Are they just an issue with wefwef or trying to use an exploit

  • tarjeezy
    link
    fedilink
    English
    arrow-up
    21
    ·
    1 year ago

    The encoded string contains the URL zelensky dot zip. Zip is one of the newer top-level domains. It itself is not a zip file, but I am not going to visit that site to find out whatever treasures it has to offer…

      • tarjeezy
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        1
        ·
        1 year ago

        Yea I’ve got both .zip and .mov blocked on my pihole

        • Snipe_AT@lemmy.atay.dev
          link
          fedilink
          arrow-up
          1
          arrow-down
          18
          ·
          1 year ago

          sorry i’m missing it. why this specific TLD? can’t they just use any TLD for this and achieve the same thing? is there something special with .mov?

          • Thassar@lemmy.blahaj.zone
            link
            fedilink
            arrow-up
            4
            ·
            1 year ago

            It’s because it can cause confusion. The only difference between example.com/file.zip and example.com.file.zip is one uses a . and the other a / but both are valid domains. If somebody isn’t paying much attention or they don’t know much about domain names, they could click thinking to get a zip file from a legitimate site and end up going somewhere malicious instead. No other TLDs have this issue (well, I guess .com technically has it but who the hell is downloading and running com files these days) and they’re pretty much exclusively used for this reason so it’s a good idea to block them just to be safe.

            • assa123@lemmy.world
              link
              fedilink
              arrow-up
              2
              ·
              1 year ago

              sorry, I didn’t saw your answer and also replied! I didn’t remember that (.)COM was also a file extension, but now, thanks to your reminder, I will play some DOS games ;)

          • assa123@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            since .zip and .mov are recognizable file extensions, a url of the form google.com.docs.zelensky.zip could make people think that the domain is google.com pointing to a zip instead of the true domain, zelensky (dot) zip which probably would serve malicious content under that subdomain.

      • Snipe_AT@lemmy.atay.dev
        link
        fedilink
        arrow-up
        1
        arrow-down
        18
        ·
        edit-2
        1 year ago

        sorry i’m missing it. why this specific TLD? can’t they just use any TLD for this and achieve the same thing? why is this a reason to block it?

          • Snipe_AT@lemmy.atay.dev
            link
            fedilink
            arrow-up
            1
            arrow-down
            18
            ·
            1 year ago

            i think i understand that part but why is this specific event “another reason to block this TLD”? can’t they just use any TLD for this and achieve the same thing? is there another inherit security issue with .zip that doesn’t exist with other domains?

    • 𝙚𝙧𝙧𝙚@feddit.win
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      Curl didn’t return anything. They’re likely just using it to log requests since the request path contains the data they need.

    • Gellis12
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      Not just that, it looks for a navAdmin cookie in your browser and sends that to zelensky(dot)zip/save/<your cookie here> in the form of a GET request.