– Malware remnants from yesteryear or harmless prodding by The Nielsen Company?

Our runner-up title for most dropped packets is bestowed upon So what nefarious activity have we seen? On the surface, the attacks appear fairly benign. However, the deeper we go down the rabbit hole, the more we discover!

So what ports are being attacked and how often? Port 35935 was the lowest and 65428 the highest. TCP was the only protocol used and no single port was attacked more than 18 times in the total 2,462 attacks (still in progress).
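The tally above (port range, protocol, hits per port) can be reproduced from a firewall drop log. The following is an added example, not code from the original post: it also splits packets into bare-SYN connection attempts and packets sent from source port 80/443 without a bare SYN, a pattern consistent with late replies to connections an internal host opened. It assumes netfilter-style log lines like the one quoted in the reader comment on this page; the sample lines, their documentation-range addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the netfilter LOG style quoted in the reader
# comment; all addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Blocked IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=71 TTL=56 PROTO=TCP SPT=443 DPT=49726 WINDOW=62 ACK PSH URGP=0
Blocked IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=52 TTL=56 PROTO=TCP SPT=443 DPT=49726 WINDOW=62 ACK FIN URGP=0
Blocked IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TTL=56 PROTO=TCP SPT=443 DPT=35935 WINDOW=0 RST URGP=0
Blocked IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TTL=56 PROTO=TCP SPT=51514 DPT=65428 WINDOW=29200 SYN URGP=0
Blocked IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.10 LEN=60 TTL=49 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 SYN URGP=0
"""
FIELD = re.compile(r"(\w+)=(\S*)")
FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
WEB_PORTS = {80, 443}

def parse(line):
    """Return the key=value fields plus the set of bare TCP flag tokens."""
    fields = dict(FIELD.findall(line))
    fields["FLAGS"] = FLAGS & set(line.split())
    return fields

def classify(pkt):
    """Separate new inbound connection attempts from likely reply traffic."""
    flags = pkt["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection"
    if int(pkt["SPT"]) in WEB_PORTS and flags & {"ACK", "RST", "FIN"}:
        return "web-reply"  # sent from a web server port, not a bare SYN
    return "other"

def summarize(log_text, src):
    """Port range, per-port counts and packet classes for one source IP."""
    pkts = [p for p in map(parse, log_text.splitlines()) if p.get("SRC") == src]
    if not pkts:
        return {"total": 0}
    ports = Counter(int(p["DPT"]) for p in pkts)
    return {
        "total": len(pkts),
        "protocols": sorted({p["PROTO"] for p in pkts}),
        "lowest_port": min(ports),
        "highest_port": max(ports),
        "max_hits_on_one_port": max(ports.values()),
        "classes": dict(Counter(classify(p) for p in pkts)),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "203.0.113.7"))
```

A drop log dominated by the `web-reply` class points at out-of-state return traffic rather than inbound probing, which changes how the "attack" count should be read.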

The quest gets more interesting when we look into the backstory of A WHOIS query returns:

OrgName: Internap Network Services Corporation
Address: 250 Williams Street
Address: Suite E100
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US
RegDate: 1996-07-18
Updated: 2012-01-24
Ref: https://whois.arin.net/rest/org/PNAP

ARIN’s Abuse Contact page for Internap appears to be out of date: it lists a disconnected phone number. I contacted ARIN regarding this and was notified by ARIN hostmaster Jonathan Roberts, “ARIN will attempt to find updated contact information for this record.”

According to Internap Network Services Corporation’s website, they are the “… leading technology provider of internet infrastructure through both Colocation Business and Enterprise Services (including network connectivity, IP, bandwidth, and Managed Hosting), and Cloud Services (including enterprise-grade AgileCLOUD 2.0, Bare-Metal Servers, and SMB iWeb platforms).”

Looking at the map provided on their website, they have a datacenter in Atlanta and presumably that is where lives.

TraceRoute from Network-Tools.com to
Hop (ms) (ms) (ms) IP Address Host name
1 Timed out Timed out Timed out –
2 1 1 1 ntt-level3-200g.dallas1.level3.net
3 1 1 1 ae-0.r23.dllstx09.us.bb.gin.ntt.net
4 40 41 41 ae-8.r23.snjsca04.us.bb.gin.ntt.net
5 40 40 40 ae-45.r01.snjsca04.us.bb.gin.ntt.net
6 43 44 43 ae-0.internap.snjsca04.us.bb.gin.ntt.net
7 44 44 43 border5.pc1-bbnet1.sje011.pnap.net
8 48 48 49 inapvoxcust-3.border3.sje011.pnap.net
9 43 43 43 –
Trace complete

On the second-to-last hop “inapvoxcust” is noted in the hostname. This reveals further details about the owner of, a company named Voxel Dot Net. According to Bloomberg, “Voxel Dot Net, Inc. provides internet hosting services and infrastructure software. The Company offers cloud hosting, circuit testing, interconnection, server racks, firewall, backup, load balancing, power circuits, and recovery solutions” and is also based in Atlanta, GA. Visiting http://www.voxel.net in the browser simply redirects to www.internap.com – putting our investigation into a loop.

So let’s charge further down the rabbit hole and get to the good stuff!  AbuseIPDB users report 42 attacks from, notably DoS attacks dating back to May 3, 2016. Cymon shows malware has been reported for by malwr.com. It gets interesting when we look deeper into the associated domains reported by Cymon:


A Google search yields 5,000+ results for “loadr.exelator.com” and most signs point to a browser hijacker injected through “load.js”.

So who is behind exelator.com?  Visiting http://www.exelator.com in the browser redirects to http://www.exelate.com and the truth is finally revealed.


Shockingly, it is The Nielsen Company (US), LLC. Or as they refer to it, “Nielsen Artificial Intelligence (AI)” and describe it as “Our marketing cloud gives you access to a universe of Nielsen audience data. We help you understand your customers at a level no one else can match. But it doesn’t stop there. Using built-in analytics and Nielsen Artificial Intelligence (AI), our cloud is constantly evaluating the success of your marketing and making adjustments in real-time. The result? Every step of your marketing process gets smarter and more effective.”

2 thoughts on “ – Malware remnants from yesteryear or harmless prodding by The Nielsen Company?”

  1. I am getting hit via as my router is full of attempts Blocked IN=eth0 OUT= MAC=c8:a7:0a:a9:8c:97:40:a6:77:be:36:ca:08:00 SRC= DST=[REDACTED] LEN=71 TOS=00 PREC=0x00 TTL=56 ID=18918 DF PROTO=TCP SPT=443 DPT=49726 SEQ=1372870341 ACK=3419201302 WINDOW=62 ACK PSH URGP=0 MARK=0
    After attempting to find this I stumbled upon this under a Google search. Is this the end of the doc? Why would Nielsen AI be attempting to gain access to my computer / connect to my computer / possibly sending pop-ups? No idea at all why they are in my router … Seems like they are using random IP addresses instead of just

