Saturday, July 27, 2013

Domain: lineage2-game.ru

I received a tip that this domain was being used for attacks. I myself have only seen scanning for this domain.

LineAge2-Game.ru

Response:

A records in the 204.46.43.x range.
Response size: 3989

Source:

I have seen this domain name being used in internet-wide scans from the following IPs:

93.174.93.178 AS29073 Ecatel Network
94.102.56.235 AS29073 Ecatel Network 

These IPs have previously been observed scanning for domains such as:

ripe.net
sema.cz (Blog)
*.DirectedAt.Asia
TheSwat.net (Blog)
1rip.com (Blog)
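To a resolver operator, scans like the ones above show up as bursts of ANY queries for the same handful of names. The following is an added example (not code from the post) that parses BIND 9.9-style query-log lines and flags sources that send ANY queries for names on a watchlist, or several ANY queries in a short window. The log lines are constructed for the example; the watchlist is the set of names the post lists, and the two source IPs are the ones reported above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in BIND 9.9 query-log style (not taken from the post).
SAMPLE_LOG = """\
27-Jul-2013 10:15:02.123 client 93.174.93.178#53211: query: lineage2-game.ru IN ANY +E (192.0.2.53)
27-Jul-2013 10:15:02.140 client 93.174.93.178#53211: query: ripe.net IN ANY +E (192.0.2.53)
27-Jul-2013 10:15:03.002 client 94.102.56.235#41022: query: lineage2-game.ru IN ANY +E (192.0.2.53)
27-Jul-2013 10:15:03.977 client 198.51.100.7#50001: query: www.example.org IN A +E (192.0.2.53)
27-Jul-2013 10:15:04.001 client 198.51.100.7#50002: query: example.org IN MX +E (192.0.2.53)
27-Jul-2013 10:15:05.310 client 94.102.56.235#41022: query: 1rip.com IN ANY +E (192.0.2.53)
"""

# "client <ip>#<port>: query: <qname> IN <qtype> <flags> (<resolver ip>)"
LOG_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+) \((?P<dst>[^)]+)\)"
)

# Names the post reports as used in amplification scans (lower-cased, no trailing dot).
WATCHLIST = {"lineage2-game.ru", "ripe.net", "sema.cz", "theswat.net", "1rip.com"}


def parse_line(line):
    """Return the fields of one query-log line, or None if it is not a query line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def flag_amplification_probes(log_text, watchlist=WATCHLIST, any_threshold=2):
    """Flag sources that send ANY queries for watchlisted names, or at least
    any_threshold ANY queries overall.  Returns
    {src_ip: {"any_queries": n, "watchlist_hits": [qname, ...]}}."""
    any_counts = Counter()
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "ANY":
            continue  # only ANY queries matter for this check
        any_counts[rec["src"]] += 1
        if rec["qname"] in watchlist:
            hits[rec["src"]].append(rec["qname"])

    flagged = {}
    for src, n in any_counts.items():
        if n >= any_threshold or hits[src]:
            flagged[src] = {"any_queries": n, "watchlist_hits": hits[src]}
    return flagged


if __name__ == "__main__":
    for src, info in flag_amplification_probes(SAMPLE_LOG).items():
        print(f"{src}: {info['any_queries']} ANY queries, "
              f"watchlist hits: {', '.join(info['watchlist_hits']) or 'none'}")
```

On the constructed log both Ecatel addresses are flagged (each hits the watchlist), while the host that only asks for A and MX records is left alone. Lowering `any_threshold` to 1 turns this into a plain "who is sending ANY at all" report, which is a reasonable first cut on a resolver that should not be open to the internet anyway.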

Name servers:

At the time I received the tip, it was:

lineage2-game.ru IN NS ns1.reg.ru
lineage2-game.ru IN NS ns2.reg.ru

Now this has changed to:

lineage2-game.ru. 86368 IN NS ns1.timeweb.ru.
lineage2-game.ru. 86368 IN NS ns2.timeweb.ru.

;; ADDITIONAL SECTION:
ns1.timeweb.ru. 86368 IN A 92.53.116.200
ns2.timeweb.ru. 86368 IN A 92.53.98.100

Strange:

dig any lineage2-game.ru @8.8.8.8

; <<>> DiG 9.9.2-P2 <<>> any lineage2-game.ru @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64227
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL:


I thought this was odd, as I now receive SERVFAIL when I dig for the domain. But when querying @ns1.reg.ru I receive a 238-line response!!


dig any lineage2-game.ru @ns1.reg.ru
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.9.2-P2 <<>> any lineage2-game.ru @ns1.reg.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60090


So either the people behind this domain are hiding by temporarily changing the NS... or they are in the process of migrating to a different registrar.
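The two dig runs above differ in exactly the header fields a defender cares about when sizing up a name for amplification abuse: the status (SERVFAIL vs NOERROR), the TC flag behind "Truncated, retrying in TCP mode", the ANSWER count, and the response size relative to the query. The following is an added example (not code from the post) that builds the same ANY + EDNS0 query dig sends, decodes those header fields from a response, and reports the bytes-out / bytes-in ratio. It does no networking: both responses are constructed in the script, one mirroring the SERVFAIL answer from 8.8.8.8 and one a large truncated NOERROR answer with made-up TXT records, so the record contents and sizes are assumptions, not the real zone.

```python
import struct

QTYPE_ANY = 255
QTYPE_TXT = 16
QTYPE_OPT = 41
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a domain name as RFC 1035 length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=0x1234, edns_udp_size=4096):
    """Build what 'dig any <name>' puts on the wire: one question plus an
    EDNS0 OPT record advertising the UDP payload size (dig 9.9 defaults to 4096)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def question_end(msg):
    """Offset just past the question section (name + QTYPE + QCLASS)."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return i + 1 + 4


def build_response(query, txt_strings, tc=False, rcode=0):
    """Constructed answer to `query`: echo the question, then one TXT RR per
    string, owner name compressed as a pointer to offset 12 (RFC 1035 4.1.4)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if tc else 0) | rcode  # QR, RD, RA, optional TC, rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, len(txt_strings), 0, 0)
    answers = b""
    for s in txt_strings:
        rdata = bytes([len(s)]) + s.encode("ascii")  # one <character-string>
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:question_end(query)] + answers


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields dig prints."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def assess_response(query, response):
    """Summarise one exchange: status, truncation, answer count and the
    bytes-out / bytes-in ratio (the amplification factor of this record set)."""
    h = parse_header(response)
    return {
        "status": h["rcode"],
        "truncated": h["tc"],
        "answers": h["ancount"],
        "query_bytes": len(query),
        "response_bytes": len(response),
        "amplification": round(len(response) / len(query), 1),
    }


if __name__ == "__main__":
    q = build_query("lineage2-game.ru")
    print("SERVFAIL case:", assess_response(q, build_response(q, [], rcode=2)))
    big = build_response(q, ["x" * 200] * 18, tc=True)  # constructed bulky TXT set
    print("large answer: ", assess_response(q, big))
```

The SERVFAIL case comes back smaller than the 45-byte query, so it amplifies nothing; the constructed TXT set yields a truncated answer of a few kilobytes and a ratio in the tens, which is the shape of the 3989-byte answer the post records. A TC=1 answer is worth noting on its own: a spoofing client never completes the TCP retry, so the UDP payload size the server is willing to emit is the number that matters for abuse potential.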


Whois:

domain:        LINEAGE2-GAME.RU
nserver:       ns1.timeweb.ru.
nserver:       ns2.timeweb.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created:       2012.11.29
paid-till:     2013.11.29
free-date:     2013.12.30
source:        TCI


Registrar:


A bunch of Zeus domains have been registered there, though this is probably due to the registrar's size.

Targets:

I have no information on attacked targets.

Conclusion:

Searching Google for this domain makes it obvious that, until recently, it was used to host some PVP / RPG game.

At this moment the domain, when queried at the right NS, will still return a large response. I am not sure why the NS was changed; perhaps to hide.