Saturday, August 3, 2013

Domain: PacketDevil.com

Seen a request for the domain PacketDevil.com:

Update 2 (Dec-2013):

The whois suggests the domain was moved to eNom, Inc. and now has the following name servers:

packetdevil.com.        172800  IN      NS      ns1.packetdevil.com.
packetdevil.com.        172800  IN      NS      ns2.packetdevil.com.
ns1.packetdevil.com.    84134   IN      A       192.184.82.100
ns2.packetdevil.com.    84126   IN      A       192.184.82.100

Update 1 (August 7): Seeing a.packetdevil.com as well. 253 A records.

02-Aug-2013 16:xx: client 89.248.168.219: query: packetdevil.com IN ANY +E

The DNS entries have recently been removed or are currently being changed, as not all DNS servers return any entries. At least the following entries have been seen:

;packetdevil.com. IN ANY

;; ANSWER SECTION:
packetdevil.com. 85120 IN NS pat.ns.cloudflare.com.
packetdevil.com. 85120 IN NS hugh.ns.cloudflare.com.

;; ADDITIONAL SECTION:
hugh.ns.cloudflare.com. 86356 IN A 173.245.59.117
pat.ns.cloudflare.com. 86260 IN A 173.245.58.139

IPtables:

Seen some search queries for an iptables rule to block this stuff, so here you go:

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0b504143 && 0x2c&0xDFDFDFDF=0x4b455444 && 0x30&0xDFDFDFDF=0x4556494c && 0x34&0xFFDFDFDF=0x03434f4d && 0x38&0xFFFFFFFF=0x0000ff00" -j DROP -m comment --comment "DROP DNS Q ANY packetdevil.com"

Added rule for a.packetdevil.com:

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFFFDF=0x01410b50 && 0x2c&0xDFDFDFDF=0x41434b45 && 0x30&0xDFDFDFDF=0x54444556 && 0x34&0xDFDFFFDF=0x494c0343 && 0x38&0xDFDFFFFF=0x4f4d0000" -j DROP -m comment --comment "DROP DNS Q a.packetdevil.com"
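
Both rules above work the same way: the DNS question is compared 4 bytes at a time at fixed offsets from the start of the IP header, with a 0xDF mask on every letter so that either case matches and 0xFF on length bytes, the root label and the query type. The following is an added example of my own, not from the original post: it generates such a u32 expression for any domain (reproducing the packetdevil.com rule word for word and adding a QCLASS check the rules above leave off), and evaluates it against a constructed query packet the way xt_u32 does. It assumes IPv4 without options, so the question starts at offset 0x28, and that no label is longer than 63 bytes.

```python
import struct

QTYPE_ANY = 255
QUESTION_OFFSET = 0x28  # IP header 20 + UDP header 8 + DNS header 12 bytes (assumes IPv4 without options)

def wire_name(domain):
    """DNS wire-format QNAME plus a per-byte mask: 0xDF on letters (either case matches), 0xFF elsewhere."""
    value, mask = bytearray(), bytearray()
    for label in domain.strip(".").split("."):
        value.append(len(label)); mask.append(0xFF)
        for ch in label.encode("ascii"):
            alpha = chr(ch).isalpha()
            value.append(ch & 0xDF if alpha else ch); mask.append(0xDF if alpha else 0xFF)
    value.append(0); mask.append(0xFF)                      # root label ends the name
    return value, mask

def u32_tests(domain, qtype=None, qclass=1):
    """(offset, mask, value) words covering QNAME, QTYPE and QCLASS; qtype=None drops every query type."""
    value, mask = wire_name(domain)
    value += struct.pack("!H", qtype or 0); mask += b"\xff\xff" if qtype else b"\x00\x00"
    value += struct.pack("!H", qclass); mask += b"\xff\xff"
    words, n = [], len(value)
    for i in range(0, n, 4):
        # xt_u32 fails if a 4-byte read would pass the packet end: slide a trailing partial word back
        start = i if i + 4 <= n else n - 4
        words.append((QUESTION_OFFSET + start, int.from_bytes(mask[start:start + 4], "big"),
                      int.from_bytes(value[start:start + 4], "big")))
    return words

def u32_expression(tests):
    return " && ".join(f"0x{o:x}&0x{m:08X}=0x{v:08x}" for o, m, v in tests)

def iptables_rule(domain, qtype=None):
    comment = "DROP DNS Q " + ("ANY " if qtype == QTYPE_ANY else "") + domain
    return (f'iptables --insert INPUT -p udp --dport 53 -m u32 --u32 '
            f'"{u32_expression(u32_tests(domain, qtype))}" -j DROP -m comment --comment "{comment}"')

def packet_matches(packet, tests):
    """Evaluate the tests like xt_u32: load 4 bytes at offset, AND with mask, compare; short packets fail."""
    return all(len(packet) >= o + 4 and (int.from_bytes(packet[o:o + 4], "big") & m) == v for o, m, v in tests)

def dns_query_packet(domain, qtype):
    """Constructed sample packet: minimal IPv4 + UDP + DNS query (addresses and ports are placeholders)."""
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in domain.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(dns), 0, 0, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)
    return ip + udp + dns
```

`iptables_rule("packetdevil.com", QTYPE_ANY)` prints the first rule above with one extra word for the class, and `iptables_rule("a.packetdevil.com")` the second; the only difference in the latter is that the QTYPE bytes are left unmasked rather than pinning their high byte to zero.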

For more iptables rules check my GitHub:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

Whois:

Registration Service Provided By: Namecheap.com

Contact: 
Visit: http://namecheap.com
Registered through: eNom, Inc.

Domain name: packetdevil.com

Registrant Contact:
   WhoisGuard, Inc.
   WhoisGuard Protected ()
   
   Fax: 
   P.O. Box 0823-03411
   Panama, Panama NA
   PA

Administrative Contact:
   WhoisGuard, Inc.
   WhoisGuard Protected ()
   +507.8365503
   Fax: +51.17057182
   P.O. Box 0823-03411
   Panama, Panama NA
   PA

Technical Contact:
   WhoisGuard, Inc.
   WhoisGuard Protected ()
   +507.8365503
   Fax: +51.17057182
   P.O. Box 0823-03411
   Panama, Panama NA
   PA

Status: Locked

Name Servers:
   hugh.ns.cloudflare.com
   pat.ns.cloudflare.com
   
Creation date: 24 May 2013 13:40:00
Expiration date: 24 May 2014 13:40:00


Source:

The IP 89.248.168.219, part of the Ecatel network, has been seen before:

26-Jun-2013 03:45:28.518 client 89.248.168.219: query: nukes.directedat.asia IN ANY +E
01-Jul-2013 22:59: client 89.248.168.219: query: 1rip.com IN A +E
01-Jul-2013 22:59: client 89.248.168.219: query: 1rip.com IN A +E
01-Jul-2013 22:59: client 89.248.168.219: query: 1rip.com IN A +E
18-Jul-2013 17:03: client 89.248.168.219: query: d.directedat.asia IN ANY +E
24-Jul-2013 18:43: client 89.248.168.219: query: d.directedat.asia IN ANY +E
02-Aug-2013 16:48: client 89.248.168.219: query: packetdevil.com IN ANY +E

6 comments:

  1. I'm using CentOS 5.5 and got this error 'iptables v1.3.5: Couldn't load match `u32':/lib/iptables/libipt_u32.so: cannot open shared object file: No such file or directory'. How can I fix this?

    Replies
    1. From what I heard, CentOS does not support the iptables u32 module. So after a few people complained I've written rules that I think should work for you. You can find them on my GitHub:

      https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

      It uses the string module. Hope this works/helps you!

    2. Thank you for your help, but now I got this error 'iptables: Unknown error 4294967295'

  2. I just discovered my named server was being brought to its knees with messages that look like: named[29305]: client 24.2.64.93#2216: error sending response: unexpected error

    Searching for the error did little. When I looked at packets via tcpdump and Wireshark I saw "size limited during capture" in response to two simultaneous requests on consecutive IPs for a Standard query A a.packetdevil.com. I applied the packetdevil rules from the link in the comments on my CentOS 5.6 box and they worked! Thanks so much!

    I am still seeing plenty of queries via tcpdump, but not in my log files. I am seeing ns1.fkfkfkfa.com now as well...
