Recently, I posted about the IP 220.127.116.11 and the DoS attacks I observed in my syslog. I presumed the reverse DNS record (PTR record) pointing to no-reverse-dns-configured.com was just a one-time fake. However, further investigation blew that theory out of the water.
Upon review of the top three networks in my all-time dropped packets list, I saw 18.104.22.168 which is also managed by Quasi Networks LTD and has a PTR record, you guessed it, going to no-reverse-dns-configured.com. At that point I figured further investigation into this domain name was needed.
IBM X-Force Exchange is reporting the DNS name no-reverse-dns-configured.com has 245 associated DNS records of which 244 are PTR records from IP addresses managed by Quasi Networks LTD. Many of the IP addresses shown have been blacklisted by IBM.
A little further down the page shows no-reverse-dns-configured.com was flagged as malware 673 times, mostly for a phishing attack in December 2016.
Threatcrowd.org is also reporting no-reverse-dns-configured.com as malicious, including a link to a post on MalwareMustDie.org. In the post on MMD, no-reverse-dns-configured.com is shown as being used in a DDoS attack in February 2016, referred to as “MMD-0052-2016 – Overview of “SkidDDoS” ELF++ IRC Botnet.”
no-reverse-dns-configured.com turns up yet again on DigitalOcean’s community forum back in February 2016, where a user reported “Strang [sic] activity at auth.log (POSSIBLE BREAK-IN ATTEMPT)” from an IP address with a PTR record going to no-reverse-dns-configured.com.
So what is the ownership history of the no-reverse-dns-configured.com domain name? According to a ThreatMiner.org lookup, the domain name was owned in 2016 by world-famous domain name squatter Milen Radumilo. Milen is credited with almost 100,000 registered domain names on DomainTools.
Milen Radumilo lost a notable domain name dispute against Energizer Brands, LLC over saidenergizer.com. The complaint notes that Milen used the domain name in bad faith, going so far as to impersonate the Energizer Bunny to profit from links to third-party websites. Milen was also involved in at least five previous domain name dispute proceedings, each of which resulted in him forfeiting the squatted domain name.
Milen was also exposed in the Flexytalk WordPress plugin incident, when he scooped up two expired domains and subsequently injected popup scams into the websites using the plugin.
Sometime around March 10, 2017 the domain name ownership of no-reverse-dns-configured.com was transferred from Milen Radumilo to Dmitry Vasilev. Similar to Quasi Networks Ltd, Dmitry also has an address in Seychelles.
Dmitry is also a prolific domain name squatter, with over 18,000 domains associated with him, mostly under the organization “Kineticdomains Ltd.” A prior domain name dispute Dmitry was involved in references his company as “Elmaco Ltd,” but no further information is found for either company.
I contacted RIPE NCC regarding the malicious traffic from Quasi Networks and informed them of the numerous PTR records pointing to no-reverse-dns-configured.com. I received a response from RIPE NCC Customer Services that, “In order to have a reverse delagation [sic] PTR records are not a must and therefor [sic] any can create PTR records with false information.” I followed up with further documentation of the malicious activity from Quasi Networks and will update this post with their response.
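RIPE NCC's answer is the practical takeaway: whoever controls the reverse zone for an address block can put any name they like in a PTR record, so the PTR text on its own is not evidence of anything. The check that gives a PTR some weight is forward-confirmed reverse DNS, which resolves the PTR name forward again and only trusts it if the original address comes back. Below is an added Python example of that check, not code from this post; the addresses and records are constructed sample data, and the `live_*` helpers, which use the system resolver, are my own names.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed, offline stand-in for DNS (not real records): RFC 5737 test
# addresses with the PTR and A data a resolver might return for them.
FAKE_PTR: Dict[str, str] = {
    "192.0.2.10": "no-reverse-dns-configured.com",  # PTR text anyone can set
    "192.0.2.20": "mail.example.net",                # PTR that forward-confirms
    "192.0.2.30": "host.example.org",                # PTR name points elsewhere
}
FAKE_A: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.20"],
    "host.example.org": ["198.51.100.5"],
    # no-reverse-dns-configured.com deliberately has no forward record here
}

def fake_ptr_lookup(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)

def fake_a_lookup(name: str) -> List[str]:
    return FAKE_A.get(name, [])

def live_ptr_lookup(ip: str) -> Optional[str]:
    """Real PTR lookup through the system resolver (needs network)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def live_a_lookup(name: str) -> List[str]:
    """Real forward lookup through the system resolver (needs network)."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def fcrdns(ip: str,
           ptr_lookup: Callable[[str], Optional[str]] = fake_ptr_lookup,
           a_lookup: Callable[[str], List[str]] = fake_a_lookup) -> str:
    """'confirmed' if the PTR name resolves back to ip, 'mismatch' if not, 'no-ptr' if none."""
    ip = str(ipaddress.ip_address(ip))  # normalises, rejects garbage input
    name = ptr_lookup(ip)
    if name is None:
        return "no-ptr"
    # A mismatch means the PTR text says nothing about who owns the sender.
    return "confirmed" if ip in a_lookup(name.rstrip(".")) else "mismatch"

def triage(ips, **lookups) -> Dict[str, str]:
    """Classify many addresses, e.g. the sources of a dropped-packet list."""
    return {ip: fcrdns(ip, **lookups) for ip in ips}
```

Pass `ptr_lookup=live_ptr_lookup, a_lookup=live_a_lookup` to `triage` to run it against real syslog sources; a "mismatch" verdict is the signal to treat the PTR name as decoration rather than attribution.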