I previously reported on no-reverse-dns-configured.com and the current and previous owners. But what about the February 2016 botnet attacks? Who was the owner when the domain name was invoked in those attacks?
According to DomainTools, the owner of no-reverse-dns-configured.com in February 2016 was Slawek Modrzejewski. Slawek was the original owner of the domain name, which was first registered on 11/15/2015.
On 4/9/2016, the registration for no-reverse-dns-configured.com was dropped by GoDaddy. Five days later, the registration was picked up by SouthNames Inc. (NamePal.com) with an anonymous owner protected by United Privacy Corp, which is based in Belize.
In addition to the numerous WHOIS record updates for no-reverse-dns-configured.com, the domain has an equally eventful hosting history. As of this writing, no-reverse-dns-configured.com has pointed to 14 different IP addresses, shown in the illustration below from DomainTools.
During the botnet attacks, the hosting IP address was changed to 184.108.40.206 which is managed by ColoCrossing. After the attacks the server IP address was changed to 220.127.116.11 – which is a bit odd as that IP is managed by Alascom, Inc. in Anchorage, Alaska. Further information provided by DomainTools shows 78 domain names have A records going to 18.104.22.168.
As a result, none of those domain names actually resolve to a working host, which looks like some sort of “spammer nullroute”. The full list of the 78 domain names pointing to 22.214.171.124 is available here. I notified AT&T/Alascom about these fake A records pointing to their infrastructure and will follow up if I hear back from their NOC/IPAM team.
Google has received and processed your security review request. Google systems indicate that https://badpackets[.]net/ no longer contains links to harmful sites or downloads. The warnings visible to users are being removed from your site. This may take a few hours to happen.
Thank you to Google Search Console Team for clearing up this false-positive so quickly!
Recently, I posted about the IP 126.96.36.199 and the DoS attacks I observed in my syslog. I presumed the reverse DNS record (PTR record) pointing to no-reverse-dns-configured.com was just a one-time fake. However, further investigation blew that theory out of the water.
Upon review of the top three networks in my all-time dropped packets list, I saw 188.8.131.52 which is also managed by Quasi Networks LTD and has a PTR record, you guessed it, going to no-reverse-dns-configured.com. At that point I figured further investigation into this domain name was needed.
IBM X-Force Exchange is reporting the DNS name no-reverse-dns-configured.com has 245 associated DNS records of which 244 are PTR records from IP addresses managed by Quasi Networks LTD. Many of the IP addresses shown have been blacklisted by IBM.
A little further down the page, no-reverse-dns-configured.com is shown as having been flagged as malware 673 times, mostly for a phishing attack in December 2016.
Threatcrowd.org is also reporting no-reverse-dns-configured.com as malicious, including a link to a post on MalwareMustDie.org. In the post on MMD, no-reverse-dns-configured.com is shown as being used in a DDoS attack in February 2016, referred to as “MMD-0052-2016 – Overview of “SkidDDoS” ELF++ IRC Botnet.”
So what is the ownership history of the no-reverse-dns-configured.com domain name? According to a ThreatMiner.org lookup, the domain name was owned in 2016 by world famous domain name squatter Milen Radumilo. Milen is credited with almost 100,000 registered domain names on DomainTools.
Milen Radumilo lost a notable domain name dispute against Energizer Brands, LLC for saidenergizer.com. The complaint notes that Milen used the domain name in bad faith, going so far as to impersonate the Energizer Bunny to profit from links to third-party websites. Milen was also involved in at least five previous domain name dispute proceedings, each of which resulted in him forfeiting the squatted domain name.
Milen was also exposed in the Flexytalk WordPress plugin incident when he scooped two expired domains and subsequently injected popup scams into the websites using the plugin.
Sometime around March 10, 2017 the domain name ownership of no-reverse-dns-configured.com was transferred from Milen Radumilo to Dmitry Vasilev. Similar to Quasi Networks Ltd, Dmitry also has an address in Seychelles.
Dmitry is also a prolific domain name squatter, with over 18,000 domains associated to him, mostly under the organization “Kineticdomains Ltd”. A prior domain name dispute Dmitry was involved in references his company as “Elmaco Ltd”, but no further information is found for either company.
I contacted RIPE NCC regarding the malicious traffic from Quasi Networks and informed them of the numerous PTR records pointing to no-reverse-dns-configured.com. I received a response from RIPE NCC Customer Services that, “In order to have a reverse delagation [sic] PTR records are not a must and therefor [sic] any can create PTR records with false information.” I followed up with further documentation of the malicious activity of Quasi Networks and will update this post with their response.
These false positives may come at a time when Google is adjusting its Google Safe Browsing algorithm to enforce higher security requirements for websites. Google put webmasters on notice in October 2016, advising that all non-HTTPS traffic would eventually display a “Not Secure” warning in Chrome.
Our runner up title for most dropped packets is bestowed upon 184.108.40.206. So what nefarious activity have we seen? On the surface, the attacks appear fairly benign. However, the deeper we go down the rabbit hole, the more we discover!
So what ports are being attacked and how often? Port 35935 was the lowest and 65428 the highest. TCP was the only protocol used and no single port was attacked more than 18 times in the total 2,462 attacks (still in progress).
The quest gets more interesting when we look into the backstory of 220.127.116.11. A WHOIS query returns:
OrgName: Internap Network Services Corporation
Address: 250 Williams Street
Address: Suite E100
ARIN’s Abuse Contact page for Internap appears to be out of date by providing a disconnected phone number. I contacted ARIN regarding this and was notified by ARIN hostmaster Jonathan Roberts, “ARIN will attempt to find updated contact information for this record.”
According to Internap Network Services Corporation’s website they are the, “… leading technology provider of internet infrastructure through both Colocation Business and Enterprise Services (including network connectivity, IP, bandwidth, and Managed Hosting), and Cloud Services (including enterprise-grade AgileCLOUD 2.0, Bare-Metal Servers, and SMB iWeb platforms).”
Looking at the map provided on their website, they have a datacenter in Atlanta and presumably that is where 18.104.22.168 lives.
TraceRoute from Network-Tools.com to 22.214.171.124
Hop (ms) (ms) (ms) IP Address Host name
1 Timed out Timed out Timed out –
2 1 1 1 126.96.36.199 ntt-level3-200g.dallas1.level3.net
3 1 1 1 188.8.131.52 ae-0.r23.dllstx09.us.bb.gin.ntt.net
4 40 41 41 184.108.40.206 ae-8.r23.snjsca04.us.bb.gin.ntt.net
5 40 40 40 220.127.116.11 ae-45.r01.snjsca04.us.bb.gin.ntt.net
6 43 44 43 18.104.22.168 ae-0.internap.snjsca04.us.bb.gin.ntt.net
7 44 44 43 22.214.171.124 border5.pc1-bbnet1.sje011.pnap.net
8 48 48 49 126.96.36.199 inapvoxcust-3.border3.sje011.pnap.net
9 43 43 43 188.8.131.52 –
On the second-to-last hop “inapvoxcust” is noted in the hostname. This reveals further details about the owner of 184.108.40.206, a company named Voxel Dot Net. According to Bloomberg, “Voxel Dot Net, Inc. provides internet hosting services and infrastructure software. The Company offers cloud hosting, circuit testing, interconnection, server racks, firewall, backup, load balancing, power circuits, and recovery solutions” and is also based in Atlanta, GA. Visiting www.voxel.net in the browser simply redirects to www.internap.com – putting our investigation into a loop.
So let’s charge further down the rabbit hole and get to the good stuff! AbuseIPDB users report 42 attacks from 220.127.116.11, notably DoS attacks dating back to May 3, 2016. Cymon shows malware has been reported for 18.104.22.168 by malwr.com. It gets interesting when we look deeper into the associated domains reported by Cymon:
A Google search yields 5,000+ results for “loadr.exelator.com” and most signs point to a browser hijacker injected through “load.js”.
So who is behind exelator.com? Visiting www.exelator.com in the browser redirects to www.exelate.com and the truth is finally revealed.
Shockingly, it is The Nielsen Company (US), LLC. Or as they refer to it, “Nielsen Artificial Intelligence (AI)” and describe it as “Our marketing cloud gives you access to a universe of Nielsen audience data. We help you understand your customers at a level no one else can match. But it doesn’t stop there. Using built-in analytics and Nielsen Artificial Intelligence (AI), our cloud is constantly evaluating the success of your marketing and making adjustments in real-time. The result? Every step of your marketing process gets smarter and more effective.”
I’ve been watching the dropped packets for 22.214.171.124 awhile now and feel it’s safe to bestow the title of “The Master Needler” upon them.
So which ports are they poking the most? Interestingly, the ports attacked were evenly distributed and appear mostly random. The lowest port number attacked was 1000 and the highest was 65506. No single port was attacked more than 26 times. The only protocol used in the attacks was TCP.
As of this writing, I have seen 20,489 unique attacks from 126.96.36.199. No other single IP address found in my syslog comes close to this amount. So who is operating the attack server 188.8.131.52?
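The port and protocol breakdown above, and the earlier one for the runner-up address, can be reproduced from a firewall syslog with a short script. The following is an added example and not code from the original post: it parses constructed iptables-style DROP lines that use RFC 5737 documentation addresses, ranks source IPs by dropped packets, and reports the port spread, the most-hit port and the protocols seen per source. The regular expression is written for that constructed format and would need adjusting for another firewall's log lines.

```python
"""Summarise dropped-packet syslog entries per source IP.

Added example, not from the original post. Reports total drops, the lowest
and highest destination port, the most-hit port, and the protocols used, the
same figures the post gives for its top attacking addresses.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (iptables-style LOG output, RFC 5737 addresses).
SAMPLE_LOG = """\
Mar 12 03:14:01 gw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44123 DPT=35935 SYN
Mar 12 03:14:02 gw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44124 DPT=65428 SYN
Mar 12 03:14:05 gw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44125 DPT=35935 SYN
Mar 12 03:14:09 gw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
Mar 12 03:14:10 gw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=1025 DPT=22 SYN
Mar 12 03:14:11 gw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44126 DPT=1000 SYN
Mar 12 03:14:12 gw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=1026 DPT=22 SYN
"""

# Matches the constructed format above; adjust for your firewall's syslog layout.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)


def parse_drops(text):
    """Yield (src, proto, dport) for each DROP line that carries a destination port."""
    for line in text.splitlines():
        if "DROP" not in line:
            continue
        m = LOG_RE.search(line)
        if m:  # lines without DPT (e.g. ICMP) are skipped
            yield m.group("src"), m.group("proto"), int(m.group("dpt"))


def summarize(text):
    """Per-source statistics: total drops, port range, busiest port, protocols."""
    ports = defaultdict(Counter)
    protos = defaultdict(set)
    for src, proto, dport in parse_drops(text):
        ports[src][dport] += 1
        protos[src].add(proto)
    stats = {}
    for src, ctr in ports.items():
        top_port, hits = ctr.most_common(1)[0]
        stats[src] = {
            "total": sum(ctr.values()),
            "unique_ports": len(ctr),
            "min_port": min(ctr),
            "max_port": max(ctr),
            "top_port": top_port,
            "top_port_hits": hits,
            "protocols": sorted(protos[src]),
        }
    return stats


def ranked(text):
    """Source IPs ordered by dropped-packet count, most first."""
    stats = summarize(text)
    return sorted(stats, key=lambda ip: stats[ip]["total"], reverse=True)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in ranked(SAMPLE_LOG):
        print(ip, stats[ip])
```

A small maximum hit count per port against a large, evenly spread port range (as in the two addresses above) is what distinguishes a scan or probe sweep from a targeted attack on one service.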
A RIPE database query for the 184.108.40.206/24 subnet yields the following result:
org-name: Quasi Networks LTD.
address: Suite 1, Second Floor
address: Sound & Vision House, Francis Rachel Street
address: Victoria, Mahe, SEYCHELLES
remarks: IMPORTANT INFORMATION
remarks: We are a high bandwidth network provider offering bandwidth solutions.
remarks: Government agencies can sent their requests to email@example.com
remarks: Please only use firstname.lastname@example.org for abuse reports.
remarks: For all other requests, please see the details on our website.
A reverse DNS lookup on the address shows a PTR record pointing to a CNAME for no-reverse-dns-configured.com. This is a bit odd and is most likely a fake/fraudulent PTR record: whoever controls the reverse (in-addr.arpa) zone for the address block can publish any name they like there, and the name has no actual relation to this IP, since the domain's own A records (see the hosting history above) do not point back to it.
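The test that exposes a PTR record like this one, and that also answers RIPE NCC's point that anyone can publish PTR records with false information, is forward-confirmed reverse DNS: look up the PTR name, then resolve that name forward and check that the original address is among the answers. The following is an added example, not code from the original post. The resolver functions are passed in as callables so the logic runs offline against constructed answers (the PTR and A data below are made up for the example and use RFC 5737 documentation addresses); the two `live_*` helpers use the system resolver for real checks.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check.

Added example, not from the original post. A PTR record only says what the
owner of the reverse zone chose to publish; a name is trustworthy only if it
resolves back to the same address.
"""
import ipaddress
import socket

# Constructed answers (not real DNS data). 198.51.100.7 "claims" a name whose
# forward records point elsewhere; 192.0.2.25 has a genuine, round-tripping PTR.
CONSTRUCTED_PTR = {
    "198.51.100.7": "no-reverse-dns-configured.com",
    "192.0.2.25": "mail.example.net",
}
CONSTRUCTED_A = {
    "no-reverse-dns-configured.com": ["203.0.113.200"],
    "mail.example.net": ["192.0.2.25"],
}


def constructed_ptr(ip):
    return CONSTRUCTED_PTR.get(ip)


def constructed_forward(name):
    return CONSTRUCTED_A.get(name, [])


def live_ptr(ip):
    """PTR lookup via the system resolver; None when the address has no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(name):
    """All A/AAAA answers for a name via the system resolver; [] if it does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def reverse_name(ip):
    """The in-addr.arpa / ip6.arpa owner name the PTR query is actually sent for."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip, ptr_lookup, forward_lookup):
    """Classify an address as 'no-ptr', 'confirmed' (PTR name resolves back to ip)
    or 'unconfirmed' (PTR name exists but its forward records do not include ip).
    Returns (verdict, ptr_name, forward_addresses)."""
    name = ptr_lookup(ip)
    if name is None:
        return "no-ptr", None, []
    addrs = forward_lookup(name)
    target = ipaddress.ip_address(ip)
    # Compare parsed addresses so differently spelled IPv6 answers still match.
    if any(ipaddress.ip_address(a) == target for a in addrs):
        return "confirmed", name, addrs
    return "unconfirmed", name, addrs


def audit(ips, ptr_lookup, forward_lookup):
    """Verdict per address, e.g. for a whole block of PTRs naming the same domain."""
    return {ip: fcrdns(ip, ptr_lookup, forward_lookup)[0] for ip in ips}


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.25", "203.0.113.1"):
        print(reverse_name(ip), fcrdns(ip, constructed_ptr, constructed_forward))
```

An "unconfirmed" result is exactly the situation described above: the reverse zone asserts a name that the name's owner never pointed at the address. Run `audit` with `live_ptr` and `live_forward` over a list of addresses to check a whole block; the verdicts give a defensible basis for an abuse report beyond "the PTR looks odd".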
So when will the attacks stop? I have not heard back from Quasi Networks yet.
It appears I’m not alone however, others are reporting similar attacks from 220.127.116.11: