-
honeypalace.cn
Just a little while ago, I was browsing the internet and decided to check Yahoo for the news. Then I decided to go back to the previous page I was at, www.vgcats.com (a video game based web comic), to double check something first. When I went back to vgcats.com I noticed "Waiting for http://honeypalace.cn..." in the task bar. My first thought was "Oh, crap..." Just yesterday, I read about the new hole in IE that is largely being exploited by Chinese websites. Though, the first thing I did today when I turned my (XP) computer on was go to Windows update and download and install the patch.
From what little I can find about honeypalace.cn from Yahoo and Google searches, they seem to be ad servers that are displayed on websites. On vgcats.com, it definitely seems to be one of the ads, as IE doesn't display "Waiting for http://honeypalace.cn..." in the task bar every time I go to the page and it doesn't show in my firewall log every time I go to the page. xn--18ba.xxxxx.org also shows up in my firewall log, though, I don't know if it's related, as I can't find any info on it.
I haven't been to vgcats.com on either my XP or Vista computer in about a week or so, but I don't know how long the ads or whatnot from honeypalace.cn have been displayed, so that has me a bit worried. Today is the first time I noticed "Waiting for http://honeypalace.cn..." in the task bar. Like I said, I installed the patch first thing after I turned my XP computer on today, but I was at vgcats.com on both my XP and Vista computers before the patch was released (still need to patch Vista, actually).
So, do you guys think there is anything I need to worry about?
-
Not from what I can see. When you normally click on a page the ads load very quickly (esp assuming you're on hispeed) and the ad would appear so quickly you wouldn't usually see it in the activity bar at the bottom. If the ad server was down or being hammered/slowed for some reason then you would see that message. It is from China so that may explain delays.
If you view the source of the page you normally visit you'll probably see that address as part of its HTML coding if it's still getting its ads from there. (view>source) Use the find function to look for it because the source page may be quite large.
Having said all that, I wouldn't be particularly pleased to see web ads from China appear on a site I visit regularly since ad servers can and have been known to be hijacked and be infected with malware (China being one of the world's biggest distributors of viruses and all). My inclination would be to put that address in the hosts file to block it just as a matter of being security conscious.
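The view>source and find approach above works, but a large page can hide many src attributes. The following is an added example, not from this thread or from any tool named in it: it parses page HTML and lists every host the page would fetch resources from, then reports any that match a watchlist. The sample page source and the example-comic.test hostnames are constructed; honeypalace.cn and doubleclick.net are the ad hosts discussed in the thread.

```python
"""Inventory the third-party hosts a page's HTML pulls in.

Added example (not from the thread). It reads page source the way a
person doing view > source and find would, but collects every host
referenced by a resource-loading attribute so nothing is missed in a
large page. The sample HTML below is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attributes that make the browser fetch another resource.
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "link": ("href",),
    "source": ("src",),
}


class ResourceHostCollector(HTMLParser):
    """Collect hostnames of the resources the page would load."""

    def __init__(self):
        super().__init__()
        self.hosts = {}  # host -> list of (tag, url)

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag.lower())
        if not wanted:
            return
        for name, value in attrs:
            if name.lower() in wanted and value:
                url = value.strip()
                if url.startswith("//"):
                    url = "http:" + url  # protocol-relative URL
                host = urlparse(url).hostname
                if host:  # relative paths such as /style.css have no host
                    self.hosts.setdefault(host.lower(), []).append((tag, url))


def third_party_hosts(html, first_party):
    """Sorted hosts the page loads from, excluding first_party and its subdomains."""
    parser = ResourceHostCollector()
    parser.feed(html)
    fp = first_party.lower()
    return sorted(h for h in parser.hosts if not (h == fp or h.endswith("." + fp)))


def watchlist_hits(html, watchlist):
    """Hosts on the page that equal or are subdomains of a watchlist entry."""
    parser = ResourceHostCollector()
    parser.feed(html)
    hits = {}
    for host, refs in parser.hosts.items():
        for w in watchlist:
            w = w.lower()
            if host == w or host.endswith("." + w):
                hits[host] = refs
    return hits


# Constructed sample page source; hostnames chosen to mirror the thread.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/style.css">
<script src="http://www.example-comic.test/js/site.js"></script>
</head><body>
<img src="//ads.honeypalace.cn/banner.gif">
<iframe src="http://ad.doubleclick.net/adi/example"></iframe>
<script src="http://cdn.example-comic.test/lib.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for host in third_party_hosts(SAMPLE_HTML, "example-comic.test"):
        print("third-party:", host)
    for host, refs in watchlist_hits(SAMPLE_HTML, ["honeypalace.cn"]).items():
        print("watchlist hit:", host, refs)
```

Save the page source to a file and pass its contents to third_party_hosts to get the full list of ad and script hosts; a watchlist lets you check the same file for a specific host even when the ad rotation has changed since you last looked.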
-
I think I'll check the source after putting the addresses in my HOSTS file. I did some more researching and found a site named threatexpert.com with info on malware that referenced honeypalace.cn (it seems, from the info on the site, that an .exe is downloaded from the site). It lists filenames and registry modifications. None were present on either computer, though, I'm still a bit paranoid. Also, it seems you modified your post since I last checked the site. You mentioned that the ad servers wouldn't show up in a firewall log. I use Sygate on my XP computer and as far as I can tell, every connection a program makes or attempts to make is shown in the log. For example, I see IE connections while browsing for atdmt.com, doubleclick.net and various other ad servers.
-
After adding those two mentioned sites to my HOSTS file, I went to vgcats.com to check the source. Neither site was listed, but there were different ads being displayed this time. The ads that were displayed when I noticed "Waiting for http://honeypalace.cn..." in the task bar were for various free-to-play MMORPGs. I'm going to run a scan with AVG, Spybot and Windows Defender to be on the safe side.
-
Interesting info on the honeypalace site. I'd run malwarebytes scanner. It's free and one of the best around right now. I deleted that sentence because it was incorrect (mostly).
http://www.malwarebytes.org/mbam.php
-
real interesting.
http://www.threatexpert.com/report.a...fc8b4717241020
scroll to the bottom then scroll back up and read down.
That is a good one to block.
Fink is right in checking things out.
-
Yea, Train, that was the page I was talking about that referenced honeypalace.cn.
After some searching, I found a site called keenspot.com that had two threads mentioning honeypalace.cn. It seems that the site had ads either displayed from honeypalace.cn or ad servers that had been compromised by honeypalace. Visitors were getting notices from their browsers about keenspot.com having elements from honeypalace.cn or their A/V programs were flagging files as they browsed the site. They said it is indeed related to the newly discovered hole in IE. They have since taken down most of their ads as a safe measure. As for vgcats.com, I'm not sure if it has been taken care of there.
Also, I ran Malwarebytes on both of my computers and the results were clean, but after I scanned with HijackThis again, I saw something odd:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:38 AM, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clansilverfox.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: # Copyright (c) 1993-1999 Microsoft Corp.
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1229090271076
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1229090223388
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
--
The O1 hosts entry was never there before. I added honeypalace.cn, the other site I mentioned and another site I go to regularly. I then navigated to that site just to make certain things were being blocked (I'm paranoid). Then I went to vgcats.com again to check things out. I didn't re-enable Spybot's hosts file lock when I did so, so I thought maybe something from honeypalace.cn had modified it some way. That doesn't seem to be the case though. I rolled back the HOSTS file to before I modified it to add honeypalace.cn, using Spybot, and as I figured, that entry didn't show up in my HijackThis log. I then modified the hosts file again, and boom, it was in the HijackThis log again. Also, it shows in Spybot's hosts file viewer at the top of the list. I thought this just might be a quirk I've never noticed before. Like maybe that entry goes away every time I update Spybot and new hosts file entries are added after I immunize. I wasn't able to reproduce these results on my Vista computer or my dad's XP computer. Both my Vista computer and my dad's computer have the newest version of Spybot, while I only have 1.5.2 on my XP computer, though, I don't know if that even makes a difference. So, does anyone know what's up with that?
I attached a pic of the Spybot hosts viewer to show what I was talking about. The odd characters that are shown in the Spybot screen are also displayed in the HijackThis scan screen and the .txt file that it saves, but for some reason, when I post it here, they aren't displayed.
-
Here's a pic of the HijackThis scan screen to show what I'm talking about. Funny thing about that is when I actually open up the hosts file in notepad, I don't see those characters at the top of the log, in front of "Copyright".
-
1999, WinMe or 98SE would have a date like that, not XP.
-
Good point. So what I think is happening is that hijackthis is seeing that line that seems to be incorrect for XP and is flagging it as a potential problem. It may also be seeing those extra characters before the # and getting confused.
It isn't a problem, not only is it just a wrong date or an altered line, which is not an issue, but the # in front of it renders the line inert anyway (comment tag.. any message or info can be typed in there without effect). The important entries are the ones that start with 127.0.0.0 or 0.0.0.0
You have a few choices.. ignore it, delete it or fix it to one that would be officially correct which I think is..
# Copyright (c) 2004 Microsoft Corp. (most recent one I found)
(edited typo on date)
Did you get that hostsfile from another source? Maybe installed/altered from some other antispyware or ad blocking program?
Out of curiosity I checked the hosts and hosts.sam files on 3 different computers and about half have the 1999 date and half have a more recent date (200x)... I've used many different hosts programs on all of them so I've no way of guessing which one changed the dates.
EDIT 2... I ran hijackthis on XP with the 1999 date and it didn't flag it so it must be seeing the odd characters on yours. Could be a bit of corruption as well.
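As an added example (not from this thread, nor from Spybot, HijackThis or HostsXpert), the Python below parses a HOSTS file the way the post above describes it: "#" starts a comment, and the entries that matter are the ones mapping a hostname to 127.0.0.1 or 0.0.0.0. It reads the file as raw bytes so that invisible leading characters are reported; a UTF-8 byte order mark, which Notepad does not display, is one common cause of characters that show in a byte-level tool but not in Notepad, though whether that is what the earlier posts saw is an assumption. It also adds a block entry without duplicating one that is already there. The sample file contents are constructed to resemble the XP default file.

```python
"""Inspect and extend a Windows-style HOSTS file.

Added example (not from the thread). Works on raw bytes so that a
leading byte order mark or other non-printable byte is reported rather
than silently hidden; lists the hostnames that are effectively blocked
(mapped to 127.0.0.1 or 0.0.0.0); adds a block entry idempotently.
"""
import codecs

BLOCK_TARGETS = {"127.0.0.1", "0.0.0.0"}
BOMS = {
    codecs.BOM_UTF8: "UTF-8 BOM",
    codecs.BOM_UTF16_LE: "UTF-16 LE BOM",
    codecs.BOM_UTF16_BE: "UTF-16 BE BOM",
}


def leading_oddity(data):
    """Describe a BOM or non-printable byte at the start of the file, else None."""
    for bom, name in BOMS.items():
        if data.startswith(bom):
            return name
    first = data.lstrip(b" \t\r\n")[:1]
    if first and (first[0] > 0x7E or first[0] < 0x20):
        return "non-printable byte 0x%02x at start" % first[0]
    return None


def parse_hosts(data):
    """Return [(address, [hostnames])] for active (uncommented) entries."""
    text = data.decode("utf-8-sig", errors="replace")  # utf-8-sig drops a UTF-8 BOM
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # everything after '#' is a comment
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def blocked_hosts(data):
    """Hostnames mapped to a loopback/null address, i.e. effectively blocked."""
    blocked = set()
    for addr, names in parse_hosts(data):
        if addr in BLOCK_TARGETS:
            blocked.update(n for n in names if n != "localhost")
    return sorted(blocked)


def add_block(data, hostname, address="0.0.0.0"):
    """Return data with a block entry for hostname appended, unless one exists."""
    hostname = hostname.lower()
    if hostname in blocked_hosts(data):
        return data
    if data and not data.endswith(b"\n"):
        data += b"\r\n"  # keep Windows line endings
    return data + ("%s %s\r\n" % (address, hostname)).encode("ascii")


# Constructed sample: XP-style header saved with a UTF-8 BOM, plus a hand-added entry.
SAMPLE_HOSTS = codecs.BOM_UTF8 + (
    b"# Copyright (c) 1993-1999 Microsoft Corp.\r\n"
    b"#\r\n"
    b"# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\r\n"
    b"127.0.0.1       localhost\r\n"
    b"127.0.0.1       honeypalace.cn   # added by hand\r\n"
)

if __name__ == "__main__":
    print("leading oddity:", leading_oddity(SAMPLE_HOSTS))
    print("blocked:", blocked_hosts(SAMPLE_HOSTS))
    updated = add_block(SAMPLE_HOSTS, "www.honeypalace.cn")
    print("blocked after add:", blocked_hosts(updated))
```

Run leading_oddity over the bytes of C:\WINDOWS\system32\drivers\etc\hosts to see whether anything precedes the "#" of the copyright line; if it reports a BOM, re-saving the file as plain ANSI text from an editor that lets you choose the encoding removes it without touching any of the 127.0.0.1 or 0.0.0.0 entries.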
-
Well, I'll be. . . .
Here is an unmodified, i.e. just installed, HOSTS file.
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
So it is the right date. My bad it looks like. But as noted, the date is commented out.
-
Then it has to be the odd characters before the #. I'd delete it with hijackthis and forget about it.
-
That O1 entry has to be fixed.
Your best way to do it...
Download HostsXpert ( http://www.majorgeeks.com/Hoster_d4626.html ) and then follow the steps below:
* Unzip HostsXpert.zip
* It will create a folder named HostsXpert in whatever folder you extract it to.
* Run HostsXpert.exe by double clicking on it.
* click Restore MS Hosts File and then click OK.
* Click the X to exit the program
-
To answer your question about my hosts file, Fink, I modified it using Spybot.
I have a few questions about using HostsXpert, Broni. Won't that accomplish the same thing as restoring the hosts file to a previous date using Spybot like I've already done? Also, if it accomplishes the same thing, won't adding my own entries and/or Spybot's entries make the O1 entry show up again? I'm also still wondering why the O1 entry shows up in the first place. Like I said, it wasn't there until the day I added honeypalace.cn to my hosts file. Also, is there a way to block all sites that end in a certain suffix, using the hosts file? I'd like to block all .cn and .ru sites.