
My computer does a lot of queries to strange domains such as:

56cea5c2b408989ab067adcb787d0f99209bbe07.mydomain.com

The strange thing is that 56cea5c2b408989ab067adcb787d0f99209bbe07 is the SHA1 of the string "Ebay.com"

Is it malware? It seems to build hidden queries to well-known web sites.

---- EDIT ----

This is not the only SHA1 domain prefix that I found; another one exists for "Twitter.com".

Another factor I have to add to the discussion is that when you find a HEX string of length 16 or 20, it is very likely a hash. The first thing you can do is a search on Google. There are many web sites that collect hash (MD5 or SHA1) strings. Try to put the HEX string in Google and see :)

robob
  • Okay, exactly *how* did you figure this one out? – Iszi Feb 15 '12 at 22:23
  • How did you know this was the SHA1 of the domain name? – makerofthings7 Feb 15 '12 at 22:48
  • What application is the request coming from? – Steve Feb 15 '12 at 22:54
  • as for finding that this sha1 is of `ebay.com`, there are some websites ([here's one](http://www.stringfunction.com/sha1-decrypter.html)) that store and allow reverse hash lookups. – Yoav Aner Feb 15 '12 at 23:30
  • @makerofthings7 There's a [webapp for inverting cryptographic hashes](http://google.com/) (it's also good for a few other things). – Gilles 'SO- stop being evil' Feb 15 '12 at 23:59
  • @Gilles not sure if you intended to paste the URL of google, but I would assume that string is a GUID, would never think of SHA1-ing, or MD5ing domain names to see if it matched the prefix. I want to see robob's train of thought – TLDR Feb 16 '12 at 00:36
  • @TLDR I can't speak for robob, but I do use Google whenever I investigate something that involves a mysterious 32-digit or 40-digit or 64-digit hex string. – Gilles 'SO- stop being evil' Feb 16 '12 at 00:48
  • I'm with @TLDR. Actually, my first thought was some sort of ASCII-to-Hex or -Unicode conversion. – Iszi Feb 16 '12 at 02:40
  • It needs only a fast search on Google for the hex string. Typically (as in this case) if it exists in Google it means it is a collected (and decrypted) hash. – robob Feb 16 '12 at 06:18
  • Try this URL: http://xdecrypt.com/google-sha1-56ce-3 and find the hex string :) – robob Feb 16 '12 at 06:23
  • @robob - Can you tell us where you are seeing those queries? i.e. in which log file they appear. Also, what do you see in your logs when you try to do something like `nslookup 392ee8650a9563b96d8d4620db7ac3ac68a9756e`? – Yoav Aner Feb 16 '12 at 10:01
  • It's not my machine. I cannot do these tests. – robob Feb 16 '12 at 10:02
  • @robob didn't you say "My computer"? Where do you see those queries then? In which log file / firewall / tcpdump trace? – Yoav Aner Feb 16 '12 at 10:11
  • It was an abstraction ;) – robob Feb 16 '12 at 10:33
  • To clarify a few things: is `mydomain.com` a domain related to you or not? What responses do the requests get? Are there any other suspicious or unusual requests around the same time? – Gilles 'SO- stop being evil' Feb 16 '12 at 19:27
  • Yes, mydomain.com is my domain (it is an Intranet). With these kinds of requests there are random strings as domain names. Not hashes, but random strings with .org .net .biz .ru (!) – robob Feb 16 '12 at 21:48
  • @robob - if you want some more serious answers, I think you should try to provide more details, test a few things etc. Less abstractions, more concrete info. – Yoav Aner Feb 18 '12 at 09:23
  • @Yoav you are right but I cannot give you more details, sorry. When I posted this question I thought the answer could be simpler. But what I can see is that it is not so common. For me it's an answer. – robob Feb 19 '12 at 05:14
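The check the comments describe (a 32/40/64-character hex label that turns out to be the MD5/SHA1/SHA256 of a well-known name) can be done offline against a watch list instead of a search engine. This is an added example, not code from the question or any answer; the watch list, the log-line format and the sample log are constructed here, and the sample hashes are computed in the block so the example is self-consistent.

```python
import hashlib
import re

# Hex digest lengths for the algorithms a log analyst most often meets.
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")

# Hypothetical watch list: well-known names in the spellings a program might hash
# (the question says the label matched "Ebay.com", capital E).
CANDIDATES = ["ebay.com", "Ebay.com", "www.ebay.com", "twitter.com", "Twitter.com"]


def hexdigest(name: str, algo: str) -> str:
    return hashlib.new(algo, name.encode()).hexdigest()


def leftmost_label(qname: str) -> str:
    """First DNS label of a query name, lower-cased (hex case is not significant)."""
    return qname.rstrip(".").split(".")[0].lower()


def classify_label(label: str, candidates=CANDIDATES):
    """(algo, candidate) if the label is the digest of a watch-list name,
    ("unknown-hash", None) if hash-shaped but unmatched, None if not hash-shaped."""
    if not HEX_LABEL.match(label):
        return None
    algo = HEX_LEN_TO_ALGO[len(label)]
    for cand in candidates:
        if hexdigest(cand, algo) == label:
            return (algo, cand)
    return ("unknown-hash", None)


def scan_log(lines):
    """Return (qname, verdict) for each constructed "<ts> query <qname>" line
    whose first label is hash-shaped; plain hostnames are skipped."""
    hits = []
    for line in lines:
        qname = line.split()[-1]
        verdict = classify_label(leftmost_label(qname))
        if verdict:
            hits.append((qname, verdict))
    return hits


# Constructed sample log: two hashed names, one unmatched hex label, one normal host.
SAMPLE_LOG = [
    f"12:00:01 query {hexdigest('Ebay.com', 'sha1')}.mydomain.com",
    f"12:00:02 query {hexdigest('twitter.com', 'md5')}.mydomain.com",
    "12:00:03 query " + "ab" * 20 + ".mydomain.com",
    "12:00:04 query www.mydomain.com",
]

if __name__ == "__main__":
    for qname, verdict in scan_log(SAMPLE_LOG):
        print(qname, verdict)
```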

3 Answers

2

Pure speculation, but I had to give it a try (always fun playing Sherlock Holmes every once in a while - the pre-Hollywood version obviously).

First of all, it's possible, or even likely, that .domainname.com is being automatically added by your Operating System. It's quite common to append a domain suffix for DNS queries for a hostname without extension. My hypothesis is therefore based on the fact that some program simply tried to resolve 56cea5c2b408989ab067adcb787d0f99209bbe07 without any extension. This part of the theory is easy to check on your computer though.

Why would a program try to resolve {something_random} or {hash_of_something}? I am guessing just to test whether name resolution works, and also trying to avoid caching or static /etc/hosts records.

Why hash('ebay.com')? That's the strangest part, but perhaps the developer couldn't figure out a better way to generate a random-like value, so they were just feeding some strings into the hash function? This is the odd part for sure, but there could be a simple explanation (i.e. the developer just being stupid/silly/quirky).

Yoav Aner
  • I have a hard time imagining doing the request on hash(site) for any reason other than hiding the site name from a casual filter or log reader. (For better stealth, this app should use a salt, if perhaps not PBKDF2 for server-side performance reasons :-) And I have a hard time imagining doing this for a purpose that is neither nefarious nor working around a stupid firewall, and the latter doesn't seem applicable here. – Gilles 'SO- stop being evil' Feb 16 '12 at 00:03
  • Hiding the site name however does nothing. Can you resolve a hash(ebay.com) and get a response from the DNS server? I don't think so. I tend to think there are far more stupid/naive people doing silly or trying-to-be-clever things than evil hackers doing super-sophisticated stuff. In any case, your guess is probably as good as mine without additional info. – Yoav Aner Feb 16 '12 at 09:13
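The search-suffix hypothesis in this answer can be checked by emulating what a stub resolver does with a bare single-label name. This is an added example, not code from the answer; it assumes glibc-style search-list semantics (search suffixes tried for names with fewer than `ndots` dots, a trailing dot marking an absolute name) and a search list of just mydomain.com, which the question only implies.

```python
# Assumed resolver configuration for this page: one search suffix, ndots=1.
SEARCH_LIST = ("mydomain.com",)
# The label from the question, used here as sample input.
PAGE_LABEL = "56cea5c2b408989ab067adcb787d0f99209bbe07"


def resolver_candidates(name, search=SEARCH_LIST, ndots=1):
    """Fully qualified names a stub resolver would try for `name`, in order.
    A trailing dot means an absolute name: the search list is not used.
    Names with fewer than `ndots` dots get each search suffix appended first
    and the bare name last; names with at least `ndots` dots go as-is first."""
    if name.endswith("."):
        return [name[:-1]]
    suffixed = [f"{name}.{suffix}" for suffix in search]
    if name.count(".") >= ndots:
        return [name] + suffixed
    return suffixed + [name]


def original_query(observed, search=SEARCH_LIST):
    """Undo the suffixing: the shorter name a program may really have asked
    for, or the observed name unchanged when no search suffix matches."""
    for suffix in search:
        if observed.endswith("." + suffix):
            return observed[: -len(suffix) - 1]
    return observed


if __name__ == "__main__":
    for fqdn in resolver_candidates(PAGE_LABEL):
        print("resolver would try:", fqdn)
    print("program likely asked for:", original_query(PAGE_LABEL + ".mydomain.com"))
```

If the bare label alone (without mydomain.com) also shows up in the capture, that is the second lookup this emulation predicts and supports the suffix explanation.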
1

Is this a web browser?

Some browsers limit concurrent connections to 2 when accessing a domain name. A performance hack is to create a wildcard DNS name that resolves to the www site.

Then when JavaScript, or a server-side app, generates URLs to the server, more concurrent downloads are permitted.

Is it an app?

In addition, the .NET framework limits outbound connections as well. The developer may not know about system.net.servicepointmanager.defaultconnectionlimit, or how to override this on a per-host or per-appdomain basis. They may be using a similar hack even though it's not needed.

My guess is that something similar applies to Java, etc...

Lastly, it could be something malicious. It depends...

makerofthings7
  • I don't understand how this relates to the question, this may be due to my ignorance about web development. Why would an application make DNS requests to hash(domain_name).domain.com rather than the domain name itself? – Gilles 'SO- stop being evil' Feb 15 '12 at 22:45
  • @Gilles - Performance... then again the value is typically random, not the SHA1 string. – makerofthings7 Feb 15 '12 at 22:48
  • Sorry @make... but you have to instruct the DNS to resolve these kind of (random or SHA1) DNS names. How is the DNS instructed to understand this? Can you link some references? – robob Feb 16 '12 at 06:27
  • @robob: you just set up a bunch of random-hash subdomains, have them all resolve to the same application on the server: voila, you now have several aliases for your application, allowing you to bypass the per-domain connection limit (you can now make 10 concurrent requests to your server by using 10 different subdomains). – tdammers Feb 16 '12 at 06:54
  • Mhh, ok, so it could be normal to see these log entries with Ebay.com SHA1ed... It's a browser capability to overcome the limits... if I have understood you :) – robob Feb 16 '12 at 07:33
  • @robob - That is the only legitimate purpose I can think of. Also it's possible to create a DNS record of *.ebay.com so any random string is permitted. – makerofthings7 Feb 16 '12 at 11:51
0

I would be interested in seeing the file extension, and perhaps the HTTP headers of the site you're mentioning. Is it actually Ebay.com? How can I reproduce this? More detail would be appreciated.

One way this could be useful is to limit the scope of vulnerability for certain "same origin" attacks present in JavaScript, Flash, and other browser plug-ins.

For example, images infected with Gifar, or infected documents, may invoke JavaScript to "do things" with data on the same DNS domain. A simple way to protect against this is to serve the files from a different DNS domain.

Examples:

https://96a077f305f5720221b338863ea8e3d7.userfiles.com/tech/SecurityPolicy.docx - OK
https://fd4929a6ea48f85130f5a43f89cb7dd6.userfiles.com/Accounting/budget.xls - OK
https://fd4929a6ea48f85130f5a43f89cb7dd6.userfiles.com/Accounting/Budget.xls  - Fails MD5 Checksum
https://fd4929a6ea48f85130f5a43f89cb7dd6.userfiles.com/Accounting/forecast.xls - Fails MD5 checksum

See some more implementation details here

makerofthings7