63.251.252.12 – Malware remnants from yesteryear or harmless prodding by The Nielsen Company?

Our runner-up title for most dropped packets goes to 63.251.252.12. So what nefarious activity have we seen? On the surface, the activity appears fairly benign. However, the deeper we go down the rabbit hole, the more we discover!

So what ports are being attacked and how often? The lowest port targeted was 35935 and the highest 65428. TCP was the only protocol used, and no single port was hit more than 18 times across the 2,462 attacks logged so far (the count is still rising).
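An added example, not code from the original post, showing how per-source figures like the ones above (packet count, protocol, destination-port range, busiest port) can be derived from netfilter/iptables "Blocked" log lines. The field layout follows the firewall entry quoted in the reader reply at the end of this page; the sample lines and the "stale reply" heuristic are my own assumptions.

```python
import re
from collections import Counter

# KEY=value fields (OUT= may be empty); bare TCP flag tokens, excluding "ACK=<seq>"
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
FLAG_RE = re.compile(r"\b(SYN|ACK|PSH|FIN|RST|URG)\b(?!=)")

# Constructed sample log; same layout as the router entry in the comment below.
SAMPLE_LOG = """\
Blocked IN=eth0 OUT= SRC=63.251.252.12 DST=192.0.2.10 LEN=71 TTL=56 PROTO=TCP SPT=443 DPT=49726 SEQ=1 ACK=2 WINDOW=62 ACK PSH URGP=0
Blocked IN=eth0 OUT= SRC=63.251.252.12 DST=192.0.2.10 LEN=40 TTL=56 PROTO=TCP SPT=443 DPT=49726 WINDOW=62 ACK URGP=0
Blocked IN=eth0 OUT= SRC=63.251.252.12 DST=192.0.2.10 LEN=60 TTL=56 PROTO=TCP SPT=51234 DPT=35935 WINDOW=29200 SYN URGP=0
Blocked IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=48 PROTO=TCP SPT=40000 DPT=65428 WINDOW=1024 SYN URGP=0
"""


def parse_line(line):
    """Return the KEY=value fields of one log line plus a FLAGS set, or None."""
    if "PROTO=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields["FLAGS"] = set(FLAG_RE.findall(line))
    return fields


def summarise(log_text, src):
    """Per-source statistics in the spirit of the post's port figures."""
    ports, protos, stale = Counter(), Counter(), 0
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("SRC") != src:
            continue
        protos[f.get("PROTO", "?")] += 1
        if f.get("DPT"):
            ports[int(f["DPT"])] += 1
        # Heuristic (my assumption, not a claim of the post): a packet arriving
        # FROM a well-known port (e.g. 443) with ACK set and no SYN is usually a
        # late reply to a connection this host opened itself, not a fresh probe.
        if "ACK" in f["FLAGS"] and "SYN" not in f["FLAGS"] and int(f.get("SPT") or 0) < 1024:
            stale += 1
    busiest = ports.most_common(1)[0] if ports else (None, 0)
    return {
        "packets": sum(protos.values()),
        "protocols": sorted(protos),
        "port_min": min(ports) if ports else None,
        "port_max": max(ports) if ports else None,
        "busiest_port": busiest[0],
        "busiest_port_hits": busiest[1],
        "likely_stale_replies": stale,
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG, "63.251.252.12"))
```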

The quest gets more interesting when we look into the backstory of 63.251.252.12. A WHOIS query returns:

OrgName: Internap Network Services Corporation
OrgId: PNAP
Address: 250 Williams Street
Address: Suite E100
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US
RegDate: 1996-07-18
Updated: 2012-01-24
Ref: https://whois.arin.net/rest/org/PNAP

ARIN’s Abuse Contact page for Internap appears to be out of date: it lists a disconnected phone number. I contacted ARIN regarding this and was notified by ARIN hostmaster Jonathan Roberts, “ARIN will attempt to find updated contact information for this record.”

According to Internap Network Services Corporation’s website, they are the “… leading technology provider of internet infrastructure through both Colocation Business and Enterprise Services (including network connectivity, IP, bandwidth, and Managed Hosting), and Cloud Services (including enterprise-grade AgileCLOUD 2.0, Bare-Metal Servers, and SMB iWeb platforms).”

Looking at the map provided on their website, they have a datacenter in Atlanta and presumably that is where 63.251.252.12 lives.

TraceRoute from Network-Tools.com to 63.251.252.12

Hop  (ms)       (ms)       (ms)       IP Address      Host name
1    Timed out  Timed out  Timed out  –
2    1          1          1          4.68.63.178     ntt-level3-200g.dallas1.level3.net
3    1          1          1          129.250.5.5     ae-0.r23.dllstx09.us.bb.gin.ntt.net
4    40         41         41         129.250.4.154   ae-8.r23.snjsca04.us.bb.gin.ntt.net
5    40         40         40         129.250.3.175   ae-45.r01.snjsca04.us.bb.gin.ntt.net
6    43         44         43         157.238.64.138  ae-0.internap.snjsca04.us.bb.gin.ntt.net
7    44         44         43         66.151.144.31   border5.pc1-bbnet1.sje011.pnap.net
8    48         48         49         75.98.84.242    inapvoxcust-3.border3.sje011.pnap.net
9    43         43         43         63.251.252.12   –
Trace complete

On the second-to-last hop, “inapvoxcust” appears in the hostname. This reveals further details about the owner of 63.251.252.12, a company named Voxel Dot Net. According to Bloomberg, Voxel Dot Net is also based in Atlanta, GA, and “Voxel Dot Net, Inc. provides internet hosting services and infrastructure software. The Company offers cloud hosting, circuit testing, interconnection, server racks, firewall, backup, load balancing, power circuits, and recovery solutions.” Visiting www.voxel.net in the browser simply redirects to www.internap.com – putting our investigation into a loop.

So let’s charge further down the rabbit hole and get to the good stuff! AbuseIPDB users report 42 attacks from 63.251.252.12, notably DoS attacks dating back to May 3, 2016. Cymon shows that malwr.com has reported malware for 63.251.252.12. It gets interesting when we look deeper into the associated domains reported by Cymon:

loadr.exelator.com
loadm.exelator.com
loadus.exelator.com

A Google search yields 5,000+ results for “loadr.exelator.com”, and most signs point to a browser hijacker injected through “load.js”.

So who is behind exelator.com? Visiting www.exelator.com in the browser redirects to www.exelate.com, and the truth is finally revealed.

[Screenshot: exelator.com]

Shockingly, it is The Nielsen Company (US), LLC. Or, as they refer to it, “Nielsen Artificial Intelligence (AI)”, which they describe as follows: “Our marketing cloud gives you access to a universe of Nielsen audience data. We help you understand your customers at a level no one else can match. But it doesn’t stop there. Using built-in analytics and Nielsen Artificial Intelligence (AI), our cloud is constantly evaluating the success of your marketing and making adjustments in real-time. The result? Every step of your marketing process gets smarter and more effective.”

2 Replies to “63.251.252.12 – Malware remnants from yesteryear or harmless prodding by The Nielsen Company?”

  1. I am getting hit via 63.251.252.12 as my router is full of attempts:

     Blocked IN=eth0 OUT= MAC=c8:a7:0a:a9:8c:97:40:a6:77:be:36:ca:08:00 SRC=63.251.240.12 DST=[REDACTED] LEN=71 TOS=00 PREC=0x00 TTL=56 ID=18918 DF PROTO=TCP SPT=443 DPT=49726 SEQ=1372870341 ACK=3419201302 WINDOW=62 ACK PSH URGP=0 MARK=0

     After attempting to find this I stumbled upon this under a Google search. Is this the end of the doc? Why would Nielsen AI be attempting to gain access to my computer / connect to my computer / possibly sending pop ups? No idea at all why they are in my router … Seems like they are using random IP addresses instead of just 63.251.240.12