Tag Archives: malware

Connection counting on your *nix based router/appliance

At my work in the past we’ve had to hunt down infected systems that have caused networks to come to a near standstill and their WAN IP/email DNS name to become blacklisted. On routers with dd-wrt, there’s a nice feature where you can see a connection count for each system. A majority of the time we have discovered that systems with very high connection counts tend to be infected and cause network issues. Unfortunately, dd-wrt doesn’t really cut it anymore for our needs and we had to shift over toward different firmware alternatives (like http://tomato.groov.pl/?page_id=164 or https://www.snbforums.com/threads/fork-asuswrt-merlin-374-43-lts-releases-v22e4-23b8.18914/ ). However, these alternatives tend not to have a connection count feature. After some Googling, I’ve found a workaround if you can get ssh or telnet access to the device:

sed -n 's/^[^=]*src=\([0-9.]*\).*/\1/p' /proc/net/ip_conntrack | sort | uniq -c | sort -nr | fgrep "$(ifconfig br0 | grep "inet addr" | awk '{print $2}' | sed 's/addr://g' | cut -d. -f1-3)."

Two details of this command matter. The source address is taken from the first src= token on each line rather than from a fixed column (awk '{print $5}'), because UDP entries in ip_conntrack have no state column, so their fifth field is dst= and a column-based count silently attributes those flows to the remote host. The trailing dot after the LAN prefix stops 192.168.1 from also matching 192.168.10.x. On kernels that only expose /proc/net/nf_conntrack, substitute that path; the src= extraction works on both layouts.

You can download the script from my website and run it this way (read the script before executing it as root on your router, and if the firmware’s busybox lacks watch, wrap it in a while sleep 1 loop instead):

wget http://zitstif.no-ip.org/concount; watch -n 1 '/bin/sh concount'
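Here is the same idea as a small script you can drop on the device, written as an added example for this post (it is not the concount script above). It pulls the source address from the first src= token so it counts UDP flows correctly in the old ip_conntrack layout and also works with the newer nf_conntrack layout, adds a helper that returns just the busiest host for a threshold alert, and demonstrates itself on a constructed conntrack table (the function names and the sample addresses are made up for the example).

```shell
#!/bin/sh
# Added example (not the blog's concount script): per-source connection
# counts from a conntrack table. It extracts the first "src=" token on each
# line instead of a fixed field number, so it works for UDP entries in the old
# /proc/net/ip_conntrack layout (no state column, so field 5 is "dst=") and
# for the newer /proc/net/nf_conntrack layout (extra "ipv4 2" prefix).
# Usage on a router: count_conns /proc/net/ip_conntrack 192.168.1
#                    count_conns /proc/net/nf_conntrack 192.168.1

# Print "count address" for every LAN source, busiest first.
# $1: conntrack table, $2: LAN prefix as three octets (e.g. 192.168.1).
count_conns() {
    # "^[^=]*src=" stops at the original-direction tuple; the reply tuple's
    # src= (the remote host) later on the line is discarded by ".*".
    sed -n 's/^[^=]*src=\([0-9.]*\).*/\1/p' "$1" \
      | grep "^$2\." \
      | sort | uniq -c | sort -nr
}

# Print only the busiest LAN address (useful for a threshold alert).
top_talker() {
    count_conns "$1" "$2" | head -n 1 | awk '{print $2}'
}

# Connection count of one address ($3), 0 if it has none.
conns_of() {
    count_conns "$1" "$2" | awk -v ip="$3" '$2 == ip {print $1; found=1} END {if (!found) print 0}'
}

# Constructed sample table in ip_conntrack layout (not captured from a real
# device): 192.168.1.20 holds three flows (one UDP, which has no state
# column), 192.168.1.10 holds one, and an outside host is probing the WAN side.
SAMPLE_TABLE='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=2
tcp      6 117 TIME_WAIT src=192.168.1.20 dst=198.51.100.9 sport=40001 dport=80 src=198.51.100.9 dst=203.0.113.5 sport=80 dport=40001 [ASSURED] mark=0 use=2
udp      17 29 src=192.168.1.20 dst=8.8.8.8 sport=50000 dport=53 src=8.8.8.8 dst=203.0.113.5 sport=53 dport=50000 mark=0 use=2
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.9 sport=40002 dport=80 src=198.51.100.9 dst=203.0.113.5 sport=80 dport=40002 [ASSURED] mark=0 use=2
tcp      6 60 SYN_RECV src=203.0.113.77 dst=203.0.113.5 sport=4444 dport=22 src=203.0.113.5 dst=203.0.113.77 sport=22 dport=4444 mark=0 use=2'

# Run the counter over the sample so the script demonstrates itself.
demo() {
    t=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_TABLE" > "$t"
    count_conns "$t" 192.168.1
    echo "busiest: $(top_talker "$t" 192.168.1)"
    rm -f "$t"
}
demo
```

On the sample the counter reports 192.168.1.20 with 3 entries and 192.168.1.10 with 1; the SYN_RECV line from 203.0.113.77 is excluded because it is not in the LAN prefix. Wrap count_conns in watch -n 1 (or a sleep loop) on the router for a live view.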

THENEWLIST.txt update (THENEWLISTupdated.txt)

I’ve compiled another HOSTS block list for those who want to block crap. If you’re not sure how to add the list to your hosts file, check out:

http://zitstif.no-ip.org/?p=570

You can download the updated HOSTS block list from here:

http://zitstif.no-ip.org/THENEWLISTupdated.txt

shasum: f94c3aee2e1483bc945e6a728ba8c70df821f5c3

Here’s a mirror:

http://s000.tinyupload.com/index.php?file_id=15983907671280562742

Enjoy less crap on the internet!

WARNING: I have tested adding this to my Windows 10 hosts file and I have noticed svchost.exe (owned by NETWORK SERVICE) spikes in CPU usage and DNS functionality stops responding momentarily until the mentioned process calms down. On my work computer running Windows 7 Professional in a domain environment the same service would spike and seem to cause a DoS condition with DNS functionality, which would not respond. USE WITH CAUTION AND TEST BEFORE DEPLOYING IN PRODUCTION ENVIRONMENTS.

#Update 10/9/2015

After testing and much consideration I do not recommend adding these hosts to your hosts file on Windows based systems unless they are higher end systems with CPU scores of roughly 8000 from https://www.cpubenchmark.net/

#Update 12/28/2015

This updated blacklist also causes issues with tennis.com comments section and Nexon account registration.

I kind of regret having ads on my website…

Today I decided to take a look at my website without any ad blocking software through Internet Explorer 11. With my web history cleared and with no cookies for Google’s ad service to create targeted ads for me, I was served a suspicious ad with this link:

hxxp://file-downloads.net/download/?pi=zitstif.no-ip.org&gclid=CJLtkeHr97wCFcURMwodTnQAtg

That looks legit!

Let’s see what VirusTotal says about this URL:

https://www.virustotal.com/en/url/f0e704606da846903a630c56cee42812a7a943b897fa550a50db0e0bbb19fccd/analysis/1393900872/

It’s too legit to quit now!

Upon visiting this link I was immediately served an EXE file named “7zip_14381_stn.exe”… how wonderful. Why don’t we just upload this to VirusTotal?

https://www.virustotal.com/en/file/fc80f6307596ce2d6139710873be7ede8693a65681067c75b9bf17617a1af070/analysis/

Granted, this piece of software isn’t necessarily malicious per se, but it’s the kind of crap I get sick of seeing on Windows systems. Here are some tools I strongly recommend using when dealing with this kind of junkware:

http://www.bleepingcomputer.com/download/rkill/
http://www.bleepingcomputer.com/download/junkware-removal-tool/
http://www.bleepingcomputer.com/download/adwcleaner/

In addition, I recently found a tool that is kind of equivalent to having a portable version of VirusTotal:

http://www.herdprotect.com/downloads.aspx

It doesn’t delete/quarantine/cure anything and it can throw false positives, so use the herdprotect scanner with care, but it is still very useful. Anyways, I wish Google’s ad service would stop referring people to crapware, but they’re paying customers too, and no, you won’t offend me if you use ad blocking software on my website.

THELIST.txt update (THENEWLIST.txt)

In this post I am simply doing an update to the ‘THELIST.txt’ file, which is essentially a blacklist of web servers that are ad servers or have been found to be malicious. I have added more servers (mostly ad web servers). The file is accessible here:

http://zitstif.no-ip.org/THENEWLIST.txt
SHA1 (THENEWLIST.txt) = 02a2e93167f680a09f5047ef1b081483b680bfde

You can then download this file and append the contents of ‘THENEWLIST.txt’ to your hosts file.

For Microsoft Windows you will most likely have to do the following:

1.) iexplore http://zitstif.no-ip.org/THENEWLIST.txt
2.) Save the file to a location
3.) Run CMD.exe as an Administrator
4.) ‘cd’ to the directory where you saved ‘THENEWLIST.txt’
5.) Check the download against the SHA1 above: certutil -hashfile THENEWLIST.txt SHA1
6.) Execute the following command: attrib -R C:\WINDOWS\system32\drivers\etc\hosts
7.) Then execute this command: type THENEWLIST.txt >> C:\WINDOWS\system32\drivers\etc\hosts
8.) Execute the following command: attrib +R C:\WINDOWS\system32\drivers\etc\hosts
9.) Run ipconfig /flushdns so answers already cached by the DNS Client service do not outlive the change

For *nix hosts do:

1.) Gain root via: su or sudo -i
2.) wget http://zitstif.no-ip.org/THENEWLIST.txt
3.) Check the download against the SHA1 above: sha1sum THENEWLIST.txt
4.) cat THENEWLIST.txt >> /etc/hosts
5.) ls -l /etc/hosts should still show a root-owned -rw-r--r-- file. Root does not need a chmod to append, and /etc/hosts must never be left world-writable: any local user could then point any hostname at an address of their choosing. Fetching with wget (or curl) also avoids having to filter HTTP headers out of a raw nc response.
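The same procedure as a script, covering the *nix steps above (the digest check and the sink-address rule apply equally to the Windows steps). This is an added example, not part of the original post or of the list itself. It assumes the list is already downloaded and takes the published SHA1 as an argument; it accepts only entries that sink a name to 0.0.0.0 or 127.0.0.1, so a tampered list cannot redirect a hostname to a routable address; and it keeps its entries between marker comments so re-running it replaces the old block instead of appending a second copy. The marker strings, function names and the sample list in the test are invented for the example.

```shell
#!/bin/sh
# Added example; not the blog's own procedure. Installs a hosts-style block
# list safely: the file's SHA-1 is checked against the published digest, only
# entries that sink a name to 0.0.0.0 or 127.0.0.1 are accepted (a tampered
# list must not be able to redirect a hostname to an attacker's address), the
# entries live between marker lines so re-running replaces rather than
# duplicates them, and the hosts file keeps root-owned 0644 permissions.
# Usage (as root): install_list THENEWLIST.txt 02a2e93167f680a09f5047ef1b081483b680bfde /etc/hosts

BEGIN_MARK='# BEGIN THENEWLIST'   # marker strings chosen for this example
END_MARK='# END THENEWLIST'

# SHA-1 hex digest of a file; GNU sha1sum or BSD shasum, whichever exists.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum -a 1 "$1"; fi | cut -d' ' -f1
}

# Exit 0 when the file's digest matches the expected one, 1 otherwise.
verify_list() {
    [ "$(sha1_of "$1")" = "$2" ]
}

# Keep only "0.0.0.0 name" / "127.0.0.1 name" lines, dropping comments and
# anything that would map a name to a routable address.
valid_entries() {
    sed 's/#.*//' "$1" | awk 'NF == 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1") && $2 ~ /^[A-Za-z0-9.-]+$/ {print $1, $2}'
}

# install_list LISTFILE EXPECTED_SHA1 HOSTSFILE
install_list() {
    list="$1"; digest="$2"; hosts="$3"
    verify_list "$list" "$digest" || { echo "digest mismatch for $list" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # Copy the hosts file without any earlier copy of our block (awk always
    # terminates the last line, so the new block never glues onto it).
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '$0 == b {skip=1} !skip {print} $0 == e {skip=0}' "$hosts" > "$tmp"
    { echo "$BEGIN_MARK"; valid_entries "$list"; echo "$END_MARK"; } >> "$tmp"
    cat "$tmp" > "$hosts"      # rewrite in place: same inode, owner and mode
    rm -f "$tmp"
    chmod 644 "$hosts"
}

# Number of blocked names currently installed between the markers.
installed_count() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '$0 == e {inb=0} inb {n++} $0 == b {inb=1} END {print n+0}' "$1"
}
```

Run it as root with the path of the downloaded list, the SHA1 published above, and /etc/hosts; a digest mismatch aborts before anything is written, and a second run with an updated list simply swaps the block between the markers.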

I hope this is useful to you. I think most people would like nearly ad-free web browsing. In addition to that, legitimate ad servers have been known to serve up malware:

http://news.cnet.com/8301-27080_3-20000898-245.html

So by using this file in tandem with the Adblock extension/plugin you can get for Firefox/Google-Chrome, you will be less annoyed by ads and not have to be too concerned about ads serving up malware for you.

If you have any questions, comments, or concerns feel free to contact me.