Security Events Related to LowEndTalk Website

emg Veteran
edited December 2014 in General

I recently redeployed a firewall appliance, and I noticed that it is logging many intrusion protection events. They happen only when I am connected to the LowEndTalk website and no other times. It took time to figure out that the events are associated with LowEndTalk. I am certain it is LowEndTalk. I can make the events start by opening web pages in LowEndTalk, and make them stop the instant I quit the browser. No other website does it. Whether the events are real security issues or just an overprotective firewall is worth discussing, and I would like to know your opinions. The firewall complains about two things:

Many of these messages:

"Suspicious .pw dns query [...] A Network Trojan was Detected"

and a few of these messages:

"BLACKLIST DNS request for known malware domain chickenkiller.com"

I haven't figured out how to get more detailed information from the firewall yet.

Has anyone else noticed them? Can someone suggest an explanation? Should I care? (Should you care?)

Comments

  • Don't worry about it, it's probably an embedded image somewhere.

  • raindog308 Administrator, Veteran

    said: I recently redeployed a firewall appliance

    I'm more interested in hearing about this. What did you deploy?

  • emg Veteran
    edited December 2014

    @raindog308 said:
    I'm more interested in hearing about this. What did you deploy?

    I would prefer not to say. Perhaps in the future. Sorry.

    I would rather discuss the reported intrusion protection events for now.

  • raindog308 Administrator, Veteran
    edited December 2014

    emg said: I would prefer not to say. Perhaps in the future. Sorry.

    Google suggests it's some sort of Snort under the hood.

  • @emg said:
    I would prefer not to say. Perhaps in the future. Sorry.
    I would rather discuss the reported intrusion protection events for now.

    My browser is giving me an error. Could you help me fix it? I won't tell you what browser I'm using, though.

    Anyways... chickenkiller.com is one of Afraid.org's FreeDNS redirection domains. Free subdomain services are easily abused and it would seem that whatever blacklist you use listed the whole domain instead of specific problem subdomains.

    Nonetheless, there's nothing wrong with the domain itself. Like all the Afraid.org domains it can be used by good or bad people.

  • emg Veteran
    edited December 2014

    @raindog308 said:
    Google suggests it's some sort of Snort under the hood.

    Yes. Snort under the hood.

    @Dylan said:
    My browser is giving me an error. Could you help me fix it? I won't tell you what browser I'm using, though.

    Not exactly. I have not asked for a fix. I asked about why any generic firewall might object to something from an unspecified .pw domain, where the firewall says that a network trojan was detected, and where I have determined that it is coming from this website.

    I also want to share potential security concerns with other users who may be interested. They can check their own firewalls for similar messages, for example, and share them if they wish for comparison.

    @Dylan said:
    Anyways... chickenkiller.com is one of Afraid.org's FreeDNS redirection domains. Free subdomain services are easily abused and it would seem that whatever blacklist you use listed the whole domain instead of specific problem subdomains.

    Nonetheless, there's nothing wrong with the domain itself. Like all the Afraid.org domains it can be used by good or bad people.

    Your comment about chickenkiller.com is very helpful. When I looked it up the first time using whois, I did not notice that it was one of afraid.org's domains. You are right, they are available to anyone and everyone. Unfortunately the error message does not show the subdomain, so I can't tell if the firewall is overreacting to all "chickenkiller.com" subdomains, or it knows about a specific subdomain of concern and is not providing more information. (Or I have not found where to get additional information yet.)
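    The two points raised above, a blacklist that lists all of chickenkiller.com rather than a specific subdomain (Dylan's reply) and an alert that does not show which subdomain was actually queried (emg's reply), can be illustrated with a small rule matcher run over DNS query logs. This is an added example, not code from the thread or from the firewall product being discussed. The log lines, host names and rule names are constructed for the example, and the matcher goes slightly beyond the thread's case by comparing three rule granularities: a whole TLD (like the ".pw" alert), a parent domain, and an exact host name.

```python
"""Added example: match DNS query log lines against blacklist rules of
different granularity, to show why a whole-domain rule fires on every
subdomain of a free-DNS parent while an exact-name rule does not, and
why keeping the full queried name in each hit matters for triage.
All log lines and host names below are constructed; none come from
the thread or from any real blocklist."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed DNS query log lines (timestamp, client, qname, type).
SAMPLE_LOG = """\
2014-12-01T10:00:01 client=192.0.2.10 qname=lowendtalk.com type=A
2014-12-01T10:00:02 client=192.0.2.10 qname=img.example-host.chickenkiller.com type=A
2014-12-01T10:00:03 client=192.0.2.10 qname=bad-sample.chickenkiller.com type=A
2014-12-01T10:00:04 client=192.0.2.10 qname=cdn.example.pw type=A
2014-12-01T10:00:05 client=192.0.2.10 qname=www.example.org type=AAAA
"""


@dataclass(frozen=True)
class Rule:
    name: str     # label reported in the hit
    kind: str     # "tld", "domain" or "fqdn"
    pattern: str  # the TLD, the parent domain, or the exact host name


# Constructed rules. The "domain" rule mimics a blocklist that lists the
# whole free-DNS parent; the "fqdn" rule is the narrower alternative.
RULES: List[Rule] = [
    Rule("tld:pw", "tld", "pw"),
    Rule("domain:chickenkiller.com", "domain", "chickenkiller.com"),
    Rule("fqdn:bad-sample.chickenkiller.com", "fqdn", "bad-sample.chickenkiller.com"),
]


def matches(rule: Rule, qname: str) -> bool:
    """Return True if the queried name falls under the rule's pattern."""
    q = qname.rstrip(".").lower()
    p = rule.pattern.rstrip(".").lower()
    if rule.kind == "fqdn":
        return q == p
    if rule.kind == "domain":
        # The parent itself or any label beneath it; the leading dot keeps
        # "notchickenkiller.com" from matching "chickenkiller.com".
        return q == p or q.endswith("." + p)
    if rule.kind == "tld":
        return q.endswith("." + p)
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def parse_line(line: str) -> Tuple[str, str]:
    """Extract (client, qname) from one 'key=value' style log line."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["client"], fields["qname"]


def evaluate(log_text: str, rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (rule name, client, qname) for every rule hit.

    The full qname is kept in each hit on purpose: without it an analyst
    cannot tell whether a parent-domain rule fired on a benign subdomain
    or on the one host that was actually listed."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = parse_line(line)
        for rule in rules:
            if matches(rule, qname):
                hits.append((rule.name, client, qname))
    return hits


def summarize(hits: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count hits per rule name."""
    counts: Dict[str, int] = {}
    for name, _client, _qname in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for name, client, qname in evaluate(SAMPLE_LOG, RULES):
        print(f"{name:40s} {client:12s} {qname}")
    print(summarize(evaluate(SAMPLE_LOG, RULES)))
```

    Run as written, the parent-domain rule fires twice (once on the innocuous-looking image host and once on the listed host), the exact-name rule fires only on the listed host, and the TLD rule fires on the single .pw query. The difference between the first two counts is the false-positive surface of a whole-domain listing; the qname carried in each hit is the piece of information the firewall in the thread did not display.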

  • false positive. ESET Smart Security 8 ain't bugging me about it so that means whatever you posted is bullshit. whatever you have running is adjusted too sensitive and causes a lot of false positives without malicious code.

  • jar Patron Provider, Top Host, Veteran

    Intrusion detection systems are often far too heavy by default. If you're not used to running one on a regular basis I recommend not letting anything scare you too much until you've obtained a good feel for what is normal.

    Granted I don't know what you're used to so my advice may be irrelevant.

  • emg Veteran

    I believe both @Mark_R and @Jar are correct when they interpret the messages as false positives. It is useful to note that this is the ONLY website that generates any kind of IPS messages at all. No other activity or website does it, false positives or not.

    I am certainly not panicked or scared or anything of the sort. I am merely sharing some interesting observations and asking for opinions about how to interpret them. So far, everyone has been helpful, and I appreciate the assistance.

  • mikho Member, Host Rep

    LET is one of the sites where you can embed most things from the Internet in a post or a reply so that will give a lot of DNS hits from all over.
    I would say that in most cases it will be a false positive but you will never know ...

  • emg said: Unfortunately the error message does not show the subdomain, so I can't tell if the firewall is overreacting to all "chickenkiller.com" subdomains, or it knows about a specific subdomain of concern and is not providing more information. (Or I have not found where to get additional information yet.)

    I think it's probably the whole domain. I use the Web of Trust browser extension and it warns me about the root domain being on a "third-party blacklist" as well. WOT doesn't say which blacklist either, though.
