This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Terri_Hawkins
Collaborator
‎2020-05-14 05:09 AM
Jump to solution

Lots of Traffic to 4 IP Addresses

I am curious as to whether anyone else is seeing a great deal of traffic to 4 ip addresses....

104.244.xx.20 with the xx being either 36, 37, 38 or 39

We have ~3000 pc's on our network and I am seeing ~100 logs in an hour for each one. (first thing this morning I had 24,431 logs, not everyone is in yet)

I have googled these addresses and some sites say it is malware, some say it is good, but I can't find a reliable source to let me know what it is. The site name is <daldt or amidt> .adsafeprotected.com. When I go to their www site it does not look malicious (but I know that is not an indicator that the site is ok). I have all the traffic blocked right now and nothing is breaking. The traffic is coming from all the PC's on our network, including mine, and it must be behind the scenes stuff because I am not going there intentionally.

We have recently switched to Chrome as our default browser, but I can't find anything associating the IP's with Chrome either.

Any assistance is appreciated,

thanks

terri

 

0 Kudos
2 Solutions

Accepted Solutions
Timothy_Hall
MVP Gold
MVP Gold
‎2020-05-14 05:35 AM
Jump to solution

ARIN.net says it is "Integral Ad Science" (integralads.com) whose website seems pretty vague about about what they actually do, so I'm assuming they are tracking user data and shoveling ads.  In my opinion, block 'em.

Network: NET-104-244-36-0-1

Source Registry
ARIN
Net Range
104.244.36.0 - 104.244.39.255
CIDR
104.244.36.0/22
Source Registry
ARIN
Kind
Org
Full Name
Integral Ad Science, Inc.
Handle
ASML-5
Email
network@integralads.com
Address
95 Morton St 8th Floor New York NY 10014 United States
Roles
Registrant
Registration
Thu, 02 Aug 2012 13:38:40 GMT (Thu Aug 02 2012 local time)
Last Changed
Wed, 22 Jun 2016 14:14:23 GMT (Wed Jun 22 2016 local time)
Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

Timothy_Hall
MVP Gold
MVP Gold
‎2020-05-14 06:54 AM
In response to MartinZ
Jump to solution

Great analysis, given that extra info I'd say block the whole 104.244.36.0/22 netblock outright, not just the .20 host addresses as I'm sure they will shift host addresses around inside their netblock at some point to avoid existing blocks.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

5 Replies
Timothy_Hall
MVP Gold
MVP Gold
‎2020-05-14 05:35 AM
Jump to solution

ARIN.net says it is "Integral Ad Science" (integralads.com) whose website seems pretty vague about about what they actually do, so I'm assuming they are tracking user data and shoveling ads.  In my opinion, block 'em.

Network: NET-104-244-36-0-1

Source Registry
ARIN
Net Range
104.244.36.0 - 104.244.39.255
CIDR
104.244.36.0/22
Source Registry
ARIN
Kind
Org
Full Name
Integral Ad Science, Inc.
Handle
ASML-5
Email
network@integralads.com
Address
95 Morton St 8th Floor New York NY 10014 United States
Roles
Registrant
Registration
Thu, 02 Aug 2012 13:38:40 GMT (Thu Aug 02 2012 local time)
Last Changed
Wed, 22 Jun 2016 14:14:23 GMT (Wed Jun 22 2016 local time)
Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
MartinZ
Contributor
‎2020-05-14 06:22 AM
In response to Timothy_Hall
Jump to solution

Agree on the blocking. Those IP's go back to adsafeprotected which is associated with both adware and malware. 

2020-05-14_9-02-24.jpg

You can see the relationships to a lot of Android and other exe files here: https://www.virustotal.com/graph/http%253A%252F%252Fdaldt.adsafeprotected.com%252F

2020-05-14_9-14-05.jpg

Apparently there was a binary PUP with the same name (ADSAFEPROTECTED) at one point, so check for that. It could be they have moved to pure hosted. I would give them the benefit of the doubt that maybe they are protecting ads, but as @Timothy_Hall  points out their "website seems pretty vague" and that is a lot of traffic.

https://greatis.com/blog/howto/remove-adsafeprotected-forever.htm

Timothy_Hall
MVP Gold
MVP Gold
‎2020-05-14 06:54 AM
In response to MartinZ
Jump to solution

Great analysis, given that extra info I'd say block the whole 104.244.36.0/22 netblock outright, not just the .20 host addresses as I'm sure they will shift host addresses around inside their netblock at some point to avoid existing blocks.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Wolfgang
MVP Gold
MVP Gold
‎2020-05-14 08:41 AM
Jump to solution

 

from Check Point categorization:

Bildschirmfoto 2020-05-14 um 17.38.50.png

 

 

 

 

 

As all other guys recommend, block them.

Wolfgang

Terri_Hawkins
Collaborator
‎2020-05-14 08:48 AM
In response to Wolfgang
Jump to solution

Thank you all for your input! I will block the traffic.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events