investigate creation date of domain #16

Open
a-douwe opened this issue Feb 25, 2020 · 8 comments
Comments

@a-douwe

a-douwe commented Feb 25, 2020

source of new domains

By googling some of the domains currently listed, I stumbled upon this website:
https://domain-status.com/archives/2019-8-30/com/registered/221

It contained the westtxnews.com website that was listed on the GitHub, and by simply searching the page for "news" I found a few more suspicious websites showing the 404 message.

suspicious pages:

westcontracostanews.com
westdfwnews.com (already listed)
westeldoradonews.com
westhoustonnews.com (already listed)
westnovanews.com (already listed)
westrgvnews.com (already listed)
westsgvnews.com
westventuranews.com

All unlisted domains seem to be on the same AWS server. I listed what I found below so it's recorded. I'm sure there are more on this server, but I don't know how to get all of them.

Namely:
reverse lookup on westcontracostanews.com (3.222.217.66)
All of the above are not listed right now.

@zpoch

zpoch commented Feb 26, 2020

I came across this issue in my research and decided to do a bit of additional research on that site for the domains registered on 8/30/2019 starting at https://domain-status.com/archives/2019-8-30/com/registered/1 using other keyword patterns I identified in the domain names.

I started with "times" and the first domain I found that matched the pattern for these sites that wasn't listed yet was centraloctimes.com, which had an A Record set for 3.222.217.66. I noticed after I did a reverse IP lookup on that for other domains that this is the same server IP you found. I also noticed that the domain is using Google MX records. See https://who.is/dns/centraloctimes.com

The tool I used for the reverse IP lookup is listing 121 domains on this new IP, and of the 100 I can view on a free account they all match the naming convention for these shady localized news sites. There are quite a few that you don't have listed above. See https://dnslytics.com/reverse-ip/3.222.217.66

Additional IPs not listed above or https://github.com/MassMove/AttackVectors/blob/master/LocalJournals/sites.csv

@Bermos
Contributor

Bermos commented Feb 26, 2020

Shall I scrape and add them to the sites.csv?
I think we should look into a more flexible way to store that information tho. We are getting quite a few people here (which is great :).

Edit: never mind, I just did and they are all not active yet. Do we have confirmation that they belong to the same group, or would it be wise to monitor them separately?

@zpoch

zpoch commented Feb 26, 2020

I really fell down a rabbit hole tonight with all this. I'd say they definitely fit the pattern of the other sites and are all hosted in the same manner with the DNS already pointing to the same server. They just aren't "active" sites yet. Perhaps we need a status column for now in the CSV to determine sites that have been activated and ones that fit the profile, but are inactive.

@a-douwe
Author

a-douwe commented Feb 26, 2020

> Edit: nevermind I just did and they are all not active yet. Do we have confirmation that they belong in the same group or would it be wise to monitor them separately?

Given that the creation date of a lot of the domains is the same (and is shared with domains that we know are active), the naming convention is the same, and the hosting is the same (AWS, with many domains on one server), I think it would be safe to assume it's the same organisation.
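As an added example (not code from the AttackVectors repository or from anyone in this thread), the attribution heuristic laid out above, shared creation date, shared A record and the naming convention, written as a small Python triage step over constructed sample records. The `created` dates, HTTP codes, the `northexamplenews.com` and `bakery-example.com` domains and the 203.0.113.9 address are constructed placeholders; the `active` flag follows the later idea in the thread of deriving an active column from the HTTP response code.

```python
"""Added example: rank candidate domains against a known-active seed site by the
three signals raised in the thread (shared creation date, shared A record,
matching naming convention). All records are constructed samples, not lookups."""
import re
from collections import defaultdict

# Naming convention seen in the thread: optional compass/centre prefix, a
# region token, then a news-style suffix, all under .com (heuristic only).
NAME_RE = re.compile(
    r"^(?:north|south|east|west|central|ne|nw|se|sw|mid)?[a-z]+?"
    r"(?:news|times|today|reporter|sun|standard|leader|record|review|courant|wire)\.com$"
)

SAMPLE = [  # constructed sample records; dates/codes/placeholder domains are made up
    {"domain": "westtxnews.com",          "created": "2019-08-30", "ip": "3.222.217.66", "http_status": 200},
    {"domain": "westcontracostanews.com", "created": "2019-08-30", "ip": "3.222.217.66", "http_status": 404},
    {"domain": "centraloctimes.com",      "created": "2019-08-30", "ip": "3.222.217.66", "http_status": 404},
    {"domain": "olympictimes.com",        "created": "2019-08-30", "ip": "3.222.217.66", "http_status": 404},
    {"domain": "bakery-example.com",      "created": "2019-08-30", "ip": "3.222.217.66", "http_status": 200},
    {"domain": "northexamplenews.com",    "created": "2018-01-12", "ip": "203.0.113.9",  "http_status": 200},
]


def matches_naming(domain):
    """True when the domain fits the localized-news naming pattern."""
    return bool(NAME_RE.match(domain.lower()))


def score(record, seed):
    """Number of the three signals (0-3) the record shares with the seed site."""
    return sum([record["created"] == seed["created"],
                record["ip"] == seed["ip"],
                matches_naming(record["domain"])])


def triage(records, seed_domain):
    """Rows of domain/score/active, highest score first. `active` mirrors the
    thread's idea of deriving an active flag from the HTTP response code."""
    seed = next(r for r in records if r["domain"] == seed_domain)
    rows = [{"domain": r["domain"], "score": score(r, seed),
             "active": r["http_status"] == 200} for r in records]
    return sorted(rows, key=lambda x: (-x["score"], x["domain"]))


def same_host_groups(records):
    """Group domains by A record: the 'many domains on one server' signal."""
    groups = defaultdict(list)
    for r in records:
        groups[r["ip"]].append(r["domain"])
    return dict(groups)
```

`triage(SAMPLE, "westtxnews.com")` puts the four pattern-matching, same-host, same-date domains at score 3 (three of them inactive), the co-hosted but differently named `bakery-example.com` at 2, and the pattern-only `northexamplenews.com` at 1.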

@Bermos
Contributor

Bermos commented Feb 26, 2020

I know that feeling. Damn rabbit holes everywhere as of late! And yes, I think an active column would make sense.

@mariotacke
Contributor

@Bermos, just want to point out, I've added other columns in #25. Let's merge that before we add another column (to prevent merge issues).

@mentor20
Contributor

@mariotacke #25 is merged, thanks for that. Feel free to merge any pull requests yourself so I'm not a bottleneck.

@mentor20
Contributor

@Bermos they are all online now. And confirmed to be inbred: https://centraloregontimes.com/terms - can you scrape and flesh out sites.csv? We have an httpResponseCode column which doubles as an active column now. Send dudes!
