
Thread: Help required in decoding suspicious URL

  1. #1

    Help required in decoding suspicious URL

    Hi Group,
    Need your help in understanding and decoding these URLs that I have got from my proxy. These URLs seem to be obfuscated. Appreciate it if anyone could help me in decoding these URLs.

    Sample of URLs:

    http://i-e-g-n-9-p-2-5-0-9-1-1-b-h-9...fo/VERSION.TXT
    http://3-4-c-9-9-f-2-3-2-6-6-q-j-2-5...fo/VERSION.TXT
    http://v-q-z-q-y-1-o-n-8-u-q-9-v-d-x...fo/VERSION.TXT
    http://8-n-9-0-f-f-u-3-9-0-y-n-9-m-9...fo/VERSION.TXT
    http://4-e-q-o-8-y-w-i-3-r-0-p-q-o-5...fo/VERSION.TXT
    http://s-4-r-d-7-j-m-9-0-9-1-2-5-2-7...fo/VERSION.TXT

    Regards

  2. #2
    fb1h2s (Security Researcher; India; joined Jul 2010)
    Unless and until you provide more info on the same, we wouldn't be able to do anything.
    Hacking Is a Matter of Time Knowledge and Patience

  3. #3
    Hi fb1h2s,

    Let me know any specific information that you are looking for; I would share that. Just to give more background on the issue... One of the desktops seems to be infected with some backdoor or trojan that is trying to send some information out. Going through the proxy logs, the system is continuously trying to connect to the URLs given earlier. These URLs are changing with each request. I am trying to find the malicious program that could be running on this system.
    If anyone could help in decoding or understanding these HTTP links, so that I at least know what server it is trying to connect to.
    Any guidance in this direction is appreciated.

    Regards

  4. #4
    Well, these are dynamic addresses. Right now all of them seem to be dead.
    So you need to do a whois on them at the time you find one URL.
    A simple way to do it is using some sites like Traceroute, Ping, Domain Name Server (DNS) Lookup, WHOIS.
    Just remove "/VERSION.TXT" and "http://" from the URL and put the remaining string in for an express lookup on that site, or do a whois on that string.
    Orkut id: neo1981
    Blog: infosec-neo.blogspot.com
    Nothing is Impossible*
    *Conditions Apply

  5. #5
    Hi Neo,

    Thanks for your comment. I have already done that... but no success, as these URLs are not recognized by search engines as such. I am trying to get some info if anyone has come across URLs in this format, or any tool or link to decode them, to get some direction...
    Anyway, thanks for your input.
    Regards,

  6. #6
    Security Researcher (Pune, Maharashtra, India; joined May 2011)
    Not exactly this format, but a similar kind of format I have seen as part of malware. This URL format was used to get the commands from the remote server. There was a whole bunch of domain names in sequence.

  7. #7
    abhaythehero (Super Commando Dhruv; Lucknow/Pune, India; joined Sep 2010)
    I too am of the opinion that malware has been installed and it is communicating via HTTP using these URLs. What perplexes me is how such a URL domain can be allocated, even dynamically? I don't think lookup tools will work here.

    These URLs are encoded. That is for sure. But are they being decoded by the malware itself? But Immaturedevil says he got this in his proxy logs.
    In the world of 0s and 1s, are you a zero or The One !

  8. #8
    Hi Immaturedevil,
    why don't you sniff your connection first? I thought it would help you to discover from where to where the information was sent. Maybe you can use Wireshark (just my opinion).

    // sorry for my bad grammar (hope someone can correct it, if incorrect... thanks in advance)

  9. #9
    Security Researcher (Pune, Maharashtra, India; joined May 2011)
    Quote Originally Posted by abhaythehero:
    I too am of the opinion that malware has been installed and it is communicating via HTTP using these URLs. What perplexes me is how such a URL domain can be allocated, even dynamically? I don't think lookup tools will work here.

    These URLs are encoded. That is for sure. But are they being decoded by the malware itself? But Immaturedevil says he got this in his proxy logs.
    Abhay, check this out:
    Encyclopedia entry: Worm:Win32/Esfury.A - Learn more about malware - Microsoft Malware Protection Center

    Once upon a time in the distant past, when I was tasked to review Websense logs to catch perverts, I also happened to stumble upon a similar kind of request; the attraction factor was around 80K requests per month, which naturally means a lot more than what I can expect from a human. Some deep diving and I was able to pinpoint the above-linked stuff.

    So yes, people do come up with varied means of spreading an infection.
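    The two practical suggestions in this thread, stripping the scheme and path from each URL to get a string for whois (post #4) and looking at request volume per client (post #9), can be automated over the proxy log itself. The script below is an added example written for this page, not code from any poster; the log lines, client addresses and hostnames in it are constructed, and the Squid-style "timestamp client method url" layout and the threshold of eight hyphen-separated single characters are assumptions chosen for the illustration.

```python
"""Flag hyphen-separated single-character hostnames in proxy logs.

Added example for this thread; the log lines and hostnames below are
constructed, not taken from the poster's proxy.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed proxy log lines in an assumed Squid-style
# "timestamp client method url" layout.
SAMPLE_LOG = """\
1300000001.123 10.0.0.5 GET http://a-b-1-c-2-d-3-e-4-f-5-g-6-h.example.info/VERSION.TXT
1300000002.456 10.0.0.5 GET http://9-z-8-y-7-x-6-w-5-v-4-u-3-t.example.info/VERSION.TXT
1300000003.789 10.0.0.7 GET http://www.example.com/index.html
1300000004.012 10.0.0.5 GET http://q-1-r-2-s-3-t-4-u-5-v-6-w-7.example.info/VERSION.TXT
1300000005.345 10.0.0.9 GET http://my-site.example.org/page
"""

# A DNS label made only of single alphanumeric characters joined by hyphens,
# e.g. "a-b-1-c-2". MIN_SEGMENTS (assumed value) keeps ordinary names such as
# "my-site" out of the report.
MIN_SEGMENTS = 8
_HYPHEN_LABEL = re.compile(r"^[a-z0-9](?:-[a-z0-9])+$")


def lookup_string(url: str) -> str:
    """Return the bare host to feed into whois/DNS: the URL with its scheme
    and path removed, which is the manual step post #4 describes."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host.lower()


def is_suspicious_host(host: str) -> bool:
    """True when the leftmost label is a run of MIN_SEGMENTS or more single
    characters separated by hyphens."""
    first_label = host.lower().split(".")[0]
    if not _HYPHEN_LABEL.match(first_label):
        return False
    return first_label.count("-") + 1 >= MIN_SEGMENTS


def parse_proxy_log(text: str):
    """Yield (timestamp, client, method, url) tuples; short lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        yield parts[0], parts[1], parts[2], parts[3]


def flag_requests(text: str) -> dict:
    """Summarise suspicious requests: the hosts to look up, in log order, and
    how many hits each client produced. A high per-client count is the volume
    signal post #9 relied on (far more requests than a person would make)."""
    hosts = []
    per_client = Counter()
    for _ts, client, _method, url in parse_proxy_log(text):
        host = lookup_string(url)
        if is_suspicious_host(host):
            hosts.append(host)
            per_client[client] += 1
    return {"hosts": hosts, "per_client": dict(per_client)}


if __name__ == "__main__":
    result = flag_requests(SAMPLE_LOG)
    for host in result["hosts"]:
        print("lookup:", host)
    for client, count in result["per_client"].items():
        print(f"{client}: {count} suspicious request(s)")
```

    Run it against a real export by replacing SAMPLE_LOG with the file contents and adjusting parse_proxy_log to the proxy's actual column order; the per-client counter is what turns a handful of odd-looking URLs into a list of hosts to examine, and the hosts list gives the exact strings to paste into a whois or DNS lookup while the domains are still live.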

  10. #10
    abhaythehero (Super Commando Dhruv; Lucknow/Pune, India; joined Sep 2010)
    Quote Originally Posted by Anant Shrivastava:
    Abhay, check this out:
    Encyclopedia entry: Worm:Win32/Esfury.A - Learn more about malware - Microsoft Malware Protection Center

    Once upon a time in the distant past, when I was tasked to review Websense logs to catch perverts, I also happened to stumble upon a similar kind of request; the attraction factor was around 80K requests per month, which naturally means a lot more than what I can expect from a human. Some deep diving and I was able to pinpoint the above-linked stuff.

    So yes, people do come up with varied means of spreading an infection.
    So that means lookup tools must give some information about these URLs? Still confused about the domain though. Are there any non-commercial DNS servers that would give them the liberty to take such a URL?
    In the world of 0s and 1s, are you a zero or The One !
