Thanks for the help with this! Turns out this had a not-so-malicious resolution for now: the IP address is used for numerous "spelling error" domains, aka "typo squatting". The company/person behind this IP address is redirecting a large number of domains to the IP address, which then displays a "yellow pages" look-alike called "yellow book". Nothing malicious as far as I can tell for now, but some may not like this practice.

-----

Alex wrote in a short time ago seeing "www.citrix.com" resolving to 208.73.210.29. This IP address has been associated with malware in the past. Further investigation showed that literally hundreds of "brand name" sites point to this IP address (if you are using the "wrong" DNS server). For example, see the report from the BFK passive DNS caching tools: http://www.bfk.de/bfk_dnslogger.html?query=208.73.210.29#result

Please let us know if you are seeing outbound traffic to this IP address or if you see DNS resolution requests that return this IP address. We are still investigating details.
Johannes 3694 Posts ISC Handler
Dec 13th 2011
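The diary asks readers to check two things: DNS answers that return the listed address, and outbound connections to it. The script below is an added example, not part of the diary or any commenter's post. It hunts over constructed dnsmasq-style resolver log lines and netfilter-style firewall log lines (both sample logs are made up for the example; the regexes assume those two formats) and reports which names resolved to a watched address and which internal hosts connected to one. The watched addresses are the three that appear in this thread; they are written as networks so a local analyst can widen an entry if that is warranted.

```python
"""Hunt resolver and firewall logs for answers pointing at, and traffic towards,
the addresses named in the diary. Added example, not part of the ISC diary."""
import ipaddress
import re
from collections import defaultdict

# Addresses called out in the diary and its comments. Kept as networks so a
# single entry can be widened (e.g. to a /24) without touching the code.
WATCHED = [
    ipaddress.ip_network("208.73.210.29/32"),
    ipaddress.ip_network("208.73.210.48/32"),
    ipaddress.ip_network("208.73.210.128/32"),
]


def watched_network(ip_text):
    """Return the watched network containing ip_text (as a string), or None.
    Non-address tokens such as dnsmasq's '<CNAME>' are skipped."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in WATCHED:
        if addr in net:
            return str(net)
    return None


# dnsmasq-style "reply <name> is <address>" lines (assumed log format).
REPLY_RE = re.compile(r"dnsmasq\[\d+\]: reply (\S+) is (\S+)\s*$")


def dns_replies_to_watched(log_text):
    """Map each watched address seen in a reply to the names that resolved to it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue
        name, answer = m.groups()
        if watched_network(answer) is not None:
            hits[answer].add(name)
    return dict(hits)


# netfilter-style "SRC=... DST=... DPT=..." lines (assumed log format).
FW_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")


def outbound_to_watched(log_text):
    """Return (src, dst, dport) tuples for connections to a watched address."""
    out = []
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.groups()
        if watched_network(dst) is not None:
            out.append((src, dst, int(dport)))
    return out


# Constructed sample resolver log (not real data).
SAMPLE_DNS_LOG = """\
Dec 13 09:14:02 gw dnsmasq[812]: query[A] www.citrix.com from 10.0.0.15
Dec 13 09:14:02 gw dnsmasq[812]: reply www.citrix.com is 208.73.210.29
Dec 13 09:14:05 gw dnsmasq[812]: query[A] www.example.org from 10.0.0.22
Dec 13 09:14:05 gw dnsmasq[812]: reply www.example.org is 93.184.216.34
Dec 13 09:15:41 gw dnsmasq[812]: reply sites-counter.com is 208.73.210.29
Dec 13 09:16:10 gw dnsmasq[812]: reply iphonecase.com is 208.73.210.48
Dec 13 09:16:11 gw dnsmasq[812]: reply www.citrix.com is <CNAME>
"""

# Constructed sample firewall log (not real data).
SAMPLE_FW_LOG = """\
Dec 13 09:14:03 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=208.73.210.29 LEN=60 PROTO=TCP SPT=51234 DPT=80
Dec 13 09:14:06 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.0.22 DST=93.184.216.34 LEN=60 PROTO=TCP SPT=51240 DPT=443
Dec 13 09:16:12 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=208.73.210.128 LEN=60 PROTO=TCP SPT=51300 DPT=80
"""

if __name__ == "__main__":
    for ip, names in sorted(dns_replies_to_watched(SAMPLE_DNS_LOG).items()):
        print(f"{ip} answered for: {', '.join(sorted(names))}")
    for src, dst, dport in outbound_to_watched(SAMPLE_FW_LOG):
        print(f"{src} -> {dst}:{dport}")
```

A name such as www.citrix.com resolving to the watched address from an internal resolver is the stronger signal, since it means a client on the network was handed that answer; a firewall hit alone may just be a user typing a typo-squatted domain.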
Johannes:
I just read this article and did a quick scan via Arcsight for the past 4 days on our network just to see if anything showed up as a "destination" to the IP address posted in this article. Results are in:

Total Events: 375
Firewall states: Dropped UDP DNS request from label length bytes exceeds remaining packet length 208.73.210.29

Possible malware server? I may have another IP for you, which is 208.73.210.128. Please let us know more info as I will continue investigating.
dec0der 7 Posts
Dec 13th 2011
Maybe not associated with DNS attacks, but this IP address appears to have more to "offer" than just a "yellow book".
For example, http://www.google.com/safebrowsing/diagnostic?site=AS:33626 mentions a number of hostnames associated with malware. Of those, the following currently resolve to 208.73.210.29: sites-counter.com, phones4wow.com, a-n-d-the.com, livench.com, mydearmishima.com and mainnetsoll.com (iphonecase.com, backyardbox.com and jiggythepom.com currently resolve to 208.73.210.48).

See http://support.clean-mx.de/clean-mx/viruses.php?ip=208.73.210.29&sort=first%20desc for some malware URLs, or Google for: "208.73.210.29" malware

Finally, http://www.robtex.com/ip/208.73.210.29.html lists possibly more hostnames associated with 208.73.210.29 (though not as many as bfk.de).
Erik van Straten 122 Posts
Dec 13th 2011
I ran a report in my web gateway for all web browsing to 208.73.210.29. I have 410 URLs with a destination address of 208.73.210.29 for the past 24 hours on my network. Let me know if you would like them.
Thanks, -casper114
Erik van Straten 1 Posts
Dec 13th 2011
Got a few hits on 208.73.210.29; in one case it seems to point to webexeurope.com.
Erik van Straten 1 Posts
Dec 14th 2011
A few hundred http hits in the last 24 hours. In addition to the DNS lookups.
Erik van Straten 1 Posts
Dec 14th 2011
The first time I noticed an unusual number of wildcard queries was Mon Nov 28 13:00:00 2011. I made a couple of images out of the reports that are available from the DNS hosting partner that we are using:

http://ut3.org/~kerolasa/wildcard_monthly.png
http://ut3.org/~kerolasa/wildcard_hourly.png

The queries seem to come in bursts, and they also have day/night fluctuation. As I could not understand where these queries might be coming from, I contacted the DNS hosting partner. They said there is a broken crawler somewhere on the internet causing trouble for many domains. Perhaps this is related.
kerolasa 1 Posts
Dec 15th 2011
Domaintools = 1.5 million+ sites registered to this IP address [http://whois.domaintools.com/208.73.210.29]
Robtex = 200+ registered to this IP address [http://www.robtex.com/ip/208.73.210.29.html]
HostExploit.com =
REB 3 Posts
Dec 18th 2011