Fwd: malware.watch rdns

shawn wilson ag4ve.us at gmail.com
Wed Dec 17 10:20:09 UTC 2014


I asked about this on another list I'm on and didn't get any reply, so I
figured I might have better luck here

Anyone know what malware.watch. is doing? Below is basically
everything I could find:

http://www.robtex.net/en/advisory/dns/watch/malware/ssl-scanning-015/

They've got a web page, but nothing there:
 % curl -I malware.watch
HTTP/1.1 200 OK
Date: Thu, 13 Nov 2014 19:17:29 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=da37b063f68032dfe5adc07ae35fe27031415906249; expires=Fri, 13-Nov-15 19:17:29 GMT; path=/; domain=.malware.watch; HttpOnly
X-Frame-Options: sameorigin
Server: cloudflare-nginx
CF-RAY: 188d4f4cd3cb0eeb-EWR

What I saw was ssl-scanning-###.malware.watch, so after that curl I
figured I'd start by blowing up their dns :)
 % printf '%03d\n' {0..999} | while read f; do
     dig=$(dig "ssl-scanning-${f}.malware.watch" +short)
     if [ -n "$dig" ]; then echo "$f: $dig"; fi
   done
015: 85.17.239.155
016: 104.200.21.140
017: 195.154.114.206

(It was pointed out to me this could be more easily written as: dig
+noall +ans ssl-scanning-{000..999}.malware.watch)

So they only have three in that block, one is in the Netherlands, the
other is Linode (US), and the last is French:
8   21.28 ms as4436-1-c.111eighthave.ny.ibone.comcast.net (173.167.57.162)
9   17.01 ms vlan-75.ar2.ewr1.us.as4436.gtt.net (69.31.34.129)
10  15.73 ms as13335.xe-7-0-3.ar2.ewr1.us.as4436.gtt.net (69.31.95.70)
11  15.85 ms 104.28.19.47

7   10.07 ms he-1-15-0-0-cr01.350ecermak.il.ibone.comcast.net (68.86.85.70)
8   9.58 ms  ae15.bbr02.eq01.wdc02.networklayer.com (75.149.228.94)
9   10.98 ms ae7.bbr01.eq01.wdc02.networklayer.com (173.192.18.194)
10  23.08 ms ae0.bbr01.tl01.atl01.networklayer.com (173.192.18.153)
11  43.01 ms ae13.bbr02.eq01.dal03.networklayer.com (173.192.18.134)
12  43.02 ms po32.dsr02.dllstx3.networklayer.com (173.192.18.231)
13  44.33 ms po32.dsr02.dllstx2.networklayer.com (70.87.255.70)
14  50.71 ms po2.car01.dllstx2.networklayer.com (70.87.254.78)
15  41.94 ms router1-dal.linode.com (67.18.7.90)
16  42.63 ms li799-140.members.linode.com (104.200.21.140)

7   11.36 ms he-0-13-0-1-pe04.ashburn.va.ibone.comcast.net (68.86.87.142)
8   10.95 ms xe-7-0-2.was10.ip4.gtt.net (77.67.71.193)
9   87.79 ms xe-4-2-0.par22.ip4.gtt.net (89.149.182.98)
10  87.80 ms online-gw.ip4.gtt.net (46.33.93.90)
11  91.82 ms 49e-s46-1-a9k1.dc3.poneytelecom.eu (195.154.1.77)
12  88.27 ms ssl-scanning-017.malware.watch (195.154.114.206)
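The same two checks the post performs by hand (walk a numbered hostname pattern and see which names resolve, then see whether the address's reverse name actually belongs to it) as an added Python example; this is not the poster's code and not anything from malware.watch. The resolvers are injectable: the stub tables below are constructed from the three forward results the post reports, the PTR for 017 is taken from the traceroute's last hop, and the PTRs for 015 and 016 are assumed (016 is deliberately given the generic Linode name so that a forward-confirmed-rDNS mismatch is shown). Swap in the `live_*` functions to run it against real DNS.

```python
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed stub data so the example runs offline; forward entries are the
# three results reported in the post, PTRs are assumed except for 017.
STUB_FORWARD: Dict[str, str] = {
    "ssl-scanning-015.malware.watch": "85.17.239.155",
    "ssl-scanning-016.malware.watch": "104.200.21.140",
    "ssl-scanning-017.malware.watch": "195.154.114.206",
}
STUB_REVERSE: Dict[str, str] = {
    "85.17.239.155": "ssl-scanning-015.malware.watch",   # assumed PTR
    "104.200.21.140": "li799-140.members.linode.com",    # assumed: hoster's generic name
    "195.154.114.206": "ssl-scanning-017.malware.watch",  # from the traceroute in the post
}

Resolver = Callable[[str], Optional[str]]


def stub_forward(name: str) -> Optional[str]:
    return STUB_FORWARD.get(name)


def stub_reverse(ip: str) -> Optional[str]:
    return STUB_REVERSE.get(ip)


def live_forward(name: str) -> Optional[str]:
    """Real A lookup via the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_reverse(ip: str) -> Optional[str]:
    """Real PTR lookup; None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def enumerate_numbered(pattern: str, numbers: Iterable[int], width: int,
                       forward: Resolver) -> Dict[str, str]:
    """Resolve pattern with each zero-padded number; keep only names that resolve.

    Equivalent to the post's printf/dig loop, e.g.
    enumerate_numbered("ssl-scanning-{}.malware.watch", range(1000), 3, live_forward).
    """
    found: Dict[str, str] = {}
    for n in numbers:
        name = pattern.format(str(n).zfill(width))
        ip = forward(name)
        if ip:
            found[name] = ip
    return found


def fcrdns(ip: str, forward: Resolver, reverse: Resolver) -> Tuple[Optional[str], bool]:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the same IP.

    A scanner whose PTR claims a name that does not point back at the address
    should not be trusted on the strength of that name alone.
    """
    ptr = reverse(ip)
    if ptr is None:
        return None, False
    return ptr, forward(ptr) == ip


def classify(found: Dict[str, str], forward: Resolver,
             reverse: Resolver) -> List[Tuple[str, str, Optional[str], bool]]:
    """For each discovered name: (name, ip, ptr, fcrdns_confirmed), sorted by name."""
    rows = []
    for name, ip in sorted(found.items()):
        ptr, confirmed = fcrdns(ip, forward, reverse)
        rows.append((name, ip, ptr, confirmed))
    return rows


if __name__ == "__main__":
    hits = enumerate_numbered("ssl-scanning-{}.malware.watch", range(1000), 3, stub_forward)
    for name, ip, ptr, ok in classify(hits, stub_forward, stub_reverse):
        print(f"{name} -> {ip}  PTR={ptr}  fcrdns={'ok' if ok else 'MISMATCH'}")
```

The point of the FCrDNS column is the one the subject line raises: a PTR of ssl-scanning-NNN.malware.watch only means something if the forward record agrees, and an address whose reverse name is just the hoster's generic label tells you nothing about who operates it.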



More information about the NANOG mailing list