
DenyList for all domains and sub domains from i-soon.net #2193

Closed
nabendu1 opened this issue Feb 19, 2024 · 18 comments
Comments

@nabendu1

nabendu1 commented Feb 19, 2024

Which domain(s) should be blocked?

http://www.i-soon.net/ctf.html (general users should avoid accessing the link, as it is not known what information it can access)

Why should these domain(s) be blocked?

There has been a leak dumped on GitHub: https://github.com/I-S00N/I-S00N

This dump is about Anxun Information Technology Company (I-Soon), which, based on the documents, seems to be a spyware vendor.
Refer to the OP post https://twitter.com/AzakaSekai_/status/1759326049262019025?t=gMR-naDvsHMlCk4awqUG2g
https://infosec.exchange/@still/111954824463349757

All domains / subdomains should be blocked. Currently, based on the latest Ultimate, the domain is not in the blocklist.

@nabendu1 nabendu1 added the deny Deny domain(s) label Feb 19, 2024
@hagezi hagezi closed this as completed in c197264 Feb 19, 2024
@xRuffKez
Contributor

i-soon.com[.]cn
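
The opening report claims the domain and its subdomains are not yet covered by the list, and the entry just above is written in defanged `[.]` notation. The following checker is an added example, not part of this thread or of the hagezi project: it normalizes URLs and defanged indicators into bare hostnames, parses a constructed plain-domain deny list, and reports which candidate hostnames are covered (an entry covers itself and every subdomain beneath it, matched on label boundaries so that e.g. `noti-soon.net` is not caught by `i-soon.net`). The sample list contents and candidate hostnames are constructed for illustration.

```python
import re
from typing import Dict, Iterable, Optional, Set

# Constructed sample deny list in a plain one-domain-per-line format with
# '#' comments (hypothetical contents, not the real hagezi list).
SAMPLE_DENY_LIST = """
# constructed sample, not the real list
i-soon.net
i-soon.com.cn
"""

# Constructed candidates mirroring what was posted in the thread:
# a URL, a defanged entry, unrelated hosts, and a look-alike label.
SAMPLE_CANDIDATES = [
    "http://www.i-soon.net/ctf.html",
    "i-soon.com[.]cn",
    "https://ctf.d0g3.cn/",
    "blog.d0g3.cn",
    "noti-soon.net",
]


def normalize(raw: str) -> str:
    """Reduce a URL or defanged indicator to a bare lowercase hostname."""
    s = raw.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s)   # drop scheme
    s = s.split("/", 1)[0].split("?", 1)[0]       # drop path and query
    s = s.split("@")[-1].split(":", 1)[0]          # drop userinfo and port
    return s.rstrip(".")


def parse_deny_list(text: str) -> Set[str]:
    """Collect normalized entries, ignoring blank lines and '#' comments."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(normalize(line))
    return entries


def is_covered(host: str, deny: Set[str]) -> Optional[str]:
    """Return the entry that blocks `host` (itself or a parent), else None."""
    labels = host.split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        parent = ".".join(labels[i:])
        if parent in deny:
            return parent
    return None


def coverage_report(candidates: Iterable[str], deny_text: str) -> Dict[str, Optional[str]]:
    """Map each normalized candidate to the covering entry, or None if uncovered."""
    deny = parse_deny_list(deny_text)
    return {normalize(c): is_covered(normalize(c), deny) for c in candidates}
```

Running `coverage_report(SAMPLE_CANDIDATES, SAMPLE_DENY_LIST)` shows which hosts an existing entry already catches, so a deny request only lists what is genuinely missing.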

@hagezi hagezi reopened this Feb 19, 2024
@hagezi
Owner

hagezi commented Feb 19, 2024

Thanks, missed ...

@nabendu1
Author

@hagezi could you also check these domains? Seems to be some CTF competition hosting website: https://github.com/D0g3-Lab

https://ctf.d0g3.cn/

https://ctf.dao.ge/

blog.d0g3.cn

hagezi added a commit that referenced this issue Feb 19, 2024
@hagezi
Owner

hagezi commented Feb 19, 2024

@xRuffKez Can you please assist? Thank you ...

@hagezi
Owner

hagezi commented Feb 19, 2024

Thanks @xRuffKez

If you create a PR to add domains, I've added the two domains here:

https://github.com/hagezi/dns-blocklists/blob/main/submit_pullrequest_here/deny_tif.txt
https://github.com/hagezi/dns-blocklists/blob/main/submit_pullrequest_here/deny_light-ultimate.txt

@hagezi hagezi added the in progress A solution is being worked on label Feb 19, 2024
@xRuffKez
Contributor

> @hagezi could you also check these domains . Seems some CTF competition hosting website https://github.com/D0g3-Lab
>
> https://ctf.d0g3.cn/
>
> https://ctf.dao.ge/
>
> blog.d0g3.cn

I've dug a lot.
Those domains are related to DogeCoin.
CTF means Crypto Trading Fund. I've checked some Python, Ruby and PHP code, and they are related to NFT game stuff and other crypto stuff.
It might be connected to i-soon, but I see no evidence; therefore I'm not blacklisting them.

@hagezi
Owner

hagezi commented Feb 19, 2024

Thank you @xRuffKez, we'll leave it at that for now.

@hagezi hagezi removed the in progress A solution is being worked on label Feb 19, 2024
@hagezi hagezi closed this as completed Feb 19, 2024
@nabendu1
Author

@xRuffKez @hagezi

https://github.com/D0g3-Lab profile info: Animal Kingdom of Cybersecurity

  1. CTF stands for Capture the Flag in cybersecurity competitions. D0g3-Lab repositories are linked to the Anxun Cup title program, supposedly an annual competition to recruit upcoming graduating students to Anxun.
  2. Neko malware is in this GitHub folder: https://github.com/D0g3-Lab/i-SOON_CTF_2018/tree/master/Pwn
    Meow seems to be ransomware
    ( https://www.f-secure.com/v-descs/neko.shtml )
  3. The path RE/一个没什么用的病毒 literally means "a useless virus" according to Google Translate.

The Hive repository seems to collect questions from various CTF competitions and provides a containerized Docker environment.

The additional domains seem to have some direct / indirect links to I-Soon or to the overall cybersecurity community based out of China.

@xRuffKez
Contributor

@nabendu1 then, let the hunt begin!

@hagezi hagezi reopened this Feb 19, 2024
@xRuffKez
Contributor

#2194
some domains

hagezi added a commit that referenced this issue Feb 20, 2024
@hagezi hagezi closed this as completed Feb 20, 2024
@Mosney

Mosney commented Mar 18, 2024

LMAO, obviously a lot of false alarms in #2194.

> The additional domains seem to have some direct/ indirect links to I-Soon or overall cybersecurity community based out of China

What should you guys do if they reference google.com or github.com? Should Google and GitHub also be blocked?

@Miigon

Miigon commented Mar 18, 2024

In #2194, under "# D0G3 and his i-soon ctf friends", a lot of innocent personal blogs and researcher websites with no real connection to i-soon got blocked. Many of them are second-degree/third-degree connections (or even higher than that) to d0g3, which itself is just a CTF competition site, not a malware distribution site.

I don't think blocking these websites purely on the basis of "having a (very indirect) link path to d0g3" is justified, considering how small the CTF and cybersecurity community is; you would literally have blocked the whole community with only a few more degrees of separation traced.

I would request that all the websites under "# D0G3 and his i-soon ctf friends" be reverted, and that we reconsider blocking only if any of them is individually proven harmful.

@Miigon

Miigon commented Mar 18, 2024

"a website (with no sign of containing malware) that may have an indirect multi-degree connection to a competition hosting website (that itself is harmless) that hosted a competition that might be related to a certain security company in the news (whose website is not yet proven to contain any malware in and of itself)"

is not a good enough reason to block that website, full stop.

@hagezi
Owner

hagezi commented Mar 18, 2024

I'll take care of it right away.

@ryan4yin

> @nabendu1 then, let the hunt begin! -- @xRuffKez

It's ridiculous. Do you think it's funny and exciting?
Look how many innocent people you hurt.

@xRuffKez
Contributor

I apologize for reporting those domains.
I just acted on a request from @nabendu1 and acted a bit too quickly indeed.

It's indeed unjustified to block domains which are obviously not malicious and for which a direct link to i-soon cannot be proven.

I also apologize for interfering with your project by falsely accusing those domains. @ryan4yin

@danielchim

This seems more like a personal attack, and using a DNS blocklist to achieve it is unethical.

@ryan4yin

> I apologize, for reporting those Domains.
> I just acted for a request from @nabendu1 and acted a bit too quick indeed.

@xRuffKez
My wording is a little intense, mainly because I was really angry yesterday. However, since you have apologized, I hope you know that I have forgiven you. I hope you can think more about your responsibilities when submitting PRs.
