Checking connections to suspicious sites while we are browsing

05 Jun 2020 - cr0hn


Every day we visit a lot of sites on the Internet. Each of these sites have a lot of resources and do a lot of connections to external servers, but… how can we check for connections for suspicious sites? And how can we script some actions?

You can install an Antivirus. You can use some additional software that try to “protect” you against this type of sites but you can’t launch any custom action (or shell script!) when you detect them. Why not use APICheck for that?

OK, we must follow these steps:

  • first, we need a list of suspicious sites or IPs. You have a complete list of resources at MalwareDomainList. For this post we downloaded a list with suspicious IPs.
  • Then we’ll need APICheck Proxy to intercept and launch actions each time a request arrives.
  • Make sure you have installed JQ

MalwareDomainList

Finally we need to configure our browser with http://127.0.0.1:8080 proxy and write this command:

$ docker run --rm -i -p 8080:8080 bbvalabs/apicheck-proxy | jq --unbuffered -r '.request.url' |  grep -f ~/Downloads/ip.txt -F
https//103.14.120.121:443
https//200.58.114.51/fake.php

Where:

  • ip.txt is the list of malicious IP downloaded from MalwareDomainList