Hall of Shame updated with known IP addresses with PTR records going to no-reverse-dns-configured.com

The Hall of Shame has been updated with a list of known IP addresses with PTR records going to no-reverse-dns-configured.com.

I have found the following IP addresses in my syslog with PTR records going to no-reverse-dns-configured.com. 80.82.65.66 was previously discussed due to the sheer volume of attacks.

All IP addresses are managed by Quasi Networks LTD, per the RIPE Database lookup.

Source IP        Count   Protocol
80.82.65.66      20489   TCP
80.82.79.104        91   TCP
80.82.70.134        11   TCP & UDP
80.82.78.188        11   TCP
89.248.171.40        7   UDP
80.82.65.204         4   UDP
80.82.70.2           3   UDP
89.248.162.142       2   TCP
89.248.170.224       2   TCP
89.248.172.90        2   TCP
80.82.65.199         1   TCP
89.248.160.192       1   TCP
89.248.168.15        1   TCP
89.248.172.44        1   TCP

Google Search Console Team deems Bad Packets Report a safe website!

Huzzah! Bad Packets Report has been cleared as a safe site by the Google Search Console Team.

Earlier this morning, we received the following notification:

To: Webmaster of https://badpackets[.]net/,

Google has received and processed your security review request. Google systems indicate that https://badpackets[.]net/ no longer contains links to harmful sites or downloads. The warnings visible to users are being removed from your site. This may take a few hours to happen.

Thank you to the Google Search Console Team for clearing up this false positive so quickly!

no-reverse-dns-configured.com – The mother of all PTR records

Recently, I posted about the IP 80.82.65.66 and the DoS attacks I observed in my syslog. I presumed the reverse DNS record (PTR record) pointing to no-reverse-dns-configured.com was just a one-time fake. However, further investigation blew that theory out of the water.

Upon review of the top three networks in my all-time dropped packets list, I saw 93.174.93.136 which is also managed by Quasi Networks LTD and has a PTR record, you guessed it, going to no-reverse-dns-configured.com. At that point I figured further investigation into this domain name was needed.

IBM X-Force Exchange is reporting the DNS name no-reverse-dns-configured.com has 245 associated DNS records, of which 244 are PTR records from IP addresses managed by Quasi Networks LTD. Many of the IP addresses shown have been blacklisted by IBM.

A little further down, the page shows no-reverse-dns-configured.com was flagged as malware 673 times, mostly for a phishing attack in December 2016.

ThreatCrowd.org report on no-reverse-dns-configured.com

ThreatCrowd.org is also reporting no-reverse-dns-configured.com as malicious, including a link to a post on MalwareMustDie.org. In the post on MMD, no-reverse-dns-configured.com is shown as being used in a DDoS attack in February 2016, referred to as “MMD-0052-2016 – Overview of “SkidDDoS” ELF++ IRC Botnet.”

no-reverse-dns-configured.com is invoked yet again on DigitalOcean’s community forum back in February 2016 where a user reported, “Strang [sic] activity at auth.log (POSSIBLE BREAK-IN ATTEMPT)” from an IP address with a PTR record going to no-reverse-dns-configured.com.

So what is the ownership history of the no-reverse-dns-configured.com domain name? According to a ThreatMiner.org lookup, the domain name was owned in 2016 by world-famous domain name squatter Milen Radumilo. Milen is credited with almost 100,000 registered domain names on DomainTools.

Milen Radumilo squatted on the domain saidenergizer.com

Milen Radumilo lost a notable domain name dispute against Energizer Brands, LLC for saidenergizer.com. The complaint notes that Milen used the domain name in bad faith, going so far as to impersonate the Energizer Bunny to profit from links to third-party websites. Milen was also involved in at least five previous domain name dispute proceedings, each of which resulted in him forfeiting the squatted domain name.

Milen was also exposed in the Flexytalk WordPress plugin incident when he scooped two expired domains and subsequently injected popup scams into the websites using the plugin.

Sometime around March 10, 2017, the domain name ownership of no-reverse-dns-configured.com was transferred from Milen Radumilo to Dmitry Vasilev. Similar to Quasi Networks Ltd, Dmitry also has an address in Seychelles.

Dmitry is also a prolific domain name squatter, with over 18,000 domains associated with him, mostly under the organization “Kineticdomains Ltd”. A prior domain name dispute Dmitry was involved in references his company as “Elmaco Ltd”, but no further information is found for either company.

I contacted RIPE NCC regarding the malicious traffic from Quasi Networks and informed them of the numerous PTR records pointing to no-reverse-dns-configured.com. I received a response from RIPE NCC Customer Services that, “In order to have a reverse delagation [sic] PTR records are not a must and therefor [sic] any can create PTR records with false information.” I followed up with further documentation of the malicious activity from Quasi Networks and will update this post with their response.

Google Safe Browsing algorithm labels Bad Packets Report as “unsafe site”

Irony reached maximum levels today when Google Safe Browsing labeled Bad Packets Report, our website, as an “unsafe site” per the notification received in the Google Search Console.

False positive report by Google

Unfortunately, no explanation was provided on the Google Transparency Report website, which only notes that:

The site badpackets.net contains harmful content, including pages that:

  • Contain suspicious or unknown software

This is an incredible claim, given that no software is hosted on Bad Packets Report, nor any URLs that link to “suspicious or unknown software”.

Google did not respond to a request for comment on the matter.

Other Google users are reporting similar issues on the Webmaster Central Help Forum but no explanation has been provided by Google for these false positives.

These false positives may come at a time when Google is adjusting the Google Safe Browsing algorithm to enforce higher security requirements for websites. Google put webmasters on notice in October 2016, advising that all non-HTTPS traffic would eventually display a “Not Secure” warning in Chrome.

63.251.252.12 – Malware remnants from yesteryear or harmless prodding by The Nielsen Company?

Our runner up title for most dropped packets is bestowed upon 63.251.252.12. So what nefarious activity have we seen? On the surface, the attacks appear fairly benign. However, the deeper we go down the rabbit hole, the more we discover!

So what ports are being attacked and how often? Port 35935 was the lowest and 65428 the highest. TCP was the only protocol used and no single port was attacked more than 18 times in the total 2,462 attacks (still in progress).

The quest gets more interesting when we look into the backstory of 63.251.252.12. A WHOIS query returns:

OrgName: Internap Network Services Corporation
OrgId: PNAP
Address: 250 Williams Street
Address: Suite E100
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US
RegDate: 1996-07-18
Updated: 2012-01-24
Ref: https://whois.arin.net/rest/org/PNAP

ARIN’s Abuse Contact page for Internap appears to be out of date by providing a disconnected phone number. I contacted ARIN regarding this and was notified by ARIN hostmaster Jonathan Roberts, “ARIN will attempt to find updated contact information for this record.”

According to Internap Network Services Corporation’s website they are the, “… leading technology provider of internet infrastructure through both Colocation Business and Enterprise Services (including network connectivity, IP, bandwidth, and Managed Hosting), and Cloud Services (including enterprise-grade AgileCLOUD 2.0, Bare-Metal Servers, and SMB iWeb platforms).”

Looking at the map provided on their website, they have a datacenter in Atlanta and presumably that is where 63.251.252.12 lives.

TraceRoute from Network-Tools.com to 63.251.252.12
Hop  (ms)       (ms)       (ms)       IP Address       Host name
1    Timed out  Timed out  Timed out  –
2    1          1          1          4.68.63.178      ntt-level3-200g.dallas1.level3.net
3    1          1          1          129.250.5.5      ae-0.r23.dllstx09.us.bb.gin.ntt.net
4    40         41         41         129.250.4.154    ae-8.r23.snjsca04.us.bb.gin.ntt.net
5    40         40         40         129.250.3.175    ae-45.r01.snjsca04.us.bb.gin.ntt.net
6    43         44         43         157.238.64.138   ae-0.internap.snjsca04.us.bb.gin.ntt.net
7    44         44         43         66.151.144.31    border5.pc1-bbnet1.sje011.pnap.net
8    48         48         49         75.98.84.242     inapvoxcust-3.border3.sje011.pnap.net
9    43         43         43         63.251.252.12    –
Trace complete

On the second-to-last hop “inapvoxcust” is noted in the hostname. This reveals further details about the owner of 63.251.252.12, a company named Voxel Dot Net. According to Bloomberg, “Voxel Dot Net, Inc. provides internet hosting services and infrastructure software. The Company offers cloud hosting, circuit testing, interconnection, server racks, firewall, backup, load balancing, power circuits, and recovery solutions” and is also based in Atlanta, GA. Visiting www.voxel.net in the browser simply redirects to www.internap.com – putting our investigation into a loop.

So let’s charge further down the rabbit hole and get to the good stuff! AbuseIPDB users report 42 attacks from 63.251.252.12, notably DoS attacks dating back to May 3, 2016. Cymon shows malware has been reported for 63.251.252.12 by malwr.com. It gets interesting when we look deeper into the associated domains reported by Cymon:

loadr.exelator.com
loadm.exelator.com
loadus.exelator.com

A Google search yields 5,000+ results for “loadr.exelator.com” and most signs point to a browser hijacker injected through “load.js”.

So who is behind exelator.com? Visiting www.exelator.com in the browser redirects to www.exelate.com and the truth is finally revealed.

exelator.com

Shockingly, it is The Nielsen Company (US), LLC. Or as they refer to it, “Nielsen Artificial Intelligence (AI)” and describe it as “Our marketing cloud gives you access to a universe of Nielsen audience data. We help you understand your customers at a level no one else can match. But it doesn’t stop there. Using built-in analytics and Nielsen Artificial Intelligence (AI), our cloud is constantly evaluating the success of your marketing and making adjustments in real-time. The result? Every step of your marketing process gets smarter and more effective.”

The Master Needler – 80.82.65.66

I’ve been watching the dropped packets for 80.82.65.66 for a while now and feel it’s safe to bestow the title of “The Master Needler” upon them.

So which ports are they poking the most? Interestingly, the ports attacked were evenly distributed and appear mostly random. The lowest port number attacked was 1000 and the highest was 65506. No single port was attacked more than 26 times. The only protocol used in the attacks was TCP.

The full list of ports attacked by 80.82.65.66 is located here: https://pastebin.com/w0uca8q6
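The per-source counts in the Hall of Shame table and the port statistics quoted for 80.82.65.66 and 63.251.252.12 (lowest and highest port, most hits on any single port) can be produced directly from dropped-packet syslog lines. This added example is not the author's tooling: it assumes netfilter LOG-style lines (SRC=, PROTO=, DPT=) and runs over a handful of constructed sample lines rather than the real log.

```python
import re
from collections import Counter

# Constructed sample syslog lines in netfilter LOG format (assumed format; sample data, not the author's log).
SAMPLE_SYSLOG = """\
Mar 10 08:01:12 fw kernel: DROP IN=eth0 OUT= SRC=80.82.65.66 DST=192.0.2.10 PROTO=TCP SPT=44021 DPT=1000 SYN
Mar 10 08:01:15 fw kernel: DROP IN=eth0 OUT= SRC=80.82.65.66 DST=192.0.2.10 PROTO=TCP SPT=44021 DPT=65506 SYN
Mar 10 08:01:19 fw kernel: DROP IN=eth0 OUT= SRC=80.82.65.66 DST=192.0.2.10 PROTO=TCP SPT=44022 DPT=1000 SYN
Mar 10 08:02:03 fw kernel: DROP IN=eth0 OUT= SRC=80.82.70.134 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=5060
Mar 10 08:02:07 fw kernel: DROP IN=eth0 OUT= SRC=80.82.70.134 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Mar 10 08:02:09 fw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443 SYN
"""

# Pull source IP, protocol and (for TCP/UDP) destination port out of one LOG line.
LOG_RE = re.compile(r"\bSRC=(?P<src>[\d.]+) .*?\bPROTO=(?P<proto>\w+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?")

def parse_drops(text):
    """Yield (src, proto, dport) for each dropped packet; dport is None when the protocol has none."""
    for line in text.splitlines():
        if " DROP " not in line:  # only blocked traffic counts as an "attack" here
            continue
        m = LOG_RE.search(line)
        if m:
            dpt = m.group("dpt")
            yield m.group("src"), m.group("proto"), (int(dpt) if dpt else None)

def summarize(text):
    """Per source IP: drop count, protocols seen, and destination-port spread as reported in the posts."""
    stats = {}
    for src, proto, dpt in parse_drops(text):
        s = stats.setdefault(src, {"count": 0, "protocols": set(), "ports": Counter()})
        s["count"] += 1
        s["protocols"].add(proto)
        if dpt is not None:
            s["ports"][dpt] += 1
    return {
        src: {
            "count": s["count"],
            "protocol": " & ".join(sorted(s["protocols"])),
            "lowest_port": min(s["ports"]) if s["ports"] else None,
            "highest_port": max(s["ports"]) if s["ports"] else None,
            "max_hits_on_one_port": max(s["ports"].values()) if s["ports"] else 0,
        }
        for src, s in stats.items()
    }

if __name__ == "__main__":
    for src, r in sorted(summarize(SAMPLE_SYSLOG).items(), key=lambda kv: -kv[1]["count"]):
        print(src, r)
```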

As of this writing, I have seen 20,489 unique attacks from 80.82.65.66. No other single IP address found in my syslog comes close to this amount. So who is operating the attack server 80.82.65.66?

A RIPE database query for the 80.82.65.0/24 subnet yields the following result:

org-name: Quasi Networks LTD.
org-type: OTHER
address: Suite 1, Second Floor
address: Sound & Vision House, Francis Rachel Street
address: Victoria, Mahe, SEYCHELLES
remarks: *****************************************************************************
remarks: IMPORTANT INFORMATION
remarks: *****************************************************************************
remarks: We are a high bandwidth network provider offering bandwidth solutions.
remarks: Government agencies can sent their requests to gov.request@quasinetworks.com
remarks: Please only use abuse@quasinetworks.com for abuse reports.
remarks: For all other requests, please see the details on our website.
remarks: *****************************************************************************

Performing a WHOIS lookup shows a PTR record going to a CNAME for no-reverse-dns-configured.com. This is a bit odd and is likely a fake/fraudulent PTR record, since the DNS name has no actual relation to the IP address.
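A forward-confirmed reverse DNS (FCrDNS) check makes the "no actual relation" concrete, and also illustrates the point RIPE NCC made in the earlier post: anyone can publish a PTR with arbitrary content, so the PTR name must be resolved forward and checked against the original IP before it is trusted. This added example is not from the post; the DNS answers are constructed stand-ins (the forward records for no-reverse-dns-configured.com are placeholders), and lookup() would be replaced by a real resolver in live use.

```python
import ipaddress

# Constructed zone data standing in for live DNS answers (sample values, not real resolver output).
# Only the PTR target for 80.82.65.66 matches the post; the CNAME/A answers are placeholders.
CONSTRUCTED_DNS = {
    "PTR": {
        "66.65.82.80.in-addr.arpa.": "no-reverse-dns-configured.com.",
        "1.2.0.192.in-addr.arpa.": "mail.example.net.",
    },
    "CNAME": {"no-reverse-dns-configured.com.": "parked.example.invalid."},
    "A": {
        "mail.example.net.": {"192.0.2.1"},
        "parked.example.invalid.": {"203.0.113.9"},
    },
}

def lookup(dns, rtype, name):
    """Stand-in for a resolver query; returns the record data or None (NXDOMAIN/NODATA)."""
    return dns.get(rtype, {}).get(name)

def reverse_name(ip):
    """Build the in-addr.arpa / ip6.arpa owner name for an address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def forward_addresses(dns, name, max_cnames=8):
    """Resolve a name to its A records, following CNAMEs (bounded so a CNAME loop cannot hang us)."""
    for _ in range(max_cnames):
        target = lookup(dns, "CNAME", name)
        if target is None:
            return lookup(dns, "A", name) or set()
        name = target
    return set()

def fcrdns(ip, dns=CONSTRUCTED_DNS):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
    Returns (status, ptr_name) with status 'confirmed', 'mismatch' or 'no-ptr'."""
    ptr = lookup(dns, "PTR", reverse_name(ip))
    if ptr is None:
        return "no-ptr", None
    if ip in forward_addresses(dns, ptr):
        return "confirmed", ptr
    return "mismatch", ptr  # PTR exists but nothing points back: treat the name as untrusted

if __name__ == "__main__":
    for ip in ("80.82.65.66", "192.0.2.1", "198.51.100.7"):
        print(ip, *fcrdns(ip))
```

A 'mismatch' result is exactly the signature of the Quasi Networks PTRs: the reverse name is present but carries no information about who operates the address.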

Fake PTR record for 80.82.65.66

So when will the attacks stop? I have not heard back from Quasi Networks yet.

It appears I’m not alone, however; others are reporting similar attacks from 80.82.65.66:

AbuseIPDB » 80.82.65.66 was reported 67 times

Time Warner Cable customer reporting a SYN flood attack from 80.82.65.66

Cymon reports 80.82.65.66 is found in blacklists and noted malicious activities.