Invalid validation requests from redirected domains


#1

Hi,

We’ve detected a number of seemingly fraudulent validation requests:

2018-03-08 00:46:30 GET /es - 2600:3000:2710:200::1d Mozilla/5.0+(compatible;+Let’s+Encrypt+validation+server;++https://www.letsencrypt.org) http://tenerife-casa-vivienda-piso-comprar-sevende.com/.well-known/acme-challenge/Q5DL1OlDTjrHLclf0r4oYPJnrPkuQ5x9lFOoGjx3qy4 200 7893 340 359
2018-03-08 00:46:32 GET /es - 2600:3000:2710:200::1d Mozilla/5.0+(compatible;+Let’s+Encrypt+validation+server;++https://www.letsencrypt.org) http://www.tenerife-casa-vivienda-piso-comprar-sevende.com/.well-known/acme-challenge/wV7A2c9HWDob1wLgjI-U_s5IFoGxdQzOFB2bcbdhkaQ 200 7893 344 374
2018-03-08 01:20:14 GET /en - 195.42.142.18 libwww-perl/6.15 - 200 29570 125 109
2018-03-08 01:20:16 GET /en - 195.42.142.18 libwww-perl/6.15 - 200 29570 125 109
2018-03-08 01:20:16 GET /en - 2600:3000:2710:200::1d Mozilla/5.0+(compatible;+Let’s+Encrypt+validation+server;++https://www.letsencrypt.org) http://tenerife-realestate.com/.well-known/acme-challenge/5yP5mUXqNrkE6MMmSrS4VitbeQP2ZhQ-WzPT_H4YfwI 200 7736 316 359
2018-03-08 01:20:18 GET /en - 2600:3000:2710:200::1d Mozilla/5.0+(compatible;+Let’s+Encrypt+validation+server;++https://www.letsencrypt.org) http://www.tenerife-realestate.com/.well-known/acme-challenge/3oEH9ZoHYumU37c6JBIXz2BygtlSS2TC3sD7JN4_6bM 200 7736 320 375
2018-03-08 01:20:24 GET /en - 195.42.142.18 libwww-perl/6.15 - 200 29570 125 109
2018-03-08 01:25:39 GET /nl - 195.42.142.18 libwww-perl/6.15 - 200 28843 125 109
[... entries omitted ...]
2018-03-08 01:26:40 GET /nl - 195.42.142.18 libwww-perl/6.15 - 200 28843 125 124
2018-03-08 01:26:42 GET /nl - 2600:3000:2710:200::1d Mozilla/5.0+(compatible;+Let’s+Encrypt+validation+server;++https://www.letsencrypt.org) http://www.tenerifehome.be/.well-known/acme-challenge/QvootDaH9vItJMeM6B1bB8-vvRA4UiTiUIG0tbHAWCg 200 7597 312 358
2018-03-08 01:26:58 GET /fr - 195.42.142.18 libwww-perl/6.15 - 200 29046 125 156
2018-03-08 01:27:00 GET /fr/.well-known/acme-challenge/dD_saDDdj-6UI7vLcOtQv97F978oj3CWFfpLXD13zmk - 195.42.142.18 libwww-perl/6.15 - 404 13555 196 62
2018-03-08 01:27:00 GET /fr - 2600:3000:2710:200::1d Mozilla/5.0+(compatible;+Let’s+Encrypt+validation+server;++https://www.letsencrypt.org) http://tenerifehome.fr/.well-known/acme-challenge/h9Vf7wWifJrZCWeED3Pl9tIgqjX8SbJYripPVkLrvH0 200 7759 308 375
2018-03-08 01:27:01 GET /fr/.well-known/acme-challenge/dD_saDDdj-6UI7vLcOtQv97F978oj3CWFfpLXD13zmk - 2600:3000:2710:200::1d Mozilla/5.0+(compatible;+Let’s+Encrypt+validation+server;++https://www.letsencrypt.org) http://www.tenerifehome.fr/.well-known/acme-challenge/dD_saDDdj-6UI7vLcOtQv97F978oj3CWFfpLXD13zmk 404 5712 383 218
2018-03-08 01:27:01 GET /fr/.well-known/acme-challenge/dD_saDDdj-6UI7vLcOtQv97F978oj3CWFfpLXD13zmk - 2600:3000:2710:200::1d Mozilla/5.0+(compatible;+Let’s+Encrypt+validation+server;++https://www.letsencrypt.org) http://www.tenerifehome.fr/.well-known/acme-challenge/dD_saDDdj-6UI7vLcOtQv97F978oj3CWFfpLXD13zmk 404 5712 383 218
2018-03-08 01:33:43 GET /de - 195.42.142.18 libwww-perl/6.15 - 200 29083 125 109
2018-03-08 01:33:45 GET /de - 2600:3000:2710:200::1d Mozilla/5.0+(compatible;+Let’s+Encrypt+validation+server;++https://www.letsencrypt.org) http://www.teneriffa-haus-appartement-wohnung-ferien-kauf-verkauf.com/.well-known/acme-challenge/CJWdVbsqd2Mc12fOQqzyWVjQRpvow16G2Zja4Dkw78k 200 7635 355 375

(note: many more similar entries have been omitted)

Of note are the immediately preceding requests from 195.42.142.18, that are obviously related.

This seems to be some kind of automated processing that is trying to take advantage of the fact that these domains perform an HTTP redirect (e.g., www.tenerife-realestate.com redirects to www.tenerifehome.com, where these log entries originate from). Our understanding is that these verification requests have all failed, but to us it is still a bit puzzling, as the scammer does not have control over the domains that they are trying to obtain the certificates for. Put another way, we are unsure what they are actually trying to achieve.

We did check the public certificate transparency reports for the domains, and no certificates seem to have been issued.

We are looking for guidance on additional checks or measures that we can perform (note that www.tenerifehome.com does use a Let’s Encrypt certificate, but these validation checks are not related to this certificate).

Thanks,

Tirreg


#2

The libwww-perl requests come from a shared web host called ICDHost.com (https://www.icdsoft.com/en/news/security/lets-encrypt-ssl).

tenerifehome.com resolves to an address hosted by ICDHost as well.

So, I would not attribute it to anything malicious.

Is it possible that the ICDHost shared hosting believes that it is authoritative for the domains it is trying to perform validation for?

I’ve seen this happen a lot with other types of shared hosting, where a domain gets migrated to another server, but the site doesn’t get deleted from the previous shared hosting, so it continues trying to renew a certificate that will never succeed.
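
Added example (not code from either poster): a small Python triage script for the situation described in #1 and #2. It parses IIS W3C log lines in the field order shown in #1, keeps only hits from the Let’s Encrypt validation user agent, reads the ACME challenge URL out of the Referer to learn which host redirected the validator here, correlates each hit with any other client that fetched the same path moments earlier (the libwww-perl pattern in #1), and records whether the challenge could have passed at all, which requires the token path to survive the redirect and be answered with 200. A 200 for a language landing page such as /en is a failed validation, not a leaked token. The hostnames in OUR_HOSTS, the 30-second correlation window and the sample log (modeled on #1 with placeholder token names) are assumptions made for this example.

```python
"""Triage ACME HTTP-01 validation hits in IIS W3C logs (constructed example).

Assumed field order (the one visible in the quoted log lines):
date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer)
sc-status sc-bytes cs-bytes time-taken
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Hostnames this server legitimately serves (assumption for the example).
# A validator hit whose ACME Referer names any other host reached us only
# because that host redirects here.
OUR_HOSTS = {"tenerifehome.com", "www.tenerifehome.com"}

ACME_PREFIX = "/.well-known/acme-challenge/"
FIELDS = ["date", "time", "method", "uri_stem", "uri_query", "client_ip",
          "user_agent", "referer", "status", "bytes_sent", "bytes_recv", "time_taken"]

# Constructed sample lines modeled on the log excerpt in post #1; TOKEN-* are placeholders.
SAMPLE_LOG = """\
2018-03-08 01:20:14 GET /en - 195.42.142.18 libwww-perl/6.15 - 200 29570 125 109
2018-03-08 01:20:16 GET /en - 2600:3000:2710:200::1d Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) http://tenerife-realestate.com/.well-known/acme-challenge/TOKEN-A 200 7736 316 359
2018-03-08 01:20:18 GET /en - 2600:3000:2710:200::1d Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) http://www.tenerife-realestate.com/.well-known/acme-challenge/TOKEN-B 200 7736 320 375
2018-03-08 01:27:00 GET /fr/.well-known/acme-challenge/TOKEN-C - 195.42.142.18 libwww-perl/6.15 - 404 13555 196 62
2018-03-08 01:27:01 GET /fr/.well-known/acme-challenge/TOKEN-C - 2600:3000:2710:200::1d Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) http://www.tenerifehome.fr/.well-known/acme-challenge/TOKEN-C 404 5712 383 218
2018-03-08 02:00:00 GET /.well-known/acme-challenge/TOKEN-D - 2600:3000:2710:200::1d Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) - 200 87 300 40
"""


def parse_line(line):
    """Return one log record as a dict, or None for blank, comment or malformed lines."""
    parts = line.split()
    if not parts or line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["user_agent"] = rec["user_agent"].replace("+", " ")  # IIS writes spaces as '+'
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec


def is_acme_validator(rec):
    return "Encrypt validation server" in rec["user_agent"]


def acme_referer_host(rec):
    """Host named in an ACME challenge URL carried in the Referer, else None."""
    if rec["referer"] == "-":
        return None
    url = urlsplit(rec["referer"])
    return url.hostname if url.path.startswith(ACME_PREFIX) else None


def find_redirected_validations(lines, window=timedelta(seconds=30)):
    """Group validator hits by the foreign host that redirected them here and
    correlate each with other clients that fetched the same path shortly before."""
    recs = [r for r in map(parse_line, lines) if r]
    findings = defaultdict(list)
    for i, rec in enumerate(recs):
        if not is_acme_validator(rec):
            continue
        host = acme_referer_host(rec)
        if host is None or host in OUR_HOSTS:
            continue  # our own renewal, or not a challenge fetch at all
        correlated = sorted({
            r["client_ip"] for r in recs[:i]
            if r["client_ip"] != rec["client_ip"]
            and r["uri_stem"] == rec["uri_stem"]
            and rec["ts"] - r["ts"] <= window
        })
        findings[host].append({
            "ts": rec["ts"],
            "landed_on": rec["uri_stem"],
            "status": rec["status"],
            # The challenge can only pass if the token path survived the redirect
            # and we answered it with 200; a 200 for a landing page is a failure.
            "could_have_succeeded": rec["status"] == "200" and ACME_PREFIX in rec["uri_stem"],
            "correlated_clients": correlated,
        })
    return dict(findings)


def summarize(findings):
    """One human-readable line per redirecting host."""
    out = []
    for host, hits in sorted(findings.items()):
        risky = sum(h["could_have_succeeded"] for h in hits)
        clients = sorted({c for h in hits for c in h["correlated_clients"]})
        out.append(f"{host}: {len(hits)} redirected validation(s), {risky} could have passed; "
                   f"preceded by {', '.join(clients) or 'nobody'}")
    return out


if __name__ == "__main__":
    for line in summarize(find_redirected_validations(SAMPLE_LOG.splitlines())):
        print(line)
```

Run against a real log file, a non-empty "could have passed" count is the one result worth escalating; zero, as here, means the redirect strips the challenge path and the attempts fail on their own, and the correlated client address is the lead to follow up with the hosting provider, as happened in this thread.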


#3

Hmm… looks like you are right. These domains actually belong to one of our customers, and the domain name registrations are handled by a third party for legacy reasons. Seems like this third party is using ICDHost.com to manage the domains and for some reason also has some generic hosting package there.

Thanks,

Tirreg

