Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 16 September 2008

EstDomains now allowing WhoIs queries

I was investigating hiskyhost.net (AS43355), due to the fact I've now got 48 domains going through them, that are associated with malware. More interestingly, they all resolve to housing.hiskyhost.net - a hostname that does not itself, actually resolve to an IP;

http://hosts-file.net/?s=housing.hiskyhost.net

During the course of the investigation, I decided to do a WhoIs query, and prior to my trying today, EstDomains have never allowed WhoIs queries, instead opting to either refuse access to their WhoIs server, or as is the case with whois.internet.bs, return complete rubbish (i.e. when querying whois.internet.bs, their WhoIs server will return "D D"). In October 2007, I noticed their server consistently returning the following, irrespective of the domain being queried;

WhoIs Information:

Referred to: whois.estdomains.com
By: whois.internic.net

An I/O error occured while sending to the backend.

WhoIs server: whois.estdomains.com


Having done a WhoIs query via the EstDomains website, I decided to try modifying the hpHosts site to do the query directly against their WhoIs server - and what did it return? Surprisingly, it returned the same data as their web interface - something it had never done before;

WhoIs Information:

Referred to: whois.estdomains.com
By: whois.crsnic.net

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: HISKYHOST.NET

Registrant:
High Sky Hosting
Alexey Vorobiev (admin@hiskyhost.net)
ul Oleko Dundicha 5
S Petersburg
null,192283
RU
Tel. +7.9214598211

Creation Date: 29-Jan-2008
Expiration Date: 29-Jan-2009

Domain servers in listed order:
ns2.hiskyhost.net
ns1.hiskyhost.net


Administrative Contact:
High Sky Hosting
Alexey Vorobiev (admin@hiskyhost.net)
ul Oleko Dundicha 5
S Petersburg
null,192283
RU
Tel. +7.9214598211

Technical Contact:
High Sky Hosting
Alexey Vorobiev (admin@hiskyhost.net)
ul Oleko Dundicha 5
S Petersburg
null,192283
RU
Tel. +7.9214598211

Billing Contact:
High Sky Hosting
Alexey Vorobiev (admin@hiskyhost.net)
ul Oleko Dundicha 5
S Petersburg
null,192283
RU
Tel. +7.9214598211

Status:ACTIVE


What I am rather interested in however, is their possible connection to hiskyhost.net, 2checkout.com and internet.bs.

As a side note, I've also noticed some of those that previously resolved to housing.hiskyhost.net (e.g. mcdirecting.com), though still going through EstDomains, now resolving to the VDHost Ltd/Ultranet (AS35057) netblock;

http://hosts-file.net/?s=78.157.143.133&sDM=1#matches

This also of course, begs the question of whether there is any relation between these, to EstDomains aswell? Or whether it's just me being overly suspicious. Either way, EstDomains, if they are serious about taking malicious domains offline (and I doubt they are - more likely they're just doing it until they're out of the headlines so to speak), then they need to take both those on VDHost/Ultranet, and those on HiskyHost, offline - as shown by the following, someone's already disabled some of them;

http://hosts-file.net/misc/Hiskyhost_-_VDHost_-_EstDomains.html

In the meantime, hopefully they'll continue to allow access to their WhoIs server, and not "accidentally" disable it??? Time will tell.

No comments: