Source:
122.136.196.116 - AS4837 CHINA169-BACKBONE CNCGROUP
Response:
About 255 A records in the 182.156.202.x range.
iptables rule:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFFF=0x06414133 && 0x2c&0xFFFFFFFF=0x32343703 && 0x30&0xDFDFDFFF=0x434f4d00" -j DROP -m comment --comment "DROP DNS Q aa3247.com"
More rules here
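As an added example (not code from the original post), the following Python builds the u32 expression used in rules like the one above for any query name and evaluates it against a constructed packet the way the u32 match would. It assumes, as the rule does, a 20-byte IP header with no options, so the QNAME begins at byte 0x28 (20 IP + 8 UDP + 12 DNS header); the 0xDF mask on letters is what makes the match case-insensitive, and it generalizes to names whose wire length is not a multiple of four by masking out the trailing QTYPE/QCLASS bytes.

```python
import string

# Added example, not the blog's code. Assumes a 20-byte IP header (no options) and
# a UDP DNS query, so the QNAME starts at byte 40 = 20 (IP) + 8 (UDP) + 12 (DNS hdr).
QNAME_OFFSET = 20 + 8 + 12

def encode_qname(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def u32_dns_query_match(name: str) -> str:
    """u32 expression matching a query for `name`, one term per 4-byte word.
    Letters get mask 0xDF (clears the 0x20 case bit), so 'a' and 'A' both match;
    lengths, digits and the terminator are compared exactly; bytes after the
    name (QTYPE/QCLASS) get mask 0x00 so they are ignored."""
    qname = encode_qname(name)
    terms = []
    for start in range(0, len(qname), 4):
        chunk = qname[start:start + 4]
        mask = value = 0
        for i in range(4):
            if i < len(chunk):
                b = chunk[i]
                m = 0xDF if chr(b) in string.ascii_letters else 0xFF
            else:
                b, m = 0, 0x00  # beyond the name: don't compare
            mask = (mask << 8) | m
            value = (value << 8) | (b & m)
        terms.append("0x%x&0x%08X=0x%08x" % (QNAME_OFFSET + start, mask, value))
    return " && ".join(terms)

def rule_matches(packet: bytes, name: str) -> bool:
    """Evaluate the generated expression against a raw IP packet as u32 would."""
    for term in u32_dns_query_match(name).split(" && "):
        loc, rest = term.split("&", 1)
        mask, value = rest.split("=")
        off = int(loc, 16)
        if off + 4 > len(packet):  # u32 fails when the word is out of bounds
            return False
        word = int.from_bytes(packet[off:off + 4], "big")
        if word & int(mask, 16) != int(value, 16):
            return False
    return True
```

For "aa3247.com" the generated expression is byte-for-byte the one in the rule above; a packet carrying IP options shifts the QNAME and would need a different offset.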
Name servers:
aa3247.com. 7200 IN NS ns3.mmtac1.com.
aa3247.com. 7200 IN NS ns4.mmtac1.com.
aa3247.com. 7200 IN NS ns1.mmtac1.com.
aa3247.com. 7200 IN NS ns2.mmtac1.com.
;; ADDITIONAL SECTION:
ns3.mmtac1.com. 300 IN A 222.163.192.106
ns2.mmtac1.com. 86400 IN A 162.212.182.165
ns2.mmtac1.com. 86400 IN A 162.212.182.66
ns2.mmtac1.com. 86400 IN A 64.62.186.91
ns2.mmtac1.com. 86400 IN A 222.163.192.106
ns1.mmtac1.com. 300 IN A 222.163.192.106
ns1.mmtac1.com. 300 IN A 222.163.192.104
ns4.mmtac1.com. 300 IN A 222.163.192.106
ns4.mmtac1.com. 300 IN A 222.163.192.104
ns3.mmtac1.com. 300 IN A 222.163.192.104
ns2.mmtac1.com. 86400 IN A 64.62.186.74
ns2.mmtac1.com. 86400 IN A 222.163.192.104
ns2.mmtac1.com. 86400 IN A 64.62.186.77
Whois:
Domain: aa3247.com
Status: Protected
DNS:
ns1.mmtac1.com
ns2.mmtac1.com
Created: 2013-09-14 16:33:55
Expires: 2014-09-14 08:33:55
Last Modified: 2013-09-14 16:33:54
Registrant Contact:
Whoisprotection.cc
Domain Admin (reg_1358531@whoisprotection.cc)
Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
P: +603.89966788 F: +0.0
Administrative Contact:
Whoisprotection.cc
Domain Admin (adm_1358531@whoisprotection.cc)
Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
P: +603.89966788 F: +0.0
Technical Contact:
Whoisprotection.cc
Domain Admin (tec_1358531@whoisprotection.cc)
Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
P: +603.89966788 F: +0.0
Billing Contact:
Whoisprotection.cc
Domain Admin (bil_1358531@whoisprotection.cc)
Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
P: +603.89966788 F: +0.0
Think this is related to some virus. I see a compromised computer sending ICMP packets with the url aa3247.com in the data. The packets are being sent to 122.136.196.116. This computer already received 10gb (maybe 18gb total) in the past few days.
Do you have a sample of the malware? If you do, would you be so kind to send it to my email?
That is a surprisingly large amount of data...
I am also seeing DNS lookups for this record coming from 122.136.196.117 it repeats for a few minutes, then stops, then comes back again hours later.
aa3247.com has a large number of A records... My DNS server receives requests from 122.136.196.117.. But it doesn't sequentially request aa3247.com..
122.136.196.116:10770 is creeping to my router
Seeing this as well. Any idea if the process is identified? Tried scanning with a couple of tools, but no positive yet.
Are you sure you are not just running a DNS server on the computer? If you see queries, you are participating; if you see responses you are being ddos-ed.
I have a Windows host that seems to be making DNS requests for aa3247.com. Catching it outbound on the firewall. Working to isolate the process. Any thoughts on how one might go about that? Using procmon does not contain the content of the UDP packet; a packet sniff can't tell me the PID.
I'm pretty sure that you must be running a DNS server on that Windows host. If you see queries, then you are participating in these attacks; if you see responses you are the victim of an attack.