I’m now the proud owner of these domains:

Why would I purchase such strange looking domains you ask?

It all started long ago, while working for my enterprise. I saw some activity flagged by OpenDNS / Umbrella for some CnC traffic bound for these domains. It was being blocked but as I dug a little deeper I noted that they weren’t registered to anyone.

So, I figured, let’s register them & see what tries to connect….

Fast forward a few hours & login to an ec2 instance running apache. I noticed it felt a little ‘slow’ but it didn’t appear to be cpu-bound. I ran a netstat command and saw a crapload of connections to 443. So, I registered a letsencrypt certificate & watched my logs start to fill up:

62.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "POST /v1/users/tokens/renew HTTP/1.1" 404 219 "-" "NordApp android (playstore/3.11.3) Android 9"
107.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "GET /v1/servers/count HTTP/1.1" 404 214 "-" "NordVPN/78 CFNetwork/902.3.1 Darwin/17.7.0 (x86_64)"
82.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "POST /v1/users/tokens/renew HTTP/1.1" 404 219 "-" "NordApp android (playstore/3.11.3) Android 9"
80.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "POST /v1/users/tokens/renew HTTP/1.1" 404 219 "-" "NordApp android (sideload/3.11.3) Android 5.1.1"
185.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "GET /v1/servers?fields%5Bservers.id%5D=&fields%5Bservers.load%5D=&filters%5Bservers.status%5D=online&limit=5402 HTTP/1.1" 404 208 "-" "NordVPN/78 CFNetwork/760.9 Darwin/15.6.0 (x86_64)"
77.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "POST /v1/users/tokens/renew HTTP/1.1" 404 219 "-" "NordApp android (playstore/3.11.3) Android 9"
185.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "POST /v1/users/tokens/renew HTTP/1.1" 404 219 "-" "NordApp android (playstore/3.11.2) Android 8.0.0"

Clearly, this is traffic that is not intended for me. I reached out to NordVPN security & received a response that they’re looking into it.

My curiosity is around what could have caused this? Misconfiguration? I sandboxed the 3.11.3 version of NordVPN but wasn’t able to reproduce this issue.

This was / is no joke, here’s the utilization according to AWS:

I’m curious if others are seeing this on their networks and what the root cause is.

2 thoughts on “f5d599a39d02caef1984e95fdc606f838893ffc5.xyz”

  1. Similar situation with Umbrella and a device running NordVPN. Seemed to start dialing out to these address around 4pm each day. Still no idea why.

  2. I just wanted to say thanks for researching this. We were seeing the same thing and it was only through your blog that we worked out it was Nord.

Comments are closed.