      sp15.information.com
      sp17.information.com
    I have never seen the last one of his. It is just that they are adding so many hosts SOMEBODY has to see if they have others. This IS a DNSWCD!
    IOW, this PRIVUS rule may become EVERYBODY's rule fairly quickly. Oh yes, proof that sp15.information.com is being used is at shaohen6677.com if you hurry, and that causes me to add two more IP addresses to the PARK list that I don't have.
    { 2010-01-23: Rule was removed }

22. Action: Removed searchportal.information.com IP rule
    Removed:
      BadNetworks[i++] = "208.73.210.32, 255.255.255.255"; // PARK-IP
    Reason: The searchportal.information.com host has moved to IP address 208.73.210.121. I don't have time to keep up with it. You can't broaden the block because it looks like Oversee.net sprinkles their park IPs all over the place and there is no guarantee where the aliases to the searchportal.information.com host will end up next. I will try to see if it changes, since the IP address for it is in my parked.sh and isparked.c files. The problem is that they are NOT aliasing to it very much any more.

23. Action: "209.62.20.245"
    Added:
      BadNetworks[i++] = "209.62.20.245, 255.255.255.255"; // Suspicious IP - 2008-12-22
    Reason: A smattering of hosts at MalwareDomainList died, and then rather than being parked showed up here. THEY ARE NEITHER PARKED, NOR DO THEY HAVE THE ORIGINAL EXPLOITS. I AM moving them back into the blocking hosts file. I expect this rule to die within a month or so. There were two other IPs showing up that were also not parked: 60.29.240.77 and 124.42.34.172. I also found one more: 94.103.4.83. They are not park IPs, and they don't have a web server. Because they don't have a web server I am not going to worry about them.

24. Action: "[^g]free[^d]"
    From:
      // BadHostParts[i++] = "[^g]free[^d]"; // YOUR CHOICE
    To:
      // BadHostParts[i++] = "[^g]free[^bd]"; // YOUR CHOICE
    Reason: I realize it is an optional rule, but I have to enable it much of the time. I got tired of FreeBSD this and that being blocked.

25. Action: "freebsd"
    Removed:
      GoodDomains[i++] = ".freebsd.org";
    Reason: See previous change.
    More may follow, but this one just kept killing me since FreeBSD is the BEST OS for network utilities. It is infinitely better than Linux or other versions of Unix in the depth and breadth of networking utilities. I may put it back on a new machine if I can get VMWare to load it. I can't remember the GRUB info I used, but the UFS file system is nice since it only requires one hardware partition. Its partitions are really just slices within that partition.

26. Action: PARK SPAM
    Added:
      BadNetworks[i++] = "208.73.210.0, 255.255.255.128"; // PARK SPAM - 2008-12-22
    Reason: The pesky spammers are at it again. Since they actually redirected to searchportal.information.com, I made this rule, which is fighting the PARK SPAMMERS? It doesn't make sense, but that was what happened. One of the host names was [www.]sensualismedited.net and they all mapped to the IP address 208.73.210.50. So if this rule causes problems then we will just have to back off to that IP address.

27. Action: "smarttargetting.com" aliases into "intellitxt.com" domain
    Added:
      BadDomains[i++] = ".smarttargetting.com"; // Tracker - 2008-12-25
    Reason: All but one of the aliases in the Intellitxt.com domain are in this pseudo-domain. Maybe there are more.

28. Action: PERSONAL "college" rule.
    Removed:
      BadHostParts[i++] = "college"; // PRIVUS PROXY - 2007-11-11
    Reason: Too many blocks of innocents. Some of them are:
      northcarolina.collegesonline.net
      media.collegepublisher.com
      collegesnow.info
      www.fordcollege.info
      www.gatewaycollege.no
    { 2010-01-23: Rule was removed - may be an issue with the pornproxy* but not with proxy* }

29. Action: "thumb" rule
    Removed:
      BadHostParts[i++] = "thumb";
    Reason: Too many false positives. It stays in the pornproxy file, but it goes away here. See the next rule, where I had to add two more white-list rules to the pornproxy file.

30. Action: False positives for the "thumb" rule.
    Added:
      GoodDomains[i++] = ".nameintel.com"; // thumb - 2008-12-25
      GoodDomains[i++] = "websitethumbnail.de"; // thumb - 2008-12-25
    Reason: "thumb" rule. This rule is still in the pornproxy.txt file but is gone in the normal proxy file. There are just too many thumb servers to enumerate all of them.

28 December 2008 UNresolved False Positives (HHH)
-------------------------------------------------
X. Pattern:
   Rules:
   Reason:

28 December 2008 RESOLVED False Positives (HHH)
-----------------------------------------------
X. Pattern:
   Rules:
   Reason:
   Solution:
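Added example, not code from the proxy.txt PAC file itself: a stand-alone JavaScript checker that applies a subset of the rules from entries 8, 12, 24 and 25 above, showing why the instacontent_2 and instacontent_2_ALT masks give different answers, why widening the "cul" and "free" character classes cures the circular.css and FreeBSD false positives, and why the .freebsd.org white-list entry became unnecessary. The function names ip2long, inNetwork, inDomain and classifyHost, the rule subset, and the evaluation order (white-list first, then networks, host parts, URL parts) are my own assumptions.

```javascript
// Added example, not the proxy.txt PAC code itself. Rule strings are copied from changelog
// entries 8, 12, 24 and 25; the evaluation order (white-list first) is an assumption.
// Dotted-quad IPv4 string -> unsigned 32-bit integer
function ip2long(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | parseInt(o, 10)) >>> 0, 0);
}

// Test an address against a "network, mask" rule string as written in BadNetworks
function inNetwork(ip, rule) {
  const [net, mask] = rule.split(",").map((s) => s.trim());
  const m = ip2long(mask);
  return ((ip2long(ip) & m) >>> 0) === ((ip2long(net) & m) >>> 0);
}

// ".live.com" matches any host under live.com; a bare entry matches itself or its subdomains
function inDomain(host, dom) {
  const bare = dom.replace(/^\./, "");
  return host === bare || host.endsWith("." + bare);
}

// Constructed rule subset. The "free" rule is the optional one from entry 24, enabled here.
const Rules = {
  GoodDomains: [".live.com", ".nameintel.com", "websitethumbnail.de"],
  BadNetworks: ["216.38.160.0, 255.255.240.0"],        // instacontent_2 (/20)
  BadHostParts: ["[^g]free[^bd]", "codec", "antispy"],
  BadURL_Parts: ["[^aeilnors]cul[^it]"],               // entry 12, after the change
};
// The narrower instacontent_2_ALT mask and the pre-change "cul" pattern, for comparison
const AltRules = { ...Rules, BadNetworks: ["216.38.160.0, 255.255.248.0"],
                   BadURL_Parts: ["[^aeilnos]cul[^it]"] };

// Returns "allow" (white-listed), "block" (a bad rule hit) or "pass" (no rule matched).
// The white-list is consulted first; that is what makes entries 5, 10 and 30 effective.
function classifyHost(host, url, ip, rules = Rules) {
  host = host.toLowerCase();
  if (rules.GoodDomains.some((d) => inDomain(host, d))) return "allow";
  if (ip && rules.BadNetworks.some((r) => inNetwork(ip, r))) return "block";
  if (rules.BadHostParts.some((p) => new RegExp(p).test(host))) return "block";
  if (url && rules.BadURL_Parts.some((p) => new RegExp(p).test(url.toLowerCase()))) return "block";
  return "pass";
}

// Worked cases taken from the changelog
const circular = "i.i.com.com/cnwk.1d/Ads/common/css/circular/circular.css";
console.log(classifyHost("www.freebsd.org", null, null));            // pass: [^bd] spares FreeBSD
console.log(classifyHost("i.i.com.com", circular, null));            // pass: "r" now excluded
console.log(classifyHost("i.i.com.com", circular, null, AltRules));  // block: the old pattern hit it
console.log(classifyHost("shared.live.com", null, null));            // allow: entry 5
console.log(classifyHost("cache.boston.com", null, "216.38.170.5"));           // block under /20
console.log(classifyHost("cache.boston.com", null, "216.38.170.5", AltRules)); // pass under /21
```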