  1. #1
    Newbie
    Join Date
    Jun 2019
    Posts
    12

    Default starfield tech - malware site?

    I got a notification of a blocked web event and I am not yet sure what to make of it.

    [Attachment: webfilterblocked.JPG]

    This is on a server, fresh OS install and only a couple of programs recently installed/running. I am suspecting a specific software program, but not sure how to trace it back to that yet.

    I did a whois only to learn the site is redirected, hosted at godaddy, has a lot of abuse/complaints and is just plain suspicious.

    Anyone see this before?

    Thanks

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,991

    Default

    Typical of an ad snippet on a web page visited.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie
    Join Date
    Jun 2019
    Posts
    12

    Default

    No one is logged into this server, and no one is at the office today. It is a Win 10 OS used as a server for a specific program, and it is a fresh OS install; I stripped it down and cleaned it up as best I could, removing all the bloatware, disallowing whatever background apps I could, etc.
    I haven't yet been able to find anything in logs or anywhere else that might point me to what initiated this.

    Trying to do a little research I found this wiki, assuming it is the same (seems to be).
    Seems to me this is a possible backdoor and I am happy UT blocked it.
    I guess I will just add the star tech site to the block list.

    https://en.wikipedia.org/wiki/Starfield_Technologies
    Last edited by tangledtech; 09-01-2019 at 06:16 PM.

  4. #4
    Newbie
    Join Date
    Aug 2017
    Posts
    10

    Default

    This is interesting, I've been having the same alerts for the last few weeks and have failed to track the source down.

    Also seeing this one pop up quite a lot:
    o.ss2.us

    Glad that they are being blocked, just would like to work out where they are coming from.

  5. #5
    Newbie
    Join Date
    Jun 2019
    Posts
    12

    Default

    All I have been able to figure out so far:

    Starfield tech is affiliated with GoDaddy and has something to do with certificates, at least.

    OCSP (ocsp.starfield...) is the Online Certificate Status Protocol, whatever that really means.

    My only concern at the moment is why and what program on this clean install is making a 'web call' without anyone logged in and why does it seem to be so discreet.
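
    The question left open in the post above is which process on an idle Windows 10 box is making the call. The script below is an added example, not code from the thread or from Untangle: it resolves the hostname shown in the web filter alert, lists any live TCP connections to those addresses with their owning process, and then searches the Security log for Windows Filtering Platform audit events (ID 5156, "permitted a connection"), which record the application path for every outbound connection once "Audit Filtering Platform Connection" success auditing is enabled. The hostname is a placeholder to be replaced with the one in the alert; an elevated session is assumed.

```powershell
param(
    # Placeholder: replace with the hostname shown in the web filter block event
    [string]$TargetHost = 'ocsp-responder.example.invalid',
    # How far back to search the Security log
    [int]$Hours = 24
)

# One-time prerequisite for the historical view (run once, elevated):
#   auditpol /set /subcategory:"Filtering Platform Connection" /success:enable

# 1. Resolve the host to the addresses the machine would actually have contacted.
#    CNAME records in the answer have no IPAddress, so they are filtered out.
$targetIps = (Resolve-DnsName -Name $TargetHost -Type A -ErrorAction Stop |
              Where-Object { $_.IPAddress }).IPAddress
Write-Host "Addresses for $TargetHost : $($targetIps -join ', ')"

# 2. Live view: current TCP connections to those addresses and the process that owns them.
Write-Host "`n== Live connections =="
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $targetIps -contains $_.RemoteAddress } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
            PID     = $_.OwningProcess
            Process = $p.ProcessName
            Path    = $p.Path
        }
    } | Format-Table -AutoSize

# 3. Historical view: WFP audit events. Event 5156 carries the application path,
#    process id and destination, so a short-lived OCSP request leaves a record
#    even when nobody is logged in to watch it.
Write-Host "`n== Audit events (ID 5156) in the last $Hours h =="
$filter = @{ LogName = 'Security'; Id = 5156; StartTime = (Get-Date).AddHours(-$Hours) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($targetIps -contains $d.DestAddress) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Application = $d.Application
                PID         = $d.ProcessId
                Destination = "$($d.DestAddress):$($d.DestPort)"
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

    If the application turns out to be svchost.exe, the request is most likely the OS certificate chain engine validating a certificate on behalf of some other component rather than that component itself; `tasklist /svc /fi "PID eq <pid>"` shows which services are hosted in that process. OCSP responders are normally reached over plain HTTP on port 80, which is why the traffic shows up as a web event.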

  6. #6
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    1,513

    Default

    WAT, Windows 10 doesn't do telemetry?
    I get it too, by the way, Win10 on a laptop.

  7. #7
    Newbie
    Join Date
    Jun 2019
    Posts
    12

    Default

    Quote Originally Posted by Jim.Alles View Post
    WAT, Windows 10 doesn't do telemetry?
    I get it too, by the way, Win10 on a laptop.
    What type of situation? While you are on the laptop, browsers going?

    I have 22 other Win 10 stations going and none have gotten this block, but this clean install with 3 specific programs doing their thing gets this flag that can't be traced to a source. It would be nice to know the source.
