Tuesday, August 20, 2013

Domain: Edelion.su

Seen a scan for this domain; it won't take long before it is abused in attacks.

Query was: 20-Aug-2013 client 89.248.172.121: query: edelion.su IN A +E

Update 21-Aug-2013:

Attacks have started with this domain. Query comes in as Edelion rather than edelion. Corrected my iptables rule to be case-insensitive.

Source:


89.248.172.121 AS29073 Ecatel Network

Seen before:


      1 hackwhatlol.cc
      1 edelion.su


IPtables rule:


iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28=0x07656465 && 0x2c=0x6c696f6e && 0x30=0x02737500" -j DROP -m comment --comment "DROP DNS Q edelion.su"

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x07454445 && 0x2c&0xDFDFDFDF=0x4c494f4e && 0x30&0xFFDFDFFF=0x02535500" -j DROP -m comment --comment "DROP DNS Q edelion.su"
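The two rules above compare the wire-encoded query name word by word at fixed offsets (0x28 = 20-byte IP header + 8-byte UDP header + 12-byte DNS header), and the second one masks every letter byte with 0xDF so that "Edelion" and "edelion" compare equal. As an added example (not from the original post), this Python builds that u32 expression for any query name and evaluates it against a constructed query packet; it assumes, like the rules, an IPv4 header without options and a plain UDP query.

```python
import re
import struct

QNAME_OFFSET = 20 + 8 + 12  # IPv4 header (no options) + UDP header + DNS header = 0x28

def encode_qname(name):
    """Wire-format DNS name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def u32_match(name, case_insensitive=False):
    """Build the u32 expression for a query of `name`, one 4-byte word per clause.
    Letter bytes get mask 0xDF (clears bit 0x20, so 'e' and 'E' both compare as 'E');
    length bytes (always below 'A') and the terminator keep 0xFF. The zero padding
    after the terminator also matches the high byte of QTYPE, as the rules above do."""
    wire = encode_qname(name)
    wire += b"\x00" * ((-len(wire)) % 4)
    clauses = []
    for i in range(0, len(wire), 4):
        word = wire[i:i + 4]
        mask = bytes(0xDF if chr(b).isalpha() else 0xFF for b in word)
        off = QNAME_OFFSET + i
        if case_insensitive and mask != b"\xff" * 4:
            val = bytes(b & m for b, m in zip(word, mask))  # letters folded to upper case
            clauses.append("0x%x&0x%s=0x%s" % (off, mask.hex().upper(), val.hex()))
        else:
            clauses.append("0x%x=0x%s" % (off, word.hex()))
    return " && ".join(clauses)

CLAUSE = re.compile(r"0x([0-9a-f]+)(?:&0x([0-9A-Fa-f]+))?=0x([0-9a-f]+)")

def u32_eval(expr, packet):
    """Evaluate an 'offset[&mask]=value && ...' u32 expression (the subset used here)
    against raw IPv4 packet bytes, the way the kernel match reads them."""
    for clause in expr.split(" && "):
        off, mask, val = CLAUSE.fullmatch(clause).groups()
        word = struct.unpack("!I", packet[int(off, 16):int(off, 16) + 4])[0]
        if (word & (int(mask, 16) if mask else 0xFFFFFFFF)) != int(val, 16):
            return False
    return True

def dns_query_packet(name):
    """Constructed sample IPv4/UDP packet carrying an A query for `name`
    (minimal headers with correct lengths; checksums and addresses left zero)."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + encode_qname(name) + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, bytes(4), bytes(4))
    return ip + udp

if __name__ == "__main__":
    print(u32_match("edelion.su", case_insensitive=True))
    print(u32_eval(u32_match("edelion.su"), dns_query_packet("Edelion.su")))  # case-sensitive rule misses it
```

Both rules depend on a 20-byte IP header; a query carrying IP options shifts every offset and passes through, which the u32 prefix `0>>22&0x3C@` (offsets relative to the IP payload) avoids.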

Full Rule Set

Response:


244 A records in the 204.46.43.x range

Name servers:


;; ANSWER SECTION:
edelion.su. 43200 IN NS ns2.reg.ru.
edelion.su. 43200 IN NS ns1.reg.ru.

;; ADDITIONAL SECTION:
ns1.reg.ru. 86376 IN A 31.31.204.52
ns1.reg.ru. 86376 IN A 31.31.205.55
ns1.reg.ru. 86376 IN A 144.76.40.132
ns2.reg.ru. 86376 IN A 88.212.207.122
ns1.reg.ru. 86376 IN A 31.31.205.39
ns2.reg.ru. 86376 IN A 31.31.204.37
ns2.reg.ru. 86376 IN A 31.31.205.56
ns2.reg.ru. 86376 IN A 31.31.204.25
ns1.reg.ru. 86376 IN A 88.212.207.121


Whois:


domain:        EDELION.SU
nserver:       ns1.reg.ru.
nserver:       ns2.reg.ru.
state:         REGISTERED, DELEGATED
person:        Private Person
e-mail:        dim199351@mail.ru
registrar:     REGRU-REG-FID
created:       2013.01.30
paid-till:     2014.01.30
free-date:     2014.03.04
source:        TCI

Last updated on 2013.08.20 23:56:40 MSK

1 comment:

  1. Seen this attack a lot today. My solution:

    #!/bin/bash
    # Usage: $0 HEXDUMPSTRING
    # Drops DNS queries whose payload contains the given hex string (e.g. the
    # encoded query name) by inserting a string-match rule in the raw table.
    if [ "$1" != "" ]; then
        # --from 30 starts the search after the IP and UDP headers
        iptables -t raw -I PREROUTING -p udp --destination-port 53 -m string --algo kmp --from 30 --hex-string "|$1|" -j DROP
    else
        echo "$0 HEXDUMPSTRING"
        echo "Locate the hex string on line 0030 containing the unwanted query: tshark -i eth0 -f 'udp port 53' -x"
    fi
    echo; echo
    echo "Existing DENY rules"
    echo "-------------------------------------"
    iptables -t raw -L -n
