Oh and along that line of trying to find the source - nothing indicates godaddy here (kinda annoying): % curl -I secureserver.net ~ swlap1 HTTP/1.1 301 Moved Permanently Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache Content-Length: 145 Expires: 0 Location: http://www.secureserver.net/ Server: Microsoft-IIS/7.0 P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR OUR IND" Date: Mon, 27 Oct 2014 16:02:33 GMT % curl -I www.secureserver.net ~ swlap1 HTTP/1.1 302 Found Cache-Control: no-cache Pragma: no-cache Content-Length: 160 Content-Type: text/html; charset=utf-8 Expires: -1 Location: http://www.secureserver.net/default404.aspx Server: Microsoft-IIS/7.0 Set-Cookie: language0=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/ Set-Cookie: market=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/ Set-Cookie: language0=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/ Set-Cookie: market=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/ Set-Cookie: ATL.SID.SALES= iMxiGMyW7sDBszdtMEyatYk7buGydr4hjvissnKiLec%3d; path=/; HttpOnly Set-Cookie: gdCassCluster.sePQKXdv2U=2; path=/ Set-Cookie: language0=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/ Set-Cookie: market=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/ Set-Cookie: ATL.SID.SALES=iMxiGMyW7sDBszdtMEyatYk7buGydr4hjvissnKiLec%3d; path=/; HttpOnly Set-Cookie: gdCassCluster.sePQKXdv2U=2; path=/ Set-Cookie: mobile.redirect.browser=0; path=/ P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR OUR IND" Date: Mon, 27 Oct 2014 16:02:34 GMT % echo "QUIT" | openssl s_client -connect www.secureserver.net:443 | head -10 ~ swlap1 depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2 verify error:num=20:unable to get local issuer certificate DONE CONNECTED(00000003) --- Certificate chain 0 s:/C=US/ST=Arizona/L=Scottsdale/O=Special Domain Services, LLC/CN=*.secureserver.net i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2 1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2 i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2 2 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2 i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority --- On Mon, Oct 27, 2014 at 1:21 PM, shawn wilson <ag4ve.us@gmail.com> wrote:
Ok, got a few off list replies that secureserver.net is godaddy which is fine - makes sense. I just wish this would link back to them easier (some backup ns being something.godaddy.com or some SOA of an IP listed in the spf being something.godaddy.com or whatever).
Thank y'all for the info.
On Mon, Oct 27, 2014 at 11:57 AM, shawn wilson <ag4ve.us@gmail.com> wrote:
We get lots of probes from subdomains of southwestdoor.com and secureserver.net 's SOA and I'm curious who these guys are?
The only web page I could find was southwestdoor redirects to http://www.arcadiacustoms.com and then to http://arcadia-custom.com/ (a hardware company is causing unwanted network traffic - not unless they're owned)
Traceroute for southwestdoor.com goes through secureserver.net and they have lots of references (in dns) to themselves, jomax.net and domaincontrol.com.
Can someone give me a better picture of how this all fits together on a company level - as in how do these guys make money and why are they probing our network? I understand scans from ISPs and colos, but I can't directly identify these guys as either.