
Cachechu 1.6 released

PostPosted: 10 Jan 2016 01:17
by kevogod

Re: Cachechu 1.6 released

PostPosted: 10 Jan 2016 06:30
by raspopov

Re: Cachechu 1.6 released

PostPosted: 09 Feb 2016 06:39
by ale5000
The client with User-Agent "LimeWire/4.21.1" and GWC query "?get=1&net=gnutella&client=LIME&version=1.1.1.6" is a virus.

I have just found it: https://totalhash.cymru.com/analysis/?9 ... bb5db61130
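The fingerprint reported in this post (the "LimeWire/4.21.1" User-Agent combined with the GWC query "?get=1&net=gnutella&client=LIME&version=1.1.1.6") can be picked out of a cache's web server access log. The following Python is an added example written for this thread, not code from Cachechu, Skulls or any poster; the log lines are constructed in "combined" format with documentation IP addresses, and the exact log layout and the names `parse_line`, `matches_fingerprint` and `find_flagged` are assumptions of the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [09/Feb/2016:06:12:01 +0000] "GET /gwc/?get=1&net=gnutella&client=LIME&version=1.1.1.6 HTTP/1.1" 200 512 "-" "LimeWire/4.21.1"
198.51.100.7 - - [09/Feb/2016:06:12:05 +0000] "GET /gwc/?get=1&net=gnutella&client=SHLN&version=2.7.10.2 HTTP/1.1" 200 480 "-" "Shareaza 2.7.10.2"
203.0.113.11 - - [09/Feb/2016:06:13:40 +0000] "GET /gwc/?get=1&net=gnutella&client=LIME&version=1.1.1.6 HTTP/1.0" 200 512 "-" "LimeWire/4.21.1"
192.0.2.44 - - [09/Feb/2016:06:14:02 +0000] "GET /gwc/?update=1&net=gnutella&client=LIME&version=4.18.8&ip=192.0.2.44:6346 HTTP/1.1" 200 30 "-" "LimeWire/4.18.8"
"""

# One "combined" log line: ip ident user [ts] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Fingerprint reported in the post: this User-Agent together with these GWC query parameters.
BAD_UA = "LimeWire/4.21.1"
BAD_QUERY = {"get": ["1"], "net": ["gnutella"], "client": ["LIME"], "version": ["1.1.1.6"]}


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Split the GWC query string into {param: [values]} so it can be compared field by field.
    entry["query"] = parse_qs(urlsplit(entry["path"]).query)
    return entry


def matches_fingerprint(entry):
    """True when the User-Agent matches and every reported query parameter is present with the reported value."""
    if entry["ua"] != BAD_UA:
        return False
    return all(entry["query"].get(k) == v for k, v in BAD_QUERY.items())


def find_flagged(log_text):
    """Return (client_ip, timestamp) for every request matching the fingerprint."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and matches_fingerprint(entry):
            flagged.append((entry["ip"], entry["ts"]))
    return flagged


if __name__ == "__main__":
    for ip, ts in find_flagged(SAMPLE_LOG):
        print(f"flagged {ip} at {ts}")
```

Matching requires both the User-Agent and the query parameters, because either alone is shared with legitimate clients; the flagged addresses are what you would feed into a cache's IP blocklist or rate limiter.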

Re: Cachechu 1.6 released

PostPosted: 11 Feb 2016 01:33
by ale5000

Re: Cachechu 1.6 released

PostPosted: 30 Mar 2016 12:08
by ale5000
Serious security problem: this apparent GWC URL "http://udp-host-cache.com/gwc/" with IP "52.49.1.53", which appears sometimes as "Skulls 0.3.2c" and sometimes as "Cachechu 1.6", gets inserted into the Cachechu URL list.

The domain udp-host-cache.com is reported by Firefox as malicious.
The IP belongs to Amazon Technologies Inc.
The Amazon Cloud can be rented and it is often used by malicious people.

Edit: the site redirects to another URL, which when scanned gives this: https://www.virustotal.com/it/url/da3c4 ... 459336622/

Edit2: Loading the URL now doesn't appear to be a valid GWebCache, so I wonder how it got inserted; it appears only in Cachechu caches and not in other caches, so it possibly uses a Cachechu vulnerability or is just targeting Cachechu.

Edit3: The domain now points to the IP "195.22.26.248", which belongs to "ESOTERICA (VIA NET.WORKS Portugal - Tecnologias de Informação, SA)" and resolves to https://www.anubisnetworks.com/
It is really ironic.


See attached screenshots: 1.png, 2.png

Re: Cachechu 1.6 released

PostPosted: 30 Mar 2016 17:58
by raspopov
IMHO we need to implement URL checking by WOT or some similar service.

Re: Cachechu 1.6 released

PostPosted: 30 Mar 2016 18:55
by ale5000
In Skulls, for GWC URLs I have blocking by domain and by URL (which I update often enough).
For hosts I have IP blocking (with a bundled blocklist); probably in a future version I will also use the blocklist to check the IP addresses of submitted URLs to be more sure, and I will include the range 52.48.0.0/14.

But the problem is that it doesn't seem like a normal submission.
I didn't see the problem when it happened, but only later, so I don't know the details.
It could also be a sort of DNS exploit or some other vulnerability.
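The submission check described in this post and the one above (block by domain, block by URL, and check the IP addresses a submitted GWC URL resolves to against a CIDR blocklist that includes 52.48.0.0/14) can be written as a small validation step in front of the cache's URL list. The Python below is an added example for this thread, not code from Skulls or Cachechu; the blocklist contents beyond the domain and range named in the thread are constructed placeholders, the DNS lookup is left to the caller (resolved addresses are passed in so the check runs offline), and the function names `host_of`, `domain_blocked`, `ip_blocked` and `check_submission` are assumptions of the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklists. The domain and the /14 range are the ones discussed in this thread;
# a real deployment would load these from the bundled blocklist files instead.
BLOCKED_DOMAINS = {"udp-host-cache.com"}
BLOCKED_NETS = [ipaddress.ip_network("52.48.0.0/14")]  # 52.48.0.0 - 52.51.255.255


def host_of(url):
    """Return the normalised host of an http(s) URL, or None if the URL is unusable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def domain_blocked(host):
    """True if the host is a blocklisted domain or a subdomain of one."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def ip_blocked(addr):
    """True if the address falls inside any blocklisted network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_NETS)


def check_submission(url, resolved_ips=()):
    """Decide whether a submitted GWC URL may enter the cache list.

    resolved_ips: the addresses the caller resolved the host to (DNS is done outside
    this function so the decision is reproducible and testable offline).
    Returns (accepted, reason).
    """
    host = host_of(url)
    if host is None:
        return False, "not an http(s) URL with a host"

    # A host may be an IP literal; apply the CIDR list to it directly.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None

    if literal is not None:
        if ip_blocked(host):
            return False, f"IP {host} in blocked range"
    elif domain_blocked(host):
        return False, f"domain {host} is blocklisted"

    # Domain looked clean (or the host was an unblocked literal): also check where it resolves,
    # which catches a fresh domain pointing into a blocked hosting range.
    for addr in resolved_ips:
        if ip_blocked(addr):
            return False, f"{host} resolves to blocked IP {addr}"
    return True, "ok"


if __name__ == "__main__":
    for url, ips in [
        ("http://udp-host-cache.com/gwc/", ["52.49.1.53"]),
        ("http://gwc.example.org/gwc/", ["198.51.100.7"]),
        ("http://52.49.1.53/gwc/", []),
    ]:
        print(url, check_submission(url, ips))
```

Checking the resolved addresses as well as the literal host is the part the post proposes for a future version: a domain that is not yet on any list is still rejected if it currently points into a blocked range, and re-running the check periodically against existing entries catches an entry whose DNS changes after it was accepted, which is the situation described in Edit3.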