{"id":680,"date":"2014-04-29T02:05:46","date_gmt":"2014-04-29T06:05:46","guid":{"rendered":"http:\/\/www.glaver.org\/blog\/?p=680"},"modified":"2015-10-08T20:54:20","modified_gmt":"2015-10-09T00:54:20","slug":"ipv4scan-com-scan-or-scam","status":"publish","type":"post","link":"https:\/\/www.glaver.org\/blog\/?p=680","title":{"rendered":"IPv4Scan.com – scan or scam?"},"content":{"rendered":"

One of my occasional consulting customers called me in a panic because all of their HP printers printed out the same page at the same time:<\/p>\n

GET http:\/\/ipv4scan.com\/hello\/check.txt HTTP\/1.1
\nHost: ipv4scan.com
\nAccept-Encoding: gzip, deflate, compress
\nAccept: *\/*
\nUser-Agent: IPv4Scan (+http:\/\/ipv4scan.com)<\/code><\/small><\/p>\n

Now, I have nothing against most network measurement bots. Most are useful, and the rest are usually well-intentioned, even if they are counterproductive. The one thing these have in common is that they have a page that tells you what they’re doing, why they’re doing it, and who to contact if you have further questions.<\/p>\n

The http:\/\/IPv4Scan.com<\/a> page does none of those:<\/p>\n

\"Screen<\/p>\n

There is no contact information provided on the page, there is no statement of how the data is being used (other than that it is “not for sale, rental or release”). The web page source does not contain any useful contact information, either. So they’re collecting this data for their own, unspecified, purposes.<\/p>\n

Ok, maybe it is legit, just with a spectacularly bad public relations campaign. Let’s look and see who is behind this:<\/p>\n

(0:115) host:~terry# jwhois ipv4scan.com
\n[whois.internet.bs]
\nDomain Name: IPV4SCAN.COM
\nRegistry Domain ID: 1824307886_DOMAIN_COM-VRSN
\nRegistrar WHOIS Server: whois.internet.bs
\nRegistrar URL: http:\/\/www.internetbs.net
\nUpdated Date: 2013-08-30T10:37:11Z
\nCreation Date: 2013-08-30T10:21:44Z
\nRegistrar Registration Expiration Date: 2014-08-30T10:21:44Z
\nRegistrar: Internet.bs Corp.
\nRegistrar IANA ID: 814
\nRegistrar Abuse Contact Email: abuse@internet.bs
\nRegistrar Abuse Contact Phone:
\nReseller:
\nDomain Status: clientTransferProhibited
\nRegistry Registrant ID:
\nRegistrant Name: Domain Administrator
\nRegistrant Organization: Fundacion Private Whois
\nRegistrant Street: Attn: ipv4scan.com, Aptds. 0850-00056
\nRegistrant City: Panama
\nRegistrant State\/Province:
\nRegistrant Postal Code: Zona 15
\nRegistrant Country: PA
\nRegistrant Phone: +507.65967959
\nRegistrant Phone Ext:
\nRegistrant Fax:
\nRegistrant Fax Ext:
\nRegistrant Email: 5230a6158jiing35@5225b4d0pi3627q9.privatewhois.net
\nRegistry Admin ID:
\nAdmin Name: Domain Administrator
\nAdmin Organization: Fundacion Private Whois
\nAdmin Street: Attn: ipv4scan.com, Aptds. 0850-00056
\nAdmin City: Panama
\nAdmin State\/Province:
\nAdmin Postal Code: Zona 15
\nAdmin Country: PA
\nAdmin Phone: +507.65967959
\nAdmin Phone Ext:
\nAdmin Fax:
\nAdmin Fax Ext:
\nAdmin Email: 5230a6157t3qutyb@5225b4d0pi3627q9.privatewhois.net
\nRegistry Tech ID:
\nTech Name: Domain Administrator
\nTech Organization: Fundacion Private Whois
\nTech Street: Attn: ipv4scan.com, Aptds. 0850-00056
\nTech City: Panama
\nTech State\/Province:
\nTech Postal Code: Zona 15
\nTech Country: PA
\nTech Phone: +507.65967959
\nTech Phone Ext:
\nTech Fax:
\nTech Fax Ext:
\nTech Email: 5230a615n285uy95@5225b4d0pi3627q9.privatewhois.net
\nName Server: ns-canada.topdns.com
\nName Server: ns-usa.topdns.com
\nName Server: ns-uk.topdns.com
\nDNSSEC: unsigned
\nURL of the ICANN WHOIS Data Problem Reporting System: http:\/\/wdprs.internic.net\/
\n>>> Last update of WHOIS database: 2014-04-29T05:00:41Z <<<<\/code><\/small><\/p>\n

Ok, so they're hiding behind a privacy service, but seem to be located in Panama. Let's see if the IP address they're using matches:<\/p>\n

