
SANS ISC: Suspicious traffic to unusual site names in the .info TLD - SANS Internet Storm Center SANS ISC InfoSec Forums


Suspicious traffic to unusual site names in the .info TLD
One of my customer's systems has been connecting to unusual sites in the .info TLD. These are site names like:

expeditertruffleluxury.info
daresroutinebroadcast.info
fetalhydrantembroider.info
jumblejockeyhurler.info

The names all seem to be three long but obscure English words concatenated. They all have similar registration details, in particular the same registrar and creation date.

Domain Name: EXPEDITERTRUFFLELUXURY.INFO
Registry Domain ID: D503300000043619417-LRMS
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.wildwestdomains.com
Updated Date: 2017-10-25T20:30:30Z
Creation Date: 2017-08-26T02:08:26Z
Registry Expiry Date: 2018-08-26T02:08:26Z

All resolved addresses point to blocks owned by "Hurricane Electric":
64.62.175.43/32
64.62.197.86/32
64.62.197.88/32
64.71.171.66/32
64.71.171.71/32
64.71.174.47/32
64.71.174.68/32
64.71.174.85/32
64.71.174.86/32
64.71.174.89/32
65.49.126.74/32
65.49.126.83/32
66.160.178.82/32
66.160.199.40/32
66.160.201.55/32
66.160.201.56/32
66.160.201.80/32
72.52.87.74/32
72.52.112.41/32
72.52.112.52/32
72.52.112.88/32
72.52.125.42/32
72.52.125.62/32
72.52.125.78/32
72.52.125.84/32
74.82.4.44/32
74.82.4.83/32
74.82.35.71/32
74.82.35.73/32
74.82.35.83/32
74.82.60.59/32
74.82.60.60/32
74.82.60.66/32
74.82.60.69/32
74.82.60.80/32

The traffic is all HTTPS encrypted.

Has anyone seen anything similar?
jauntysankey

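As an added example (not part of the original post), here is a small Python hunt script that applies the three indicators described above to DNS resolver logs: a bare second-level name under .info, a name that segments into exactly three dictionary words, and an answer inside one of the address blocks the poster listed. The log format, the sample log lines and the miniature word list are constructed for the example (a real run would load /usr/share/dict/words or similar), and widening each quoted /32 to its enclosing /24 is a hunting heuristic, not the actual Hurricane Electric allocation.

```python
"""Hunt DNS logs for the three-word .info domain pattern described in the post."""
import ipaddress
from functools import lru_cache

# Constructed stand-in for a real word list (e.g. /usr/share/dict/words).
WORDS = frozenset("""
expediter truffle luxury dares routine broadcast fetal hydrant embroider
jumble jockey hurler example secure update mail news cdn static assets
""".split())

# A few of the resolved addresses quoted in the post, widened to their /24 as a
# hunting heuristic (assumption: neighbouring addresses are of interest too).
SEEN_IPS = ["64.62.175.43", "64.71.171.66", "72.52.112.41", "74.82.60.59"]
WATCH_NETS = sorted({ipaddress.ip_network(f"{ip}/24", strict=False) for ip in SEEN_IPS})


def segment(label, words=WORDS):
    """Return every way to split `label` into a sequence of dictionary words."""
    @lru_cache(maxsize=None)
    def rec(i):
        if i == len(label):
            return [[]]
        out = []
        for j in range(i + 1, len(label) + 1):
            piece = label[i:j]
            if piece in words:
                out.extend([piece] + rest for rest in rec(j))
        return out
    return rec(0)


def three_word_split(label, min_len=4):
    """First split of `label` into exactly three words of >= min_len letters, else None."""
    for split in segment(label):
        if len(split) == 3 and all(len(w) >= min_len for w in split):
            return split
    return None


def indicators(domain, answer):
    """List which of the post's indicators a (query name, answer) pair matches."""
    hits = []
    labels = domain.lower().rstrip(".").split(".")
    if labels[-1] == "info":
        hits.append("tld=.info")
    if len(labels) == 2:  # bare second-level name, like the ones in the post
        split = three_word_split(labels[0])
        if split:
            hits.append("name=" + "+".join(split))
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return hits
    for net in WATCH_NETS:
        if ip in net:
            hits.append(f"answer_in={net}")
            break
    return hits


def parse_line(line):
    """Parse the constructed log format '<timestamp> <client> <qname> <qtype> <answer>'."""
    ts, client, qname, qtype, answer = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype, "answer": answer}


def hunt(lines, min_hits=2):
    """Return (qname, answer, hits) for A records matching at least `min_hits` indicators."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec["qtype"] != "A":
            continue
        hits = indicators(rec["qname"], rec["answer"])
        if len(hits) >= min_hits:
            results.append((rec["qname"], rec["answer"], hits))
    return results


# Constructed sample log (not real traffic): the post's names and a few of its
# addresses mixed with benign lookups and decoys that match only one indicator.
SAMPLE_LOG = """
2017-10-26T10:01:02Z 10.0.0.5 expeditertruffleluxury.info A 64.62.175.43
2017-10-26T10:01:03Z 10.0.0.5 example.com A 203.0.113.1
2017-10-26T10:01:04Z 10.0.0.5 daresroutinebroadcast.info A 72.52.112.41
2017-10-26T10:01:05Z 10.0.0.9 mail.example.info A 198.51.100.7
2017-10-26T10:01:06Z 10.0.0.5 jumblejockeyhurler.info AAAA ::1
2017-10-26T10:01:07Z 10.0.0.5 fetalhydrantembroider.info A 198.51.100.20
2017-10-26T10:01:08Z 10.0.0.7 securemailnews.com A 203.0.113.9
""".splitlines()

if __name__ == "__main__":
    for qname, answer, hits in hunt(SAMPLE_LOG):
        print(qname, answer, ", ".join(hits))
```

Requiring two of the three indicators keeps a benign three-word .com name, or an ordinary host under a legitimate .info zone, from being flagged on its own; the name check alone is a useful pivot for finding sibling domains once the first one is confirmed, since the registrant appears to be generating names the same way each time.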