Sunday, July 28, 2013

Domain: Hizbullah.me

Domain Hizbullah.me is being used as of 28/07 in attacks.

      1 25-Jul-2013
      2 27-Jul-2013
  73586 28-Jul-2013

This domain has been actively used for ... some purpose:

http://webcache.googleusercontent.com/search?q=cache:nBmADhmYPbsJ:hizbullah.me/+&cd=1&hl=en&ct=clnk&gl=nl

Anyway: http://en.wikipedia.org/wiki/Hezbollah

Response:


244 A records in the 204.46.43.x range.

;; MSG SIZE  rcvd: 3973

I'm seeing queries for both IN A as well as IN ANY.

IPtables rule:


iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0948495a && 0x2c&0xDFDFDFDF=0x42554c4c && 0x30&0xDFDFFFDF=0x4148024d && 0x34&0xDFFFFFFF=0x450000FF" -j DROP -m comment --comment "DROP DNS Q ANY hizbullah.me"

Name server:


hizbullah.me. 1800 IN NS ns2.hizbullah.me.

ns2.hizbullah.me. 876 IN A 176.227.205.34

176.227.205.34 AS35662 Redstation Limited

Whois


Domain ID:D8379044-ME
Domain Name:HIZBULLAH.ME
Domain Create Date:28-May-2013 10:52:44 UTC
Domain Last Updated Date:27-Jul-2013 20:50:07 UTC
Domain Expiration Date:28-May-2014 10:52:44 UTC
Last Transferred Date:
Sponsoring Registrar:1API GmbH R17-ME
Created by:1API GmbH R17-ME
Last Updated by Registrar:Afilias R54-ME
Domain Status:CLIENT TRANSFER PROHIBITED
Registrant ID:KMP15502545-REAZ
Registrant Name:Kimberley Mently
Registrant Organization:Private Person
Registrant Address:102 po box
Registrant Address2:
Registrant Address3:
Registrant City:chicago
Registrant State/Province:VA
Registrant Country/Economy:US
Registrant Postal Code:43212
Registrant Phone:+1.2837732283
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant E-mail:
Admin ID:KMP15502545-REAZ
Admin Name:Kimberley Mently
Admin Organization:Private Person
Admin Address:102 po box
Admin Address2:
Admin Address3:
Admin City:chicago
Admin State/Province:VA
Admin Country/Economy:US
Admin Postal Code:43212
Admin Phone:+1.2837732283
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin E-mail:
Tech ID:KMP15502545-REAZ
Tech Name:Kimberley Mently
Tech Organization:Private Person
Tech Address:102 po box
Tech Address2:
Tech Address3:
Tech City:chicago
Tech State/Province:VA
Tech Country/Economy:US
Tech Postal Code:43212
Tech Phone:+1.2837732283
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech E-mail:
Nameservers:NS1.HIZBULLAH.ME
Nameservers:NS2.HIZBULLAH.ME

Attacked IPs:



Saturday, July 27, 2013

Domain: lineage2-game.ru

Received a tip that this domain was used for attacks. I myself have only seen scanning for this domain.

LineAge2-Game.ru

Response:

A records in the 204.46.43.x range.
Response size: 3989

Source:

I have seen scanning for this domain name from the following IPs:

93.174.93.178 AS29073 Ecatel Network
94.102.56.235 AS29073 Ecatel Network 

These IPs have previously been observed scanning for domains such as:

ripe.net
sema.cz (Blog)
*.DirectedAt.Asia
TheSwat.net (Blog)
1rip.com (Blog)

Name servers:

At the time when I received the tip it was:

lineage2-game.ru IN NS ns1.reg.ru
lineage2-game.ru IN NS ns2.reg.ru

Now this has changed to:

lineage2-game.ru. 86368 IN NS ns1.timeweb.ru.
lineage2-game.ru. 86368 IN NS ns2.timeweb.ru.

;; ADDITIONAL SECTION:
ns1.timeweb.ru. 86368 IN A 92.53.116.200
ns2.timeweb.ru. 86368 IN A 92.53.98.100

Strange:

dig any lineage2-game.ru @8.8.8.8

; <<>> DiG 9.9.2-P2 <<>> any lineage2-game.ru @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64227
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL:


I thought this was odd, as I receive SERVFAIL when I try to dig for the domain now. But when trying @ns1.reg.ru I receive a 238-line response!!


dig any lineage2-game.ru @ns1.reg.ru
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.9.2-P2 <<>> any lineage2-game.ru @ns1.reg.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60090


So either the people behind this domain are hiding by temporarily changing NS, or they are in the process of migrating to a different registrar.


Whois:

domain:        LINEAGE2-GAME.RU
nserver:       ns1.timeweb.ru.
nserver:       ns2.timeweb.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created:       2012.11.29
paid-till:     2013.11.29
free-date:     2013.12.30
source:        TCI


Registrar:


A bunch of Zeus domains have been registered there:


Though this is probably due to its size.

Targets:

I have no information on attacked targets.

Conclusion:

When searching for this domain on Google it is obvious that this domain up until recently was used for hosting some PVP / RPG game. 

At this moment the domain will return a large response when the right NS is asked. Not sure why the NS was changed, perhaps to hide.



Domain: txt.pwserver.com.ua.

Observing scanning for this domain with a TXT request.

txt.pwserver.com.ua.

Response:


Name servers:

txt.pwserver.com.ua. 3600 IN NS ns1.ua-dc.net. - 91.212.124.5
txt.pwserver.com.ua. 3600 IN NS ns2.ua-dc.net. - 91.214.69.18

Any pwserver.com.ua:
pwserver.com.ua. 2600 IN SOA ns1.ua-dc.net. root.ua-dc.net. 2013052605 28800 7200 1209600 2600
pwserver.com.ua. 2600 IN NS ns1.ua-dc.net.
pwserver.com.ua. 2600 IN NS ns2.ua-dc.net.
pwserver.com.ua. 2600 IN A 91.212.124.2
pwserver.com.ua. 2600 IN MX 10 mail.pwserver.com.ua.


Reverse DNS value:

  2.124.212.91.in-addr.arpa. 86400 IN PTR hosting.ua-dc.net.
83.124.212.91.in-addr.arpa. 86400 IN PTR mailplanet.ws.

So the scan is originating from the same subnet as the domain requested. 
The A record of this domain seems to go to a legit gaming site... Hijacked DNS admin page?

scan source:

26-Jul-2013 04:25: client 91.212.124.83#5709: query: www.ru IN A +
26-Jul-2013 04:25: client 91.212.124.83#60400: query: txt.pwserver.com.ua IN TXT +
26-Jul-2013 04:25: client 91.212.124.83#52350: query: txt.pwserver.com.ua IN TXT +T


It seems that this scan will first attempt a www.ru query to see if a DNS server responds. If this is the case it will do two txt.pwserver.com.ua queries.
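Added example, not from the original post: detection logic for the probe-then-payload pattern in the log lines above, grouping each client's queries into short sessions and flagging sessions that open with one name and then repeat a different one. The function names, the one-minute session gap and the 192.0.2.x log lines are assumptions made for the example; in BIND query logs the `+` flag means recursion was requested and `T` means the query arrived over TCP.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Query-log line format as shown in the post (date, minute, client, question, flags).
LINE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}): client (?P<ip>[0-9.]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+) (?P<flags>[+-][A-Z]*)$")

# The first three lines are the ones from the post; the 192.0.2.x lines are
# constructed examples of traffic that should not be flagged.
SAMPLE_LOG = """\
26-Jul-2013 04:25: client 91.212.124.83#5709: query: www.ru IN A +
26-Jul-2013 04:25: client 91.212.124.83#60400: query: txt.pwserver.com.ua IN TXT +
26-Jul-2013 04:25: client 91.212.124.83#52350: query: txt.pwserver.com.ua IN TXT +T
26-Jul-2013 04:25: client 192.0.2.10#40111: query: example.org IN A +
26-Jul-2013 04:26: client 192.0.2.10#40112: query: example.org IN AAAA +
26-Jul-2013 04:26: client 192.0.2.77#33001: query: www.ru IN A +
""".splitlines()


def parse(lines):
    """Yield one dict per log line that matches the query-log format."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            q = m.groupdict()
            q["time"] = datetime.strptime(q["ts"], "%d-%b-%Y %H:%M")
            q["name"] = q["name"].rstrip(".").lower()
            yield q


def sessions(lines, gap=timedelta(minutes=1)):
    """Group each client's queries into runs separated by more than `gap`."""
    by_client = defaultdict(list)
    for q in parse(lines):
        by_client[q["ip"]].append(q)
    for ip, qs in by_client.items():
        qs.sort(key=lambda q: q["time"])   # stable: keeps log order within a minute
        current = [qs[0]]
        for q in qs[1:]:
            if q["time"] - current[-1]["time"] > gap:
                yield ip, current
                current = [q]
            else:
                current.append(q)
        yield ip, current


def find_probe_scans(lines, min_payload_queries=2):
    """Flag sessions that start with a liveness probe for one name and then
    send repeated queries for a single, different name."""
    hits = []
    for ip, qs in sessions(lines):
        probe = qs[0]
        payload = [q for q in qs[1:] if q["name"] != probe["name"]]
        if len(payload) >= min_payload_queries and len({q["name"] for q in payload}) == 1:
            hits.append({
                "client": ip,
                "first_seen": probe["ts"],
                "probe": probe["name"],
                "payload": payload[0]["name"],
                "payload_qtypes": sorted({q["qtype"] for q in payload}),
                "tcp_retry": any("T" in q["flags"] for q in payload),
            })
    return hits


if __name__ == "__main__":
    for hit in find_probe_scans(SAMPLE_LOG):
        print(hit)
```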

Conclusion

I think this is a hijacked domain as it has a legit domain associated with it. 
Still odd the scan comes from the same subnet though.

Update 2013-08-06:

Domain does not seem to respond to any queries at the moment.

Recent activity:

Amount  Date
     2  26-Jul-2013
   219  30-Jul-2013
     1  31-Jul-2013
    19  01-Aug-2013
    29  02-Aug-2013
   272  03-Aug-2013
   363  04-Aug-2013
  1154  05-Aug-2013

Attacked hosts:



Saturday, July 20, 2013

Domain: DisposableEmailCheck.com

Domain requested from an IP that previously requested 1Rip.com.

Requested A records that seem to point at something valid.
Have not checked the site itself yet.

http://urlquery.net/report.php?id=3880013


Dig output:

disposableemailcheck.com. 300 IN MX 15 eforward4.registrar-servers.com.
disposableemailcheck.com. 21600 IN SOA lady.ns.cloudflare.com. dns.cloudflare.com. 2013072006 10000 2400 604800 3600
disposableemailcheck.com. 21600 IN NS lady.ns.cloudflare.com.
disposableemailcheck.com. 300 IN MX 10 eforward1.registrar-servers.com.
disposableemailcheck.com. 300 IN TXT "v=spf1 include:spf.efwd.registrar-servers.com ~all"
disposableemailcheck.com. 300 IN MX 10 eforward3.registrar-servers.com.
disposableemailcheck.com. 21600 IN NS phil.ns.cloudflare.com.
disposableemailcheck.com. 300 IN MX 20 eforward5.registrar-servers.com.
disposableemailcheck.com. 300 IN MX 10 eforward2.registrar-servers.com.
disposableemailcheck.com. 300 IN A 141.101.116.121
disposableemailcheck.com. 300 IN A 141.101.117.121

Name servers:

disposableemailcheck.com. 21600 IN NS phil.ns.cloudflare.com.
disposableemailcheck.com. 21600 IN NS lady.ns.cloudflare.com.

Source:

89.248.162.212 Netherlands  AS29073 Ecatel Network

Whois:

Registration Service Provided By: Namecheap.com
Contact: 
Visit: http://namecheap.com
Registered through: eNom, Inc.

Domain name: disposableemailcheck.com

Registrant Contact:
   WhoisGuard, Inc.
   WhoisGuard Protected ()
   
   Fax: 
   P.O. Box 0823-03411
   Panama, Panama NA
   PA

Administrative Contact:
   WhoisGuard, Inc.
   WhoisGuard Protected ()
   +507.8365503
   Fax: +51.17057182
   P.O. Box 0823-03411
   Panama, Panama NA
   PA

Technical Contact:
   WhoisGuard, Inc.
   WhoisGuard Protected ()
   +507.8365503
   Fax: +51.17057182
   P.O. Box 0823-03411
   Panama, Panama NA
   PA

Status: Locked

Name Servers:
   lady.ns.cloudflare.com
   phil.ns.cloudflare.com
   
Creation date: 18 Oct 2012 09:18:00
Expiration date: 18 Oct 2013 01:18:00




Friday, July 19, 2013

Domain: theswat.net

TheSwat.Net seen requested for the first time.

Domain registered at Gandi.net

"query: theswat.net IN A +E"

Returns:

The query returns about 242 A records in the 204.46.43.x range.

Name servers:

Name servers same as DirectedAt.Asia

ns2.theswat.net. 84052 IN A 74.91.18.226
ns1.theswat.net. 84052 IN A 74.91.18.226


Whois

domain: theswat.net
reg_created: 2013-01-18 15:32:20
expires: 2014-01-18 15:32:20
created: 2013-01-18 16:32:21
changed: 2013-07-05 04:59:43
transfer-prohibited: yes
ns0: ns1.theswat.net 74.91.18.226
owner-c:
  nic-hdl: JK2889-GANDI
  owner-name: Julius Kivimäki
  organisation: ~
  person: Julius Kivimäki
  address: Urho Kekkosen katu 1
  zipcode: 00100
  city: Helsinki
  country: Canada
  phone: +358.207710710
  fax: ~
  email: 
  lastupdated: 2013-02-16 11:32:57
admin-c:
  nic-hdl: JK2889-GANDI
  owner-name: Julius Kivimäki
  organisation: ~
  person: Julius Kivimäki
  address: Urho Kekkosen katu 1
  zipcode: 00100
  city: Helsinki
  country: Canada
  phone: +358.207710710
  fax: ~
  email: 
  lastupdated: 2013-02-16 11:32:57
tech-c:
  nic-hdl: JK2889-GANDI
  owner-name: Julius Kivimäki
  organisation: ~
  person: Julius Kivimäki
  address: Urho Kekkosen katu 1
  zipcode: 00100
  city: Helsinki
  country: Canada
  phone: +358.207710710
  fax: ~
  email: 
  lastupdated: 2013-02-16 11:32:57
bill-c:
  nic-hdl: JK2889-GANDI
  owner-name: Julius Kivimäki
  organisation: ~
  person: Julius Kivimäki
  address: Urho Kekkosen katu 1
  zipcode: 00100
  city: Helsinki
  country: Canada
  phone: +358.207710710
  fax: ~
  email: 
  lastupdated: 2013-02-16 11:32:57


Source:

Domain was requested from IP: 

93.174.93.175 AS29073 Ecatel Network 

I've previously seen this IP request 1rip.com 4 times throughout July as well as Ddos.cat.


Wednesday, July 17, 2013

Domain: Ddos.Cat

New domain: DDOS.Cat. 

Domain was used in a botnet before; see the following article:



query: ddos.cat IN A +E

Attackers:
94.102.51.226
93.174.93.175
80.82.64.217
89.248.172.6

Name servers: 

ns1.ddos.cat.           17840   IN      A       74.91.18.226
ns2.ddos.cat.           17840   IN      A       74.91.18.226

Name server IPs match the DirectedAt.Asia ones and a few others. Check the label: 'domains'

Whois:

Domain ID: REG-D973669
Domain Name: ddos.cat
Domain Name ACE: ddos.cat
Domain Language: ca
Registrar ID: R-2027 (GANDI SAS)
Created On: 2012-02-08 01:38:28 GMT
Last Updated On: 2013-07-13 14:42:53 GMT
Expiration Date: 2014-02-08 01:38:28 GMT
Maintainer: http://www.ovh.com
Status: clientTransferProhibited
Registrant ID: ovh50d9de63pi1u
Registrant Name: Max Maton
Registrant Organization: 
Registrant Street: 10 Staleys Acre
Registrant Street: Borough Green
Registrant Street: Sevenoaks, Kent
Registrant City: Sevenoaks
Registrant State/Province: 
Registrant Postal Code: TN15 8GT
Registrant Country: GB
Registrant Phone: +44.7403070068
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: 
Admin ID: K2889-GANDI-MIUB
Admin Name: Julius Kivimaki
Admin Organization: 
Admin Street: Urho Kekkosen katu 1
Admin City: Helsinki
Admin State/Province: 
Admin Postal Code: 00100
Admin Country: CA
Admin Phone: +358.207710710
Admin Phone Ext: 
Admin Fax: 
Admin Fax Ext: 
Admin Email: 
Tech ID: K2889-GANDI-MIUB
Tech Name: Julius Kivimaki
Tech Organization: 
Tech Street: Urho Kekkosen katu 1
Tech City: Helsinki
Tech State/Province: 
Tech Postal Code: 00100
Tech Country: CA
Tech Phone: +358.207710710
Tech Phone Ext: 
Tech Fax: 
Tech Fax Ext: 
Tech Email: 
Billing ID: K2889-GANDI-MIUB
Billing Name: Julius Kivimaki
Billing Organization: 
Billing Street: Urho Kekkosen katu 1
Billing City: Helsinki
Billing State/Province: 
Billing Postal Code: 00100
Billing Country: CA
Billing Phone: +358.207710710
Billing Phone Ext: 
Billing Fax: 
Billing Fax Ext: 
Billing Email: 
Name Server: ns1.ddos.cat 74.91.18.226
Name Server ACE: ns1.ddos.cat 74.91.18.226
Name Server: ns2.ddos.cat 74.91.18.226
Name Server ACE: ns2.ddos.cat 74.91.18.226


Couple of entries:



Date Time SourceIP SPort TTL: Country: ISP: Payload: Domain: Type:
20130713 05:19:00 PM 89.248.172.6 38777 59 'NL' 'AS29073 Ecatel Network' 65535 ddos.cat A
20130713 05:19:00 PM 80.82.64.217 60885 59 'NL' 'AS29073 Ecatel Network' 65535 ddos.cat A
20130713 05:19:00 PM 93.174.93.175 55715 59 'NL' 'AS29073 Ecatel Network' 65535 ddos.cat A
20130713 06:01:00 PM 94.102.51.226 42093 59 'NL' 'AS29073 Ecatel Network' 65535 ddos.cat A
20130713 06:10:00 PM 94.102.51.14 57450 59 'NL' 'AS29073 Ecatel Network' 65535 ddos.cat A
20130717 02:17:00 PM 89.248.174.117 53111 59 'NL' 'AS29073 Ecatel Network' 65535 ddos.cat ANY



Attacks


Attacks with this domain have started:


    361  15-Jul-2013
 143490  16-Jul-2013
 385882  17-Jul-2013
  37263  18-Jul-2013


Attacked IPs:




Sunday, July 14, 2013

Domain: ScannerDNS.tk


ScannerDns.tk sounds legit!

Name servers:

scannerdns.tk.          86377   IN      NS      ns1.scannerdns.tk.
scannerdns.tk.          86377   IN      NS      ns2.scannerdns.tk.

;; ADDITIONAL SECTION:
ns2.scannerdns.tk.      86377   IN      A       174.140.167.98
ns1.scannerdns.tk.      86377   IN      A       174.140.167.98

Name server hosted at:  United States Portland Directspace Networks Llc.


Scan source:

80.82.70.167 - Ecatel (obviously)

I have seen this IP also request d.directedat.asia.



Thursday, July 11, 2013

Domain: sema.cz

Observed this domain 2013-07-11 around 20:00 for the first time.

Source of the request was: 199.180.119.18

I have observed this IP request . (root) at the start of June.

The source is located in the United States and part of the VolumeDrive ISP (AS46664). This ISP also seems to host a decent amount of scanners just like 'AS29073 Ecatel Network' (my post on them).

Host records:
    1 A
    4 NS
    1 SOA
    1 NSEC
    2 DNSKEY
    6 RRSIG

Response size: 4667

Amplification with this domain would be possible using an ANY or RRSIG query. RRSIG would generate a 3342 response.

Iptables rule:


iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0453454d && 0x2c&0xDFFFDFDF=0x4102435a && 0x30&0xFFFFFFDF=0x0000ff00" -j DROP -m comment --comment "DROP DNS Q ANY sema.cz"
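How the u32 expressions in this rule and in the hizbullah.me rule earlier on the page are put together, as an added example (not code from the original post): each term compares four bytes of the DNS question at a fixed offset from the IP header, masking bit 0x20 on letters so the match ignores case. The function names are hypothetical, the offset 0x28 assumes an IPv4 header without options as the page's rules do, and for names that do not fill whole words the last term is an overlapping word ending at QTYPE, so it differs from the third term of the sema.cz rule above.

```python
import struct

# Offset of the DNS question from the start of the IP header, as in the rules
# above: 20-byte IPv4 header (assumes no IP options) + 8 UDP + 12 DNS header.
QNAME_OFFSET = 0x28
QTYPES = {"A": 1, "TXT": 16, "RRSIG": 46, "ANY": 255}


def encode_question(domain, qtype):
    """Return (value_bytes, mask_bytes) for QNAME + QTYPE in DNS wire format."""
    value, mask = bytearray(), bytearray()
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii").upper()
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        value.append(len(raw))
        mask.append(0xFF)                      # length byte must match exactly
        for b in raw:
            value.append(b)
            # Clearing bit 0x20 makes a letter match in upper or lower case.
            mask.append(0xDF if 0x41 <= b <= 0x5A else 0xFF)
    value.append(0)                            # root label ends the name
    mask.append(0xFF)
    value += struct.pack("!H", QTYPES[qtype])
    mask += b"\xff\xff"
    return bytes(value), bytes(mask)


def u32_terms(domain, qtype="ANY"):
    """List of (offset, mask, value) words covering QNAME + QTYPE."""
    value, mask = encode_question(domain, qtype)
    starts = list(range(0, len(value) - 3, 4))
    if len(value) % 4:
        # Overlap the previous word instead of reading past QTYPE, so the
        # term never depends on bytes that may follow the question.
        starts.append(len(value) - 4)
    return [(QNAME_OFFSET + s,
             int.from_bytes(mask[s:s + 4], "big"),
             int.from_bytes(value[s:s + 4], "big")) for s in starts]


def u32_rule(domain, qtype="ANY"):
    """Render the terms as an iptables command in the page's layout."""
    expr = " && ".join("0x%x&0x%08X=0x%08x" % t for t in u32_terms(domain, qtype))
    return ('iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "%s" '
            '-j DROP -m comment --comment "DROP DNS Q %s %s"' % (expr, qtype, domain))


def u32_match(terms, ip_packet):
    """Evaluate the terms against raw packet bytes the way the u32 match does:
    every 4-byte word must be in bounds and equal the value after masking."""
    for offset, mask, value in terms:
        if offset + 4 > len(ip_packet):
            return False
        if (int.from_bytes(ip_packet[offset:offset + 4], "big") & mask) != value:
            return False
    return True


def sample_query(qname, qtype):
    """Constructed IPv4/UDP/DNS query (checksums left at zero; only the byte
    offsets matter here). Addresses are from the documentation range."""
    question = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                        for lab in qname.split(".")) + b"\x00"
    question += struct.pack("!HH", QTYPES[qtype], 1)           # QTYPE, class IN
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    return ip + udp


if __name__ == "__main__":
    print(u32_rule("hizbullah.me", "ANY"))
    print(u32_rule("sema.cz", "RRSIG"))
```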

Whois:


domain:       sema.cz
registrant:   HEJLIK
admin-c:      HEJLIK
nsset:        NSS:GRANSY:3
keyset:       KEYSET
registrar:    REG-GRANSY
status:       paid and in zone
registered:   09.01.2000 16:21:00
changed:      19.12.2012 08:54:04
expire:       09.01.2014

contact:      HEJLIK
name:         Jindřich Hejlík
registrar:    REG-MOJEID
created:      27.10.2010 10:49:40
changed:      21.01.2013 17:55:33

nsset:        NSS:GRANSY:3
nserver:      ns.gransy.com
nserver:      ns2.gransy.com
nserver:      ns3.gransy.com
nserver:      ns4.gransy.com
nserver:      ns5.gransy.com
tech-c:       GRANSY
registrar:    REG-GRANSY
created:      01.10.2007 02:00:00
changed:      16.08.2010 00:39:13

contact:      GRANSY
org:          Gransy s.r.o.
name:         Jan Horák
address:      Bořivojova 878/35
address:      Praha 3
address:      130 00
address:      CZ
phone:        +420.732954549
fax-no:       +420.226517341
e-mail:       
registrar:    REG-MOJEID
created:      23.08.2004 17:35:00
changed:      20.04.2011 14:22:45

keyset:       KEYSET
dnskey:       257 3 7
tech-c:       GRANSY
registrar:    REG-GRANSY
created:      20.10.2010 18:09:11
changed:      25.10.2010 00:49:05


Name servers:


AS35592 COOLHOUSING Autonomous System
  ns2.gransy.com.  89.187.132.100  
AS15685 Casablanca INT Autonomous system
  ns3.gransy.com.  77.78.126.35
  ns.gransy.com.   77.78.104.149
AS8972 intergenia AG
  ns4.gransy.com.  85.25.73.97
AS29278 Deninet KFT
  ns5.gransy.com.  79.172.193.112 

*Name servers have a very low TTL of 180.


Full DNS Response:


;; ANSWER SECTION:
sema.cz. 848 IN NS ns5.gransy.com.

sema.cz. 848 IN NS ns2.gransy.com.

sema.cz. 848 IN NSEC *.sema.cz. A NS SOA RRSIG NSEC DNSKEY

sema.cz. 848 IN A 31.31.74.149

sema.cz. 848 IN NS ns.gransy.com.

sema.cz. 848 IN NS ns3.gransy.com.

sema.cz. 848 IN NS ns4.gransy.com.

sema.cz. 848 IN SOA ns.gransy.com. root.gransy.com. 2013061984 86400 900 1209600 1800


Attacks:

Seen used at least once against Akamai. Small attack. Test?

Date:
3636   18-Jul-2013

Targets:
3636   69.31.20.84

Info:
69.31.20.84 AS35994 Akamai Technologies, Inc.


Recent activity:

15-Jul-2013  62
18-Jul-2013  3636
21-Jul-2013  12946
29-Jul-2013  333
02-Aug-2013  64
03-Aug-2013  113
04-Aug-2013  172
05-Aug-2013  2880
06-Aug-2013  447

     50 178.33.170.51
     50 178.33.170.47
     50 178.33.170.4
     50 178.33.170.38
     50 178.33.170.32
     50 178.33.170.31
     50 178.33.170.3
     50 178.33.170.254
     50 178.33.170.245
     50 178.33.170.244
     50 178.33.170.236
     50 178.33.170.207
     50 178.33.170.20
     50 178.33.170.198
     50 178.33.170.192
     50 178.33.170.19
     50 178.33.170.188
     50 178.33.170.183
     50 178.33.170.182
     50 178.33.170.181
     50 178.33.170.176
     50 178.33.170.175
     50 178.33.170.17
     50 178.33.170.168
     50 178.33.170.164
     50 178.33.170.159
     50 178.33.170.156
     50 178.33.170.148
     50 178.33.170.142
     50 178.33.170.140
     50 178.33.170.137
     50 178.33.170.135
     50 178.33.170.129
     50 178.33.170.120
     50 178.33.170.119
     50 178.33.170.117
     50 178.33.170.113
     50 178.33.170.111
     50 178.33.170.109
     49 178.33.170.92
     49 178.33.170.87
     49 178.33.170.72
     49 178.33.170.64
     49 178.33.170.45
     49 178.33.170.42
     49 178.33.170.41
     49 178.33.170.255
     49 178.33.170.250
     49 178.33.170.25
     49 178.33.170.249
     49 178.33.170.243
     49 178.33.170.24
     49 178.33.170.232
     49 178.33.170.230
     49 178.33.170.229
     49 178.33.170.228
     49 178.33.170.227
     49 178.33.170.225
     49 178.33.170.223
     49 178.33.170.222
     49 178.33.170.212
     49 178.33.170.208
     49 178.33.170.206
     49 178.33.170.204
     49 178.33.170.203
     49 178.33.170.201
     49 178.33.170.189
     49 178.33.170.18
     49 178.33.170.179
     49 178.33.170.178
     49 178.33.170.170
     49 178.33.170.161
     49 178.33.170.16
     49 178.33.170.155
     49 178.33.170.151
     49 178.33.170.13
     49 178.33.170.114
     48 178.33.170.91
     48 178.33.170.90
     48 178.33.170.70
     48 178.33.170.69
     48 178.33.170.67
     48 178.33.170.60
     48 178.33.170.48
     48 178.33.170.46
     48 178.33.170.43
     48 178.33.170.252
     48 178.33.170.248
     48 178.33.170.23
     48 178.33.170.200
     48 178.33.170.186
     48 178.33.170.184
     48 178.33.170.177
     48 178.33.170.158
     48 178.33.170.133
     48 178.33.170.132
     47 178.33.170.35
     47 178.33.170.205
     47 178.33.170.190
     47 178.33.170.15
     47 178.33.170.139
     47 178.33.170.110
     46 178.33.170.68
     46 178.33.170.247
     46 178.33.170.185
     36 88.191.237.70
     25 77.111.198.64
     22 91.234.105.84
     22 24.190.85.101
     20 93.174.93.96
     19 37.59.33.185
     19 37.187.52.97
     17 5.135.39.36
     15 84.6.28.57
     14 46.105.54.254
     11 88.168.133.227
     11 4.23.61.126
     10 80.185.69.212
     10 62.4.16.130
     10 62.210.230.207
     10 194.105.153.82
     10 190.93.255.21
     10 190.93.254.21
     10 184.164.152.179
     10 178.33.227.190
      9 87.98.146.202
      9 86.196.78.14
      7 23.13.116.82
      3 93.174.93.178
      2 87.98.150.35
      1 89.248.174.32
      1 74.118.193.43
      1 213.5.176.51
      1 199.16.131.212