Odd Kerberos Hosts After HD Wipe, and fresh OS re-install



  • After reformatting my hard disk and rebuilding/re-installing the latest macOS operating system, I found the following IP addresses after running Kerberos.internal.com:

    kerberos.internal.com has address 96.126.123.244

    kerberos.internal.com has address 45.33.2.79

    kerberos.internal.com has address 45.79.19.196

    kerberos.internal.com has address 45.56.79.23

    kerberos.internal.com has address 45.33.23.183

    kerberos.internal.com has address 198.58.118.167


    These IPs belong to a web hosting company called Linode LLC out of New Jersey. These IP addresses are also listed on the AbuseIPDB website with reports of XSS attacks and more. I just want a sanity check: after wiping my hard disk, re-installing my OS and immediately running this command, this is highly indicative of the presence of sophisticated malware, right?

    I want to add that this is a personal machine, not used for work, or associated with any dc.



  • internal.com is a domain name registered on the public Internet (to whom, we don't know, because the WHOIS is private). It is not, as you might have suspected, internal to your network or company, unless your company just so happens to have registered that domain name. It may be that your organization is using its own DNS server to serve internal domains as internal.com, but that's not a good idea and they should stop using other people's domains for that purpose.

    It appears that the owners of this domain have specified a wildcard record in their DNS, so all hostnames under internal.com resolve to the same IP addresses, whether that's www.internal.com, kerberos.internal.com, or unprintable.internal.com.

    As a result, this is not the Kerberos server you were intending to use; it's just some unrelated domain, and its configuration is not indicative of anything nefarious. I haven't tested, but I suspect it won't even respond to Kerberos packets at all.
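The wildcard behaviour described in the answer above can be confirmed by resolving random sibling names under the same parent domain and comparing the addresses with those of the original hostname. This is an added example, not part of the original thread; the function names, the `.example` names and the constructed sample resolver are assumptions for illustration.

```python
import secrets
import socket
import sys


def system_resolve(name):
    """Return the set of addresses the system resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()  # NXDOMAIN or lookup failure
    return {info[4][0] for info in infos}


def wildcard_check(hostname, resolve=system_resolve, probes=3):
    """Compare hostname's addresses with those of random sibling labels.

    Returns (is_wildcard, host_addrs, probe_addrs). Under a wildcard record,
    names nobody created still resolve, to the same pool of addresses.
    """
    _, _, parent = hostname.rstrip(".").partition(".")
    if not parent:
        raise ValueError("hostname needs a parent domain, e.g. host.example.com")
    host_addrs = resolve(hostname)
    probe_addrs, answered = set(), 0
    for _ in range(probes):
        # 16 random hex characters: a label no administrator would have defined
        addrs = resolve(f"{secrets.token_hex(8)}.{parent}")
        if addrs:
            answered += 1
            probe_addrs |= addrs
    # Round-robin DNS may return different subsets, so test for overlap
    is_wildcard = answered == probes and bool(host_addrs & probe_addrs)
    return is_wildcard, host_addrs, probe_addrs


def constructed_resolver(name):
    """Constructed sample zone: every name under wild.example resolves."""
    return {"192.0.2.10", "192.0.2.11"} if name.endswith(".wild.example") else set()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live lookup for the hostname given on the command line
        name, resolver = sys.argv[1], system_resolve
    else:  # offline demonstration against the constructed zone
        name, resolver = "kerberos.wild.example", constructed_resolver
    wildcard, host_addrs, probe_addrs = wildcard_check(name, resolver)
    print(f"{name}: {sorted(host_addrs)}")
    print(f"random siblings: {sorted(probe_addrs)}")
    print("wildcard record likely" if wildcard else "no wildcard behaviour seen")
```

A recursive resolver that rewrites NXDOMAIN answers into its own landing-page addresses makes every domain look wildcarded, so a positive result is worth repeating against a second resolver.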


