MISP / misp-warninglists

Warning lists to inform users of MISP about potential false-positives or other information in indicators
http://misp.github.io/misp-warninglists/

Suspicious or not responding domains in Alexa #50

Open cgi1 opened 6 years ago

cgi1 commented 6 years ago

Hi *,

during an evaluation of a project I did some evaluation where I found out that some of the Alexa domains should not be on the warninglist. I understand the warning list more as a whitelist.

Two examples:

04dn8g4f.space
srvr.work

The first one is mainly spreading adware and the second one is not resolving.


cgi1 commented 6 years ago

Wrote some qnd script to check Alexa top 1000. Result:

Domains not resolving to an IP:
-------------------------------
absoluteclickscom.com
banvenez.com
blogimg.jp
bp.blogspot.com
clotraiam.website
cloudfront.net
doorblog.jp
googleusercontent.com
japanpost.jp
livedoor.biz
mediaprovide.com
nhk.or.jp
nyaa.se
reddituploads.com
redirectvoluum.com
shink.in
srvr.work
trackingclick.net
uidai.net.in
witchcraftcash.com
wixsite.com
ytimg.com
zytpirwai.net

Script:

```python
"""
Script to check Alexa Top1000 websites for domains which do not return any IP
author: CGi Christoph Giese
"""

import socket
import os


def get_ips_for_host(host):
    # gethostbyname_ex returns (hostname, aliaslist, ipaddrlist);
    # on NXDOMAIN it raises socket.gaierror, which we map to an empty result.
    try:
        ips = socket.gethostbyname_ex(host)
    except socket.gaierror:
        ips = []

    if len(ips) == 0:
        # no answer at all: print the domain as "not resolving"
        print(host)
    elif '62.138.239.45' in ips[2] or '62.138.238.45' in ips[2]:
        # Telekom DNS answers NXDOMAIN with these redirect IPs instead of an error,
        # so a domain that "resolves" to them is treated as not resolving as well
        print(host)

    return ips


# get_ips_for_host('srvr.work')

# one domain per line, expected in the current working directory
file_path = os.path.join(os.getcwd(), 'alexa_top_1000.txt')

print("Domains not resolving to an IP:")
print("-------------------------------")

with open(file_path) as fin:
    for line in fin:
        get_ips_for_host(line.rstrip())
```
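As an added example (not the script from this issue and not MISP project code), the same check generalised a little: each entry is classified as resolving, not resolving, answered by an ISP NXDOMAIN redirect, or a transient error, so that only the first two non-resolving classes are proposed for removal from the warninglist while lookups that merely timed out are re-checked instead of being dropped. The resolver is passed in as a callable so the example runs offline; the domain list and the resolver answers below are constructed, and the two redirect IPs are the ones named in the script above. Function names (`classify_domain`, `classify_domains`, `removal_candidates`) are this example's own.

```python
"""
Added example: classify a domain list so non-resolving entries can be reviewed
for removal from a warninglist. Not part of the issue or of misp-warninglists.
"""
import socket
from typing import Callable, Dict, Iterable, List

# Answers the Telekom resolver returns instead of NXDOMAIN (from the issue above).
# A domain that only resolves to these is treated as not resolving; extend the
# set with the redirect addresses of whatever resolver you run the check from.
NXDOMAIN_REDIRECT_IPS = frozenset({"62.138.239.45", "62.138.238.45"})

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """A records from the OS resolver; [] on a definite NXDOMAIN, raise otherwise."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []          # name does not exist / has no address
        raise                  # EAI_AGAIN and friends: temporary, not a verdict


def classify_domain(host: str, resolve: Resolver = system_resolver) -> str:
    """Return 'resolving', 'not_resolving', 'nxdomain_redirect' or 'error'."""
    try:
        ips = resolve(host)
    except OSError:
        return "error"         # transient failure: re-check before removing
    if not ips:
        return "not_resolving"
    if any(ip in NXDOMAIN_REDIRECT_IPS for ip in ips):
        return "nxdomain_redirect"
    return "resolving"


def classify_domains(domains: Iterable[str],
                     resolve: Resolver = system_resolver) -> Dict[str, List[str]]:
    """Group a one-domain-per-line list by class; blank lines and '#' comments skipped."""
    groups: Dict[str, List[str]] = {
        "resolving": [], "not_resolving": [], "nxdomain_redirect": [], "error": []}
    for raw in domains:
        host = raw.strip().lower()
        if not host or host.startswith("#"):
            continue
        groups[classify_domain(host, resolve)].append(host)
    return groups


def removal_candidates(groups: Dict[str, List[str]]) -> List[str]:
    """Entries worth proposing for removal; 'error' entries are deliberately excluded."""
    return sorted(groups["not_resolving"] + groups["nxdomain_redirect"])


# Constructed sample list (not the real Alexa top 1000) and constructed answers
# for an offline resolver, so the example runs without network access.
SAMPLE_LIST = """# constructed sample list
example.com
srvr.work
clotraiam.website

EXAMPLE.NET
"""

FAKE_ANSWERS = {
    "example.com": ["203.0.113.10"],          # constructed, resolves
    "srvr.work": [],                          # constructed NXDOMAIN
    "clotraiam.website": ["62.138.239.45"],   # constructed ISP redirect answer
    "example.net": ["203.0.113.11"],          # constructed, resolves
}


def fake_resolver(host: str) -> List[str]:
    """Offline stand-in for system_resolver using the constructed answers."""
    return FAKE_ANSWERS[host]


if __name__ == "__main__":
    classified = classify_domains(SAMPLE_LIST.splitlines(), fake_resolver)
    print("Candidates for removal from the warninglist:")
    for name in removal_candidates(classified):
        print(name)
```

To run it against a real list, call `classify_domains(open("alexa_top_1000.txt"))` with the default `system_resolver`, and run the check twice from resolvers that do not rewrite NXDOMAIN before acting on the result.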