txt.pwserver.com.ua.
Response:
txt.pwserver.com.ua. 3596 IN TXT "sdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdasssdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533" ">" "sdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdasdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533" ">" "sdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdaasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533" ">" "sdasdassdasdassdasdassdasdassdasdassdasdassdasdassdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533" ">" "sdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533" ">" "sdasdassdasdassdasdassdasdassdasdassdasdassdasdasasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533" ">" "sdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533" ">" "sdasdassdasdassdasdassdasdassdasdassdasdassdasdassdassdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533" ">" 
"sdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533" ">" "sdasdassdasdassdasdassdasdassdasdassdasdassdssdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533" ">" "sdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533" ">" "sdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdssdasdassdasdassdasdassdasdassdasdassdasdassdas5533" ">" "11111111wwwsdasdassdasdassaasdasdasddasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdasasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasddassda88978978766sdassdasdassd" ">" "11111111wwwsdasdassdasdassaasdasdasddasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasddassda88978978766sdassdasdassd" ">" "11111111wwwsdasdassdasdassaasdasdasddasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasddassda88978978766sdassdasdassd" ">" "11111111wwwsdasdassdasdassaasdasdasddasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasddassda88978978766sdassdasdassd" ">" 
"asuidhasiudyhasiudhyasiudyhasiudyuaisydasiuydasuidhasiudyhasiudhyasiudyhasiudyuaisydasiuydsadjua"
Name servers:
txt.pwserver.com.ua. 3600 IN NS ns1.ua-dc.net. - 91.212.124.5
txt.pwserver.com.ua. 3600 IN NS ns2.ua-dc.net. - 91.214.69.18
Any pwserver.com.ua:
pwserver.com.ua. 2600 IN SOA ns1.ua-dc.net. root.ua-dc.net. 2013052605 28800 7200 1209600 2600
pwserver.com.ua. 2600 IN NS ns1.ua-dc.net.
pwserver.com.ua. 2600 IN NS ns2.ua-dc.net.
pwserver.com.ua. 2600 IN A 91.212.124.2
pwserver.com.ua. 2600 IN MX 10 mail.pwserver.com.ua.
Reverse DNS value:
2.124.212.91.in-addr.arpa. 86400 IN PTR hosting.ua-dc.net.
83.124.212.91.in-addr.arpa. 86400 IN PTR mailplanet.ws.
So the scan is originating from the same subnet as the domain requested.
The A record of this domain seems to go to a legit gaming site... Hijacked DNS admin page?
Scan source:
26-Jul-2013 04:25: client 91.212.124.83#5709: query: www.ru IN A +
26-Jul-2013 04:25: client 91.212.124.83#60400: query: txt.pwserver.com.ua IN TXT +
26-Jul-2013 04:25: client 91.212.124.83#52350: query: txt.pwserver.com.ua IN TXT +T
It seems that this scan first sends a www.ru query to see whether a DNS server responds. If it does, it sends two txt.pwserver.com.ua queries.
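To spot this probe pattern in a BIND query log, the following added example (not part of the original post) flags clients that send an A query followed by TXT queries for one name over both UDP and TCP. The one-minute window and the UDP-plus-TCP criterion are assumptions drawn from the three log lines above; the extra sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the BIND query-log layout quoted in the post (minute resolution).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}): client (?P<ip>[\d.]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) IN (?P<type>\S+) (?P<flags>\S+)$"
)

def parse_line(line):
    """Return a dict for one query-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M")
    rec["name"] = rec["name"].rstrip(".").lower()
    rec["tcp"] = "T" in rec["flags"]          # BIND marks TCP queries with T
    return rec

def find_probe_then_txt(lines, window=timedelta(minutes=1)):
    """Flag (client, probe name, TXT name) where an A query is followed, within
    `window` (an assumed value), by TXT queries for one name over UDP and TCP."""
    by_client = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_client[rec["ip"]].append(rec)
    hits = []
    for ip, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for probe in (r for r in recs if r["type"] == "A"):
            seen = defaultdict(set)          # TXT name -> transports seen
            for r in recs:
                if r["type"] == "TXT" and timedelta(0) <= r["ts"] - probe["ts"] <= window:
                    seen[r["name"]].add("tcp" if r["tcp"] else "udp")
            hits += [(ip, probe["name"], n) for n, t in seen.items() if t == {"udp", "tcp"}]
    return hits

# Constructed sample: the post's three lines plus two unrelated clients (documentation ranges).
SAMPLE = """\
26-Jul-2013 04:25: client 91.212.124.83#5709: query: www.ru IN A +
26-Jul-2013 04:25: client 91.212.124.83#60400: query: txt.pwserver.com.ua IN TXT +
26-Jul-2013 04:25: client 91.212.124.83#52350: query: txt.pwserver.com.ua IN TXT +T
26-Jul-2013 04:26: client 192.0.2.10#40000: query: example.com IN A +
26-Jul-2013 04:27: client 198.51.100.7#40001: query: example.org IN TXT +
""".splitlines()

if __name__ == "__main__":
    print(find_probe_then_txt(SAMPLE))
```

Because the log lines carry only minute resolution, ordering within a minute relies on the order of lines in the file.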
Conclusion
I think this is a hijacked domain as it has a legit domain associated with it.
Still odd the scan comes from the same subnet though.
Recent activity:
Amount, Date
2 26-Jul-2013
219 30-Jul-2013
1 31-Jul-2013
19 01-Aug-2013
29 02-Aug-2013
272 03-Aug-2013
363 04-Aug-2013
1154 05-Aug-2013
Update 2013-08-06:
Domain does not seem to respond to any queries at the moment.
Attacked hosts: