Suspicious DNS query after install passbolt

Hello there,

I have installed Passbolt on a server that does not have any other service running. Last weekend I got an alert from my security system regarding a suspicious DNS query executed on the server where Passbolt was deployed.

Here are my findings so far…

The query was on static-74.235.93.111-tataidc.co.in

I did a whois and got this:

whois static-74.235.93.111-tataidc.co.in

% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer: whois.registry.in

domain: IN

organisation: National Internet Exchange of India
address: 6C,6D,6E Hansalaya Building 15, Barakhamba Road
address: New Delhi 110 001
address: India

contact: administrative
name: Rajiv Kumar
organisation: National Internet Exchange of India
address: 6C,6D,6E Hansalaya Building 15, Barakhamba Road
address: New Delhi 110 001
address: India
phone: +91 11 48202011
fax-no: +91 11 48202013
e-mail: registry@nixi.in

contact: technical
name: Rajiv Kumar
organisation: National Internet Exchange of India
address: 6C,6D,6E Hansalaya Building 15, Barakhamba Road
address: New Delhi 110 001
address: India
phone: +91 11 48202011
fax-no: +91 11 48202013
e-mail: rajiv@nixi.in

nserver: NS1.REGISTRY.IN 2001:dcd:1:0:0:0:0:12 37.209.192.12
nserver: NS2.REGISTRY.IN 2001:dcd:2:0:0:0:0:12 37.209.194.12
nserver: NS3.REGISTRY.IN 2001:dcd:3:0:0:0:0:12 37.209.196.12
nserver: NS4.REGISTRY.IN 2001:dcd:4:0:0:0:0:12 37.209.198.12
nserver: NS5.REGISTRY.IN 156.154.100.20 2001:0502:2eda:0:0:0:0:20
nserver: NS6.REGISTRY.IN 156.154.101.20 2001:0502:ad09:0:0:0:0:20
ds-rdata: 35373 7 2 A5F1FEB3C7C62843C287BF38E0CFA8D33A1DF8FE2B7FD871BFDCFF8EA0B354DA
ds-rdata: 35373 7 1 C8750CE0393237D97BE351C84326E45A20EFF25C
ds-rdata: 54739 8 2 9F122CFD6604AE6DEDA0FE09F27BE340A318F06AFAC11714A73409D43136472C
ds-rdata: 54739 8 1 2B5CA455A0E65769FF9DF9E75EC40EE1EC1CDCA9

whois: whois.registry.in

status: ACTIVE
remarks: Registration information: http://www.registry.in

created: 1989-05-08
changed: 2020-03-26
source: IANA

No Data Found

Do you guys know something about this? I'm trying to find more details and I'll let you know my findings ASAP.

No, it's the first time we hear about something like this.
This is not a domain that passbolt uses.

See https://www.abuseipdb.com/check/111.93.235.74
Looks like a bot doing brute force on the SSH port.
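The reply above links the hostname to the address 111.93.235.74: names of the form static-74.235.93.111-tataidc.co.in are the PTR record a provider publishes for an address, with the octets written in reverse. A server that has no outbound business of its own will still emit such a DNS query when it reverse-resolves the source of an inbound connection (sshd does this for logging), so the "suspicious" lookup is usually the footprint of the SSH brute force, not of Passbolt. The script below is an added example for checking that on the host, not code from the thread or from the Passbolt project. It assumes the hostname embeds the connecting address reversed (an assumption, true for this provider's naming pattern but not universal), and it works over constructed sshd log lines, not real ones from the poster's server.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample of sshd lines in /var/log/auth.log syslog format. These lines
# are invented for the example; only the source address comes from the thread.
SAMPLE_AUTH_LOG = """\
Mar 28 02:14:07 vault sshd[1341]: Failed password for invalid user admin from 111.93.235.74 port 51232 ssh2
Mar 28 02:14:09 vault sshd[1341]: Failed password for invalid user admin from 111.93.235.74 port 51232 ssh2
Mar 28 02:14:12 vault sshd[1345]: Failed password for root from 111.93.235.74 port 51410 ssh2
Mar 28 02:14:15 vault sshd[1349]: Failed password for invalid user test from 111.93.235.74 port 51502 ssh2
Mar 28 02:14:20 vault sshd[1353]: Invalid user oracle from 111.93.235.74 port 51640
Mar 28 02:14:21 vault sshd[1353]: Failed password for invalid user oracle from 111.93.235.74 port 51640 ssh2
Mar 28 02:15:01 vault sshd[1360]: Accepted publickey for deploy from 203.0.113.9 port 40122 ssh2
Mar 28 02:16:44 vault sshd[1371]: Failed password for deploy from 203.0.113.9 port 40130 ssh2
"""

# One failed-authentication event, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
# A dotted quad embedded somewhere in a provider-generated PTR name.
EMBEDDED_QUAD_RE = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})")


def ptr_query_name(ip: str) -> str:
    """The in-addr.arpa name a resolver sends when it reverse-resolves ip.

    This is the actual DNS query a host-based sensor sees; the PTR answer
    (e.g. static-74.235.93.111-tataidc.co.in) is what the alert reported.
    """
    return IPv4Address(ip).reverse_pointer


def ip_from_ptr_hostname(hostname: str):
    """Recover the connecting address from a PTR name that embeds it reversed.

    Assumption (ours, from the thread's example): the provider writes the
    octets in reverse order. Returns None when no dotted quad is present or
    the reversed quad is not a valid IPv4 address.
    """
    m = EMBEDDED_QUAD_RE.search(hostname)
    if not m:
        return None
    try:
        return str(IPv4Address(".".join(m.groups()[::-1])))
    except ValueError:
        return None


def failed_logins_by_ip(log_text: str) -> Counter:
    """Count sshd 'Failed password' events per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def brute_force_sources(log_text: str, threshold: int = 5):
    """Addresses that reached the failure threshold, sorted for stable output."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text).items() if n >= threshold)


def correlate(hostname: str, log_text: str, threshold: int = 5):
    """Tie a reverse-DNS alert back to the SSH activity that caused the lookup."""
    ip = ip_from_ptr_hostname(hostname)
    if ip is None:
        return None
    failures = failed_logins_by_ip(log_text)[ip]
    return {
        "ip": ip,
        "ptr_query": ptr_query_name(ip),
        "failed_logins": failures,
        "flagged": failures >= threshold,
    }


if __name__ == "__main__":
    result = correlate("static-74.235.93.111-tataidc.co.in", SAMPLE_AUTH_LOG)
    print(result)
    print("brute-force sources:", brute_force_sources(SAMPLE_AUTH_LOG))
```

On a real host, replace SAMPLE_AUTH_LOG with the contents of the sshd log (journalctl -u ssh or /var/log/auth.log) and feed the alerted hostname to correlate(); a non-zero failed_logins count from the recovered address confirms the DNS query was the server's own reverse lookup of an inbound attempt. The threshold is a starting point for alerting, not a fixed rule; rate-limiting SSH (fail2ban or a firewall rule) and restricting port 22 to known sources removes the noise at its origin.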

@juliosmelo what is the method you used to deploy passbolt?

I’m using docker with docker-compose

@juliosmelo we have investigated on our side but couldn't find anything suspicious with the docker images. Do you have any new findings to share with us?

@remy I have opened a ticket on AWS regarding this. As soon as they send some news I'll update you.
