cname-trackers

Random popup domain with CNAME *.ahacdn.me

Open bigdargon opened this issue 3 years ago • 4 comments

Through recent monitoring, I discovered a random group of domains with CNAMEs from *.ahacdn.me. Should we block them?

Also, there are 2 domains, ntvpforever.com & cds.h5z9g8y6.hwcdn.net, that I'm tracking. It's also possible that these CNAMEs only contain ads/trackers.

bigdargon, Jun 06 '22 02:06

This seems a whole lot like #41, just not quite as advanced.

TPS, Jun 06 '22 02:06

Thanks for your attention! I was still manually tracking and blocking each domain in my project when it was discovered by our team.

bigdargon, Jun 06 '22 02:06

IIRC ahacdn.me can not generally be blocked due to breakage.

Yuki2718, Jun 18 '22 11:06

Most random domains with IP addresses 45.133.44.24 and 45.133.44.25 are popups (for subdomains of ahacdn.me).

bigdargon, Jun 24 '22 08:06
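The approach discussed in this thread, as an added example that is not part of the original issue or the project's tooling: group hostnames by the `*.ahacdn.me` CNAME they resolve through and emit per-hostname hosts entries under a `#[cname]` comment, never listing ahacdn.me itself because of the breakage noted above. The record layout, the `*.example` hostnames and the `cdn0000000N` labels are constructed, and using the two IP addresses from the last comment as an extra filter is an assumption.

```python
from collections import defaultdict

# Constructed resolver-log records: (queried name, CNAME chain, A records).
# All *.example hostnames and cdn0000000N labels are made up for this sketch.
SAMPLE_RECORDS = [
    ("aaaa1111.site-one.example", ["cdn00000001.ahacdn.me"], ["45.133.44.24"]),
    ("BBBB2222.site-two.example.",
     ["edge.site-two.example", "cdn00000001.ahacdn.me"], ["45.133.44.25"]),
    ("js.push-sdk.example", ["cdn00000002.ahacdn.me"], ["45.133.44.24"]),
    ("video.legit-site.example", ["cdn00000003.ahacdn.me"], ["203.0.113.10"]),
    ("www.unrelated.example", ["x.notahacdn.me"], ["45.133.44.24"]),
    ("cdn00000001.ahacdn.me", [], ["45.133.44.24"]),
]

CNAME_SUFFIX = "ahacdn.me"
POPUP_IPS = {"45.133.44.24", "45.133.44.25"}  # addresses named in the thread


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def under_suffix(name, suffix):
    """True for the suffix itself or any subdomain, not for look-alikes."""
    name = normalize(name)
    return name == suffix or name.endswith("." + suffix)


def group_by_cname(records, suffix=CNAME_SUFFIX, ips=POPUP_IPS):
    """Map each matching CNAME target to the set of names that resolve via it."""
    groups = defaultdict(set)
    for qname, chain, addrs in records:
        qname = normalize(qname)
        if under_suffix(qname, suffix):
            continue  # never list the CDN zone itself: blocking it breaks sites
        targets = [normalize(c) for c in chain if under_suffix(c, suffix)]
        if not targets or (ips and not ips.intersection(addrs)):
            continue  # no CNAME into the zone, or not on a reported address
        groups[targets[-1]].add(qname)
    return dict(groups)


def to_hosts(groups):
    """Render groups as hosts-file lines under a '#[cname]' comment header."""
    lines = []
    for cname in sorted(groups):
        lines.append(f"#[{cname}]")
        lines.extend(f"0.0.0.0 {host}" for host in sorted(groups[cname]))
    return "\n".join(lines)
```

Passing `ips=None` disables the address filter and groups every hostname that resolves through the zone, which is the broader set to review by hand before blocking.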