Got an interesting email from CIRA today with:
CE14-12545 [Malware hosted on ygglhalayvtwy.khabarov[.]ca]
URL: http://ygglhalayvtwy.khabarov[.]ca/xnor/orladjaup.jpg
IP: 204[.]44[.]87[.]184
MD5: EFDCED1D3D8145EED471362B04E144871EBA2122
Malware: Trojan.Win32/Bicololo.A
That's pretty odd, as the domain is mine, but I never set up any subdomains or even a wildcard. And I obviously don't serve malware.
Dig output:
; <<>> DiG 9.8.3-P1 <<>> ygglhalayvtwy.khabarov.ca
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ygglhalayvtwy.khabarov.ca. IN A
;; ANSWER SECTION:
ygglhalayvtwy.khabarov.ca. 2498 IN A 204.44.87.184
;; Query time: 2 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Dec 29 23:10:19 2014
;; MSG SIZE rcvd: 59
So it resolves to some IP I have no idea about.
I checked afraid.org where I manage DNS. No such A record there.
Namecheap, where I hold the domain name, has nothing suspicious either.
What's going on here exactly?
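The dig output above came from a recursive resolver (192.168.1.1), so it only shows what that cache handed back, not which server originated the record. The check that separates the possibilities is to ask the domain's delegated nameservers directly with recursion turned off, look at the AA (authoritative answer) bit, and compare the answer for the suspicious label with the answer for a random label under the same zone: an AA answer with an A record means the record is in the zone data those servers serve (however it got there), a random label returning the same address means a wildcard is in play, and a non-AA answer means the server is just relaying something it learned elsewhere. The script below, an added example and not the poster's code, does that with a hand-rolled DNS query over UDP so it needs nothing outside the standard library. It assumes you pass it the IP of one authoritative nameserver (from `dig NS khabarov.ca`) and the subdomain on the command line, and that the zone is the last two labels of the name; the sample response bytes in the test are constructed from the dig output in the post.

```python
"""Query an authoritative nameserver directly and report whether a
subdomain's A record is actually in the zone it serves (AA bit),
and whether a wildcard would explain it. Standard library only."""
import random
import socket
import string
import struct

A_TYPE = 1


def encode_name(name):
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qtype=A_TYPE, txid=0x1234, rd=False):
    """Build a DNS query packet. rd=False (no recursion desired) makes an
    authoritative server answer only from its own zone data."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset, hops = pointer, hops + 1
            if hops > 64:
                raise ValueError("compression loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(data):
    """Return header flags of interest and the answer section as tuples
    (name, type, ttl, value); A records are rendered as dotted quads."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == A_TYPE and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0x000F, "answers": answers}


def query(server, name, qtype=A_TYPE, timeout=3.0):
    """Send one non-recursive UDP query to `server` (an IP) and parse the reply."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != txid:
        raise ValueError("transaction id mismatch, discarding reply")
    return resp


def random_label(n=12):
    return "".join(random.choice(string.ascii_lowercase) for _ in range(n))


def classify(sub_resp, wild_resp):
    """Explain where the suspicious record is coming from, given the
    authoritative server's answers for the subdomain and for a random label."""
    if not sub_resp["aa"]:
        return "not served authoritatively by this server"
    sub_ips = {v for _, t, _, v in sub_resp["answers"] if t == A_TYPE}
    wild_ips = {v for _, t, _, v in wild_resp["answers"] if t == A_TYPE}
    if not sub_ips:
        return "no A record on this server"
    if wild_ips == sub_ips:
        return "wildcard record in the zone"
    return "explicit A record in the zone"


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: %s <authoritative-ns-ip> <subdomain>" % sys.argv[0])
    ns_ip, sub = sys.argv[1], sys.argv[2]
    zone = ".".join(sub.split(".")[-2:])  # assumption: two-label zone such as khabarov.ca
    sub_resp = query(ns_ip, sub)
    wild_resp = query(ns_ip, random_label() + "." + zone)
    print("AA bit set:", sub_resp["aa"], "rcode:", sub_resp["rcode"])
    for name, rtype, ttl, value in sub_resp["answers"]:
        print(name, rtype, ttl, value)
    print("verdict:", classify(sub_resp, wild_resp))
```

Run it once against each nameserver listed in the delegation, since a single server answering differently from the others is itself a finding. If every authoritative server returns the record with AA set, the zone data really contains it and the place to look is whoever can write to that zone at the DNS provider; if none of them do, the resolver that gave the original answer is the thing to investigate.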