The IP address 66.194.234.66 visited me today. It was not a unique visit and did not arouse any suspicion, but when my automated lookup script ran its IP lookup it returned the error message “;; Warning: Message parser reports malformed message packet.”, along with 54 host names. Very odd.
66.192.0.0 – 66.195.255.255 tw telecom holdings
A reverse IP domain check reveals no web sites.
Log entry:
66.194.234.66 [24/Jan/2017:14:03:53 GET /something.jpg HTTP/1.1 200 177820 https://www.google.com/ Mozilla/5.0 (iPad; CPU OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A456 Safari/602.1
Host names returned by the “host” command. Some of these host names are not even registered, such as healthcareaudio.biz. Others are registered to various domain name registrars. Why are they doing this?
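As an added example, not the post’s own lookup script: a small Python parser for the output of the “host” command that flags the two things seen above, a resolver warning and an unusually large number of PTR names on one address. The thresholds and the sample output are constructed assumptions, not captured data.

```python
import re
from ipaddress import ip_address

# `host` prints one line per PTR record ("...in-addr.arpa domain name pointer NAME.")
# and resolver diagnostics as ";; Warning: ..." lines.
PTR_LINE = re.compile(r"^(?P<arpa>\S+) domain name pointer (?P<name>\S+?)\.?$")
WARNING_LINE = re.compile(r"^;; Warning: (?P<text>.+)$")

def parse_host_output(ip, text):
    """Return (ptr_names, warnings) parsed from `host <ip>` output."""
    expected_arpa = ip_address(ip).reverse_pointer  # 66.194.234.66 -> 66.234.194.66.in-addr.arpa
    names, warnings = [], []
    for line in text.splitlines():
        line = line.strip()
        m = WARNING_LINE.match(line)
        if m:
            warnings.append(m.group("text"))
            continue
        m = PTR_LINE.match(line)
        # Keep only answers for the address we asked about; ignore unrelated lines.
        if m and m.group("arpa").rstrip(".") == expected_arpa:
            names.append(m.group("name").lower())
    return names, warnings

def registrable_domain(name):
    """Last two labels: an approximation with no public-suffix list, so co.uk-style names are undercounted."""
    return ".".join(name.split(".")[-2:])

def assess(ip, text, max_names=3, max_domains=3):
    """Reasons this address's reverse DNS deserves a second look (empty = unremarkable).
    The thresholds are assumptions; tune them to what your own logs normally show."""
    names, warnings = parse_host_output(ip, text)
    reasons = [f"resolver warning: {w}" for w in warnings]
    if len(names) > max_names:
        reasons.append(f"{len(names)} PTR names on one address (threshold {max_names})")
    domains = {registrable_domain(n) for n in names}
    if len(domains) > max_domains:
        reasons.append(f"{len(domains)} distinct registrable domains (threshold {max_domains})")
    return reasons
# Constructed sample output in the shape the post describes (not a live capture).
SAMPLE_MULTI = """;; Warning: Message parser reports malformed message packet.
66.234.194.66.in-addr.arpa domain name pointer educationminute.com.
66.234.194.66.in-addr.arpa domain name pointer healthcareaudio.biz.
66.234.194.66.in-addr.arpa domain name pointer skilljump.com.
66.234.194.66.in-addr.arpa domain name pointer skilljump.net.
66.234.194.66.in-addr.arpa domain name pointer medaudio.net.
"""
# A single-PTR address from the documentation range (RFC 5737), for contrast.
SAMPLE_SINGLE = "5.113.0.203.in-addr.arpa domain name pointer mail.example.net.\n"
```

Call assess(ip, output) on the text your lookup script already captures; the documentation-range sample comes back with an empty list, the multi-PTR sample with three reasons.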
I tossed the IP addy into IBM’s X-Force search and one host name jumped out.
exchange.xforce.ibmcloud.com/ip/66.194.234.66
Followed the results for ‘educationminute[dot]com’.
exchange.xforce.ibmcloud.com/url/educationminute.com
Aside from WHOIS info there are 12 URLs registered. Some are flagged as anonymization services and malware, but the oldest URL at the bottom seems responsible for a botnet command and control center. Let’s take a closer look.
exchange.xforce.ibmcloud.com/ip/69.64.147.249
Looks like this botnet is called “Tsunami”. I could dig deeper but I need to sleep now. But before I go, those of you out there running WordPress should upgrade. A new vulnerability has been discovered:
exchange.xforce.ibmcloud.com/vulnerabilities/121433
Peace and sweet dreams.
[Don: Thanks, Barry. I’ll spend the time to research and use the IBM X-Force system. It looks really helpful.]