Weird activity on 1.1.1.1

Hi there,

Recently I've seen some weird reports stating that the 1.1.1.1 or one.one.one.one domains are dangerous.

Both on ANY.RUN and VirusTotal.

What could be the reason for this? Could someone explain?

Thanks in advance.

Welcome to the Cloudflare Community.

What specific elements on those sites are convincing you of that? I see nothing in either of those reports to suggest the presence of any actual malware.

Hi there,

The following concerns me:

The execution of wmpnscfg.exe (Windows Media Player): there have been CVEs that enable a hacker to execute remote code.

Companies like Sophos and HitmanPro protect against them since it's a common tactic.

The other thing that concerns me is the HTTP request for CRX3 files. I've seen many domains hijack WPAD to modify browser registry keys.

The last thing that concerns me is the activity on ports 137, 138 and 1900, which are known for SMB and UPnP, and the use of the 224.0.0.0 range.

Of course it could be average activity since any.run acts like an end user machine.

Regards.

My point is that none of those things have any actual connection to Cloudflare or 1.1.1.1. There is a lot of inaccurate and irrelevant nonsense in both of the pages you shared, although the latter contained substantially more.

On its own, no.

Not in the slightest.

It's rather a question of whether 1.1.1.1 suffers some form of incident.

Most of the data is average activity on a Windows machine.

This is normal since it's a honeypot that acts as an end user and records any activity when binaries are executed or when sites are visited.

I don’t see anything in those reports that indicates 1.1.1.1 had an incident. Can you point out what concerns you and how you believe it relates to an issue with Cloudflare’s public DNS resolver?


It relates to Cloudflare's public DNS resolver since these signs were seen on a honeypot Windows machine when it visited the 1.1.1.1 website. Any Windows computer that visits the site gets those activities.

My question is rather simple:

Is this normal (as in, normal behaviour, since this honeypot (any.run) acts as a Windows device)?

Or is it a sign of an incident / compromise by a third party?

Regards.
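The question above, whether a sandbox report shows the visited site doing something or just the Windows VM talking to itself, is a triage step that can be automated. The following is an added example, not code from this thread or from ANY.RUN: it takes constructed sandbox-style network events (process, protocol, destination IP, destination port) and separates LAN background chatter (multicast in 224.0.0.0/4 such as SSDP on 1900 and LLMNR, NetBIOS broadcasts on 137/138) from connections that the visited site could actually have caused. The sample rows and the assumed LAN subnet 192.168.1.0/24 are made up for illustration.

```python
import ipaddress

# Assumed sandbox LAN; only needed to recognise the directed broadcast address.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Background chatter a Windows VM produces on its own, whatever site the
# sample visits. (proto, dst_port) -> well-known service name.
BACKGROUND_PORTS = {
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram",
    ("udp", 1900): "SSDP/UPnP discovery",
    ("udp", 5355): "LLMNR",
    ("udp", 67): "DHCP",
}

# Constructed events in the shape a sandbox network tab might export.
# These rows are illustrative only, not taken from any real report.
SAMPLE_EVENTS = [
    ("svchost.exe", "udp", "239.255.255.250", 1900),
    ("System", "udp", "192.168.1.255", 137),
    ("System", "udp", "192.168.1.255", 138),
    ("svchost.exe", "udp", "224.0.0.252", 5355),
    ("chrome.exe", "tcp", "1.1.1.1", 443),
    ("chrome.exe", "tcp", "104.16.248.249", 443),
    ("wmpnscfg.exe", "udp", "239.255.255.250", 1900),
]


def classify(event):
    """Return 'background' for multicast/broadcast/LAN-discovery noise,
    'attributable' for traffic the analysed page could have triggered."""
    _process, proto, dst_ip, dst_port = event
    ip = ipaddress.ip_address(dst_ip)
    if ip.is_multicast or ip.is_link_local or ip == LAN.broadcast_address:
        return "background"
    if (proto, dst_port) in BACKGROUND_PORTS:
        return "background"
    return "attributable"


def triage(events):
    """Bucket events; the 'attributable' bucket is what is worth a closer look."""
    buckets = {"background": [], "attributable": []}
    for ev in events:
        buckets[classify(ev)].append(ev)
    return buckets


if __name__ == "__main__":
    for kind, evs in triage(SAMPLE_EVENTS).items():
        print(f"{kind}: {len(evs)} event(s)")
        for ev in evs:
            print("   ", ev)
```

On the constructed rows only the two HTTPS connections from the browser survive as attributable; everything on 137/138/1900/5355 to multicast or broadcast addresses is the VM's own discovery traffic.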

You have shown nothing that supports this claim.

