Monday, September 23, 2013

Domain: aa3247.com

Just observed a scan for this domain. No attacks just yet.

Source:

122.136.196.116 - AS4837 CHINA169-BACKBONE CNCGROUP

Response:

About 255 A records in the 182.156.202.x range.

IPtables rule:

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFFF=0x06414133 && 0x2c&0xFFFFFFFF=0x32343703 && 0x30&0xDFDFDFFF=0x434f4d00" -j DROP -m comment --comment "DROP DNS Q aa3247.com"
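
The u32 match above tests the DNS question name word by word at the fixed offset 0x28 (20-byte IP header + 8-byte UDP header + 12-byte DNS header), with mask byte 0xDF on letters so the match ignores case. The Python below generates that expression for any domain and checks it against a constructed query packet; it is an added example, not code from the original post, and like the rule it assumes an IP header without options.

```python
import struct

# Question name offset: 20-byte IP header (no options) + 8 UDP + 12 DNS = 0x28.
# Like the page's rule this assumes IHL=5; IP options would shift the name.
QNAME_OFFSET = 20 + 8 + 12

def encode_qname(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def u32_dns_qname(name):
    """One 'offset&mask=value' test per 4-byte word; letters get mask 0xDF
    (ASCII case bit cleared) so the match ignores case, as on the page."""
    qname = encode_qname(name)
    mask = bytes(0xDF if 65 <= b <= 90 or 97 <= b <= 122 else 0xFF for b in qname)
    pad = -len(qname) % 4  # bytes after the name are don't-care (mask 0x00)
    qname, mask = qname + b"\x00" * pad, mask + b"\x00" * pad
    tests = []
    for i in range(0, len(qname), 4):
        m = int.from_bytes(mask[i:i + 4], "big")
        v = int.from_bytes(qname[i:i + 4], "big") & m
        tests.append(f"0x{QNAME_OFFSET + i:x}&0x{m:08X}=0x{v:08x}")
    return " && ".join(tests)

def iptables_rule(name):
    """Full DROP rule in the form used on this page."""
    return (f'iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "{u32_dns_qname(name)}"'
            f' -j DROP -m comment --comment "DROP DNS Q {name}"')

def u32_matches(expr, packet):
    """Evaluate as the kernel does: each word must lie inside the packet and match after masking."""
    for test in expr.split(" && "):
        off_mask, value = test.split("=")
        off, mask = (int(x, 16) for x in off_mask.split("&"))
        if off + 4 > len(packet) or int.from_bytes(packet[off:off + 4], "big") & mask != int(value, 16):
            return False
    return True

def dns_query_packet(name):
    """Constructed IPv4/UDP/DNS query (QTYPE ANY); addresses and checksums zeroed."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + encode_qname(name) + struct.pack("!HH", 255, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(dns), 0, 0, 64, 17, 0, b"\0" * 4, b"\0" * 4)
    return ip + udp + dns
```

For aa3247.com the generator reproduces the rule above exactly; for names whose wire length is not a multiple of 4 it pads the last word with a 0x00 mask rather than matching the QTYPE bytes that follow.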

More rules here

Name servers:

aa3247.com.             7200    IN      NS      ns3.mmtac1.com.
aa3247.com.             7200    IN      NS      ns4.mmtac1.com.
aa3247.com.             7200    IN      NS      ns1.mmtac1.com.
aa3247.com.             7200    IN      NS      ns2.mmtac1.com.

;; ADDITIONAL SECTION:
ns3.mmtac1.com.         300     IN      A       222.163.192.106
ns2.mmtac1.com.         86400   IN      A       162.212.182.165
ns2.mmtac1.com.         86400   IN      A       162.212.182.66
ns2.mmtac1.com.         86400   IN      A       64.62.186.91
ns2.mmtac1.com.         86400   IN      A       222.163.192.106
ns1.mmtac1.com.         300     IN      A       222.163.192.106
ns1.mmtac1.com.         300     IN      A       222.163.192.104
ns4.mmtac1.com.         300     IN      A       222.163.192.106
ns4.mmtac1.com.         300     IN      A       222.163.192.104
ns3.mmtac1.com.         300     IN      A       222.163.192.104
ns2.mmtac1.com.         86400   IN      A       64.62.186.74
ns2.mmtac1.com.         86400   IN      A       222.163.192.104
ns2.mmtac1.com.         86400   IN      A       64.62.186.77

Whois:
Domain: aa3247.com
Status: Protected

DNS:
        ns1.mmtac1.com
        ns2.mmtac1.com

Created: 2013-09-14 16:33:55
Expires: 2014-09-14 08:33:55
Last Modified: 2013-09-14 16:33:54

Registrant Contact:
        Whoisprotection.cc
        Domain Admin  (reg_1358531@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

Administrative Contact:
        Whoisprotection.cc
        Domain Admin  (adm_1358531@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

Technical Contact:
        Whoisprotection.cc
        Domain Admin  (tec_1358531@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

Billing Contact:
        Whoisprotection.cc
        Domain Admin  (bil_1358531@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

9 comments:

  1. Think this is related to some virus. I see a compromised computer sending ICMP packets with the URL aa3247.com in the data. The packets are being sent to 122.136.196.116. This computer already received 10 GB (maybe 18 GB total) in the past few days.

    1. Do you have a sample of the malware? If you do, would you be so kind to send it to my email?

      That is a surprisingly large amount of data...

  2. I am also seeing DNS lookups for this record coming from 122.136.196.117. It repeats for a few minutes, then stops, then comes back again hours later.

  3. aa3247.com has a large set of A records... My DNS server receives requests from 122.136.196.117... But it doesn't request aa3247.com sequentially...

  4. 122.136.196.116:10770 is creeping to my router

  5. Seeing this as well. Any idea if the process is identified? Tried scanning with a couple of tools, but no positive yet.

    1. Are you sure you are not just running a DNS server on the computer? If you see queries, you are participating; if you see responses, you are being DDoS-ed.

  6. I have a Windows host that seems to be making DNS requests for aa3247.com. Catching it outbound on the firewall. Working to isolate the process. Any thoughts on how one might go about that? Procmon does not capture the content of the UDP packet, and a packet sniff can't tell me the PID.

    1. I'm pretty sure that you must be running a DNS server on that Windows host. If you see queries, then you are participating in these attacks; if you see responses, you are the victim of an attack.
