DEV Community

loading...

Discussion on: Crypto-mining attack in my GitHub actions through Pull Request

Collapse
daniel15 profile image
Daniel Lo Nigro • Edited

I think that dns.google is not a nasty domain, but honestly I'm not sure and haven't much investigated this.

dns.google is Google's public DNS server. They're just using its HTTP API to do a DNS lookup for poolio.magratmail.xyz and get its IP address. Although, since their script installed curl via apt, I wonder why they didn't just install dnsutils and use nslookup or dig 🤔

Collapse
bakies profile image
Jon Bakies

It may be an easy way to avoid being stopped by a security tool watching outbound DNS traffic and flagging lookups to suspicious sites. .xyz is a suspicious TLD andpoolio.magratmail.xyz may get flagged. The http request to dns.google is encrypted, you don't know what they're resolving by inspecting the wire.

Collapse
daniel15 profile image
Daniel Lo Nigro

That's a great point! I didn't even consider that. Pretty clever if that's the case.