Saturday, September 28, 2013

Domain: Sandia.gov

Some DNS amplification attacks are currently using this legitimate domain in spoofed ANY queries; the zone is DNSSEC-signed, so the answer is huge (see the response below). Seeing as ANY queries are not really used in a legit manner, I have no problem dropping these.. like it's hot.

IPtables:


iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0653414e && 0x2c&0xDFDFDFFF=0x44494103 && 0x30&0xDFDFDFFF=0x474f5600 && 0x34&0xFFFFFFFF=0x00ff0001" -j DROP -m comment --comment "DROP DNS Q ANY sandia.gov"


More rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt
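The rule above works by comparing the question section of the query (QNAME in wire format, then QTYPE and QCLASS) in 4-byte chunks, starting at byte 0x28 of the IP packet: 20 bytes of IPv4 header, 8 of UDP, 12 of DNS header. Letters are masked with 0xDF so the match is case-insensitive (attackers randomise case), while length bytes and the trailing 0x00ff0001 (QTYPE ANY, QCLASS IN) are matched exactly. The Python below is an added example, not part of the original post or of the smurfmonitor rule set; it generates the same expression for any QNAME, re-aligns the last chunk when the question is not a multiple of four bytes (xt_u32 fails the whole match if it reads past the end of the packet), and checks the result against constructed packets. Like the original rule it assumes an IPv4 header without options; with IP options or IPv6 the offsets are different. The packets it builds are constructed test data with placeholder IP/UDP fields.

```python
#!/usr/bin/env python3
"""
Generate and sanity-check an iptables u32 match that drops inbound UDP DNS
queries of type ANY for one QNAME, in the same form as the sandia.gov rule.

Offsets assume what the original rule assumes: an IPv4 header with no
options (20 bytes), an 8-byte UDP header and the 12-byte DNS header, so the
first question starts at byte 0x28 of the IP packet.
"""
import struct

IP_HDR, UDP_HDR, DNS_HDR = 20, 8, 12
QUESTION_OFFSET = IP_HDR + UDP_HDR + DNS_HDR   # 0x28
QTYPE_ANY, QCLASS_IN = 255, 1


def encode_qname(name: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _is_ascii_letter(b: int) -> bool:
    return 0x41 <= (b & 0xDF) <= 0x5A


def u32_terms(name: str, qtype: int = QTYPE_ANY) -> list:
    """Return (offset, mask, value) triples covering QNAME + QTYPE + QCLASS.

    Letters get mask 0xDF so the match is case-insensitive; length bytes,
    digits, hyphens, QTYPE and QCLASS are matched exactly.  xt_u32 reads 4
    bytes per term and fails the rule if a read runs past the end of the
    packet, so when the question is not a multiple of 4 bytes the last term
    is re-aligned to end on the question boundary, with the bytes already
    checked by the previous term masked to 0.
    """
    q = encode_qname(name) + struct.pack(">HH", qtype, QCLASS_IN)
    mask = bytes(0xDF if _is_ascii_letter(b) else 0xFF for b in q)
    terms, pos = [], 0
    while pos < len(q):
        if len(q) - pos >= 4:
            off, m = pos, mask[pos:pos + 4]
        else:
            off = len(q) - 4
            m = bytes(4 - (len(q) - pos)) + mask[pos:]
        word = q[off:off + 4]
        value = bytes(b & k for b, k in zip(word, m))
        terms.append((QUESTION_OFFSET + off,
                      int.from_bytes(m, "big"),
                      int.from_bytes(value, "big")))
        pos += 4
    return terms


def u32_expr(name: str, qtype: int = QTYPE_ANY) -> str:
    """Render the terms in the notation xt_u32 expects."""
    return " && ".join(f"0x{off:x}&0x{m:08X}=0x{v:08x}"
                       for off, m, v in u32_terms(name, qtype))


def iptables_rule(name: str, chain: str = "INPUT") -> str:
    """Full iptables command in the same shape as the rule on this page."""
    return (f'iptables --insert {chain} -p udp --dport 53 -m u32 '
            f'--u32 "{u32_expr(name)}" -j DROP '
            f'-m comment --comment "DROP DNS Q ANY {name}"')


def u32_matches(terms, packet: bytes) -> bool:
    """Evaluate the terms the way xt_u32 does against a raw IPv4 packet."""
    for off, m, v in terms:
        if off + 4 > len(packet):          # short read => no match
            return False
        if int.from_bytes(packet[off:off + 4], "big") & m != v:
            return False
    return True


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed IPv4/UDP/DNS query for offline testing.  IP and UDP
    header fields other than version/IHL are placeholders (no valid
    checksums or lengths); only the byte layout matters here."""
    ip = b"\x45\x00" + b"\x00" * 18                         # version 4, IHL 5
    udp = struct.pack(">HHHH", 40000, 53, 0, 0)             # sport, dport 53
    dns = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT 1
    return ip + udp + dns + encode_qname(name) + struct.pack(">HH", qtype, QCLASS_IN)


if __name__ == "__main__":
    print(iptables_rule("sandia.gov"))
    terms = u32_terms("sandia.gov")
    print("ANY, random case   :", u32_matches(terms, build_query("SanDIA.GoV", QTYPE_ANY)))
    print("A record, same name:", u32_matches(terms, build_query("sandia.gov", 1)))
```

For sandia.gov the generated command is byte-for-byte the rule above, which is a useful check that the hand-built offsets and masks are right. Note that this only helps on a server that is receiving the spoofed queries (i.e. one being abused as a reflector); it does nothing for the victim whose address is being spoofed, and it will not match queries carried in IPv6 or in IPv4 packets with options.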

Source:


The first scan I observed for sandia.gov came from Sweden:

First:

94.185.81.128 - Netrouting

Later on:
89.248.172.121 - Ecatel
-hackwhatlol.cc
-edelion.su
-2soe.ru

Name server:


sandia.gov. 3600 IN NS ns8.sandia.gov.
sandia.gov. 3600 IN NS ns2.ca.sandia.gov.
sandia.gov. 3600 IN NS ns9.sandia.gov.
sandia.gov. 3600 IN NS ns1.ca.sandia.gov.

;; ADDITIONAL SECTION:
ns1.ca.sandia.gov. 3600 IN A 198.206.219.65
ns9.sandia.gov. 3600 IN A 132.175.7.210
ns2.ca.sandia.gov. 3600 IN A 198.206.219.66
ns8.sandia.gov. 3600 IN A 132.175.7.209

Response:


Just massive! Besides the SOA, NS, MX, A and TXT records, the ANY answer carries the zone's full DNSSEC material: four DNSKEY records (two ZSKs and two KSKs, algorithm 7) plus an RRSIG over every RRset, which is what turns a small spoofed query into a response this large.

;; ANSWER SECTION:
Sandia.gov. 3600 IN SOA taurus.Sandia.gov. dnsadmin.Sandia.gov. 448880 1800 900 604800 3600
Sandia.gov. 0 IN RRSIG NSEC3PARAM 7 2 0 20131009150422 20130909150422 30602 sandia.gov. lqLdGBXNggppzQAHk0F3LsG70+AMHJVEgOj0+tYV7i7F3EguhK1K/wWg NmMmm2s2yhuOQDHOvKc3RXoVLbumXqIuu9cr/Mqbnx06dsTrlbmfoSNM Lc9+Lye/hf57u2etlsLt2krwAvSliOcIARg5CxyRj1ckbRoBvoMpsFt4 SkiHJlpw2/YpAb30MsPz0HHNwL4kwidv3HS+kR6RlSy0bBpPIrQBit7A 1OwxaWnzpB645EJjVAB5CBi7edGFQL9dyOh8PTWKAC4dOxo6MObukIDX 81sd1DeVj/aTvaZzK/ImXlZnraw1qwO9B90caQG6+lPKmXVJQK8pxQvQ 9Dz2gg==
Sandia.gov. 0 IN NSEC3PARAM 1 0 2 8BEC6F
Sandia.gov. 3600 IN RRSIG DNSKEY 7 2 3600 20131009150422 20130909150422 20739 sandia.gov. UIKkraXl1rSrpCORN6+0XFjNQFeJXBSiF9UT/nPabh3g+BGaBcZqpIjW NloD2cgW+Q43VsRlSwoiDYzB9OafzYknVxhI2WaG9aNrrtoCuCl+Bz7r auHhmN/HQq7VVSPp0YOL4Tw2RasvbLmNT/mKAEFGPmHm5dVWtmR/aiJj Fx4vUFCoquG1FUYdE8cwhOutIfhNulzCm41HsRoleKLy3yzwqZCtMoeg ow8g+HBSEt3j1ZrFyIg1WjOuPi2Il66EIz7yCBi3PKLKMJYd9DNpU+BR xx9viNX+jI05w7Ds96AO6zVyE1wRxj3twPOTTuVFvWeRVWFpxzUv9iR9 1z75EQ==
Sandia.gov. 3600 IN RRSIG DNSKEY 7 2 3600 20131009150422 20130909150422 30602 sandia.gov. nFKdZ1BJAqsOt2M8J50nFjRwrMs3Om0x2LHx/bW8PgE5i4r/OE8yl5Or qBS34MpNSJG9y059OALcSVWv/Y7yzEhnFuAJw1JM0gbXjTDWAvdOJToI 7B0lQ2rZU+REvZzgp6FVcEzH1MgoR/LRqlxaP/93/CSvOBEsQfnTcH/+ YdD4TYw02jHYSFYCGbvDSn+Z6RmvvLdlcSn9FyMDes8uDshW+niPGEr2 iET5UHnn7TMFk/nnj8f8esP7Rgc5PDMbSFj4w3AkCyWT7K5dqk5IwpfL coKMAf+2i4/PmaPHQySBie0JirKGufuTpIllKEVXMOdu/nGQjSdCXd8B UaHFVg==
Sandia.gov. 3600 IN RRSIG DNSKEY 7 2 3600 20131009150422 20130909150422 36033 sandia.gov. bOwF9y4fTZvEeWwJYEQfwpkzAaQz1jjuP/vrcODtNWIZjPCH2r+KAq9P NIyRMlPxveybfJPqVT0xhDL97stjhUldzXH3hgFnra/OnhSC/4xH5ipR +ExCuuL6vsJHiORpIMXKZ2IqDdbIqYCiy2pOdYlFXDliI264AF/kp1V9 5zwuz2ohKIjtEU9eeZdgdynFlpFNt7Cl0HrdlOBsOLZAQdT6Tfvrh73T zuW3kkYXUiDo4z1FE8SwcMoSULyP8YBU10Es1JBBQNIVcv3artgzz4q1 L2ZqpTuvZ+bwZUfY93QYHTnEvjCo14psTAK3lAhEoU62CKPPxhmmsToR kFuwSg==
Sandia.gov. 3600 IN DNSKEY 256 3 7 AwEAAZ0oH+W7xJXP7f/O7J25tQQEG9xqj6LecK9pESLccr0MwEO+Xha9 4qMClFvQ8uCjogyPuFizBNk0s0WjOa+XyBVzhZg2djpqARmq8VmPMXEx GpkDgkP1ukdoTESrc1XC+Sbi0uE8tRGmu+eus4n3Yk/+tS9L3ka3daOZ CJuaCV0Om9XTnDP+m8ElUdHju0RUFN63hKdx++/7PNzTw6prj2ddeKW6 Zao3naBvYsGbfzKpAd1d7NDK29QYh+MFUe1s3ccBhTmgvCiRjsl1LAAQ jaZ9KZYOPT0JJZQ9Qtlxmj6enQtdIPOYzyjALkIv193dXlE+G0S5Arr9 fjMaf7lEyNc=
Sandia.gov. 3600 IN DNSKEY 256 3 7 AwEAAfaaLgwMLLou2EXeq0lw3dHUos46XgWEGczA2xz1r2RttO8ATyrR gx4rW+MaIyLLO5es0Et8Fum5qRHa9uwAqkrF5mNC2o05HyA4lv8zr9Px Q6xWDBlvkQMSBVmfgyMT0hLBt4wwrKycYsDEpxJFuQcZih8lZaInSRG2 RNZL7ThwycRawvgKMDWO59giOcU51AWAks8BQN5z/33jvFgbPwYJObV1 CytBZlyDdLlCryOn+xRKZKtF6TTCzOfvlquKcEeqzfhGNn5nUquZWAay klBDYM6NnSjmui2482/KRImoygE8DayJ9aN9BIH5v+ehdegWsRtX/U8m HIA4/E/2//U=
Sandia.gov. 3600 IN DNSKEY 257 3 7 AwEAAb80HHQXbrsrmm8L5T1V3QDoXEEDJpts4S6ttkFVOa+fb4anMU3B 7KNK4jgg8sDXMhDfgTWHOc9EEAuy3Obv/6ArD4+385P+EuH5NGLd5f/l Wl8GC9S24mDTpe2sNKi4AHJQxnREuI8Oxr/Mh92W5+HWDdIBt5IKH/nu 9Wlf76Yg3x8jHZYgxVBMgPGF+UYUMQLKAjtJ/XFRObLLL+RQNdNkBqrQ LDkPBxbG1m8rDNa+uCbBiOWGBjZxrjEyQCA/2ZAKQ9lhVFZWuxb8DA3m eiu8sfhWb3tbuZHhCb2HniV43oPKICN4GdIDrHQkZCUOzEMKLSyX98VW QoHdaaOT1is=
Sandia.gov. 3600 IN DNSKEY 257 3 7 AwEAAeWCWZhMfUwZSU+3Sqqk3OvDCDPw9sBWL7HioNjo8FI90QdbNYRh 6z9Ks2fEoguMRHlTobVbptJ2wlRQPWTyC8qlaWnT82hdj5tpOzNlfuWy wRu7Yw+DOBJUT1d1ygwGVl9YbNl2gw4JCbVjqyZl2SogXAXWJecQKrJZ gToYW/hkoTUWEnW80j60wwXyeBR6TExVNTsuimV4vNas1nDqKd3jf8fS pszH5CFR/Ytw29f4qaZRxGfgtQf05AwMLrKNfiHXjRnhQ/Wc4irjW4o6 J07xJumdVm2edvevOwPc5HvoTcHKueBn+8cyq7FDc0pwutB190FV8WU6 XTTQMJQpOAE=
Sandia.gov. 3600 IN RRSIG TXT 7 2 3600 20131009150422 20130909150422 30602 sandia.gov. 5qOYnmGkx1fdXmDe5gtUNeFFqEJFcQ9EFxQ4Txl1ptaDHQasmN1FZBvP YKR1bZB6hPTfxDnUZt8vNwuMNOquoRYRjUOerfs6l6BrrY5K/9ax9w3I 5v9TwsfSf9CtQBRJPg+Rlmu5hHk1CqtR3D9SmDiTyTxmItOW24uoPz3f ZW5d652/laiIU8i1YKSVlOdUXzyuyBRfCyjH4K83h/dsne5tKM8qtKAK g+5zPJq1F48jfROwO8JFtxDSB7jya1Kdg5vGPSJqFsWKGGkDoz52Axen d4qPLcb2bOSo2JGRBcGuPj8glSMzWAInD5Jswmsc1cqrPZoN9MxXNrq+ Afa+SQ==
Sandia.gov. 3600 IN TXT "v=spf1 mx ip4:132.175.109.20 ip4:132.175.109.21  ip4:132.175.109.1  ip4:132.175.109.4 ~all"
Sandia.gov. 1200 IN RRSIG MX 7 2 1200 20131009150422 20130909150422 30602 sandia.gov. 6VIvlQ0KK1YsBmArv9XcVNbhRygoMRxyi1iNEWZ1Unv3UF46tMu/oW/r hxkOpZvnAhf4hQvXh21Mkd2m4N+MLo9iYV8E+Abwy+ppDg2AbFqmk6jh GFwdq2Ea3Lm3cRU4es0paBNmyJjl5TMV9LVcyBjJps9xA157p0qBJThW EqRadUpk/e0AJydsIjTC5v1iss5QjuTmZW8TmSIWRvHa1WHi0W3VWRiA Q3REr+t45ADgvRHOUFf4fxvwjx7/7rXrQNlUpoMJDzZhNb2in2m3p1Yo BezZH5pGsj0bwVSlaBvAmxUGUIsydrTppGF20TgwwyDxx98/YJbwYZLN 8wV82g==
Sandia.gov. 1200 IN MX 10 sentry-three.Sandia.gov.
Sandia.gov. 1200 IN MX 30 hubble.ca.Sandia.gov.
Sandia.gov. 1200 IN MX 10 sentry-two.Sandia.gov.
Sandia.gov. 3600 IN RRSIG A 7 2 3600 20131009150422 20130909150422 30602 sandia.gov. psOBfXIvGsNDNeSJQyGvRdo33ewhWmMrUxazO8n2/elAuyv9o58/TXKO O+D2NtjuqFcBg22oYm2Yj0zEBWmYl7QsjH5Ys1HJT3kfQUex9NeS9yvF iUA5mNeP9iynByZYDW5ySkunOgrpVz4T6VafEfZKrckj41Q4dVa71h8h ksSVRmhSE5WWM9qcs/emrssdSqLz9ea/UrylzZVtdrUxbDe7wYZ1SRli I5FKv8KLHY/XyY8mYRWD8dKx7VAdyOP3P2y5J12V5ueZkLYBuYKqFXdI Z2ZAG3X6pA1fEEkIRO1oAufMNtVkzQflgOVopuJVTwNd8IPgjqtpNSwZ 2JXNDg==
Sandia.gov. 3600 IN A 132.175.81.4
Sandia.gov. 3600 IN RRSIG NS 7 2 3600 20131009150422 20130909150422 30602 sandia.gov. 00A++N5y/op/NXmIeV3MSVKn+qOtpWkrGXxX+Z1xn/n+VXRiLsC0hSO2 AKf+WsdlQ8mfs3k91ez2ecYg/MTwjGkwy4ZGieuG4t7yLxKBC3yc9cXm 7VYKpFEvDZAJo/5pk8BjN2y8dzZ78vB1xt+vkBdpgFZe8L1SRCOLVtKz HuAIsG9g3WU1S6VIKog9kOECnSaQ5iTfKSbc7SgqY+1Qfk66DSpulELL 8TL8vlW8THgwqYLbJ/mgOvQ+6MmTzKR5ydeDc4/8W0SkQzQe6TYVFNLo sa4KLJxPKoCZ2eiulrvh2HD+usrLTMRs10jMCyORQAwgdRn3a8bjrMa4 11x+sQ==
Sandia.gov. 3600 IN NS ns1.ca.Sandia.gov.
Sandia.gov. 3600 IN NS ns2.ca.Sandia.gov.
Sandia.gov. 3600 IN NS ns9.Sandia.gov.
Sandia.gov. 3600 IN NS ns8.Sandia.gov.
Sandia.gov. 3600 IN RRSIG SOA 7 2 3600 20131027181002 20130927171002 30602 sandia.gov. OkmrnYqJU9TMCebksFWYaCPkd2UGZNL/z7rVm2YkbyBk+HpTZvQbF8DA lPUZFTLycHEjaGxlR7Gd/W2cYnkuIol9X7zq+/+KSd13CTLJBS2kbneZ vV98yzzNDNH56BoIEG6A8xTyaZ4sSyiO5rm2aJxoMpvypF9niKjIPcmn 74vsBRsTbWMxsAj4cwhz8K9T3EhzuD1DlS4TPivsWMyS7nWCVHQEK+0R fBNfWWbLRTREpGBF0FFSLewztbIhmCtHKhoWvreWoylfMiDXaEooImjx sVswO6AEO4nqjK7qGEak2P8nBzLpIzSnqgln2Bk/5/qfmfIkSmKz+4wo XVTYAg==

Whois


% DOTGOV WHOIS Server ready
   Domain Name: SANDIA.GOV
   Status: ACTIVE

1 comment:

  1. I was hit by an attack with sandia.gov as the payload.

    http://blog.offenders.org/?p=257
