I was trying the Canary Token and placed a WORD file on a Public folder in my network. I got a triggered update saying that its channel is DNS. I tried to check the IP address and it's owned by OpenDNS. My question is: does it mean that OpenDNS tries to access the file on our local public shared folder?
When you say public, do you mean it's Internet-accessible?
Sorry for the confusion; we're running an Active Directory environment with network share folders restricted per user per department, and we have one public folder for everyone to use, but only internally, not accessible from outside. We're using pfSense as a firewall running in load balance, and both WAN interfaces are set to route DNS traffic to OpenDNS.
The canary token is located on the public folder for AD users only; local access, not shared on internet, no VPN setup.
I'm not sure how this got triggered, but somehow something did a DNS lookup on the host name of that token. This will be because that host name leaked out in some way, like maybe through your browser or the my server. Not actually sure. But it's nothing to worry about. I have seen this before with the odd token out of 1000s.
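The point behind the reply above is that a DNS-channel token fires whenever anything resolves the token's unique host name, and the token service only ever sees the address of the last hop (here the OpenDNS forwarder pfSense sends queries to), not the internal machine that started the lookup. The internal resolver's query log is what ties the alert back to a host. The script below is an added example, not part of this thread or of the Canary Token service; it scans constructed BIND-style query log lines for lookups of assumed token host names (the canary.example.net names are placeholders for your own tokens) and groups the hits by internal client.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Host names whose resolution means a token fired. These values are constructed
# placeholders for this example; substitute the host names of your own tokens.
CANARY_HOSTNAMES = {
    "a1b2c3d4e5f6.canary.example.net",
    "f6e5d4c3b2a1.canary.example.net",
}

# BIND "querylog" style line: timestamp, client IP#port, (qname), "query: qname IN type ...".
# Newer BIND versions insert a "@0x..." client pointer before the IP; it is optional here.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[\d.:a-fA-F]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)


@dataclass(frozen=True)
class CanaryHit:
    timestamp: datetime
    client: str   # internal host that asked the resolver
    qname: str
    qtype: str


def parse_line(line):
    """Return (timestamp, client, qname, qtype) for a query-log line, or None if it is not one."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
    qname = m["qname"].rstrip(".").lower()
    return ts, m["client"], qname, m["qtype"]


def find_canary_hits(lines, canary_hostnames=CANARY_HOSTNAMES):
    """Return every lookup of a token host name (or of a label beneath it) as a CanaryHit."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, qname, qtype = parsed
        # Exact match or a subdomain of the token; the "." boundary stops
        # unrelated names that merely end in the same suffix from matching.
        if any(qname == h or qname.endswith("." + h) for h in canary_hostnames):
            hits.append(CanaryHit(ts, client, qname, qtype))
    return hits


def hits_by_client(hits):
    """Group hits by internal client so the alert can be attributed to a machine."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h.client, []).append(h)
    return grouped


# Constructed sample log lines (not real resolver output): one ordinary query,
# three token lookups from two internal hosts, one near-miss name, one junk line.
SAMPLE_LOG = [
    "12-Mar-2024 09:14:02.113 client 10.0.5.23#51234 (intranet.example.local): query: intranet.example.local IN A + (10.0.0.53)",
    "12-Mar-2024 09:14:05.447 client 10.0.5.23#51240 (a1b2c3d4e5f6.canary.example.net): query: a1b2c3d4e5f6.canary.example.net IN A + (10.0.0.53)",
    "12-Mar-2024 09:14:05.512 client 10.0.5.23#51241 (a1b2c3d4e5f6.canary.example.net): query: a1b2c3d4e5f6.canary.example.net IN AAAA + (10.0.0.53)",
    "12-Mar-2024 09:20:41.009 client @0x7f3a2c01b2d0 10.0.7.41#40022 (xyz.f6e5d4c3b2a1.canary.example.net): query: xyz.f6e5d4c3b2a1.canary.example.net IN A + (10.0.0.53)",
    "12-Mar-2024 09:21:00.000 client 10.0.9.8#53000 (nota1b2c3d4e5f6.canary.example.net): query: nota1b2c3d4e5f6.canary.example.net IN A + (10.0.0.53)",
    "this line is not a query log entry",
]

if __name__ == "__main__":
    for client, client_hits in hits_by_client(find_canary_hits(SAMPLE_LOG)).items():
        print(f"{client}: {len(client_hits)} token lookup(s)")
        for h in client_hits:
            print(f"  {h.timestamp:%Y-%m-%d %H:%M:%S}  {h.qtype:<5} {h.qname}")
```

Run against the resolver that pfSense forwards to (or pfSense's own Unbound log if it keeps query logging on) around the time of the alert; the client column is the machine that did the lookup, which is the answer to "who touched the token" that the token service's own alert cannot give you.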
This morning, I had a Password file canary drop triggered by IP address 220.127.116.11 in my Microsoft OneDrive folder on a government drive. The WHOIS look-up resulted in the following info:
Source: whois.arin.net
IP Address: 18.104.22.168
Name: UU-65-208-151-112-D1
Handle: NET-65-208-151-112-1
Registration Date: 7/30/08
Range: 22.214.171.124-126.96.36.199
Customer: Kintiskton LLC
Customer Handle: C02002451
Address: PO BOX 7360
City: MOUNTAIN VIEW
State/Province: CA
Postal Code: 94037-7360
Country: UNITED STATES
I googled Kintiskton LLC, and it seems this company had a number of IP addresses in the same range perform bot scans of another guy’s photos a while back. He tries to track them down on this blog post:
I put a 2nd drop in the folder and will monitor to see if it gets scanned.
I didn't know bot scans could trigger the token. I was thinking the file needed to be opened.