One of my customer's systems has been connecting to unusual sites in the .info TLD. These are site names like:

expeditertruffleluxury.info
daresroutinebroadcast.info
fetalhydrantembroider.info
jumblejockeyhurler.info

The names all seem to be 3 long but obscure English words. They all have similar registration details, in particular the same registrar and creation date.

Domain Name: EXPEDITERTRUFFLELUXURY.INFO
Registry Domain ID: D503300000043619417-LRMS
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.wildwestdomains.com
Updated Date: 2017-10-25T20:30:30Z
Creation Date: 2017-08-26T02:08:26Z
Registry Expiry Date: 2018-08-26T02:08:26Z

All resolved addresses point to blocks owned by "Hurricane Electric":

64.62.175.43/32
64.62.197.86/32
64.62.197.88/32
64.71.171.66/32
64.71.171.71/32
64.71.174.47/32
64.71.174.68/32
64.71.174.85/32
64.71.174.86/32
64.71.174.89/32
65.49.126.74/32
65.49.126.83/32
66.160.178.82/32
66.160.199.40/32
66.160.201.55/32
66.160.201.56/32
66.160.201.80/32
72.52.87.74/32
72.52.112.41/32
72.52.112.52/32
72.52.112.88/32
72.52.125.42/32
72.52.125.62/32
72.52.125.78/32
72.52.125.84/32
74.82.4.44/32
74.82.4.83/32
74.82.35.71/32
74.82.35.73/32
74.82.35.83/32
74.82.60.59/32
74.82.60.60/32
74.82.60.66/32
74.82.60.69/32
74.82.60.80/32

The traffic is all HTTPS encrypted. Has anyone seen anything similar?
jauntysankey 7 Posts |
thread locked
Nov 16th 2017 3 years ago |
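A hunting script for the pattern the post describes, added here as an example and not part of the original post or any tool the poster used. It scans TLS/proxy log lines for two of the indicators given above: a two-label .info host whose first label splits into exactly three dictionary words, and a destination address in the Hurricane Electric /32 list quoted in the post. The log line format, the small word list, and the helper names are all assumptions; a real deployment would load a full English dictionary and the organisation's own log schema.

```python
import re
from typing import Optional

# Constructed word list for the demo. It deliberately contains the twelve words
# that make up the four domains in the post plus a few benign words; a real
# hunt would use a full dictionary (e.g. /usr/share/dict/words).
WORDS = {
    "expediter", "truffle", "luxury", "dares", "routine", "broadcast",
    "fetal", "hydrant", "embroider", "jumble", "jockey", "hurler",
    "update", "server", "example", "vendor", "name",
}

# Resolved addresses quoted in the post (all /32s, so a plain set of strings).
KNOWN_HOSTS = {
    "64.62.175.43", "64.62.197.86", "64.62.197.88", "64.71.171.66",
    "64.71.171.71", "64.71.174.47", "64.71.174.68", "64.71.174.85",
    "64.71.174.86", "64.71.174.89", "65.49.126.74", "65.49.126.83",
    "66.160.178.82", "66.160.199.40", "66.160.201.55", "66.160.201.56",
    "66.160.201.80", "72.52.87.74", "72.52.112.41", "72.52.112.52",
    "72.52.112.88", "72.52.125.42", "72.52.125.62", "72.52.125.78",
    "72.52.125.84", "74.82.4.44", "74.82.4.83", "74.82.35.71",
    "74.82.35.73", "74.82.35.83", "74.82.60.59", "74.82.60.60",
    "74.82.60.66", "74.82.60.69", "74.82.60.80",
}

# Assumed log schema (constructed): "<ts> src=<ip> dst=<ip> sni=<host>".
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sni=(?P<sni>\S+)$")


def split_into_words(label: str, n: int = 3) -> Optional[list]:
    """Return a split of `label` into exactly `n` dictionary words, or None.

    Backtracking search, longest prefix first. Exactly-n matters: the post's
    pattern is three words, and two-word names like updateserver are common
    for legitimate hosts, so they must not be flagged.
    """
    if n == 0:
        return [] if label == "" else None
    for i in range(len(label), 0, -1):
        head, tail = label[:i], label[i:]
        if head in WORDS:
            rest = split_into_words(tail, n - 1)
            if rest is not None:
                return [head] + rest
    return None


def reasons_for(host: str, dst_ip: str) -> list:
    """Return the list of indicators matched by one connection (empty = clean)."""
    reasons = []
    labels = host.lower().rstrip(".").split(".")
    if len(labels) == 2 and labels[-1] == "info":
        parts = split_into_words(labels[0])
        if parts:
            reasons.append("three-word .info name: " + "+".join(parts))
    if dst_ip in KNOWN_HOSTS:
        reasons.append("destination in reported Hurricane Electric list")
    return reasons


def scan_log(text: str) -> list:
    """Parse every line and return [{'host', 'dst', 'reasons'}] in input order."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real scanner would count these
        host, dst = m.group("sni"), m.group("dst")
        results.append({"host": host, "dst": dst, "reasons": reasons_for(host, dst)})
    return results


# Constructed sample log: two hits from the post, one benign host, one benign
# two-word .info host, and one unrelated host that still lands on a listed IP.
SAMPLE_LOG = """\
2017-11-16T09:12:03Z src=10.1.4.22 dst=64.62.175.43 sni=expeditertruffleluxury.info
2017-11-16T09:12:09Z src=10.1.4.22 dst=72.52.112.41 sni=daresroutinebroadcast.info
2017-11-16T09:13:41Z src=10.1.4.22 dst=203.0.113.10 sni=example.com
2017-11-16T09:14:02Z src=10.1.4.30 dst=10.1.1.5 sni=updateserver.info
2017-11-16T09:15:17Z src=10.1.4.22 dst=74.82.60.80 sni=cdn.vendor-name.net
"""

if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        if r["reasons"]:
            print(f"{r['host']} -> {r['dst']}: {'; '.join(r['reasons'])}")
```

The two checks are intentionally independent: the IP list catches a fresh domain on a known host before it is ever seen, while the word-split catches a new host serving a name in the same style. Either one alone produces false positives (shared hosting, three-word marketing domains), so the output is a hunting lead to pivot on with WHOIS creation date and registrar, as the poster did, rather than a block decision.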