19 April 2009 Changes (HHH)
---------------------------

1. Action: ".lb-revsci.net"
   Added:
      BadDomains[i++] = ".lb-revsci.net"; // PRIVUS Tracker - 2009-02-09
   Reason: I forgot about this one when I added the rules for ".revenuescience.net" and ".revsci.net", but it is part of the same group of trackers. As I said before, we just lost two of their tracker hosts, but foolish me for not realizing they were gbl13.lb-revsci.net and gbl17.lb-revsci.net. Also as I said before, I just want to catch any new ones if they show up and ADD THEM TO THE HOSTS FILE BECAUSE THAT IS WHERE THEY SHOULD BE. I will NEVER give these rules to anybody else.
   { 2010-01-23: Rule deprecated and removed by the revsci rule in the URL itself. }

2. Action: antivirusyellowpages.com
   Added:
      GoodDomains[i++] = "antivirusyellowpages.com"; // 2009-02-12
   Reason: Exclusion to the "antivir" rule. What I really need is the ones for the REAL AntiVirus companies. I did not see, for example, something at Avira, whose product is "Antivir", which matches the pattern EXACTLY.

3. Action: ".edu.cn" & ".ac.uk"
   Added:
      GoodDomains[i++] = ".edu.cn"; // 2009-02-17
      GoodDomains[i++] = ".ac.uk"; // 2009-02-17
   Reason:
      http://www.pku.edu.cn/academic/research/computer-center/tc/html/TC0306.html
      http://www.ox.ac.uk/
      http://www.cam.ac.uk/
   Trust the Chinese, like the UK, to come up with their own EDU domain. But for the UK it is ".ac.uk". Now what is it in France? OOPS. Just ".fr". They will have to add themselves. Or sorbonne.fr; what are the others? Oops again for the Paris system, since most of them are numbers: "univ-paris#.fr". Omit one and you slight them all - let THEM add them. Anybody want an "ac.fr" domain they are all under? I WOULD!

4. Action: Forgot to remove IP proxy rule from English file
   Removed:
      BadNetworks[i++] = "67.159.35.59, 255.255.255.255"; // 42
   Reason: No longer valid. Eventually I am going to throw out all IP proxy rules. It is too easy for them to pick up things and move them elsewhere.

5. Action: Added numbers and dates to all of the RealMedia rules
   From: without numbers and dates
   To: numbers and dates, with REALMEDIA now in CAPS
   Reason: Make it easier to find them.

6. Action: New REALMEDIA rule for new range.
   Added:
      BadNetworks[i++] = "8.14.193.9, 255.255.255.128"; // VOTRE CHOIX REALMEDIA-5 - 2009-02-23
   Reason: There was only one flyer out of the range, which was 66, so it is a gamble and thus a choice for the user. If that causes problems we will have to scale the last byte of the netmask to 192, which takes us to 63.

7. Action: Allow people to be scanned.
   Added:
      GoodDomains[i++] = ".techguy.org"; // 2009-02-23
   Reason: Originally I thought the "hot" (optional rule) hit on static.techguy.org was a false positive. But now I find that it is an alias to techguy.cachefly.net and is thus part of an advertising service. I looked at their stuff, though, and they need the image (it is NOT a 1x1 tracker) to make sense of the page. ads.techguy.org is still blocked by the hosts file.

8. Action: Block a lot of hosts that are all aliased to wfb.zoneedit.com
   Added:
      BadNetworks[i++] = "69.72.142.98, 255.255.255.255"; // wfb.zoneedit.com-1 2009-02-14
      BadNetworks[i++] = "216.98.141.250, 255.255.255.255"; // wfb.zoneedit.com-2 2009-02-14
   Reason: A lot of them here have exploits and trojans, all from the same group of people. I want to stop them.

9. Action: Modified IP rule because I didn't omit the leading '0'
   From:
      BadNetworks[i++] = "212.113.031.48, 255.255.255.248"; // ...
   To:
      BadNetworks[i++] = "212.113.31.48, 255.255.255.248"; // ...
   Reason:

10. Action: Modified the recently added REALMEDIA-5 rule
    From:
       BadNetworks[i++] = "8.14.193.9, 255.255.255.128"; // VOTRE CHOIX REALMEDIA-5 - 2009-02-23
    To:
       // BadNetworks[i++] = "8.14.193.9, 255.255.255.192"; // YOUR CHOICE REALMEDIA-5 - 2009-02-23
    Reason: wwwimages.adobe.com, i.pcworld.com, ai.pricegrabber.com. They are NOT RealMedia hosts but are in the IP range. Actually, the rule was blocking past 127 and I do not know why. But I am going to have to live with it for a while. By that I mean only I am going to live with it for a while and give others the option, but I had to reduce the hosts it blocks from 8.14.193.9 ... 8.14.193.127 to 8.14.193.9 ... 8.14.193.63. I am still having problems with the rule.

11. Action: Exclusion for "filter" rule
    Added:
       GoodDomains[i++] = "antispamfilterblocker.com"; // 2009-03-06
    Reason: To evade the "filter" proxy rule.

12. Action: Exclusion for the "antivir" rule
    Added:
       GoodDomains[i++] = "pcantivirusreviews.com"; // 2009-03-11
    Reason: Itself.

13. Action: Dropped scope of "suck" rule
    From:
       BadURL_Parts[i++] = "suck";
    To:
       BadHostParts[i++] = "suck";
    Reason:
       http://www.peereboom.us/adsuck/
       http://www.openbsd.org/cgi-bin/cvsweb/ports/net/adsuck/

14. Action: BadNetworks rule for former malware hosts
    Added:
       BadNetworks[i++] = "61.145.126.204, 255.255.255.255"; // MALWARE - 2009-03-12
    Reason: There are a lot of hosts like [www.]italissa.cn. It was originally at IP address 058.221.032.162 and active. I got the host from MalWareDomainList. Then the host was parked at IP address 061.145.126.204. Then it changed to IP address 066.186.033.060. When I got the home page I had the following URLs in it:
       61.145.126.204:81/stats.htm?d=italissa.cn
       tongji.hupo.com/stat.php?id=6
    Port 81 is known as the RemoConChubo Trojan (SANS lists), so I am blocking all of these addresses for now. I had already blocked the tongji.hupo.com tracker. I assume this is a new kind of tracker, but why port 81? It is better to be safe rather than sorry.

15. Action: checkoutfree.com & ussearch.com
    Added:
       GoodDomains[i++] = "checkoutfree.com"; // ussearch.com
    Reason: Was used by a reverse phone number to check out, but is not needed unless you uncomment the "free" rule. This is not in the French file (not needed).

16. Action: click-new-download.com
    Added:
       BadDomains[i++] = ".click-new-download.com"; // P2P - 2009-03-24
    Reason: Airelle has them for frostwire, limewire, morpheus et al. But vital HEALTH RECORD INFORMATION IS BEING PUMPED OUT ON THE INTERNET DUE TO THESE DAMN PROGRAMS. So, I am adding this rule and the main host to the hosts file.

17. Action: Rogue-Ware prevention
    Added:
       BadURL_Parts[i++] = "av2008"; // Rogue-Ware 2009-03-28
       BadURL_Parts[i++] = "av2009"; // Rogue-Ware 2009-03-28
    Reason: They encrypt your files and extort $50 out of you to pay to have them decrypted. SANS highlighted them as a threat and these are the main files, so I blocked them.

18. Action: Removed optional RealMedia rule
    Removed:
       // BadNetworks[i++] = "8.14.193.9, 255.255.255.192"; // YOUR CHOICE REALMEDIA-5 - 2009-02-23
    Reason: It caused too many problems.

19. Action: ccbill.com is a DNSWCD tracker
    Added:
       BadDomains[i++] = ".ccbill.com"; // DNSWCD Tracker - 2009-03-30
    Reason: Airelle has front1r.ccbill.com, and the host name kjasdhadjkfjkask.ccbill.com returns an IP address. I didn't get ccbill.com until recently with an extended URL through privateproxysoftware.com, and one of its links got blocked by googleads.g.doubleclick.net and refer.ccbill.com was in it. I suspect there are more.

20. Action: esomniture.com is a DNSWCD tracker
    Added:
       BadDomains[i++] = ".esomniture.com"; // DNSWCD Tracker - 2009-03-30
    Reason: Airelle's hosts lists show that almost anything goes, and since I don't have ANYTHING in my logs I am adding this rule and blocking the cookie as well - just in case they do cross-cookie setting.

21. Action: warez FALSE POSITIVE
    From:
       BadURL_Parts[i++] = "warez";
    To:
       BadURL_Parts[i++] = "warez[^o]"; // MALWARE 2009-04-02
    Reason:
       www.emsisoft.es/images/awards/securitysoftwarezone_5stars_120.jpg

22. Action: BIGGIE ADS RULE
    Added:
       BadHostWordStarts[i++] = "ads\."; // YOUR CHOICE ADS - 2009-04-02
    Reason: MVPHosts added several more and I don't have time to look at the FALSE POSITIVE (actually it is an exclusion) that the ABP EZ-List has. Will handle it when we come to it.

23. Action: *.edu.tw GoodDomains rule
    Added:
       GoodDomains[i++] = ".edu.tw"; // 2009-04-07
    Reason: dmm.tit.edu.tw, BUT it was doing a radmin probe (well, I ASSUME it was a probe), so if I keep seeing more of the same there may be an IP block. On that point, I am backing away from WAN-SCAN IP blocks unless there is some extensive scanning from what I block.

24. Action: removed all of the dwnld1.com IP addresses
    Removed:
       BadNetworks[i++] = "67.228.177.143, 255.255.255.255"; // dwnld1.com_4 - 2008-12-02
       BadNetworks[i++] = "67.228.177.146, 255.255.255.255"; // dwnld1.com_5 - 2008-12-02
       BadNetworks[i++] = "78.46.88.202, 255.255.255.255"; // dwnld1.com_1 - 2008-12-02
       BadNetworks[i++] = "80.10.246.5, 255.255.255.255"; // dwnld1.com_6 - 2008-12-09
       BadNetworks[i++] = "85.17.4.200, 255.255.255.255"; // dwnld1.com_2 - 2008-12-02
       BadNetworks[i++] = "88.198.8.15, 255.255.255.255"; // dwnld1.com_3 - 2008-12-02
    Reason: They are gone. I kept it for about a month in case they came back. That is long enough.

25. Action: added AdBureau BadNetworks IP address rules
    Added:
       BadNetworks[i++] = "64.74.197.0, 255.255.255.0"; // YOUR CHOICE ADBUREAU-1 - 2009-04-10
    Reason: media.zoominfo.com - it showed up in my cookie list.

26. Action: Added exclusion for proxy.org and unblockcity.org
    Added:
       GoodDomains[i++] = ".proxy.org"; // Au Revoir PAC - 2009-04-14
       GoodDomains[i++] = "unblockcity.org"; // Au Revoir PAC - 2009-04-11
    Reason: Goodwill & goodbye to blocking proxies - no time. People will just have to learn the hard way that proxies turn off the PAC filter. Do I care? NO! Do I care if they get the machine they are using infected? If it is their machine, NO. If it is a company machine, YES. But there is very little I can do about it. If it is a school computer and they cause another person like Julie Amero to go through hell? BURN THE LITTLE BRATS IN HELL! This filter is being used voluntarily and not in a school anyway.

27. Action: Tracker rule
    Removed:
       BadHostParts[i++] = "stat[(i|s)]"; // YOUR CHOICE - Tracker - 2009-04-12
    Reason: Discussion with Marco Peereboom.

28. Action: Removed an IP address that is no longer used by 2o7.net
    Removed:
       BadNetworks[i++] = "209.85.51.0, 255.255.255.0"; // 2008-09-03
    Reason: It is now remapped into the cnomy.com / skenzo.com PARK AREA. I am also going to remove any of the hosts in this

29. Action: Added some more Proxy rules
    Added:
       BadHostParts[i++] = "anony"; // PROXY YOUR CHOICE - 2009-04-18
       BadHostParts[i++] = "around"; // PROXY YOUR CHOICE - 2009-04-18
       // BadHostParts[i++] = "block"; // PROXY YOUR CHOICE - 2009-04-18
       BadHostParts[i++] = "firewall"; // PROXY YOUR CHOICE - 2009-04-18
       BadHostParts[i++] = "prok[(c|s)]"; // PROXY YOUR CHOICE - 2009-04-18
       BadHostWordStarts[i++] = "anon"; // PROXY YOUR CHOICE - 2009-04-18
       GoodDomains[i++] = "adblockplus.org"; // block - 2009-04-18
    Reason: I have removed all of the proxy hosts. If people want to go through proxies and turn off the PAC filter's protection and get their computer infected at the porn site, LET THEM! This is just a not-so-subtle reminder that if they use the ones that match a rule, they just disabled the PAC filter. It also shows them that if they want better ways of making it through a filter's protection at school or work, pick a better name that a pattern won't match! The pro filters also have access to this PAC filter as well, but I think they all noticed these people aren't very inventive.

30. Action: Made it clearer what some exclusions were doing
    From:
       GoodDomains[i++] = "antispamfilterblocker.com"; // 2009-03-06
       GoodDomains[i++] = "antivirusyellowpages.com"; // 2009-02-12
    To:
       GoodDomains[i++] = "antispamfilterblocker.com"; // filter - 2009-03-06
       GoodDomains[i++] = "antivirusyellowpages.com"; // antivir - 2009-02-12
    Reason: To make it clear what we are counteracting. Actually the second WAS the new way in the FR files.

31. Action: Added an IP address where some WAN scans are coming from
    Added:
       BadNetworks[i++] = "61.139.105.128, 255.255.255.192"; // WAN-SCAN - 2009-04-18
    Reason: 061_139_105_128-061_139_105_191.txt file. They have been doing some scanning for quite a while now. I missed capturing some of them because my little D-Link router / firewall has a limited log size. I am debating whether to buy a new off-the-shelf D-Link, or get a small machine, put OpenBSD and SNORT on it and get some stuff that is really good (would also need a switch). I have a limited amount of plug space and a limited budget. It will probably be the D-Link.

32. Action: Comments in French files
    From: Malware / MALWARE
    To: MALICIELS
    Reason: More technically correct.

19 April 2009 UNresolved False Positives (HHH)
----------------------------------------------

NONE

19 April 2009 RESOLVED False Positives (HHH)
--------------------------------------------

1. I THOUGHT I had one with this in my log:
      http://trupassion.hopfeed.com/script/hopfeed_widget_content.js
   But it turns out they are involved with this one:
      http://trupassion.downlod.hop.clickbank.net/?tid=antispam&hopfeed_id=RKVEF8GXNN_2
   The "passion" hit happened only with the pornproxy filter at:
      http://antispamfilterblocker.com
   Since there were no other "passion" blocks in my logs this is a first. Since it is also associated with hop.clickbank.net (I will be adding a block for trupassion.downlod.hop.clickbank.net in the hosts file), it is not a False Positive, but a TRACKER.
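The rule arrays this log edits (GoodDomains, BadNetworks with a netmask, BadDomains, BadHostParts, BadHostWordStarts, BadURL_Parts) can be exercised with the following added example, which is not the PAC filter's own code. The evaluation order, regular-expression matching for the *Parts rules and isInNet()-style masking are assumptions, and the rule values are a constructed subset of those quoted above; netRange() shows that under that masking the REALMEDIA-5 rule with 255.255.255.128 covers 8.14.193.0 through .127 and 255.255.255.192 cuts it to .63, the scaling entries 6 and 10 describe.

```javascript
// Added example, not the PAC filter's own code: a minimal matcher over rule
// arrays of the kinds this changelog edits. Evaluation order and the use of
// JavaScript regular expressions for the *Parts rules are assumptions.
const ipToInt = (ip) =>
  ip.split(".").reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
const intToIp = (n) => [24, 16, 8, 0].map((s) => (n >>> s) & 255).join(".");

// The test a PAC isInNet() performs: (ip & mask) == (net & mask).
function inNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// First and last address a "net, mask" BadNetworks rule actually covers.
function netRange(net, mask) {
  const m = ipToInt(mask);
  const first = (ipToInt(net) & m) >>> 0;
  return [intToIp(first), intToIp((first | ~m) >>> 0)];
}

// Constructed subset of the rules quoted in the entries above.
const rules = {
  GoodDomains: ["antivirusyellowpages.com", ".ac.uk"],
  BadNetworks: ["8.14.193.9, 255.255.255.192"],
  BadDomains: [".ccbill.com"],
  BadHostParts: ["suck", "prok[(c|s)]"],
  BadHostWordStarts: ["ads\\."],
  BadURL_Parts: ["warez[^o]", "av2009"],
};

// ".ac.uk"-style entries match any subdomain; bare names match exactly or as a suffix.
const domainMatch = (host, d) =>
  d.startsWith(".") ? host.endsWith(d) : host === d || host.endsWith("." + d);

// resolvedIp stands in for dnsResolve(host), which only exists inside a PAC engine.
function classify(url, resolvedIp) {
  const host = new URL(url).hostname.toLowerCase();
  if (rules.GoodDomains.some((d) => domainMatch(host, d))) return "allow";
  if (resolvedIp && rules.BadNetworks.some((r) => {
        const [net, mask] = r.split(",").map((s) => s.trim());
        return inNet(resolvedIp, net, mask);
      })) return "block:network";
  if (rules.BadDomains.some((d) => domainMatch(host, d))) return "block:domain";
  if (rules.BadHostParts.some((p) => new RegExp(p).test(host))) return "block:hostpart";
  if (rules.BadHostWordStarts.some((p) => new RegExp("(^|\\.)" + p).test(host)))
    return "block:hostwordstart";
  if (rules.BadURL_Parts.some((p) => new RegExp(p).test(url))) return "block:urlpart";
  return "allow";
}
```

The emsisoft URL from entry 21 passes because "warez[^o]" refuses the "o" in "softwarezone", and the adsuck URL from entry 13 passes because "suck" is now tested against the host only.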