nanog mailing list archives
Re: Trying to identify hosts
From: shawn wilson <ag4ve.us () gmail com>
Date: Mon, 27 Oct 2014 13:28:22 -0400
Oh and along that line of trying to find the source - nothing
indicates godaddy here (kinda annoying):
% curl -I secureserver.net
~ swlap1
HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Length: 145
Expires: 0
Location: http://www.secureserver.net/
Server: Microsoft-IIS/7.0
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR OUR IND"
Date: Mon, 27 Oct 2014 16:02:33 GMT
% curl -I www.secureserver.net
~ swlap1
HTTP/1.1 302 Found
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 160
Content-Type: text/html; charset=utf-8
Expires: -1
Location: http://www.secureserver.net/default404.aspx
Server: Microsoft-IIS/7.0
Set-Cookie: language0=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/
Set-Cookie: market=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/
Set-Cookie: language0=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/
Set-Cookie: market=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/
Set-Cookie: ATL.SID.SALES=iMxiGMyW7sDBszdtMEyatYk7buGydr4hjvissnKiLec%3d; path=/; HttpOnly
Set-Cookie: gdCassCluster.sePQKXdv2U=2; path=/
Set-Cookie: language0=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/
Set-Cookie: market=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/
Set-Cookie: ATL.SID.SALES=iMxiGMyW7sDBszdtMEyatYk7buGydr4hjvissnKiLec%3d; path=/; HttpOnly
Set-Cookie: gdCassCluster.sePQKXdv2U=2; path=/
Set-Cookie: mobile.redirect.browser=0; path=/
Set-Cookie: mobile.redirect.browser=0; path=/
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR OUR IND"
Date: Mon, 27 Oct 2014 16:02:34 GMT
% echo "QUIT" | openssl s_client -connect www.secureserver.net:443 | head -10
~ swlap1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
DONE
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/ST=Arizona/L=Scottsdale/O=Special Domain Services, LLC/CN=*.secureserver.net
  i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
  i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
  i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
---
On Mon, Oct 27, 2014 at 1:21 PM, shawn wilson <ag4ve.us () gmail com> wrote:
Ok, got a few off list replies that secureserver.net is godaddy which is fine - makes sense. I just wish this would link back to them easier (some backup ns being something.godaddy.com or some SOA of an IP listed in the spf being something.godaddy.com or whatever). Thank y'all for the info.

On Mon, Oct 27, 2014 at 11:57 AM, shawn wilson <ag4ve.us () gmail com> wrote:
We get lots of probes from subdomains of southwestdoor.com and secureserver.net's SOA and I'm curious who these guys are? The only web page I could find was southwestdoor redirects to http://www.arcadiacustoms.com and then to http://arcadia-custom.com/ (a hardware company is causing unwanted network traffic - not unless they're owned)

Traceroute for southwestdoor.com goes through secureserver.net and they have lots of references (in dns) to themselves, jomax.net and domaincontrol.com. Can someone give me a better picture of how this all fits together on a company level - as in how do these guys make money and why are they probing our network? I understand scans from ISPs and colos, but I can't directly identify these guys as either.
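The attribution done by hand in this thread (reading the Server header, the cookie names and the O= fields of the certificate chain) can be scripted. The block below is an added example and not code posted in the thread; its two sample inputs are constructed from the responses shown above, re-joined onto single lines where the mail client wrapped them and trimmed to the interesting headers. Two details are worth seeing handled: OpenSSL's legacy one-line DN format (the form shown in the post; OpenSSL 1.1.1 and later print "C = US, ST = Arizona, ..." instead) separates attributes with "/", and the intermediate's OU here is a URL containing slashes, so a naive split corrupts it; and "verify error:num=20" (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) means the local trust store lacked the issuer of the last certificate the server sent, the Starfield Class 2 root, which says nothing about the server itself. Starfield Technologies is the certificate authority brand GoDaddy operates, so the chain does point back to them even though no hostname does.

```python
"""Pull ownership hints out of captured `curl -I` / `openssl s_client` output.
Added example for this thread, not code posted in it; both samples are constructed.
"""
import re

# Constructed sample 1: verify line and certificate chain from
# `openssl s_client -connect www.secureserver.net:443`, as posted, re-joined.
SAMPLE_S_CLIENT = """\
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=Arizona/L=Scottsdale/O=Special Domain Services, LLC/CN=*.secureserver.net
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
   i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
---
"""

# Constructed sample 2: `curl -I www.secureserver.net`, repeated cookies dropped.
SAMPLE_HEADERS = """\
HTTP/1.1 302 Found
Location: http://www.secureserver.net/default404.aspx
Server: Microsoft-IIS/7.0
Set-Cookie: language0=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/
Set-Cookie: market=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/
Set-Cookie: ATL.SID.SALES=iMxiGMyW7sDBszdtMEyatYk7buGydr4hjvissnKiLec%3d; path=/; HttpOnly
Set-Cookie: gdCassCluster.sePQKXdv2U=2; path=/
Set-Cookie: mobile.redirect.browser=0; path=/
"""

# Legacy OpenSSL one-line DNs separate attributes with "/".  Splitting on every
# "/" breaks values that contain slashes (the OU above is a URL), so split only
# on a "/" that starts the next "KEY=" attribute.
_RDN_SPLIT = re.compile(r"/(?=[A-Za-z]+=)")
_SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")
_VERIFY = re.compile(r"^verify error:num=(\d+):(.*)$", re.M)


def parse_dn(dn):
    """'/C=US/O=Foo, Inc./CN=bar' -> {'C': 'US', 'O': 'Foo, Inc.', 'CN': 'bar'}."""
    attrs = {}
    for rdn in _RDN_SPLIT.split(dn):
        key, sep, value = rdn.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def parse_chain(text):
    """Chain as the server sent it, leaf first: [{'depth', 'subject', 'issuer'}, ...]."""
    chain = []
    for line in text.splitlines():
        m = _SUBJECT.match(line)
        if m:
            chain.append({"depth": int(m.group(1)),
                          "subject": parse_dn(m.group(2)), "issuer": None})
            continue
        m = _ISSUER.match(line)
        if m and chain and chain[-1]["issuer"] is None:
            chain[-1]["issuer"] = parse_dn(m.group(1))
    return chain


def chain_is_linked(chain):
    """True when every certificate's issuer DN equals the next certificate's subject DN."""
    return all(chain[i]["issuer"] == chain[i + 1]["subject"]
               for i in range(len(chain) - 1))


def organizations(chain):
    """Distinct O= values across subjects and issuers, in order of appearance."""
    seen = []
    for cert in chain:
        for dn in (cert["subject"], cert["issuer"] or {}):
            org = dn.get("O")
            if org and org not in seen:
                seen.append(org)
    return seen


def verify_error(text):
    """(code, message) from s_client's 'verify error' line, or None if none was printed."""
    m = _VERIFY.search(text)
    return (int(m.group(1)), m.group(2)) if m else None


def header_hints(headers):
    """Server banner and cookie names from a `curl -I` dump; both hint at stack and owner."""
    hints = {"server": None, "cookies": []}
    for line in headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue  # status line or blank line
        name, value = name.strip().lower(), value.strip()
        if name == "server":
            hints["server"] = value
        elif name == "set-cookie":
            cookie = value.split(";", 1)[0].split("=", 1)[0].strip()
            if cookie not in hints["cookies"]:
                hints["cookies"].append(cookie)
    return hints


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_S_CLIENT)
    print("linked:", chain_is_linked(chain), "orgs:", organizations(chain))
    print("verify:", verify_error(SAMPLE_S_CLIENT))
    print("headers:", header_hints(SAMPLE_HEADERS))
```

On the sample above this reports the chain as properly linked, the organizations as "Special Domain Services, LLC" (leaf) and "Starfield Technologies, Inc." (every issuer), verify error 20, and a cookie list whose "gdCassCluster" entry is the only thing in the HTTP layer carrying a GoDaddy-looking prefix. To run it against live hosts, feed it the stdout of the same two commands shawn used; adding `-showcerts` to `s_client` does not change the chain summary lines this parser reads.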
Current thread:
- Trying to identify hosts shawn wilson (Oct 27)
- Re: Trying to identify hosts shawn wilson (Oct 27)
- Re: Trying to identify hosts shawn wilson (Oct 27)
- Re: Trying to identify hosts shawn wilson (Oct 27)
