I’m now the proud owner of these domains:

Why would I purchase such strange looking domains you ask?

It all started long ago, while working for my enterprise. I saw some activity flagged by OpenDNS / Umbrella for some CnC traffic bound for these domains. It was being blocked but as I dug a little deeper I noted that they weren’t registered to anyone.

So, I figured, let’s register them & see what tries to connect….

Fast forward a few hours & login to an ec2 instance running apache. I noticed it felt a little ‘slow’ but it didn’t appear to be cpu-bound. I ran a netstat command and saw a crapload of connections to 443. So, I registered a letsencrypt certificate & watched my logs start to fill up:

62.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "POST /v1/users/tokens/renew HTTP/1.1" 404 219 "-" "NordApp android (playstore/3.11.3) Android 9"
107.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "GET /v1/servers/count HTTP/1.1" 404 214 "-" "NordVPN/78 CFNetwork/902.3.1 Darwin/17.7.0 (x86_64)"
82.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "POST /v1/users/tokens/renew HTTP/1.1" 404 219 "-" "NordApp android (playstore/3.11.3) Android 9"
80.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "POST /v1/users/tokens/renew HTTP/1.1" 404 219 "-" "NordApp android (sideload/3.11.3) Android 5.1.1"
185.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "GET /v1/servers?fields%5Bservers.id%5D=&fields%5Bservers.load%5D=&filters%5Bservers.status%5D=online&limit=5402 HTTP/1.1" 404 208 "-" "NordVPN/78 CFNetwork/760.9 Darwin/15.6.0 (x86_64)"
77.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "POST /v1/users/tokens/renew HTTP/1.1" 404 219 "-" "NordApp android (playstore/3.11.3) Android 9"
185.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "POST /v1/users/tokens/renew HTTP/1.1" 404 219 "-" "NordApp android (playstore/3.11.2) Android 8.0.0"

Clearly, this is traffic that is not intended for me. I reached out to NordVPN security & received a response that they’re looking into it.

My curiosity is around what could have caused this? Misconfiguration? I sandboxed the 3.11.3 version of NordVPN but wasn’t able to reproduce this issue.

This was / is no joke, here’s the utilization according to AWS:

I’m curious if others are seeing this on their networks and what the root cause is.

2 thoughts on “f5d599a39d02caef1984e95fdc606f838893ffc5.xyz

  1. Similar situation with Umbrella and a device running NordVPN. Seemed to start dialing out to these address around 4pm each day. Still no idea why.


  2. I just wanted to say thanks for researching this. We were seeing the same thing and it was only through your blog that we worked out it was Nord.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: