This post is related to the wpadblocking.com / wpadblock.com case [https://blog.redteam.pl/search?q=wpadblocking.com], whose infrastructure also hosts domains with typos (typosquatting). When we used the PassiveTotal service on the IP address 144.76.184.43 we got the following results:
resolve,firstSeen,lastSeen
gayeta.pl,2013-11-28 13:01:16,2019-05-13 00:29:01
smtp.wpp.pl,2019-04-30 19:31:27,2019-05-13 00:23:40
poczta.oent.pl,2019-05-09 00:56:34,2019-05-12 12:25:30
smtp.poczta.oent.pl,2019-05-10 19:46:58,2019-05-12 12:25:29
mail.poczta.oent.pl,2019-05-10 19:46:59,2019-05-12 08:59:38
imap.oent.pl,2019-05-10 15:01:41,2019-05-11 17:45:21
pop3.oent.pl,2019-05-05 02:42:21,2019-05-11 17:39:36
smtp3.oent.pl,2019-05-09 14:00:25,2019-05-09 14:00:25
ms.wpp.pl,2019-05-09 13:22:16,2019-05-09 13:22:16
a.mx.wpp.pl,2019-05-09 13:09:11,2019-05-09 13:09:11
server1.wpp.pl,2019-05-09 10:21:47,2019-05-09 10:21:47
box.oent.pl,2019-05-09 09:33:10,2019-05-09 09:33:10
imap.poczta.oent.pl,2019-05-08 06:06:15,2019-05-08 06:06:15
smtp.oent.pl,2019-04-30 20:00:24,2019-05-07 22:42:32
mail.oent.pl,2019-04-30 13:46:38,2019-05-07 22:21:48
pop.wpp.pl,2019-05-03 09:08:16,2019-05-03 09:08:16
www.vanesssa-and-zac.blog.oent.pl,2019-05-02 06:51:26,2019-05-02 06:51:26
smtp.pozcta.oent.pl,2019-05-01 11:09:46,2019-05-01 11:09:46
cl2.xl.wpp.pl,2019-05-01 02:49:42,2019-05-01 02:49:42
relay1.oent.pl,2019-05-01 02:29:54,2019-05-01 02:29:54
wpp.pl,2013-11-21 06:11:57,2019-04-30 06:30:39
oent.pl,2013-11-19 16:59:04,2019-04-30 02:20:40
aallegro.pl,2014-10-25 12:34:50,2016-07-13 11:35:38
ellegro.pl,2014-01-20 04:30:20,2016-07-06 21:59:55
allegero.pl,2014-04-02 05:50:41,2016-05-29 16:13:24
kallegro.pl,2014-02-24 14:58:40,2014-02-24 14:58:44
These are typosquatted domains related to the largest Polish websites: Onet, Allegro and Wirtualna Polska (WP).
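Every domain in the list above is a single keystroke away from one of those brands. As an added example (not part of the original post), the Python below generates the five single-edit typo classes visible in the list (dropped letter, swapped adjacent letters, doubled letter, inserted letter, replaced letter) and classifies each observed domain against the brand it imitates. It goes one step beyond the post: `variants()` enumerates every single-edit candidate for a brand, which is the list a defender would check for registrations, A records or MX records before someone else does. The brand list and the observed-domain list are assumptions taken from this post; the function names are my own.

```python
import string

# Brands targeted by the domains in this post (assumption: taken from the list above).
BRANDS = {"onet.pl", "allegro.pl", "wp.pl", "gazeta.pl"}
# Domains observed in the PassiveTotal output above (constructed from the post).
OBSERVED = ["gayeta.pl", "oent.pl", "wpp.pl", "aallegro.pl",
            "ellegro.pl", "allegero.pl", "kallegro.pl"]
LETTERS = string.ascii_lowercase


def _split(domain):
    """'allegro.pl' -> ('allegro', 'pl'); only the leftmost label is mutated."""
    name, _, tld = domain.lower().partition(".")
    return name, tld


def omission(name):       # allegro -> alegro
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def transposition(name):  # onet -> oent
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:]
            for i in range(len(name) - 1)}


def repetition(name):     # wp -> wpp, allegro -> aallegro
    return {name[:i] + name[i] + name[i:] for i in range(len(name))}


def insertion(name):      # allegro -> kallegro, allegero
    return {name[:i] + c + name[i:]
            for i in range(len(name) + 1) for c in LETTERS}


def replacement(name):    # gazeta -> gayeta, allegro -> ellegro
    return {name[:i] + c + name[i + 1:]
            for i in range(len(name)) for c in LETTERS if c != name[i]}


# Ordered from most to least specific: a doubled letter is also an
# insertion, so 'repetition' must be tested before 'insertion'.
GENERATORS = [
    ("omission", omission),
    ("transposition", transposition),
    ("repetition", repetition),
    ("insertion", insertion),
    ("replacement", replacement),
]


def classify(domain, brands=BRANDS):
    """Return (brand, typo_kind) when `domain` is one edit away from a brand
    under the same TLD, (brand, 'exact') for the brand itself, else None."""
    name, tld = _split(domain)
    for brand in sorted(brands):
        bname, btld = _split(brand)
        if tld != btld:
            continue
        if name == bname:
            return brand, "exact"
        for kind, gen in GENERATORS:
            if name in gen(bname):
                return brand, kind
    return None


def variants(brand):
    """Every single-edit candidate for `brand`, grouped by typo kind,
    so a defender can enumerate what to register or monitor."""
    bname, tld = _split(brand)
    return {kind: {f"{v}.{tld}" for v in gen(bname) if v != bname}
            for kind, gen in GENERATORS}


if __name__ == "__main__":
    for d in OBSERVED:
        print(f"{d:<14} -> {classify(d)}")
    candidates = set().union(*variants("allegro.pl").values())
    print(f"allegro.pl has {len(candidates)} distinct single-edit candidates")
```

The output of `variants()` is the input for the rest of the checks in this post: resolve each candidate, look at its MX, and see whether it shares an address with infrastructure you already know to be hostile.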
Almost all these domains redirect to a different URL:
gayeta.pl
301 https://www.booking.com/index.html?aid=1300873
smtp.wpp.pl
301 https://www.wpadblock.com/
poczta.oent.pl
301 https://www.booking.com/index.html?aid=1300873
smtp.poczta.oent.pl
301 https://www.booking.com/index.html?aid=1300873
mail.poczta.oent.pl
301 https://www.booking.com/index.html?aid=1300873
imap.oent.pl
301 https://www.booking.com/index.html?aid=1300873
pop3.oent.pl
301 https://www.booking.com/index.html?aid=1300873
smtp3.oent.pl
301 https://www.booking.com/index.html?aid=1300873
ms.wpp.pl
301 https://www.wpadblock.com/
a.mx.wpp.pl
301 https://www.wpadblock.com/
server1.wpp.pl
301 https://www.wpadblock.com/
box.oent.pl
301 https://www.booking.com/index.html?aid=1300873
imap.poczta.oent.pl
301 https://www.booking.com/index.html?aid=1300873
smtp.oent.pl
301 https://www.booking.com/index.html?aid=1300873
mail.oent.pl
301 https://www.booking.com/index.html?aid=1300873
pop.wpp.pl
301 https://www.wpadblock.com/
www.vanesssa-and-zac.blog.oent.pl
301 https://www.booking.com/index.html?aid=1300873
smtp.pozcta.oent.pl
301 https://www.booking.com/index.html?aid=1300873
cl2.xl.wpp.pl
301 https://www.wpadblock.com/
relay1.oent.pl
301 https://www.booking.com/index.html?aid=1300873
wpp.pl
301 https://www.booking.com/index.html?aid=1300873
oent.pl
301 https://www.booking.com/index.html?aid=1300873
aallegro.pl
000
ellegro.pl
302 https://itunes.apple.com/pl/app/dns-override-change-dns-update/id1060830093?mt=8&at=11lbaA
allegero.pl
200
kallegro.pl
302 http://www.kallegro.pl
One of the URLs is related to a business run by the wpadblock.com owner:
https://itunes.apple.com/pl/app/dns-override-change-dns-update/id1060830093?mt=8&at=11lbaA
http://www.kallegro.pl returns the default OVH placeholder website.
The domain allegero.pl hosts a tracker:
$ curl -v http://allegero.pl
* Rebuilt URL to: http://allegero.pl/
* Trying 185.253.212.22...
* TCP_NODELAY set
* Connected to allegero.pl (185.253.212.22) port 80 (#0)
> GET / HTTP/1.1
> Host: allegero.pl
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Mon, 13 May 2019 10:53:30 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: close
< Set-Cookie: PHPSESSID=ab437e667f649c687080c99c7879e7c7; path=/; HttpOnly
< Set-Cookie: locale=pl_PL; expires=Thu, 10-May-2029 10:53:30 GMT; Max-Age=315360000; path=/
<
<html>
<head>
<meta http-equiv="refresh" content="5;url=https://allegro.pl">
<script>
function redirect()
{
var url = "https://allegro.pl";
window.location.replace("https://track.aftermarket.pl/track.php?track=e6a1e73952f56f5414c3fd06c60e762f&ref=" + document.referrer + "&url=" + encodeURIComponent(url));
}
redirect();
</script>
</head>
<body>
</body>
</html>
* Closing connection 0
The tracker redirects to the Allegro website:
GET /track.php?track=4caac08f0efcfde652c460778e22b119&ref=&url=https%3A%2F%2Fallegro.pl HTTP/1.1
Host: track.aftermarket.pl
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://allegero.pl/
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 301 Moved Permanently
Set-Cookie: PHPSESSID=f5a9e97df3da0eb8780c493e3157e92f; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: locale=pl_PL; expires=Thu, 10-May-2029 11:11:59 GMT; Max-Age=315360000; path=/
Location: https://allegro.pl
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Date: Mon, 13 May 2019 11:11:59 GMT
Server: LiteSpeed
Connection: close
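The parking page above does two things at once: a meta refresh as a fallback, and a JavaScript redirect that bounces the visitor through track.aftermarket.pl while leaking document.referrer in the query string. As an added example (not part of the original post, and not AfterMarket's or the page author's code), the Python below pulls those indicators out of such a response body. The sample HTML is the allegero.pl body quoted above, embedded inline so the script runs offline; the function and field names are my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: the body returned by http://allegero.pl/ as quoted in the post.
SAMPLE_PAGE = """<html>
<head>
<meta http-equiv="refresh" content="5;url=https://allegro.pl">
<script>
function redirect()
{
var url = "https://allegro.pl";
window.location.replace("https://track.aftermarket.pl/track.php?track=e6a1e73952f56f5414c3fd06c60e762f&ref=" + document.referrer + "&url=" + encodeURIComponent(url));
}
redirect();
</script>
</head>
<body>
</body>
</html>"""


class _Extractor(HTMLParser):
    """Collects the meta-refresh target and the raw text of every <script>."""

    def __init__(self):
        super().__init__()
        self.meta_refresh = None
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            if m:
                self.meta_refresh = m.group(1).strip("'\"")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def analyse_parking_page(body):
    """Extract redirect targets, tracker host, per-request track id and
    whether the referrer is forwarded to the tracker."""
    p = _Extractor()
    p.feed(body)
    js = "".join(p.scripts)
    m = re.search(r'window\.location\.(?:replace|assign|href\s*=)\s*\(?\s*"([^"]+)"', js)
    tracker = m.group(1) if m else None
    final = re.search(r'var\s+url\s*=\s*"([^"]+)"', js)
    result = {
        "meta_refresh": p.meta_refresh,
        "final_url": final.group(1) if final else None,
        "tracker_host": urlparse(tracker).hostname if tracker else None,
        "track_id": None,
        "leaks_referrer": "document.referrer" in js,
    }
    if tracker:
        result["track_id"] = parse_qs(urlparse(tracker).query).get("track", [None])[0]
    return result


def looks_like_parking_redirect(requested_host, body):
    """True when the page immediately sends the visitor to a different host
    (via meta refresh and/or script) instead of serving content of its own."""
    r = analyse_parking_page(body)
    hosts = {urlparse(t).hostname for t in (r["meta_refresh"], r["final_url"]) if t}
    return bool(hosts) and requested_host.lower() not in hosts


if __name__ == "__main__":
    for k, v in analyse_parking_page(SAMPLE_PAGE).items():
        print(f"{k:<15} {v}")
    print("parking redirect:", looks_like_parking_redirect("allegero.pl", SAMPLE_PAGE))
```

Note that the three responses quoted in this post each carry a different `track` value, so the token is per request and not a stable indicator; pivot on the tracker host (track.aftermarket.pl) and on the redirect-to-another-host pattern instead.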
It is hosted by AfterMarket:
inetnum: 185.253.212.0 - 185.253.212.255
netname: AfterMarket-Production-Network
remarks: AfterMarket.pl internal services and operations
country: PL
What is also important is that these websites have HTTPS certificates issued to them:
$ curl -v https://oent.pl
* Rebuilt URL to: https://oent.pl/
* Trying 104.31.87.62...
* TCP_NODELAY set
* Connected to oent.pl (104.31.87.62) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=sni.cloudflaressl.com
* start date: Apr 30 00:00:00 2019 GMT
* expire date: Apr 30 12:00:00 2020 GMT
* subjectAltName: host "oent.pl" matched cert's "oent.pl"
* issuer: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=CloudFlare Inc ECC CA-2
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fffbd5708e0)
> GET / HTTP/2
> Host: oent.pl
> User-Agent: curl/7.58.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 301
< date: Mon, 13 May 2019 11:35:58 GMT
< content-type: text/html
< set-cookie: __cfduid=d2f27c7dcd77c0e719c3b4caccb02a59f1557747358; expires=Tue, 12-May-20 11:35:58 GMT; path=/; domain=.oent.pl; HttpOnly
< location: https://www.booking.com/index.html?aid=1300873
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 4d6454fbfb8f6aff-WAW
<
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>openresty</center>
</body>
</html>
* Connection #0 to host oent.pl left intact
$ curl -v https://wpp.pl
* Rebuilt URL to: https://wpp.pl/
* Trying 104.27.171.239...
* TCP_NODELAY set
* Connected to wpp.pl (104.27.171.239) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=sni.cloudflaressl.com
* start date: Apr 30 00:00:00 2019 GMT
* expire date: Apr 30 12:00:00 2020 GMT
* subjectAltName: host "wpp.pl" matched cert's "wpp.pl"
* issuer: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=CloudFlare Inc ECC CA-2
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7ffff567f8e0)
> GET / HTTP/2
> Host: wpp.pl
> User-Agent: curl/7.58.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 301
< date: Mon, 13 May 2019 11:36:37 GMT
< cache-control: max-age=3600
< expires: Mon, 13 May 2019 12:36:37 GMT
< location: https://www.booking.com/index.html?aid=1300873
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 4d6455f0ea0fcc77-WAW
<
* Connection #0 to host wpp.pl left intact
$ curl -v https://allegero.pl
* Rebuilt URL to: https://allegero.pl/
* Trying 185.253.212.22...
* TCP_NODELAY set
* Connected to allegero.pl (185.253.212.22) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=allegero.pl
* start date: Apr 10 11:39:03 2019 GMT
* expire date: Jul 9 11:39:03 2019 GMT
* subjectAltName: host "allegero.pl" matched cert's "allegero.pl"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: allegero.pl
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Mon, 13 May 2019 11:36:41 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: close
< Set-Cookie: PHPSESSID=255345562eed09aa7e1c9eb0db03e0bc; path=/; secure; HttpOnly
< Set-Cookie: locale=pl_PL; expires=Thu, 10-May-2029 11:36:41 GMT; Max-Age=315360000; path=/
<
<html>
<head>
<meta http-equiv="refresh" content="5;url=https://allegro.pl">
<script>
function redirect()
{
var url = "https://allegro.pl";
window.location.replace("https://track.aftermarket.pl/track.php?track=41a67df81114fe01b0e110657ad8c9d7&ref=" + document.referrer + "&url=" + encodeURIComponent(url));
}
redirect();
</script>
</head>
<body>
</body>
</html>
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
There are also mail servers, which catch e-mails sent by mistake to these typosquatted domains:
$ host -t mx allegero.pl
allegero.pl mail is handled by 10 mail.mailerhost.net.
$ host -t mx wpp.pl
wpp.pl mail is handled by 30 aspmx3.googlemail.com.
wpp.pl mail is handled by 20 alt1.aspmx.l.google.com.
wpp.pl mail is handled by 30 aspmx4.googlemail.com.
wpp.pl mail is handled by 20 alt2.aspmx.l.google.com.
wpp.pl mail is handled by 30 aspmx5.googlemail.com.
wpp.pl mail is handled by 30 aspmx2.googlemail.com.
wpp.pl mail is handled by 10 aspmx.l.google.com.
$ host -t mx oent.pl
oent.pl mail is handled by 20 alt2.aspmx.l.google.com.
oent.pl mail is handled by 30 aspmx3.googlemail.com.
oent.pl mail is handled by 10 aspmx.l.google.com.
oent.pl mail is handled by 30 aspmx2.googlemail.com.
oent.pl mail is handled by 30 aspmx5.googlemail.com.
oent.pl mail is handled by 20 alt1.aspmx.l.google.com.
oent.pl mail is handled by 30 aspmx4.googlemail.com.
WHOIS details:
$ whois oent.pl
DOMAIN NAME: oent.pl
registrant type: organization
nameservers: aron.ns.cloudflare.com.
guy.ns.cloudflare.com.
created: 2009.08.10 19:01:34
last modified: 2019.04.30 16:21:22
renewal date: 2019.08.10 19:01:34
option created: 2017.08.10 16:05:19
option expiration date: 2020.08.10 16:05:19
dnssec: Unsigned
REGISTRAR:
premium.pl Sp. z o.o.
Zbożowa 4
70-653 Szczecin
801 066 444
pomoc@premium.pl
https://premium.pl/kontakt
$ whois allegero.pl
DOMAIN NAME: allegero.pl
registrant type: individual
nameservers: ns1.aftermarket.pl. [185.253.213.10]
ns2.aftermarket.pl. [185.253.214.10]
created: 2011.09.26 09:54:01
last modified: 2018.09.22 08:43:52
renewal date: 2019.09.26 09:54:01
no option
dnssec: Unsigned
REGISTRAR:
Michau Enterprises Ltd.
Chytron, 3, Office 301, P.C. 1075 Nicosia, Cypr
tel.+357.22761649
fax:+357.22767543
e-mail:domains@dropped.pl
http://www.AfterMarket.pl/contact.php
$ whois wpp.pl
DOMAIN NAME: wpp.pl
registrant type: organization
nameservers: aron.ns.cloudflare.com.
guy.ns.cloudflare.com.
created: 2012.06.03 13:21:56
last modified: 2019.05.07 18:50:25
renewal date: 2020.06.03 13:21:56
option created: 2017.03.09 17:23:43
option expiration date: 2020.03.09 17:23:43
dnssec: Unsigned
REGISTRAR:
premium.pl Sp. z o.o.
Zbożowa 4
70-653 Szczecin
801 066 444
pomoc@premium.pl
https://premium.pl/kontakt
Most of these domains are hosted on the same IP address 144.76.184.43 as the wpadblock.com project:
gayeta.pl has address 144.76.184.43
smtp.wpp.pl has address 144.76.184.43
poczta.oent.pl has address 144.76.184.43
smtp.poczta.oent.pl has address 144.76.184.43
mail.poczta.oent.pl has address 144.76.184.43
imap.oent.pl has address 144.76.184.43
pop3.oent.pl has address 144.76.184.43
smtp3.oent.pl has address 144.76.184.43
ms.wpp.pl has address 144.76.184.43
a.mx.wpp.pl has address 144.76.184.43
server1.wpp.pl has address 144.76.184.43
box.oent.pl has address 144.76.184.43
imap.poczta.oent.pl has address 144.76.184.43
smtp.oent.pl has address 144.76.184.43
mail.oent.pl has address 144.76.184.43
pop.wpp.pl has address 144.76.184.43
www.vanesssa-and-zac.blog.oent.pl has address 144.76.184.43
smtp.pozcta.oent.pl has address 144.76.184.43
cl2.xl.wpp.pl has address 144.76.184.43
relay1.oent.pl has address 144.76.184.43
wpp.pl has address 104.27.171.239
wpp.pl has address 104.27.170.239
oent.pl has address 104.31.87.62
oent.pl has address 104.31.86.62
aallegro.pl has no A record
ellegro.pl has address 188.128.255.251
allegero.pl has address 185.253.212.22
kallegro.pl has address 87.98.239.5
A DNS wildcard is in use:
$ host -t a redteam.oent.pl
redteam.oent.pl has address 144.76.184.43
$ host -t a redteam.gayeta.pl
redteam.gayeta.pl is an alias for gayeta.pl.
gayeta.pl has address 144.76.184.43
$ host -t a redteam.wpp.pl
redteam.wpp.pl has address 144.76.184.43
Because of this, any requested URL with a typo of these websites will forward to the Booking.com affiliate program [https://blog.redteam.pl/2019/05/badwpad-dns-suffix-wpad-wpadblocking-com.html]:
$ curl -I redteam.oent.pl
HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Tue, 14 May 2019 08:23:42 GMT
Content-Type: text/html
Content-Length: 182
Connection: keep-alive
Location: https://www.booking.com/index.html?aid=1300873
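The wildcard check above uses a fixed label (redteam) that an operator could in principle have created on purpose. As an added example (not part of the original post), the Python below probes a zone with several random labels and reports a wildcard only when they all resolve to the same non-empty answer. `system_resolve` uses the standard-library resolver (`socket.gethostbyname_ex` follows CNAME chains such as the gayeta.pl alias above); `fake_resolve` is a constructed offline table reproducing the `host` output in this post so the script runs without network access. Function names are my own.

```python
import secrets
import socket


def system_resolve(name):
    """Set of A records for `name` via the system resolver (CNAME chains followed)."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()


def has_wildcard(domain, resolve=system_resolve, probes=3):
    """True when `probes` random, never-registered labels under `domain` all
    resolve to the same non-empty answer. The answer is deliberately not
    compared with the apex: in this post oent.pl itself sits behind Cloudflare
    while *.oent.pl resolves to 144.76.184.43."""
    answers = [resolve(f"{secrets.token_hex(8)}.{domain}") for _ in range(probes)]
    return all(answers) and all(a == answers[0] for a in answers)


def wildcard_target(domain, resolve=system_resolve):
    """The address set a wildcard points at, or an empty set if there is none."""
    if not has_wildcard(domain, resolve):
        return set()
    return resolve(f"{secrets.token_hex(8)}.{domain}")


# Constructed offline resolver reproducing the observations in this post.
_FAKE = {
    "oent.pl": {"104.31.87.62", "104.31.86.62"},
    "wpp.pl": {"104.27.171.239", "104.27.170.239"},
    "gayeta.pl": {"144.76.184.43"},
    "allegero.pl": {"185.253.212.22"},
}
_WILDCARDED = {"oent.pl", "wpp.pl", "gayeta.pl"}


def fake_resolve(name):
    """Apex names answer from the table; one label under a wildcarded zone
    answers with the wpadblock.com host; anything else is NXDOMAIN."""
    if name in _FAKE:
        return set(_FAKE[name])
    parent = name.partition(".")[2]  # strip the leftmost label
    if parent in _WILDCARDED:
        return {"144.76.184.43"}
    return set()


if __name__ == "__main__":
    for zone in _FAKE:
        target = sorted(wildcard_target(zone, fake_resolve)) or "none"
        print(f"{zone:<12} wildcard -> {target}")
```

Random labels of 16 hex characters are not guessable, so a consistent answer across all probes can only come from a wildcard record; a single probe, or a dictionary word, can be fooled by a deliberately created subdomain.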
The following domains have a different IP address than the wpadblock.com project:
wpp.pl has address 104.27.171.239
wpp.pl has address 104.27.170.239
oent.pl has address 104.31.86.62
oent.pl has address 104.31.87.62
ellegro.pl has address 188.128.255.251
allegero.pl has address 185.253.212.22
kallegro.pl has address 87.98.239.5
ASNs related to these IP addresses:
104.27.170.239 "Cloudflare, Inc."
104.27.171.239 "Cloudflare, Inc."
104.31.86.62 "Cloudflare, Inc."
104.31.87.62 "Cloudflare, Inc."
185.253.212.22 "Marcin Waligorski Greener" (AfterMarket.pl internal services and operations)
188.128.255.251 "home.pl S.A."
87.98.239.5 "OVH SAS"
The above analysis demonstrates that not only the badWPAD infrastructure with wpad.tld domains was hosted there, but also typosquatted domains for popular websites.