
SANS Internet Storm Center (ISC) InfoSec Forums: Bing Searches generate GET request to pre.footprintpredict.com


Bing Searches generate GET request to pre.footprintpredict.com
I have seen logs where a small group of users' Bing searches generate a GET request to a gif file located on the above domain. This only occurs when users generate a search with Bing and does not occur with every user. It appears the above domain is affiliated with Microsoft, but not really sure. Also, as of last night, if you were to go to footprintpredict.com you would have been redirected to the Bing search engine. Blue Coat proxy identifies the above domain as Malicious and there is a snippet of information on VirusTotal, but other than that, nothing.

Anonymous
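One way to check your own proxy logs for the pattern the poster describes (requests to pre.footprintpredict.com, and whether each one was referred from a Bing search page), as an added example that is not part of the original post; the log layout and the sample lines are constructed for illustration and would need adjusting to your proxy's actual export format:

```python
"""Flag proxy log entries that fetch from pre.footprintpredict.com and
report which clients trigger them and whether the request came from a
Bing search (Referer on bing.com)."""
from collections import defaultdict
from urllib.parse import urlparse

WATCH_HOST = "pre.footprintpredict.com"

# Constructed sample lines in a simplified space-separated layout
# (assumed, not Blue Coat's real format):
# timestamp client_ip method url status referer
SAMPLE_LOG = """\
2013-05-01T10:00:01 10.0.0.5 GET http://www.bing.com/search?q=weather 200 -
2013-05-01T10:00:02 10.0.0.5 GET http://pre.footprintpredict.com/img/p.gif 200 http://www.bing.com/search?q=weather
2013-05-01T10:00:07 10.0.0.9 GET http://www.google.com/search?q=weather 200 -
2013-05-01T10:01:12 10.0.0.7 GET http://pre.footprintpredict.com/img/p.gif 200 http://www.bing.com/search?q=news
2013-05-01T10:02:30 10.0.0.7 GET http://example.com/ 200 -
2013-05-01T10:03:00 10.0.0.11 GET http://pre.footprintpredict.com/img/p.gif 404 -
"""

def parse_line(line):
    ts, client, method, url, status, referer = line.split()
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": int(status), "referer": referer}

def flag_hits(log_text, watch_host=WATCH_HOST):
    """Return {client_ip: [(timestamp, from_bing)]} for requests to watch_host."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if urlparse(rec["url"]).hostname != watch_host:
            continue
        # A "-" referer means none was logged; urlparse gives hostname None for it.
        ref_host = urlparse(rec["referer"]).hostname
        from_bing = ref_host is not None and (
            ref_host == "bing.com" or ref_host.endswith(".bing.com"))
        hits[rec["client"]].append((rec["ts"], from_bing))
    return dict(hits)

def summarize(hits):
    """Count affected clients and how many hits carried a Bing referer."""
    total = sum(len(v) for v in hits.values())
    bing = sum(1 for v in hits.values() for _, b in v if b)
    return {"clients": len(hits), "hits": total, "from_bing": bing}

if __name__ == "__main__":
    h = flag_hits(SAMPLE_LOG)
    for client, events in h.items():
        print(client, events)
    print(summarize(h))
```

Clients that hit the domain without a Bing referer (10.0.0.11 in the sample) are the ones worth a closer look, since the poster only observed the request following a Bing search.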

Interesting. Thank you for sharing. Please do let us know if this continues and/or if any further insights come to light.

Alex Stanford

The server seems to be connected with either the DOD or someone attempting to spoof the DOD. In any event, I have confirmed that the server is malicious, as it was confirmed to be associated with hacking, based upon our router log comparisons. (Timing of the access was incidental to timing of a failed R-Login attack and several attempted DDoS-ACK attacks, and it was also suspected of attempting to modify NAT firewall rules.) It always seems to be associated with a raw IP address in proximity to it, usually one to three requests down the list from it. The raw IPs usually host an nginx server on port 80, based on port scans, and never contain an index.html file, or anything else, in the root directory; instead the server returns a 404. IP and DNS lookups fail to resolve a host name. This server was also caught trying to attack Tor exit nodes. It is recommended that this server be blocked via your router's firewall.

Anonymous

