  1. #1
    Newbie
    Join Date
    Jun 2019
    Posts
    12

    starfield tech - malware site?

    I got a notification of a blocked web event and I am not yet sure what to make of it.

    webfilterblocked.JPG

    This is on a server, fresh OS install and only a couple of programs recently installed/running. I am suspecting a specific software program, but not sure how to trace it back to that yet.

    I did a whois only to learn the site is redirected, hosted at godaddy, has a lot of abuse/complaints and is just plain suspicious.

    Anyone see this before?

    Thanks

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,164


    Typical of an ad snippet on a web page visited.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie
    Join Date
    Jun 2019
    Posts
    12


    No one is logged into this server, no one is at the office today. It is a Win 10 OS used as a server for a specific program and it is a fresh OS install; I stripped it down and cleaned it up as best I could, removing all the bloatware, disallowing whatever background apps I could, etc.
    I haven't yet been able to find anything in logs or anywhere else that might point me to what initiated this.

    Trying to do a little research I found this wiki, assuming it is the same (seems to be).
    Seems to me this is a possible backdoor and I am happy UT blocked it.
    I guess I will just add the star tech site to the block list.

    https://en.wikipedia.org/wiki/Starfield_Technologies
    Last edited by tangledtech; 09-01-2019 at 06:16 PM.

  4. #4
    Newbie
    Join Date
    Aug 2017
    Posts
    10


    This is interesting, I've been having the same alerts for the last few weeks and have failed to track the source down.

    Also seeing this one pop up quite a lot:
    o.ss2.us

    Glad that they are being blocked, just would like to work out where they are coming from.

  5. #5
    Newbie
    Join Date
    Jun 2019
    Posts
    12


    All I have been able to figure out so far:

    Starfield tech is affiliated with GoDaddy and has something to do with certificates, at least.

    OCSP (ocsp.starfield...) is an Online Certificate Status Protocol, whatever that really means.

    My only concern at the moment is why, and what program on this clean install is making a 'web call' without anyone logged in, and why it seems to be so discreet.

  6. #6
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    1,538


    WAT, Windows 10 doesn't do telemetry?
    I get it too, by the way, Win10 on a laptop.

  7. #7
    Newbie
    Join Date
    Jun 2019
    Posts
    12


    Quote Originally Posted by Jim.Alles:
    WAT, Windows 10 doesn't do telemetry?
    I get it too, by the way, Win10 on a laptop.
    What type of situation? While you are on the laptop, browsers going?

    I have 22 other Win 10 stations going and none have gotten this block, but on this clean install, with 3 specific programs doing their thing, I get this flag that can't be traced to a source. It would be nice to know the source.

  8. #8
    Newbie
    Join Date
    Oct 2019
    Posts
    1


    Quote Originally Posted by Fred59:
    This is interesting, I've been having the same alerts for the last few weeks and have failed to track the source down.

    Also seeing this one pop up quite a lot:
    o.ss2.us

    Glad that they are being blocked, just would like to work out where they are coming from.
    I'm seeing both of these sites as well. Haven't figured out the source yet for either one.

  9. #9
    Newbie
    Join Date
    Jun 2018
    Posts
    1


    I am seeing traffic to the original poster's link as well as a URL on o.ss2.us:

    MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D

    I don't know if the URL is the same as Fred59 but the server is the same. On the o.ss2.us link that is appearing alongside the starfieldtech traffic, there is a post on the malwarebytes forum suggesting the link's appearance on the blocklist is a false positive (sorry, insufficient rep to post the link), but that isn't enough for me to drop it.

    Anyone see anything further of interest as is or after unblocking?

  10. #10
    Newbie
    Join Date
    Nov 2019
    Posts
    1


    I also am getting constant alerts for o.ss2.us and have seen starfield in my logs.

    Does the support staff monitor this? I found a post about a competitive product that stated this was a false positive... if it is, can we get it rectified?