(0:116) host:~terry# host ipv4scan.com
\nipv4scan.com has address 93.174.93.51
\nipv4scan.com mail is handled by 5 smtp09.topdns.com.
\nipv4scan.com mail is handled by 5 smtp01.topdns.com.
\n(0:117) host:~terry# jwhois 93.174.93.51
\n[whois.ripe.net]
\n% This is the RIPE Database query service.
\n% The objects are in RPSL format.
\n%
\n% The RIPE Database is subject to Terms and Conditions.
\n% See http:\/\/www.ripe.net\/db\/support\/db-terms-conditions.pdf<\/p>\n

% Note: this output has been filtered.
\n% To receive output for a database update, use the \"-B\" flag.<\/p>\n

% Information related to '93.174.93.0 - 93.174.93.255'<\/p>\n

% Abuse contact for '93.174.93.0 - 93.174.93.255' is 'admin@ecatel.net'<\/p>\n

inetnum: 93.174.93.0 - 93.174.93.255
\nnetname: NL-ECATEL
\ndescr: ECATEL LTD
\ndescr: Dedicated servers
\ndescr: http:\/\/www.ecatel.net\/
\ncountry: NL
\nadmin-c: EL25-RIPE
\ntech-c: EL25-RIPE
\nstatus: ASSIGNED PA
\nmnt-by: ECATEL-MNT
\nmnt-lower: ECATEL-MNT
\nmnt-routes: ECATEL-MNT
\nsource: RIPE # Filtered<\/p>\n

role: Ecatel LTD
\naddress: P.O.Box 19533
\naddress: 2521 CA The Hague
\naddress: Netherlands
\nabuse-mailbox: abuse@ecatel.info
\nremarks: ----------------------------------------------------
\nremarks: ECATEL LTD
\nremarks: Dedicated and Co-location hosting services
\nremarks: ----------------------------------------------------
\nremarks: for abuse complaints : abuse@ecatel.info
\nremarks: for any other questions : info@ecatel.info
\nremarks: ----------------------------------------------------
\nadmin-c: EL25-RIPE
\ntech-c: EL25-RIPE
\nnic-hdl: EL25-RIPE
\nmnt-by: ECATEL-MNT
\nsource: RIPE # Filtered<\/p>\n

% Information related to '93.174.88.0\/21AS29073'<\/p>\n

route: 93.174.88.0\/21
\ndescr: AS29073, Route object
\norigin: AS29073
\nmnt-by: ECATEL-MNT
\nsource: RIPE # Filtered<\/p>\n

% This query was served by the RIPE Database Query Service version 1.72 (DBC-WHOIS3)<\/code><\/small><\/p>\n

So, they're using an IP address allocated to Ecatel in the Netherlands. Not exactly close to Panama, is it? Let's see if that address is actually in the Netherlands:<\/p>\n

(0:118) host:~terry# traceroute ipv4scan.com
\ntraceroute to ipv4scan.com (93.174.93.51), 64 hops max, 52 byte packets
\n [snip]
\n 8 be2094.ccr21.bos01.atlas.cogentco.com (154.54.30.14) 20.530 ms
\n be2097.ccr22.bos01.atlas.cogentco.com (154.54.30.118) 19.664 ms
\n be2095.ccr21.bos01.atlas.cogentco.com (154.54.30.38) 20.657 ms
\n 9 be2387.ccr22.lpl01.atlas.cogentco.com (154.54.44.166) 85.582 ms 85.667 ms
\n be2386.ccr21.lpl01.atlas.cogentco.com (154.54.44.162) 85.388 ms
\n10 be2183.ccr42.ams03.atlas.cogentco.com (154.54.58.70) 95.882 ms
\n be2182.ccr41.ams03.atlas.cogentco.com (154.54.77.245) 95.035 ms
\n be2183.ccr42.ams03.atlas.cogentco.com (154.54.58.70) 97.517 ms
\n11 be2311.ccr21.ams04.atlas.cogentco.com (154.54.74.90) 130.510 ms
\n be2312.ccr21.ams04.atlas.cogentco.com (154.54.74.94) 94.574 ms
\n be2311.ccr21.ams04.atlas.cogentco.com (154.54.74.90) 101.849 ms
\n12 149.11.38.179 (149.11.38.179) 101.548 ms 118.302 ms 102.141 ms
\n13 server.anonymous-hosting-service.com (93.174.93.51) 98.234 ms 97.335 ms 96.958 ms<\/code><\/small><\/p>\n

Ok, the server is in Amsterdam, Netherlands. But hiding behind anonymous-hosting-service.com seems suspicious. Let's see where they<\/i> are:<\/p>\n

