[176910] in North American Network Operators' Group


Fwd: malware.watch rdns

daemon@ATHENA.MIT.EDU (shawn wilson)
Wed Dec 17 05:20:37 2014

X-Original-To: nanog@nanog.org
In-Reply-To: <CAH_OBif=mAjsB+BJk4nbhSsKx+QY4W2o_3w-OJ3xMsJbq8U_DQ@mail.gmail.com>
From: shawn wilson <ag4ve.us@gmail.com>
Date: Wed, 17 Dec 2014 05:20:09 -0500
To: North American Network Operators Group <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

I asked about this on another list I'm on and didn't get any reply, so I
figured I might have better luck here.

Anyone know what malware.watch. is doing? Below is basically
everything I could find:

http://www.robtex.net/en/advisory/dns/watch/malware/ssl-scanning-015/

They've got a web page, but nothing there:
 % curl -I malware.watch
HTTP/1.1 200 OK
Date: Thu, 13 Nov 2014 19:17:29 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=da37b063f68032dfe5adc07ae35fe27031415906249; expires=Fri, 13-Nov-15 19:17:29 GMT; path=/; domain=.malware.watch; HttpOnly
X-Frame-Options: sameorigin
Server: cloudflare-nginx
CF-RAY: 188d4f4cd3cb0eeb-EWR

What I saw was ssl-scanning-###.malware.watch, so after that curl I
figured I'd start by blowing up their dns :)
 % printf '%03d\n' {0..999} | while read f; do
     dig=$(dig "ssl-scanning-${f}.malware.watch" +short)
     if [ -n "$dig" ]; then echo "$f: $dig"; fi
   done
015: 85.17.239.155
016: 104.200.21.140
017: 195.154.114.206

(It was pointed out to me that this could be more easily written as:
dig +noall +ans ssl-scanning-{000..999}.malware.watch)

So they only have three in that block: one is in the Netherlands, the
other is Linode (US), and the last is French:
8   21.28 ms as4436-1-c.111eighthave.ny.ibone.comcast.net (173.167.57.162)
9   17.01 ms vlan-75.ar2.ewr1.us.as4436.gtt.net (69.31.34.129)
10  15.73 ms as13335.xe-7-0-3.ar2.ewr1.us.as4436.gtt.net (69.31.95.70)
11  15.85 ms 104.28.19.47

7   10.07 ms he-1-15-0-0-cr01.350ecermak.il.ibone.comcast.net (68.86.85.70)
8   9.58 ms  ae15.bbr02.eq01.wdc02.networklayer.com (75.149.228.94)
9   10.98 ms ae7.bbr01.eq01.wdc02.networklayer.com (173.192.18.194)
10  23.08 ms ae0.bbr01.tl01.atl01.networklayer.com (173.192.18.153)
11  43.01 ms ae13.bbr02.eq01.dal03.networklayer.com (173.192.18.134)
12  43.02 ms po32.dsr02.dllstx3.networklayer.com (173.192.18.231)
13  44.33 ms po32.dsr02.dllstx2.networklayer.com (70.87.255.70)
14  50.71 ms po2.car01.dllstx2.networklayer.com (70.87.254.78)
15  41.94 ms router1-dal.linode.com (67.18.7.90)
16  42.63 ms li799-140.members.linode.com (104.200.21.140)

7   11.36 ms he-0-13-0-1-pe04.ashburn.va.ibone.comcast.net (68.86.87.142)
8   10.95 ms xe-7-0-2.was10.ip4.gtt.net (77.67.71.193)
9   87.79 ms xe-4-2-0.par22.ip4.gtt.net (89.149.182.98)
10  87.80 ms online-gw.ip4.gtt.net (46.33.93.90)
11  91.82 ms 49e-s46-1-a9k1.dc3.poneytelecom.eu (195.154.1.77)
12  88.27 ms ssl-scanning-017.malware.watch (195.154.114.206)
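
A defender-side version of the enumeration above, added here as an example and not part of the post or of any malware.watch tooling: it resolves the numbered ssl-scanning-NNN block through a pluggable resolver, probes first for a wildcard record (a zone with a wildcard makes every one of the thousand names appear to resolve, which the dig loop in the post would not notice), and then matches web-log source IPs and PTR names against the discovered scanner set. The in-memory zone is constructed from the three addresses the post reports, the log lines are made up, and `system_resolver` is only reached if you point it at live DNS.

```python
"""Enumerate a numbered scanner hostname block and match log sources against it.

Added example, not code from the NANOG post. FAKE_ZONE and SAMPLE_LOG are
constructed stand-ins so the script runs offline.
"""
import re
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

Resolver = Callable[[str], List[str]]

# PTR names of the shape the post reports: ssl-scanning-NNN.malware.watch
SCANNER_PTR_RE = re.compile(r"^ssl-scanning-\d{3}\.malware\.watch\.?$", re.IGNORECASE)

# Constructed zone: the three answers the post found with its dig loop.
FAKE_ZONE: Dict[str, List[str]] = {
    "ssl-scanning-015.malware.watch": ["85.17.239.155"],
    "ssl-scanning-016.malware.watch": ["104.200.21.140"],
    "ssl-scanning-017.malware.watch": ["195.154.114.206"],
}

# Constructed access-log lines (192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    '104.200.21.140 - - [13/Nov/2014:19:17:29 +0000] "GET / HTTP/1.1" 200 512',
    '192.0.2.10 - - [13/Nov/2014:19:18:02 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '195.154.114.206 - - [13/Nov/2014:19:19:40 +0000] "GET / HTTP/1.0" 200 512',
]

LOG_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) .*?"(?P<req>[^"]*)"')


def table_resolver(zone: Dict[str, List[str]]) -> Resolver:
    """Resolver answering from an in-memory table (offline use and tests)."""
    return lambda name: list(zone.get(name.rstrip(".").lower(), []))


def system_resolver(name: str) -> List[str]:
    """Resolver backed by the OS stub resolver; IPv4 answers only."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def wildcard_answers(domain: str, resolver: Resolver) -> Set[str]:
    """Answers for a label that should not exist. A non-empty result means the
    zone has a wildcard record and every enumerated name would 'resolve'."""
    return set(resolver(f"wildcard-probe-does-not-exist.{domain}"))


def enumerate_numbered_hosts(prefix: str, domain: str, resolver: Resolver,
                             width: int = 3, count: int = 1000) -> Dict[str, List[str]]:
    """Resolve prefix-000 .. prefix-(count-1) under domain, keeping only names
    with answers that differ from the wildcard answer set."""
    wildcard = wildcard_answers(domain, resolver)
    found: Dict[str, List[str]] = {}
    for n in range(count):
        name = f"{prefix}-{n:0{width}d}.{domain}"
        answers = sorted(set(resolver(name)))
        if not answers or (wildcard and set(answers) == wildcard):
            continue
        found[name] = answers
    return found


def scanner_ips(found: Dict[str, List[str]]) -> Set[str]:
    """Flatten the enumeration result into a set of addresses to match on."""
    return {ip for answers in found.values() for ip in answers}


def is_scanner_ptr(ptr_name: str) -> bool:
    """True when a reverse-DNS name belongs to the numbered scanner block."""
    return bool(SCANNER_PTR_RE.match(ptr_name))


def hits_from_scanners(log_lines: Iterable[str], ips: Set[str]) -> List[Tuple[str, str]]:
    """Return (source_ip, request) for log lines whose source is a known scanner."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("ip") in ips:
            hits.append((m.group("ip"), m.group("req")))
    return hits


if __name__ == "__main__":
    found = enumerate_numbered_hosts("ssl-scanning", "malware.watch", table_resolver(FAKE_ZONE))
    for host, answers in found.items():
        print(f"{host}: {', '.join(answers)}")
    for ip, req in hits_from_scanners(SAMPLE_LOG, scanner_ips(found)):
        print(f"scanner {ip} requested {req!r}")
```

Swap `table_resolver(FAKE_ZONE)` for `system_resolver` to run the same enumeration against live DNS; the wildcard probe is what keeps a wildcard zone from turning the whole block into false positives.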
