Okay, looks more or less consistent.
After that, let's try to know what's running of this server... I think about an IRC service, to control Bots, or a download / update service for compromised hosts.
I first try using the IP address DomainCrawler gave me:
C:\>nmap -O --osscan-guess 208.97.178.13
Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-11 23:16 Paris, Madrid
Interesting ports on apache2-noxim.fuze.dreamhost.com (208.97.178.13):
Not shown: 990 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
113/tcp open auth
548/tcp open afp
587/tcp open submission
5222/tcp open unknown
5269/tcp open unknown
5666/tcp open nrpe
Warning: OSScan results may be unreliable because we could not find at least 1 o
pen and 1 closed port
Device type: general purpose|WAP|router
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (97%), D-Link embedded (87%), Linksy
s embedded (87%), Peplink embedded (87%)
Aggressive OS guesses: Linux 2.6.22 (97%), Linux 2.6.15 - 2.6.26 (94%), Linux 2.
6.22 (Ubuntu, x86) (92%), Linux 2.6.27 (Ubuntu 8.10) (92%), Linux 2.6.23 (92%),
Linux 2.6.13 - 2.6.27 (89%), Linux 2.4.20 (Red Hat 7.2) (88%), Linux 2.6.17 - 2.
6.28 (88%), Linux 2.6.22 - 2.6.23 (88%), Linux 2.6.24 - 2.6.28 (88%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at http://nmap.org/s
ubmit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.90 seconds
What? looks like an ADSL box?
But this is not the last surprise. If I do the same using the other IP address I got for DNS resolution, here is the result:
C:\>nmap -O --osscan-guess 66.33.212.15
Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-11 23:42 Paris, Madrid
Interesting ports on ps7371.dreamhost.com (66.33.212.15):
Not shown: 991 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
113/tcp open auth
587/tcp open submission
1030/tcp open iad1
5666/tcp open nrpe
Device type: WAP|router|general purpose|storage-misc
Running (JUST GUESSING) : Linksys Linux 2.4.X (97%), Linux 2.4.X|2.6.X (97%), Mi
kroTik RouterOS 3.X (94%), Belkin embedded (93%), ZyXEL embedded (91%), D-Link e
mbedded (90%), Enterasys embedded (90%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (97%), OpenWrt 0
.9 - 7.09 (Linux 2.4.30 - 2.4.34) (97%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (9
7%), MikroTik RouterOS 3.0beta5 (94%), Linux 2.6.21 (94%), Linux 2.6.18 - 2.6.27
(93%), Linux 2.4.21 - 2.4.31 (likely embedded) (93%), Linux 2.6.15 - 2.6.23 (em
bedded) (93%), Linux 2.6.15 - 2.6.24 (93%), Linux 2.6.15 - 2.6.26 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 16 hops
OS detection performed. Please report any incorrect results at http://nmap.org/s
ubmit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.91 seconds
Surprisingly, the scan results look similar!
Untill I have proof of the contrary, I therefore belive this is a malicious architecture, where boxes have been compromised and used to handle requests sent from compromised computers...
There is also a quite obvious DNS synchronization issue in here. Still, OpenDNS remains the safest service to query.
If anybody has got further details about that domain and IP addresses, feel free to post a comment or send me an email.