So, where are Esthosts/Estdomains now that Intercage/Atrivo are in such trouble?

Let's take a look-see at where Intercage/Atrivo's most infamous client, esthosts/estdomains, are situated - using Domaintools, cidr-report.org and bfk-de, and a smattering of Sam Spade 1.14.  I'm not using Robtex that much because I get the sense that, sometimes, its data is behind the times and it should be noted that by the time this article goes live, things may have changed again.  I think the hardest part of writing about this stuff is not doing the research per se, but rather, trying to distill the information down into a format that is half-way possible to understand.

In summary, what do we see?  Well, it looks like Esthosts/Estdomains have come to rest in Russia and Amsterdam.  I also note that their infamous ex-host Intercage (who are, apparently, still off the air) continue to have some involvement with Esthost/Estdomains via protectdetails.com (protectdetails.com is the WHOIS privacy service Estdomains created to replace Directi's PrivacyProtect service) and Cernel. I was also interested to note that Domaintools reports that the SSL Certificate for protectdetails.com and cernel.org are both "billing.esthost.com" (btw, note that the correct spelling is CERNEL, not CERNAL - even hostexploit.com got the spelling wrong in places in its PDF report...)

I don't expect things to settle down any time soon.  Those behind malware, and malware hosting, are being watched like a hawk.  For example, reports about Intercage, who (as I noted on the 25th) were knocked offline again over the past 24 hours or so, include:

UnitedLayer COO: Giving access to InterCage is an issue of ethics (an interview with Intercage/Atrivo's latest peer explaining why they were willing to take Intercage/Atrivo on)
Yes, Atrivo/Intercage is Offline Again...
Notorious ISP Intercage goes dark again (notes that "Kacperski is evaluating whether his company [Atrivo/Intercage] can continue as a business")
Net pariah Intercage back among the dead - No more Global Crossing 
Intercage, gone with the wind again

The nitty gritty details of Esthosts/Estdomains are...

estdomains.com  A   83.171.76.98 - ZAO Petersburg Transit Telecom (PTT), Russia (AS31353)  *A*
estdomains.com  A   94.102.49.3 - Ecatel LTD, Amsterdam (AS29073) *B*
estdomains.com  NS  ans1.esthost.com
estdomains.com  NS  ans2.esthost.com
estdomains.com  NS  temp1.estdomains.com
estdomains.com  NS  ns1.estdomains.com
estdomains.com  NS  temp2.estdomains.com
estdomains.com  NS  ns2.estdomains.com
estdomains.com  NS  a.estdomains.com
estdomains.com  NS  b.estdomains.com

esthost.com  A  94.102.49.3 - Ecatel LTD, Amsterdam (AS29073) *C*
esthost.com  NS  ens1.esthost.com
esthost.com  NS  ans2.esthost.com
esthost.com  NS  ans3.esthost.com
esthost.com  NS  ans4.esthost.com

*A*
83.171.76.98 A  ns2.protectdetails.com - ZAO Petersburg Transit Telecom (PTT), Russia (AS31353)
83.171.76.86 A  estdomains.com
83.171.76.86 A  b.estdomains.com

*B* and *C*
94.102.49.3 A  estdomains.com - Ecatel LTD, Amsterdam (AS29073)
94.102.49.3 A  esthost.com

protectdetails.com  A  89.108.73.87 - Agava JSC, Russia (AS39561)  *D*
protectdetails.com  NS  ns1.protectdetails.com
protectdetails.com  NS  ns2.protectdetails.com

ns2.protectdetails.com - A: 69.50.176.229 - Intercage Inc, California (note: SSL Cert billing.esthost.com) (AS27595) *E*
ns2.protectdetails.com - A: 83.171.76.98 - ZAO Petersburg Transit Telecom (PTT), Russia (AS31353)

*E*
69.50.176.229 also hosts cernel.org, online-company.com, otegra.com, otegra.net

69.50.176.229 A ns2.protectdetails.com
69.50.176.229 A ns1.esthost.com
69.50.176.229 A ens1.esthost.com
69.50.176.229 A ns2.esthost.com
69.50.176.229 A ns2.cernel.net

WHOIS

protectdetails.com
69.50.180.157 (Domaintools) - Intercage Inc, California (AS27295)
Registrar: Estdomains, Inc
Created 11 June 2008
Registrant: Protect Details Inc, Domain Manager, privatecontact@protectdetails.com

cernel.net
216.255.190.85 (Domaintools) - Intercage Inc, California (AS27295)
Registrar: Estdomains, Inc
Created 28 November 2005
Registrant: Cernel Inc, Legal Department, support@cernel.net

cernel.org
69.50.176.229 (Domaintools) - Intercage Inc, California (AS27295)
Registrar: Estdomains, Inc
Created 28 November 2008
Registrant: Cernel Inc, Legal Department, support@cernel.net
Note: SSL Cert is noted as billing.esthost.com (Domaintools)

ZAO Petersburg Transit Telecom (PTT), Russia (AS31353)  *A*
Upstream ASN-SPBNIT OJSC North-West Telecom Autonomous System (AS8997)

ASN-SPBNIT OJSC North-West Telecom Autonomous System (AS8997)
Upstream ROSTELECOM-AS (AS12389), RTCOMM-AS (AS8342), TRANSTELECOM (AS20485), RETN-AS (AS9002)

Ecatel LTD, Amsterdam (AS29073)  *B* and *C*
Upstream OPEN-PEERING-AS (AS20562), OPENHOSTING (AS33970), TISCALI-BACKBONE (AS3257), HURRICANE (AS6939)

Agava JSC, Russia (AS39561)  *D*
Upstream Skymedia, Russia (AS39134)

Skymedia, Russia (AS39134)
Upstream Transtelecom, Russia (AS20485)

Transtelecom, Russia (AS20485)
Upstream Tiscali-Backbone (AS3257), IS (AS3741), Rostelecom-AS (AS12389), Telianet (AS1299), CW Cable and Wireless (AS1273), NTT-Communications-2914 (AS2914), RETN-AS (AS9002), BTN-ASN (AS3491)

Intercage Inc, California (note: SSL Cert billing.esthost.com) (AS27595)  *E*
No upstream provider
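As an added illustration, and not something from the original post or the author's own tooling, here is a small Python script that takes the A-record, IP-to-ASN and "Upstream" data transcribed from the tables above and does by code what the tables do by hand: it finds the IPs that serve several names (the pivot points tying estdomains.com, esthost.com, protectdetails.com and cernel together), and it walks the upstream lists to work out which transit networks every one of those domains depends on, which is where an abuse report or takedown request would have to go. The hostnames, addresses and ASN attributions are copied from the post as it stood at publication (the Intercage ASN is taken as AS27595, as in the nameserver and upstream lines); the function names and the "common transit" idea are my own.

```python
"""Pivot on the DNS and ASN data from the post above.

Added example, not part of the original post. All records below are
transcribed from the post; nothing is looked up live.
"""
from collections import defaultdict, deque

# (ip, hostname) pairs transcribed from the post's A-record lists.
A_RECORDS = [
    ("83.171.76.98", "estdomains.com"),
    ("83.171.76.98", "ns2.protectdetails.com"),
    ("94.102.49.3", "estdomains.com"),
    ("94.102.49.3", "esthost.com"),
    ("89.108.73.87", "protectdetails.com"),
    ("69.50.176.229", "ns2.protectdetails.com"),
    ("69.50.176.229", "ns1.esthost.com"),
    ("69.50.176.229", "ens1.esthost.com"),
    ("69.50.176.229", "ns2.esthost.com"),
    ("69.50.176.229", "ns2.cernel.net"),
    ("69.50.176.229", "cernel.org"),
]

# IP -> originating ASN, as attributed in the post.
IP_TO_ASN = {
    "83.171.76.98": 31353,   # ZAO Petersburg Transit Telecom (PTT)
    "94.102.49.3": 29073,    # Ecatel LTD, Amsterdam
    "89.108.73.87": 39561,   # Agava JSC
    "69.50.176.229": 27595,  # Intercage Inc (no upstream at time of writing)
}

# ASN -> direct upstreams, from the post's "Upstream" lines.
UPSTREAMS = {
    31353: [8997],
    8997: [12389, 8342, 20485, 9002],
    29073: [20562, 33970, 3257, 6939],
    39561: [39134],
    39134: [20485],
    20485: [3257, 3741, 12389, 1299, 1273, 2914, 9002, 3491],
    27595: [],
}


def hosts_by_ip(records):
    """Group hostnames by the address they resolve to."""
    groups = defaultdict(set)
    for ip, host in records:
        groups[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


def shared_ips(records, min_hosts=2):
    """Addresses serving at least `min_hosts` names: the pivot points."""
    return {ip: hosts for ip, hosts in hosts_by_ip(records).items()
            if len(hosts) >= min_hosts}


def domain_of(host):
    """Registrable domain, approximated as the last two labels (fine for .com/.net/.org)."""
    return ".".join(host.split(".")[-2:])


def linked_domains(records):
    """Domains that share at least one address with another domain."""
    links = defaultdict(set)
    for hosts in hosts_by_ip(records).values():
        doms = {domain_of(h) for h in hosts}
        for d in doms:
            links[d] |= doms - {d}
    return {d: sorted(v) for d, v in links.items() if v}


def upstream_closure(asn, upstreams):
    """Every ASN that transitively provides transit for `asn` (BFS over the upstream map)."""
    seen, queue = set(), deque(upstreams.get(asn, []))
    while queue:
        u = queue.popleft()
        if u not in seen:
            seen.add(u)
            queue.extend(upstreams.get(u, []))
    return seen


def transit_for_host(host, records, ip_to_asn, upstreams):
    """Origin ASN(s) plus all transitive upstreams involved in reaching `host`."""
    asns = set()
    for ip, h in records:
        if h == host and ip in ip_to_asn:
            origin = ip_to_asn[ip]
            asns.add(origin)
            asns |= upstream_closure(origin, upstreams)
    return asns


def common_transit(hosts, records, ip_to_asn, upstreams):
    """ASNs that every one of `hosts` depends on: the shared choke points."""
    sets = [transit_for_host(h, records, ip_to_asn, upstreams) for h in hosts]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    for ip, hosts in shared_ips(A_RECORDS).items():
        print(ip, "->", ", ".join(hosts))
    print("linked:", linked_domains(A_RECORDS))
    trio = ["estdomains.com", "esthost.com", "protectdetails.com"]
    print("common transit for", trio, "->", common_transit(trio, A_RECORDS, IP_TO_ASN, UPSTREAMS))
```

Run as-is, the script shows that 69.50.176.229 is the single address behind six of the names, that every domain in the post is linked to every other through at least one shared address, and that once the upstream chains are followed the Russian (PTT and Agava) branches converge on Transtelecom AS20485 while Tiscali AS3257 is the only network present in all three hosting chains.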

Published Sat, Sep 27 2008 14:01 by sandi

Comments

# re: So, where are Esthosts/Estdomains now that Intercage/Atrivo are in such trouble?

Sunday, September 28, 2008 7:32 AM by Proud vigilante

You might want to keep an eye on vpn1.esthost.com ... their backdoor is still on isprime AS23393 > nlayer/pilosoft AS26627