brent saner on 21 Oct 2017 18:35:03 -0700
Re: [PLUG] Obfuscated domain names
Trying again with another one of the obfuscated domain names:
brent timothy saner replied that the xe's and xf's in the "domain name"
below are hex:
\xe7\xe0\xe3\xf0\xe0\xed\xef\xe0\xf1\xef\xee\xf0\xf2-\xe2-\xec\xee\xf1\xea\xe2\xe5.\xf0\xf4/
Alas, there is still a matter of interpretation; I attempted my
interpretation three different ways:
231224227240224237239224241239238240242-226-236238241234226229.240244/
%e7%e0%e3%f0%e0%ed%ef%e0%f1%ef%ee%f0%f2-%e2-%ec%ee%f1%ea%e2%e5.%f0%f4/
e7e0e3f0e0edefe0f1efeef0f2-e2-eceef1eae2e5.f0f4/
Aha! The third one of these is accepted by nslookup: 92.242.140.21,
but _that_ IP address is for the well-known server going by the name
"barefruit error handling." I kinda think it's a catchall for badly
converted "hidden" domains. I've run across them before when I mis-type
an IPV4 address. Note that the actual alphanumeric domain name is not
revealed by nslookup. Whois outright rejects the hex data.
Happily, стройка.kz and xn--80ardojfh.kz both go to the same webpage.
\xd1\x81\xd1\x82\xd1\x80\xd0\xbe\xd0\xb9\xd0\xba\xd0\xb0.kz
by my interpretation becomes d181d182d180d0bed0b9d0bad0b0.kz ,
which flunks the nslookup test ...
But a hexadecimal conversion to text gives стройка.kz, a plain-Jane
Russian-language website that whois interprets as xn--80ardojfh.kz,
A.K.A. vns.hoster.kz, with the primary IP address.....: 185.98.6.6,
whose server covers IPV4's 185.98.6.0 to 185.98.6.255 with AS200532.
I had no luck with the other two domains in my original email.
George Langford
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
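Added example, not part of the original thread: a Python sketch that turns a `\xNN`-escaped hostname back into bytes, decodes it under several candidate encodings, and converts each plausible reading to the xn-- form that nslookup and whois accept. The candidate list (cp1251 and koi8-r alongside UTF-8) and the lowercase-Cyrillic plausibility filter are assumptions of this example, not something the thread states.

```python
import re

# Byte encodings to try. cp1251 and koi8-r are this example's own guesses at
# legacy Cyrillic code pages; the thread itself only establishes UTF-8.
CANDIDATES = ("utf-8", "cp1251", "koi8-r")
ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

# The two escaped names quoted in the message, with line-wrap spaces removed.
SAMPLE_A = (r"\xe7\xe0\xe3\xf0\xe0\xed\xef\xe0\xf1\xef\xee\xf0\xf2"
            r"-\xe2-\xec\xee\xf1\xea\xe2\xe5.\xf0\xf4/")
SAMPLE_B = r"\xd1\x81\xd1\x82\xd1\x80\xd0\xbe\xd0\xb9\xd0\xba\xd0\xb0.kz"


def unescape_to_bytes(text):
    """Replace each literal \\xNN with the byte it names; the rest is ASCII."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text).encode("latin-1")


def is_plausible(name):
    """Heuristic (assumption): lowercase, and non-ASCII chars are Cyrillic."""
    return name == name.lower() and all(
        ch.isascii() or "\u0400" <= ch <= "\u04ff" for ch in name)


def decode_candidates(escaped):
    """Return (encoding, unicode_name, punycode_name) per plausible reading."""
    raw = unescape_to_bytes(escaped.strip().rstrip("/"))
    results = []
    for enc in CANDIDATES:
        try:
            name = raw.decode(enc)
            if not is_plausible(name):
                continue
            # Built-in IDNA 2003 codec: yields the xn-- form DNS tools expect.
            ace = name.encode("idna").decode("ascii")
        except UnicodeError:
            continue
        results.append((enc, name, ace))
    return results


if __name__ == "__main__":
    for sample in (SAMPLE_A, SAMPLE_B):
        for enc, name, ace in decode_candidates(sample):
            print(f"{enc:7} {name} -> {ace}")
```

Concatenating the hex digits, as tried in the message, yields an ordinary ASCII label that a resolver looks up literally; the bytes have to be decoded as text in the right character set before the IDNA conversion.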