(0:119) host:~terry# jwhois anonymous-hosting-service.com
\n[Querying whois.verisign-grs.com]
\n[Redirected to whois.onlinenic.com]
\n[Querying whois.onlinenic.com]
\n[whois.onlinenic.com]<\/p>\n

Domain Name: anonymous-hosting-service.com
\nRegistry Domain ID:
\nRegistrar WHOIS Server: whois.onlinenic.com
\nRegistrar URL: http:\/\/www.onlinenic.com
\nUpdated Date: 2014-04-06 03:14:38
\nCreation Date: 2009-09-08
\nRegistrar Registration Expiration Date: 2015-09-08
\nRegistrar: Onlinenic Inc
\nRegistrar IANA ID: 82
\nRegistrar Abuse Contact Email: onlinenic-enduser@onlinenic.com
\nRegistrar Abuse Contact Phone: +1.5107698492
\nDomain Status: clientTransferProhibited
\nRegistry Registrant ID:
\nRegistrant Name: Laura Yun
\nRegistrant Organization: Vindo International Ltd.
\nRegistrant Street: Oliaji TradeCenter - 1st floor
\nRegistrant City: Victoria
\nRegistrant State\/Province: Mahe
\nRegistrant Postal Code: 5567
\nRegistrant Country: SC
\nRegistrant Phone: +248.6629012
\nRegistrant Phone Ext:
\nRegistrant Fax: +248.24822575500
\nRegistrant Fax Ext:
\nRegistrant Email: anonymous.client@vindohosting.com
\nRegistry Admin ID:
\nAdmin Name: Laura Yun
\nAdmin Organization: Vindo International Ltd.
\nAdmin Street: Oliaji TradeCenter - 1st floor
\nAdmin City: Victoria
\nAdmin State\/Province: Mahe
\nAdmin Postal Code: 5567
\nAdmin Country: SC
\nAdmin Phone: +248.6629012
\nAdmin Phone Ext:
\nAdmin Fax: +248.24822575500
\nAdmin Fax Ext:
\nAdmin Email: anonymous.client@vindohosting.com
\nRegistry Tech ID:
\nTech Name: Laura Yun
\nTech Organization: Vindo International Ltd.
\nTech Street: Oliaji TradeCenter - 1st floor
\nTech City: Victoria
\nTech State\/Province: Mahe
\nTech Postal Code: 5567
\nTech Country: SC
\nTech Phone: +248.6629012
\nTech Phone Ext:
\nTech Fax: +248.24822575500
\nTech Fax Ext:
\nTech Email: anonymous.client@vindohosting.com
\nName Server: ns1.anonymous-hosting-service.com
\nName Server: ns2.anonymous-hosting-service.com
\nURL of the ICANN WHOIS Data Problem Reporting System: http:\/\/wdprs.internic.net\/
\n>>> Last update of WHOIS database: 2014-04-06 03:14:38 <<<<\/code><\/small><\/p>\n

Well, this is definitely fishy. No legitimate survey would be hiding behind so many levels of indirection.<\/p>\n

I used the site's form to \"opt out\" 0.0.0.0\/1 with an email address requesting they contact me about their project. I've also sent email to the abuse contacts shown above, pointing them to this blog entry, in the hope that they can get some sort of explanation from their customer.<\/p>\n

In the meantime, you may want to fine-tune your firewall rules to prevent this type of probe. That would (at a minimum) include blocking all outside connection attempts on ports 80 (http) and 443 (https) to anything on your network that is not<\/b> intended to be a public web server. I cannot<\/b> recommend using their opt-out form as there is no indication of what they do with the information. For all I know, it has the same effect as sending \"unsubscribe\" in response to a spam email - it just targets you for more spam.<\/p>\n

If I receive any information from my inquiries, I'll update this blog entry accordingly.<\/p>\n","protected":false},"excerpt":{"rendered":"

One of my occasional consulting customers called me in a panic because all of their HP printers printed out the same page at the same time: GET http:\/\/ipv4scan.com\/hello\/check.txt HTTP\/1.1 Host: ipv4scan.com Accept-Encoding: gzip, deflate, compress Accept: *\/* User-Agent: IPv4Scan (+http:\/\/ipv4scan.com) Now, I have nothing against most network measurement bots. Most are useful, and the rest […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3,4],"tags":[],"_links":{"self":[{"href":"https:\/\/www.glaver.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/680"}],"collection":[{"href":"https:\/\/www.glaver.org\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.glaver.org\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.glaver.org\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.glaver.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=680"}],"version-history":[{"count":10,"href":"https:\/\/www.glaver.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/680\/revisions"}],"predecessor-version":[{"id":805,"href":"https:\/\/www.glaver.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/680\/revisions\/805"}],"wp:attachment":[{"href":"https:\/\/www.glaver.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=680"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.glaver.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=680"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.glaver.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=680"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}