Threat detection for o.ss2.us - looks like a possible false positive for SSL revocation checks

Hi

We have seen a few instances today of alerts on internal and customer machines for detection of a web threat from "o.ss2.us". From what I can see, this looks like some kind of SSL certificate revocation check process using the Online Certificate Status Protocol (OCSP).

This host name appears cited on page 60 of https://ssl-ccp.godaddy.com/repository/previous_doc_versions/StarfieldCertificatePolicyandCertificationPracticeStatement_v3.7.pdf relating to the certificate details for Starfield Root Certificate Authority - G2 root certification authority.

We have spent a fair amount of time earlier today looking into this without a lot of luck, trying to work out what it is. The whois info all looks very vague (all using GoDaddy protection services), and the root of the domain appears to have adverts selling it, but running a check on the details does show a MIME content type of application/ocsp-response when running the full URL from the Sophos Central threat center case through URLscan.io: https://urlscan.io/result/a7c9e203-459b-4246-9502-178f4245414d and https://urlscan.io/api/v1/result/a7c9e203-459b-4246-9502-178f4245414d/

My first thought, given the "buy this domain" type page on the root, was that it was a compromise or takeover following domain name non-renewal, but then I wouldn't expect a content type of ocsp-response back???

Any thoughts?

Chris
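As an added example (not code from the original post, and not a Sophos or GoDaddy tool), here is a small Python triage helper that checks a captured HTTP response the way the post reasons: a genuine OCSP responder answers with Content-Type application/ocsp-response and a DER-encoded OCSPResponse (RFC 6960), while the same host's root page may serve unrelated parking HTML. The sample responses below are constructed for the example, not captured from o.ss2.us.

```python
# Triage a raw HTTP response from a flagged host: is the body a genuine RFC 6960 OCSPResponse?

OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
ID_PKIX_OCSP_BASIC = "2b0601050507300101"  # DER of OID 1.3.6.1.5.5.7.48.1.1

def _tlv(buf, pos):  # read one DER tag-length-value; return (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_ocsp_response(der):  # return (responseStatus name, responseType OID hex or None)
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    tag, status, pos = _tlv(body, 0)
    if tag != 0x0A or len(status) != 1:
        raise ValueError("responseStatus must be a one-byte ENUMERATED")
    name = OCSP_STATUS.get(status[0], f"unknown({status[0]})")
    if pos >= len(body):                    # error statuses omit responseBytes
        return name, None
    _, rb, _ = _tlv(body, pos)              # [0] EXPLICIT ResponseBytes
    _, seq, _ = _tlv(rb, 0)                 # ResponseBytes ::= SEQUENCE { responseType, response }
    tag, oid, _ = _tlv(seq, 0)              # responseType OBJECT IDENTIFIER
    return name, oid.hex() if tag == 0x06 else None

def triage_http_response(raw):  # one-line verdict for a raw HTTP/1.1 response (bytes)
    head, _, body = raw.partition(b"\r\n\r\n")
    ctype = "missing"
    for line in head.split(b"\r\n")[1:]:    # skip the status line
        key, _, val = line.partition(b":")
        if key.strip().lower() == b"content-type":
            ctype = val.split(b";")[0].strip().lower().decode()
    if ctype != "application/ocsp-response":
        return f"not OCSP (Content-Type {ctype})"
    try:
        status, oid = parse_ocsp_response(body)
    except (ValueError, IndexError) as exc:  # IndexError covers truncated DER
        return f"claims OCSP but body is malformed: {exc}"
    basic = " (id-pkix-ocsp-basic)" if oid == ID_PKIX_OCSP_BASIC else ""
    return f"OCSP response, status={status}{basic}"

# Constructed samples (not captured from o.ss2.us): a successful response whose
# BasicOCSPResponse is a placeholder empty SEQUENCE, and a domain-parking page.
OCSP_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: application/ocsp-response\r\n\r\n"
           + bytes.fromhex("30160a0100a011300f06092b060105050730010104023000"))
PARKING = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Buy this domain</html>"
```

A real response would carry a signed BasicOCSPResponse in place of the placeholder; this helper only establishes that the body is structurally an OCSPResponse, which is enough to separate a revocation check from a parked or hijacked site.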
