Cryptoware/Cryptowall Warning and WGC

WGC Malware Cryptoware

9 replies to this topic

Mr_Deo #1 Posted 30 July 2019 - 03:28 PM

    Lieutenant


Seems the WGC is trying to make outbound connections to a server in Germany that was once used for Cryptoware/Ransomware/Cryptowall (circa late 2014/early 2015 until unknown).

148.251.128.156 is the IP, 6881 is the port.  What I can find/see is that in 2014/2015 it was used as a tor node specifically for this type of Malware.  After 2015 it was used to serve websites that were - again - malware laden.  After 2017/2018 I am not sure.  Ownership of the IP seems to have been in the same place since 2015 so I honestly wouldn't trust it.

 

It (the IP) seems to have about 15 listening services.  Multiple Database services, multiple proxy services, multiple torrent services, a few obscure file download services.

Many of the software packages I can see running are all 2-6 years out of date.

 

So basically... WGC is trying to connect to a server once used as a Tor node for malware, later used to serve malware, and now has a huge amount of crap on it that would indicate it's either a honeypot or totally compromised.

 

I have not looked at what data the WGC is sending.  The server itself seems to have a lot of issues.  WG should be ashamed to be using such a server.  The port (6881) that WGC is trying to reach is either stealthed or non-functioning, as it doesn't seem to listen.  Port 6881 is most likely the modified torrent that WG is using for their downloads; not blacklisting that IP is a bad move.

 

Those who can block this IP range should.  Those who can't block it just suck it up :P....
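As an added example (not code from this thread), the triage the first post describes turned into a script: parse netstat-style connection rows, map PIDs to process names, and flag outbound peers that are outside a vetted allowlist or sit on port 6881 (the BitTorrent default). The rows, the PID map, the process name wgc.exe and the allowlist netblock are all constructed assumptions, not real Wargaming or Hetzner data.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of Windows `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
TCP    192.168.1.10:52113    148.251.128.156:6881   SYN_SENT    4120
TCP    192.168.1.10:52114    93.184.216.34:443      ESTABLISHED 4120
UDP    192.168.1.10:137      *:*                                1456
TCP    192.168.1.10:52120    10.0.0.5:5432          ESTABLISHED 2200
"""

# Hypothetical PID-to-process map, as `tasklist` would give it; wgc.exe is an assumed name.
PROCESSES = {4120: "wgc.exe", 1456: "svchost.exe", 2200: "postgres.exe"}

# Constructed allowlist of netblocks someone has vetted; not a real Wargaming or Hetzner range.
ALLOWED_NETS = [ipaddress.ip_network("93.184.216.0/24")]

# Ports whose default use deserves a second look when an unexpected process uses them.
NOTABLE_PORTS = {6881: "BitTorrent default port (peer-to-peer updater?)"}

ROW = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")


def parse_rows(text):
    """Yield (proto, remote_ip, remote_port, state, pid) for rows with a concrete remote address."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(4) == "*":
            continue  # listening sockets with no peer (e.g. UDP *:*) carry no outbound peer
        yield m.group(1), ipaddress.ip_address(m.group(4)), int(m.group(5)), m.group(6), int(m.group(7))


def triage(text, processes=PROCESSES, allowed=ALLOWED_NETS):
    """Return {process_name: [finding, ...]} for peers outside the allowlist or on notable ports."""
    findings = defaultdict(list)
    for proto, ip, port, state, pid in parse_rows(text):
        if ip.is_private or ip.is_loopback:
            continue  # LAN traffic is out of scope for an Internet-peer review
        name = processes.get(pid, f"pid:{pid}")
        reasons = []
        if not any(ip in net for net in allowed):
            reasons.append("peer not in allowlist")
        if port in NOTABLE_PORTS:
            reasons.append(NOTABLE_PORTS[port])
        if reasons:
            findings[name].append(f"{proto} {ip}:{port} ({state or 'n/a'}): " + "; ".join(reasons))
    return dict(findings)


if __name__ == "__main__":
    for proc, items in triage(SAMPLE_NETSTAT).items():
        print(proc)
        for item in items:
            print("  " + item)
```

A hit here only says "look closer"; confirming ownership (whois/RIR lookup) and the updater's documented ports is the next step before anything is blocked.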



Nishi_Kinuyo #2 Posted 30 July 2019 - 05:02 PM

    Lieutenant General


Have you actually checked who owns that IP and what they do?

It is owned by Hetzner Online GmbH, a datacenter.

Location? Bavaria.

Which is precisely where EU1 Server is located.

https://www.hetzner.com/colocation

 

GJ on raising false alarms.


Edited by Nishi_Kinuyo, 30 July 2019 - 05:17 PM.


onderschepper #3 Posted 30 July 2019 - 05:12 PM

    Warrant Officer

Interesting, my checks show the IP in question to possess a low threat level. :confused:

Mr_Deo #4 Posted 30 July 2019 - 10:03 PM

    Lieutenant


Hetzner and GcoreLabs are not the same company - even if they are roughly in the same location.  So it is not EU1 or EU2.  As said, it's likely a seed server or something of that ilk for the updates.

 

The IP itself has bad history, the fact that it's been used (and no, I am not saying it's Hetzner, nor WG) for many years to do bad stuff is bad.

 

Assuming all ports on that IP are pointed at the same appliance, then there are some seriously bad maintenance issues.

 

XVM does/did use Hetzner, though I don't know about now.  It is a cheap/budget provider.

 

I have no doubt a lot of other people will naturally be blocking this IP as it's not needed.  I doubt that WG are trying to spread malware/whatever, but it's still a bad idea for a company as large as WG to use an IP that is (or was until recently at least) on a global blocklist.  Hetzner will have no choice but to cycle the IP around for various services and users, but that IP assignment could easily be rejected if WG wanted it to be.

 

 



Balc0ra #5 Posted 30 July 2019 - 10:21 PM

    Field Marshal

This again? It's the server they use for updates, and to show the clan page etc in game. It's been researched to death in other topics when this did appear first.

Mr_Deo #6 Posted 31 July 2019 - 01:40 AM

    Lieutenant


Balc0ra, on 30 July 2019 - 09:21 PM, said:

This again? It's the server they use for updates, and to show the clan page etc in game. It's been researched to death in other topics when this did appear first.


Thanks.

Can you link me to any of those topics?  They are as elusive as the EU1 server that isn't hosted by GCoreLabs.

 

The forum search yields no results, and Google only leads to a few posts of people talking about Hetzner as a service.

 

Google Search site:"forum.worldoftanks.eu" "hetzner" -vBaddict

Google Search site:"forum.worldoftanks.eu" "148.251.128.156"

 

I did search the forums (ru, us, eu), reddit, and a few other places.

 

Side note...  That IP being blocked doesn't stop updates.

Side note...  Wargaming Support Article doesn't list port 6881 as a required port to keep open.

 

 



eekeeboo #7 Posted 31 July 2019 - 06:51 PM

    EU Video Content Manager (WG Staff)

Obvious boop of nope on this, I get it's on off-topic but the answer is above and there is no crypto mining. 

 

Cheers, 

eek. 



Mr_Deo #8 Posted 31 July 2019 - 07:37 PM

    Lieutenant


eekeeboo, on 31 July 2019 - 05:51 PM, said:

Obvious boop of nope on this, I get it's on off-topic but the answer is above and there is no crypto mining. 

 

Cheers, 

eek. 


Thanks for that.

You're the first to mention cryptomining, but I can't say I suspected that at all, nor has there been any sign of the IP/server being used for that, legit or not.

 

There's another ~100 odd words that start with "Crypto" that also do not relate to what I am saying.

 

It would be a lot easier if you could simply pop a question to someone in the know... Why is/(was) the WGC reaching out to 148.251.128.156:6881...



Nishi_Kinuyo #9 Posted 31 July 2019 - 09:20 PM

    Lieutenant General


Mr_Deo, on 31 July 2019 - 07:37 PM, said:

There's another ~100 odd words that start with "Crypto" that also do not relate to what I am saying.

 

It would be a lot easier if you could simply pop a question to someone in the know... Why is/(was) the WGC reaching out to 148.251.128.156:6881...

Cryptozoölogy is one of such words.

The study of animals that don't exist.

Neither does the threat.

 

And again, as concluded above, it is either one of Wargaming's game servers, or update servers.

What we do know is that:

1: EU1 server is in Bavaria, Germany.

2: The IP address you mention is registered to a datacentre in Bavaria, Germany.

 

Put 1 and 1 together and the logical conclusion is the above.

 

Try using Occam's razor instead of trying to find a convoluted conclusion while a simpler answer is likely more valid.



Mr_Deo #10 Posted 01 August 2019 - 12:57 PM

    Lieutenant


Nishi_Kinuyo, on 31 July 2019 - 08:20 PM, said:

Cryptozoölogy is one of such words.

The study of animals that don't exist.

Neither does the threat.

 

And again, as concluded above, it is either one of Wargaming's game servers, or update servers.

What we do know is that:

1: EU1 server is in Bavaria, Germany.

2: The IP address you mention is registered to a datacentre in Bavaria, Germany.

 

Put 1 and 1 together and the logical conclusion is the above.

 

Try using Occam's razor instead of trying to find a convoluted conclusion while a simpler answer is likely more valid.


Just because there's a server in Bavaria, Germany and the EU1 server is in Bavaria, Germany does not mean that they are the same.

As explained, WG uses GCoreLabs.  Data passing to GCoreLabs WG servers does not ever pass through Hetzner (that can be seen).  You're making a really odd assumption.

The Peering Points to Hetzner and the GCoreLabs servers are also not the same.

Bavaria is a huge place with lots of hosting providers.  Perhaps I could put it this way and get it through to you.

G-Core Labs (EU1) is in/near Frankfurt

Hetzner (that IP) is in Nuremberg

That's ~190km away from each other...

So as you can see.. 1+1 does not equal 3... 





