Monday, October 28, 2013

Domain: 67252.info

If you are seeing queries for this domain, then you are most likely being used as a reflector in DNS amplification attacks: your DNS server is reachable from the internet and has recursion enabled (an open resolver).

If you are seeing responses for this domain... unlucky. You are currently being DDoSed! Good luck.


IPtables:


There are two iptables rules available. If your distribution's iptables supports the 'u32' match module, use that one; otherwise use the 'string' rule. Both match the query name at byte offset 40 from the start of the IP header (20-byte IPv4 header without options, 8-byte UDP header, 12-byte DNS header), so they only catch unfragmented IPv4 UDP queries with no IP options, and they only catch the exact name, not subdomains of it. The u32 rule masks letters with 0xDF so it matches regardless of case; the string rule as written is case-sensitive (add --icase if you want otherwise). Both rules drop the incoming queries on the reflector, which is the side that can do something about the traffic; the permanent fix is to stop answering recursive queries for clients outside your own networks.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28=0x05363732 && 0x2c&0xFFFFFFDF=0x35320449 && 0x30&0xDFDFDFFF=0x4e464f00" -j DROP -m comment --comment "DROP DNS Q 67252.info"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 52 --algo bm --hex-string '|05363732353204696e666f00|' -j DROP -m comment --comment "DROP DNS Q 67252.info"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
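Every post on this page shows the same two rule forms, hand-built from the domain's DNS wire-format name. The script below is an added example, not the blog's own tooling or the smurfmonitor repository's generator: it encodes a domain as a QNAME, emits the 'string' and 'u32' rules in exactly the form shown above (digits and label lengths matched exactly, letters with a 0xDF case mask, bytes past the end of the name masked out), and then evaluates the u32 tests against a constructed query packet so you can see where the fixed offset 40 comes from and why a query carrying IP options, or a query for a subdomain, slips past the rule. The sample domain names are taken from this page; the packet builder, the 192.0.2.0/24 addresses and the `u32_matches` evaluator are assumptions made for the example.

```python
"""Build the 'string' and 'u32' iptables rules shown on this page from a domain name,
and exercise the u32 match against a constructed DNS query packet."""
import struct
import sys

# Byte offset of the QNAME from the start of the IP header:
# 20-byte IPv4 header (no options) + 8-byte UDP header + 12-byte DNS header.
QNAME_OFFSET = 40


def qname_wire(domain: str) -> bytes:
    """Encode a domain as a DNS wire-format QNAME: length-prefixed labels and a zero terminator."""
    out = b""
    for label in domain.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def u32_tests(domain: str) -> list:
    """Split the QNAME into 4-byte words starting at QNAME_OFFSET.
    ASCII letters get mask 0xDF (and an uppercased value) so the test ignores case,
    as DNS itself does; label lengths, digits and the terminator get mask 0xFF;
    padding bytes past the end of the name get mask 0x00 (don't care)."""
    wire = qname_wire(domain)
    tests = []
    for i in range(0, len(wire), 4):
        chunk = wire[i:i + 4]
        mask = value = 0
        for b in chunk:
            if 0x41 <= (b & 0xDF) <= 0x5A:      # 'A'-'Z' or 'a'-'z'
                m, v = 0xDF, b & 0xDF
            else:
                m, v = 0xFF, b
            mask, value = (mask << 8) | m, (value << 8) | v
        pad = 8 * (4 - len(chunk))
        tests.append((QNAME_OFFSET + i, mask << pad, value << pad))
    return tests


def u32_rule(domain: str) -> str:
    """The u32 form: one 'offset&mask=value' test per 4-byte word, ANDed together."""
    parts = []
    for off, mask, value in u32_tests(domain):
        if mask == 0xFFFFFFFF:
            parts.append(f"0x{off:x}=0x{value:08x}")
        else:
            parts.append(f"0x{off:x}&0x{mask:08X}=0x{value:08x}")
    expr = " && ".join(parts)
    return (f'iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "{expr}" '
            f'-j DROP -m comment --comment "DROP DNS Q {domain}"')


def string_rule(domain: str) -> str:
    """The string form: the raw QNAME bytes, searched only in the window where a query's
    QNAME can sit. Without --icase this match is case-sensitive."""
    wire = qname_wire(domain)
    return (f"iptables --insert INPUT -p udp --dport 53 -m string --from {QNAME_OFFSET} "
            f"--to {QNAME_OFFSET + len(wire)} --algo bm --hex-string '|{wire.hex()}|' "
            f'-j DROP -m comment --comment "DROP DNS Q {domain}"')


def build_query_packet(domain: str, ip_options: bytes = b"") -> bytes:
    """Constructed IPv4/UDP/DNS query for testing (checksums left at zero, addresses from
    documentation space). This is not captured traffic."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a 4-byte multiple")
    ihl = 5 + len(ip_options) // 4
    dns = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # id, RD set, QDCOUNT=1
           + qname_wire(domain) + b"\x00\x01\x00\x01")           # QTYPE A, QCLASS IN
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(udp), 0, 0,
                     64, 17, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53])) + ip_options
    return ip + udp


def u32_matches(packet: bytes, domain: str) -> bool:
    """Evaluate the u32 tests the way the kernel module does: load 4 bytes at each offset
    from the start of the IP header, AND with the mask, compare. A load past the end fails."""
    for off, mask, value in u32_tests(domain):
        word = packet[off:off + 4]
        if len(word) < 4 or int.from_bytes(word, "big") & mask != value:
            return False
    return True


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "67252.info"
    print(u32_rule(name))
    print(string_rule(name))
```

Run it with a domain as the first argument to print both rules. A query for `67252.INFO` matches the u32 rule for `67252.info`, a query for `www.67252.info` does not (the first label differs), and a query whose IPv4 header carries options does not either, because the QNAME then starts at offset 44 and the words at offset 40 are the DNS header's NSCOUNT/ARCOUNT fields.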

Source:


122.136.196.116

Name server:


;; ANSWER SECTION:
67252.info. 3600 IN NS ns66.domaincontrol.com.
67252.info. 3600 IN NS ns65.domaincontrol.com.

;; ADDITIONAL SECTION:
ns65.domaincontrol.com. 86400 IN A 216.69.185.43
ns65.domaincontrol.com. 86400 IN AAAA 2607:f208:206::2b
ns66.domaincontrol.com. 86400 IN A 208.109.255.43
ns66.domaincontrol.com. 86400 IN AAAA 2607:f208:302::2b


Response:


A 2
MX 2
NS 2
SOA 1
Rsize 209


Whois



Domain ID:D50794526-LRMS
Domain Name:67252.INFO
Created On:08-Oct-2013 08:05:47 UTC
Last Updated On:18-Oct-2013 20:46:41 UTC
Expiration Date:08-Oct-2014 08:05:47 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:CR152354785
Registrant Name:edson edson
Registrant Organization:
Registrant Street1:beijing
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:beijing
Registrant Postal Code:511111
Registrant Country:CN
Registrant Phone:+1.5555555555
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:afanti6@gmail.com
Admin ID:CR152354787
Admin Name:edson edson
Admin Organization:
Admin Street1:beijing
Admin Street2:
Admin Street3:
Admin City:beijing
Admin State/Province:beijing
Admin Postal Code:511111
Admin Country:CN
Admin Phone:+1.5555555555
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:afanti6@gmail.com
Billing ID:CR152354788
Billing Name:edson edson
Billing Organization:
Billing Street1:beijing
Billing Street2:
Billing Street3:
Billing City:beijing
Billing State/Province:beijing
Billing Postal Code:511111
Billing Country:CN
Billing Phone:+1.5555555555
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:afanti6@gmail.com
Tech ID:CR152354786
Tech Name:edson edson
Tech Organization:
Tech Street1:beijing
Tech Street2:
Tech Street3:
Tech City:beijing
Tech State/Province:beijing
Tech Postal Code:511111
Tech Country:CN
Tech Phone:+1.5555555555
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:afanti6@gmail.com
Name Server:NS66.DOMAINCONTROL.COM
Name Server:NS65.DOMAINCONTROL.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:





Monday, October 21, 2013

Domain: 53193.info


If you are seeing queries for this domain, then you are most likely being used as a reflector in DNS amplification attacks: your DNS server is reachable from the internet and has recursion enabled (an open resolver).

If you are seeing responses for this domain... unlucky. You are currently being DDoSed! Good luck.


IPtables:


There are two iptables rules available. If your distribution's iptables supports the 'u32' match module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28=0x05353331 && 0x2c&0xFFFFFFDF=0x39330449 && 0x30&0xDFDFDFFF=0x4e464f00" -j DROP -m comment --comment "DROP DNS Q 53193.info"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt


String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 52 --algo bm --hex-string '|05353331393304696e666f00|' -j DROP -m comment --comment "DROP DNS Q 53193.info"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
53193.info. 3600 IN NS ns66.domaincontrol.com.
53193.info. 3600 IN NS ns65.domaincontrol.com.

;; ADDITIONAL SECTION:
ns65.domaincontrol.com. 86400 IN A 216.69.185.43
ns65.domaincontrol.com. 86400 IN AAAA 2607:f208:206::2b
ns66.domaincontrol.com. 86400 IN A 208.109.255.43
ns66.domaincontrol.com. 86400 IN AAAA 2607:f208:302::2b


Response:


A 2
MX 2
NS 2
SOA 1
Rsize 209*

* Perhaps the domain is not active yet, or there is a problem with my resolver.

Whois



Domain ID:D50794513-LRMS
Domain Name:53193.INFO
Created On:08-Oct-2013 08:05:46 UTC
Last Updated On:18-Oct-2013 19:44:40 UTC
Expiration Date:08-Oct-2014 08:05:46 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:CR152354749
Registrant Name:edson edson
Registrant Organization:
Registrant Street1:beijing
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:beijing
Registrant Postal Code:511111
Registrant Country:CN
Registrant Phone:+1.5555555555
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:afanti6@gmail.com
Admin ID:CR152354751
Admin Name:edson edson
Admin Organization:
Admin Street1:beijing
Admin Street2:
Admin Street3:
Admin City:beijing
Admin State/Province:beijing
Admin Postal Code:511111
Admin Country:CN
Admin Phone:+1.5555555555
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:afanti6@gmail.com
Billing ID:CR152354752
Billing Name:edson edson
Billing Organization:
Billing Street1:beijing
Billing Street2:
Billing Street3:
Billing City:beijing
Billing State/Province:beijing
Billing Postal Code:511111
Billing Country:CN
Billing Phone:+1.5555555555
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:afanti6@gmail.com
Tech ID:CR152354750
Tech Name:edson edson
Tech Organization:
Tech Street1:beijing
Tech Street2:
Tech Street3:
Tech City:beijing
Tech State/Province:beijing
Tech Postal Code:511111
Tech Country:CN
Tech Phone:+1.5555555555
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:afanti6@gmail.com
Name Server:NS66.DOMAINCONTROL.COM
Name Server:NS65.DOMAINCONTROL.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:




Sunday, October 20, 2013

Domain: 43614.info

If you are seeing queries for this domain, then you are most likely being used as a reflector in DNS amplification attacks: your DNS server is reachable from the internet and has recursion enabled (an open resolver).

If you are seeing responses for this domain... unlucky. You are currently being DDoSed! Good luck.


IPtables:


There are two iptables rules available. If your distribution's iptables supports the 'u32' match module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28=0x05343336 && 0x2c&0xFFFFFFDF=0x31340449 && 0x30&0xDFDFDFFF=0x4e464f00" -j DROP -m comment --comment "DROP DNS Q 43614.info"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 52 --algo bm --hex-string '|05343336313404696e666f00|' -j DROP -m comment --comment "DROP DNS Q 43614.info"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
43614.info. 3600 IN NS ns65.domaincontrol.com.
43614.info. 3600 IN NS ns66.domaincontrol.com.

;; ADDITIONAL SECTION:
ns65.domaincontrol.com. 86400 IN A 216.69.185.43
ns65.domaincontrol.com. 86400 IN AAAA 2607:f208:206::2b


Response:


A 2
MX 2
NS 2
SOA 1
Rsize 209*

* Perhaps the domain is currently not active.

Whois



Domain ID:D50794517-LRMS
Domain Name:43614.INFO
Created On:08-Oct-2013 08:05:47 UTC
Last Updated On:18-Oct-2013 20:46:42 UTC
Expiration Date:08-Oct-2014 08:05:47 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:CR152354777
Registrant Name:edson edson
Registrant Organization:
Registrant Street1:beijing
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:beijing
Registrant Postal Code:511111
Registrant Country:CN
Registrant Phone:+1.5555555555
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:afanti6@gmail.com
Admin ID:CR152354779
Admin Name:edson edson
Admin Organization:
Admin Street1:beijing
Admin Street2:
Admin Street3:
Admin City:beijing
Admin State/Province:beijing
Admin Postal Code:511111
Admin Country:CN
Admin Phone:+1.5555555555
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:afanti6@gmail.com
Billing ID:CR152354780
Billing Name:edson edson
Billing Organization:
Billing Street1:beijing
Billing Street2:
Billing Street3:
Billing City:beijing
Billing State/Province:beijing
Billing Postal Code:511111
Billing Country:CN
Billing Phone:+1.5555555555
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:afanti6@gmail.com
Tech ID:CR152354778
Tech Name:edson edson
Tech Organization:
Tech Street1:beijing
Tech Street2:
Tech Street3:
Tech City:beijing
Tech State/Province:beijing
Tech Postal Code:511111
Tech Country:CN
Tech Phone:+1.5555555555
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:afanti6@gmail.com
Name Server:NS66.DOMAINCONTROL.COM
Name Server:NS65.DOMAINCONTROL.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:





Saturday, October 19, 2013

Domain: gtml2.com

If you are seeing queries for this domain, then you are most likely being used as a reflector in DNS amplification attacks: your DNS server is reachable from the internet and has recursion enabled (an open resolver).

If you are seeing responses for this domain... unlucky. You are currently being DDoSed! Good luck.


IPtables:


There are two iptables rules available. If your distribution's iptables supports the 'u32' match module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0547544d && 0x2c&0xDFFFFFDF=0x4c320343 && 0x30&0xDFDFFF00=0x4f4d0000" -j DROP -m comment --comment "DROP DNS Q gtml2.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 51 --algo bm --hex-string '|0567746d6c3203636f6d00|' -j DROP -m comment --comment "DROP DNS Q gtml2.com"

More Iptables rules for the STRING module can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
gtml2.com. 3600 IN NS ns1.namecity.com.
gtml2.com. 3600 IN NS ns2.namecity.com.

;; ADDITIONAL SECTION:
ns1.namecity.com. 172800 IN A 62.128.193.35
ns2.namecity.com. 172800 IN A 84.22.161.171


Response:


A 2
MX 253
NS 2
SOA 1
TXT 1
Rsize 6260


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: GTML2.COM
Registrar: TUCOWS DOMAINS INC.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net
Name Server: NS1.NAMECITY.COM
Name Server: NS2.NAMECITY.COM
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 18-apr-2013
Creation Date: 21-may-2007
Expiration Date: 21-may-2014

>>> Last update of whois database: Sat, 19 Oct 2013 21:17:32 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Registrant:
CommuniGator Ltd
The old Byre
Peper Harow
Godalming, SURREY GU8 6BQ
GB

Domain name: GTML2.COM


Administrative Contact:
Yates, Aaron aaron.yates@communigator.co.uk
The old Byre
Peper Harow
Godalming, SURREY GU8 6BQ
GB
+44.1483411911
Technical Contact:
Yates, Aaron aaron.yates@communigator.co.uk
The old Byre
Peper Harow
Godalming, SURREY GU8 6BQ
GB
+44.1483411911


Registration Service Provider:
Internetters Ltd, hostmaster@internetters.co.uk
+44.3701709170
+44.1419316785 (fax)
http://www.internetters.co.uk



Registrar of Record: TUCOWS, INC.
Record last updated on 18-Apr-2013.
Record expires on 21-May-2014.
Record created on 21-May-2007.

Registrar Domain Name Help Center:
http://tucowsdomains.com

Domain servers in listed order:
NS1.NAMECITY.COM
NS2.NAMECITY.COM


Domain status: clientTransferProhibited
clientUpdateProhibited






Friday, October 18, 2013

Domain: txt.fwserver.com.ua

If you are seeing queries for this domain, then you are most likely being used as a reflector in DNS amplification attacks: your DNS server is reachable from the internet and has recursion enabled (an open resolver).

If you are seeing responses for this domain... unlucky. You are currently being DDoSed! Good luck.

Very similar to the txt.pwserver.com.ua domain!


IPtables:


There are two iptables rules available. If your distribution's iptables supports the 'u32' match module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x03545854 && 0x2c&0xFFDFDFDF=0x08465753 && 0x30&0xDFDFDFDF=0x45525645 && 0x34&0xDFFFDFDF=0x5203434f && 0x38&0xDFFFDFDF=0x4d025541 && 0x3c&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q txt.fwserver.com.ua"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 61 --algo bm --hex-string '|0374787408667773657276657203636f6d02756100|' -j DROP -m comment --comment "DROP DNS Q txt.fwserver.com.ua"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
txt.fwserver.com.ua. 28800 IN NS ns1.ua-dc.net.
txt.fwserver.com.ua. 28800 IN NS ns2.ua-dc.net.

;; ADDITIONAL SECTION:
ns1.ua-dc.net. 3600 IN A 91.212.124.5
ns2.ua-dc.net. 3600 IN A 91.214.69.18


Response:


A 242
NS 2
SOA 1
Rsize 3979


Whois


domain:           fwserver.com.ua
dom-public:       NO
registrant:       lklqe46182
admin-c:          lklqe46182
tech-c:           nic
mnt-by:           ua.nic
nserver:          ns2.ua-dc.net
nserver:          ns1.ua-dc.net
status:           ok
created:          2013-07-14 22:33:29+03
expires:          2014-07-14 22:33:29+03
source:           UAEPP

% Registrar:
% ==========
registrar:        ua.nic
organization:     NIC.UA LLC
organization-loc: ТОВ "НІК.ЮЕЙ"
url:              http://nic.ua
city:             Dnipropetrovsk
country:          UA
source:           UAEPP

% Registrant:
% ===========
contact-id:       lklqe46182
person:           n/a
person-loc:       not published
e-mail:           admin@aden.dp.ua
address:          n/a
phone:            +380.000000000
mnt-by:           ua.nic
status:           ok
status:           linked
created:          2013-04-06 13:07:34+03
source:           UAEPP


% Administrative Contacts:
% =======================
contact-id:       lklqe46182
person:           n/a
person-loc:       not published
e-mail:           admin@aden.dp.ua
address:          n/a
phone:            +380.000000000
mnt-by:           ua.nic
status:           ok
status:           linked
created:          2013-04-06 13:07:34+03
source:           UAEPP


% Technical Contacts:
% ===================
contact-id:       nic
person:           NIC.UA LLC
person-loc:       ТОВ "НІК.ЮЕЙ"
organization:     NIC.UA LLC
organization-loc: ТОВ "НІК.ЮЕЙ"
e-mail:           uanic@nic.ua
address:          Plehanova 18 512
address:          Dnepropetrovsk
postal-code:      49000
country:          UA
address-loc:      Плеханова 18 512
address-loc:      Днепропетровск
country-loc:      UA
phone:            +380.442329962
fax:              +380.445937569
mnt-by:           ua.nic
status:           ok
status:           linked
created:          2003-01-08 00:00:00+02
modified:         2013-06-22 13:51:58+03
source:           UAEPP





Domain: azmx.ru

If you are seeing queries for this domain, then you are most likely being used as a reflector in DNS amplification attacks: your DNS server is reachable from the internet and has recursion enabled (an open resolver).

If you are seeing responses for this domain... unlucky. You are currently being DDoSed! Good luck.


IPtables:


There are two iptables rules available. If your distribution's iptables supports the 'u32' match module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x04415a4d && 0x2c&0xDFFFDFDF=0x58025255 && 0x30&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q azmx.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 49 --algo bm --hex-string '|04617a6d7802727500|' -j DROP -m comment --comment "DROP DNS Q azmx.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


Unknown

Name server:


;; ANSWER SECTION:
azmx.ru. 3600 IN NS dns2.komtet.ru.
azmx.ru. 3600 IN NS dns1.komtet.ru.

;; ADDITIONAL SECTION:
dns1.komtet.ru. 86400 IN A 46.183.160.146
dns2.komtet.ru. 86400 IN A 91.224.22.148


Response:


A 239
MX 1
NS 2
SOA 1
TXT 1
Rsize 4010


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: AZMX.RU
nserver: dns1.komtet.ru.
nserver: dns2.komtet.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: RU-CENTER-REG-RIPN
admin-contact: https://www.nic.ru/whois
created: 2013.10.17
paid-till: 2014.10.17
free-date: 2014.11.17
source: TCI

Last updated on 2013.10.19 04:16:31 MSK




Domain: krasti.us

If you are seeing queries for this domain, then you are most likely being used as a reflector in DNS amplification attacks: your DNS server is reachable from the internet and has recursion enabled (an open resolver).

If you are seeing responses for this domain... unlucky. You are currently being DDoSed! Good luck.


IPtables:


There are two iptables rules available. If your distribution's iptables supports the 'u32' match module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x064b5241 && 0x2c&0xDFDFDFFF=0x53544902 && 0x30&0xDFDFFF00=0x55530000" -j DROP -m comment --comment "DROP DNS Q krasti.us"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 51 --algo bm --hex-string '|066b726173746902757300|' -j DROP -m comment --comment "DROP DNS Q krasti.us"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


Unknown

Name server:


;; ANSWER SECTION:
krasti.us. 3440 IN NS ns64.domaincontrol.com.
krasti.us. 3440 IN NS ns63.domaincontrol.com.

;; ADDITIONAL SECTION:
ns63.domaincontrol.com. 8556 IN A 216.69.185.42
ns63.domaincontrol.com. 8556 IN AAAA 2607:f208:206::2a
ns64.domaincontrol.com. 8556 IN A 208.109.255.42
ns64.domaincontrol.com. 8556 IN AAAA 2607:f208:302::2a


Response:


A 2
MX 30
NS 2
SOA 1
TXT 1
Rsize 4886


The response itself is noteworthy: the TXT record and the thirty junk MX records serve no purpose other than inflating the response (Rsize 4886). The long records were line-wrapped in the capture; they are rejoined here.

;; ANSWER SECTION:
krasti.us.              3600    IN      SOA     ns63.domaincontrol.com. dns.jomax.net. 2013101709 28800 7200 604800 600
krasti.us.              589     IN      A       184.168.221.51
krasti.us.              3589    IN      NS      ns63.domaincontrol.com.
krasti.us.              3589    IN      NS      ns64.domaincontrol.com.
krasti.us.              604800  IN      TXT     "sdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdasssdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533 > sdasd" "assdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdasdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533 > sdasdassdasd" "assdasdassdasdassdasdassdasdassdasdassdasdassdasdassdaasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533 > sdasdassdasdassda" "sdassdasdassdasdassdasdassdasdassdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533 > sdasdassdasdassdasdassdasdassdasdassd" "asda"
krasti.us.              604800  IN      MX      26 lolwutevet8.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksuckg.com.
krasti.us.              604800  IN      MX      26 lolwutevet8.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksugck.com.
krasti.us.              604800  IN      MX      28 lolwutevet0.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresuc7ksucksucksuck.com.
krasti.us.              604800  IN      MX      28 lolwutevet0.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksuckgsuck.com.
krasti.us.              604800  IN      MX      28 lolwutevet0.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksuckg.com.
krasti.us.              604800  IN      MX      29 lolwutevet33.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouares6ucksucksucksuck.com.
krasti.us.              604800  IN      MX      29 lolwutevet33.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksgucksuck.com.
krasti.us.              604800  IN      MX      30 lolwutevet23.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouare5sucksucksucksuck.com.
krasti.us.              604800  IN      MX      30 lolwutevet23.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksuckf.com.
krasti.us.              604800  IN      MX      30 lolwutevet23.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucgknsuck.com.
krasti.us.              604800  IN      MX      32 lolwutevet33.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouar4esucksucksucksuck.com.
krasti.us.              604800  IN      MX      32 lolwutevet33.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksuckn.com.
krasti.us.              604800  IN      MX      32 lolwutevet33.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksucku.com.
krasti.us.              604800  IN      MX      10 lolwutevet1.ddos-guard.sux.net.antipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksuck.com.
krasti.us.              604800  IN      MX      10 lolwutevet1.ddos-guard.sux.net.antipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyou3aresucksucksucksuck.com.
krasti.us.              604800  IN      MX      10 lolwutevet1.ddos-guard.sux.net.antipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksuckssucksuck.com.
krasti.us.              604800  IN      MX      10 lolwutevet1.ddos-guard.sux.net.antipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksucdk.com.
krasti.us.              604800  IN      MX      21 lolwutevet2.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyoua2resucksucksucksuck.com.
krasti.us.              604800  IN      MX      21 lolwutevet2.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksuckd.com.
krasti.us.              604800  IN      MX      21 lolwutevet2.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksuscksuck.com.
krasti.us.              604800  IN      MX      22 lolwutevet3.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyou1aresucksucksucksuxck.com.
krasti.us.              604800  IN      MX      22 lolwutevet3.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksuckncsucksuck.com.
krasti.us.              604800  IN      MX      22 lolwutevet3.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksugckd.com.
krasti.us.              604800  IN      MX      23 lolwutevet4.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksuckn.com.
krasti.us.              604800  IN      MX      23 lolwutevet4.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucnksucksuck.com.
krasti.us.              604800  IN      MX      23 lolwutevet4.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucknbsuxck.com.
krasti.us.              604800  IN      MX      24 lolwutevet5.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksuck.com.
krasti.us.              604800  IN      MX      24 lolwutevet5.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksu0cksucksuck.com.
krasti.us.              604800  IN      MX      24 lolwutevet5.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksuckg.com.
krasti.us.              604800  IN      MX      26 lolwutevet8.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresuck8sucksucksuck.com.
krasti.us.              86389   IN      RRSIG   NSEC 5 2 86400 20131117021009 20131018011009 24075 US. Vlhl+ElSyzbwVU3MM+u1u0bGJqoOF05SaoCvO2A4oMYq9tt3IbAQUUNv u5+QVWtuiijylhFNIFMEBbVNsyfbGgGbA+2OhtrOKf2kyh5GWH9Hlb32 +sSn6cxvRPoVBPdwjIJhknriy0o1ignfsEPj74mBLPsCobdH7YISdywc l/A=
krasti.us.              86389   IN      NSEC    KRASZEWSKI.us. NS RRSIG NSEC

Whois


Domain Name: KRASTI.US
Domain ID: D42540828-US
Sponsoring Registrar: GODADDY.COM, INC.
Sponsoring Registrar IANA ID: 146
Registrar URL (registration services): whois.godaddy.com
Domain Status: clientDeleteProhibited
Domain Status: clientRenewProhibited
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Registrant ID: CR152951749
Registrant Name: Ivan Kudashev
Registrant Address1: gorod rostov, sprosit' evgenya
Registrant Address2: marchenko is ddog-guarda
Registrant City: Rostov
Registrant Postal Code: 531189
Registrant Country: Russian Federation
Registrant Country Code: RU
Registrant Phone Number: +7.9651765432
Registrant Email: ivan-kudashev@insorg-mail.info
Registrant Application Purpose: P3
Registrant Nexus Category: C11
Administrative Contact ID: CR152951751
Administrative Contact Name: Ivan Kudashev
Administrative Contact Address1: gorod rostov, sprosit' evgenya
Administrative Contact Address2: marchenko is ddog-guarda
Administrative Contact City: Rostov
Administrative Contact Postal Code: 531189
Administrative Contact Country: Russian Federation
Administrative Contact Country Code: RU
Administrative Contact Phone Number: +7.9651765432
Administrative Contact Email: ivan-kudashev@insorg-mail.info
Administrative Application Purpose: P3
Administrative Nexus Category: C11
Billing Contact ID: CR152951752
Billing Contact Name: Ivan Kudashev
Billing Contact Address1: gorod rostov, sprosit' evgenya
Billing Contact Address2: marchenko is ddog-guarda
Billing Contact City: Rostov
Billing Contact Postal Code: 531189
Billing Contact Country: Russian Federation
Billing Contact Country Code: RU
Billing Contact Phone Number: +7.9651765432
Billing Contact Email: ivan-kudashev@insorg-mail.info
Billing Application Purpose: P3
Billing Nexus Category: C11
Technical Contact ID: CR152951750
Technical Contact Name: Ivan Kudashev
Technical Contact Address1: gorod rostov, sprosit' evgenya
Technical Contact Address2: marchenko is ddog-guarda
Technical Contact City: Rostov
Technical Contact Postal Code: 531189
Technical Contact Country: Russian Federation
Technical Contact Country Code: RU
Technical Contact Phone Number: +7.9651765432
Technical Contact Email: ivan-kudashev@insorg-mail.info
Technical Application Purpose: P3
Technical Nexus Category: C11
Name Server: NS63.DOMAINCONTROL.COM
Name Server: NS64.DOMAINCONTROL.COM
Created by Registrar: GODADDY.COM, INC.
Last Updated by Registrar: GODADDY.COM, INC.
Domain Registration Date: Fri Oct 18 02:09:40 GMT 2013
Domain Expiration Date: Fri Oct 17 23:59:59 GMT 2014
Domain Last Updated Date: Fri Oct 18 02:09:40 GMT 2013

>>>> Whois database was last updated on: Sat Oct 19 00:15:16 GMT 2013 <<<<


All domain names are subject to certain additional domain name registration
rules. For details, please visit our site at www.whois.us.



Thursday, October 17, 2013

Domain: pipcvsemnaher.com

If you are seeing queries for this domain, then you are most likely being used as a reflector in DNS amplification attacks: your DNS server is reachable from the internet and has recursion enabled (an open resolver).

If you are seeing responses for this domain... unlucky. You are currently being DDoSed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0d504950 && 0x2c&0xDFDFDFDF=0x43565345 && 0x30&0xDFDFDFDF=0x4d4e4148 && 0x34&0xDFDFFFDF=0x45520343 && 0x38&0xDFDFFF00=0x4f4d0000" -j DROP -m comment --comment "DROP DNS Q pipcvsemnaher.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 59 --algo bm --hex-string '|0D706970637673656d6e6168657203636f6d00|' -j DROP -m comment --comment "DROP DNS Q pipcvsemnaher.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
pipcvsemnaher.com. 10800 IN NS a.dns.gandi.net.
pipcvsemnaher.com. 10800 IN NS c.dns.gandi.net.
pipcvsemnaher.com. 10800 IN NS b.dns.gandi.net.

;; ADDITIONAL SECTION:
a.dns.gandi.net. 86400 IN A 173.246.97.2
a.dns.gandi.net. 86400 IN AAAA 2604:3400:a::2
b.dns.gandi.net. 86400 IN A 217.70.184.40
b.dns.gandi.net. 86400 IN AAAA 2001:4b98:b:a::40
c.dns.gandi.net. 86400 IN A 217.70.182.20
c.dns.gandi.net. 86400 IN AAAA 2001:4b98:c:521::20


Response:


A 240
MX 2
NS 3
SOA 1
Rsize 4013


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: PIPCVSEMNAHER.COM
Registrar: GANDI SAS
Whois Server: whois.gandi.net
Referral URL: http://www.gandi.net
Name Server: A.DNS.GANDI.NET
Name Server: B.DNS.GANDI.NET
Name Server: C.DNS.GANDI.NET
Status: clientTransferProhibited
Updated Date: 27-sep-2013
Creation Date: 27-sep-2013
Expiration Date: 27-sep-2014

>>> Last update of whois database: Thu, 17 Oct 2013 22:10:35 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
--- #YAML:1.0
# GANDI Registrar whois database for .COM, .NET, .ORG., .INFO, .BIZ, .NAME
#

domain: pipcvsemnaher.com
reg_created: 2013-09-27 19:48:23
expires: 2014-09-27 19:48:23
created: 2013-09-27 21:48:23
changed: 2013-10-03 12:26:18
transfer-prohibited: yes
ns0: a.dns.gandi.net
ns1: b.dns.gandi.net
ns2: c.dns.gandi.net
owner-c:
nic-hdl: DP4983-GANDI
organisation: ~
person: Denis Pulman
obfuscated: Obfuscated by Gandi
address: (Gandi) 63-65 boulevard Massena
zipcode: (Gandi) 75013
city: (Gandi) Paris
country: (Gandi) France
phone: (Gandi) +33.170377666
fax: (Gandi) +33.143730576
email: af703dda29383534e30a3133cc4c41cc-1785642@contact.gandi.net
lastupdated: 2013-09-27 17:57:31
admin-c:
nic-hdl: DP4983-GANDI
organisation: ~
person: Denis Pulman
obfuscated: Obfuscated by Gandi
address: (Gandi) 63-65 boulevard Massena
zipcode: (Gandi) 75013
city: (Gandi) Paris
country: (Gandi) France
phone: (Gandi) +33.170377666
fax: (Gandi) +33.143730576
email: af703dda29383534e30a3133cc4c41cc-1785642@contact.gandi.net
lastupdated: 2013-09-27 17:57:31
tech-c:
nic-hdl: DP4983-GANDI
organisation: ~
person: Denis Pulman
obfuscated: Obfuscated by Gandi
address: (Gandi) 63-65 boulevard Massena
zipcode: (Gandi) 75013
city: (Gandi) Paris
country: (Gandi) France
phone: (Gandi) +33.170377666
fax: (Gandi) +33.143730576
email: af703dda29383534e30a3133cc4c41cc-1785642@contact.gandi.net
lastupdated: 2013-09-27 17:57:31
bill-c:
nic-hdl: DP4983-GANDI
organisation: ~
person: Denis Pulman
obfuscated: Obfuscated by Gandi
address: (Gandi) 63-65 boulevard Massena
zipcode: (Gandi) 75013
city: (Gandi) Paris
country: (Gandi) France
phone: (Gandi) +33.170377666
fax: (Gandi) +33.143730576
email: af703dda29383534e30a3133cc4c41cc-1785642@contact.gandi.net
lastupdated: 2013-09-27 17:57:31



Tuesday, October 15, 2013

Domain: 37349.info

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28=0x05333733 && 0x2c&0xFFFFFFDF=0x34390449 && 0x30&0xDFDFDFFF=0x4e464f00" -j DROP -m comment --comment "DROP DNS Q 37349.info"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 52 --algo bm --hex-string '|05333733343904696e666f00|' -j DROP -m comment --comment "DROP DNS Q 37349.info"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
37349.info. 7200 IN NS ns1.sdfre.info.
37349.info. 7200 IN NS ns2.sdfre.info.

;; ADDITIONAL SECTION:
ns1.sdfre.info. 60925 IN A 64.62.186.125
ns1.sdfre.info. 60925 IN A 162.211.182.100
ns1.sdfre.info. 60925 IN A 162.211.182.101
ns1.sdfre.info. 60925 IN A 162.211.182.102
ns1.sdfre.info. 60925 IN A 162.211.182.103
ns1.sdfre.info. 60925 IN A 162.212.182.66
ns1.sdfre.info. 60925 IN A 162.212.182.67
ns1.sdfre.info. 60925 IN A 162.212.182.81
ns1.sdfre.info. 60925 IN A 162.212.182.163
ns1.sdfre.info. 60925 IN A 162.212.182.165
ns1.sdfre.info. 60925 IN A 64.62.186.77
ns1.sdfre.info. 60925 IN A 64.62.186.91
ns1.sdfre.info. 60925 IN A 64.62.186.110
ns2.sdfre.info. 60925 IN A 162.211.182.100
ns2.sdfre.info. 60925 IN A 162.211.182.101
ns2.sdfre.info. 60925 IN A 162.211.182.102
ns2.sdfre.info. 60925 IN A 162.211.182.103
ns2.sdfre.info. 60925 IN A 162.212.182.66
ns2.sdfre.info. 60925 IN A 162.212.182.67
ns2.sdfre.info. 60925 IN A 162.212.182.81
ns2.sdfre.info. 60925 IN A 162.212.182.163
ns2.sdfre.info. 60925 IN A 162.212.182.165
ns2.sdfre.info. 60925 IN A 64.62.186.77
ns2.sdfre.info. 60925 IN A 64.62.186.91
ns2.sdfre.info. 60925 IN A 64.62.186.110
ns2.sdfre.info. 60925 IN A 64.62.186.125


Response:


A 257
NS 2
SOA 1
Rsize 4211


Whois



Domain ID:D50794519-LRMS
Domain Name:37349.INFO
Created On:08-Oct-2013 08:05:47 UTC
Last Updated On:11-Oct-2013 16:03:32 UTC
Expiration Date:08-Oct-2014 08:05:47 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:CR152354753
Registrant Name:edson edson
Registrant Organization:
Registrant Street1:beijing
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:beijing
Registrant Postal Code:511111
Registrant Country:CN
Registrant Phone:+1.5555555555
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:afanti6@gmail.com
Admin ID:CR152354755
Admin Name:edson edson
Admin Organization:
Admin Street1:beijing
Admin Street2:
Admin Street3:
Admin City:beijing
Admin State/Province:beijing
Admin Postal Code:511111
Admin Country:CN
Admin Phone:+1.5555555555
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:afanti6@gmail.com
Billing ID:CR152354756
Billing Name:edson edson
Billing Organization:
Billing Street1:beijing
Billing Street2:
Billing Street3:
Billing City:beijing
Billing State/Province:beijing
Billing Postal Code:511111
Billing Country:CN
Billing Phone:+1.5555555555
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:afanti6@gmail.com
Tech ID:CR152354754
Tech Name:edson edson
Tech Organization:
Tech Street1:beijing
Tech Street2:
Tech Street3:
Tech City:beijing
Tech State/Province:beijing
Tech Postal Code:511111
Tech Country:CN
Tech Phone:+1.5555555555
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:afanti6@gmail.com
Name Server:NS1.SDFRE.INFO
Name Server:NS2.SDFRE.INFO
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:





Domain: 36372.info

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28=0x05333633 && 0x2c&0xFFFFFFDF=0x37320449 && 0x30&0xDFDFDFFF=0x4e464f00" -j DROP -m comment --comment "DROP DNS Q 36372.info"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 52 --algo bm --hex-string '|05333633373204696e666f00|' -j DROP -m comment --comment "DROP DNS Q 36372.info"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
36372.info. 7200 IN NS ns2.sdfre.info.
36372.info. 7200 IN NS ns1.sdfre.info.

;; ADDITIONAL SECTION:
ns1.sdfre.info. 63402 IN A 64.62.186.91
ns1.sdfre.info. 63402 IN A 64.62.186.110
ns1.sdfre.info. 63402 IN A 64.62.186.125
ns1.sdfre.info. 63402 IN A 162.211.182.100
ns1.sdfre.info. 63402 IN A 162.211.182.101
ns1.sdfre.info. 63402 IN A 162.211.182.102
ns1.sdfre.info. 63402 IN A 162.211.182.103
ns1.sdfre.info. 63402 IN A 162.212.182.66
ns1.sdfre.info. 63402 IN A 162.212.182.67
ns1.sdfre.info. 63402 IN A 162.212.182.81
ns1.sdfre.info. 63402 IN A 162.212.182.163
ns1.sdfre.info. 63402 IN A 162.212.182.165
ns1.sdfre.info. 63402 IN A 64.62.186.77
ns2.sdfre.info. 63402 IN A 64.62.186.110
ns2.sdfre.info. 63402 IN A 64.62.186.125
ns2.sdfre.info. 63402 IN A 162.211.182.100
ns2.sdfre.info. 63402 IN A 162.211.182.101
ns2.sdfre.info. 63402 IN A 162.211.182.102
ns2.sdfre.info. 63402 IN A 162.211.182.103
ns2.sdfre.info. 63402 IN A 162.212.182.66
ns2.sdfre.info. 63402 IN A 162.212.182.67
ns2.sdfre.info. 63402 IN A 162.212.182.81
ns2.sdfre.info. 63402 IN A 162.212.182.163
ns2.sdfre.info. 63402 IN A 162.212.182.165
ns2.sdfre.info. 63402 IN A 64.62.186.77
ns2.sdfre.info. 63402 IN A 64.62.186.91


Response:


A 257
NS 2
SOA 1
Rsize 4211


Whois



Domain ID:D50794514-LRMS
Domain Name:36372.INFO
Created On:08-Oct-2013 08:05:46 UTC
Last Updated On:11-Oct-2013 16:02:50 UTC
Expiration Date:08-Oct-2014 08:05:46 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:CR152354741
Registrant Name:edson edson
Registrant Organization:
Registrant Street1:beijing
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:beijing
Registrant Postal Code:511111
Registrant Country:CN
Registrant Phone:+1.5555555555
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:afanti6@gmail.com
Admin ID:CR152354743
Admin Name:edson edson
Admin Organization:
Admin Street1:beijing
Admin Street2:
Admin Street3:
Admin City:beijing
Admin State/Province:beijing
Admin Postal Code:511111
Admin Country:CN
Admin Phone:+1.5555555555
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:afanti6@gmail.com
Billing ID:CR152354744
Billing Name:edson edson
Billing Organization:
Billing Street1:beijing
Billing Street2:
Billing Street3:
Billing City:beijing
Billing State/Province:beijing
Billing Postal Code:511111
Billing Country:CN
Billing Phone:+1.5555555555
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:afanti6@gmail.com
Tech ID:CR152354742
Tech Name:edson edson
Tech Organization:
Tech Street1:beijing
Tech Street2:
Tech Street3:
Tech City:beijing
Tech State/Province:beijing
Tech Postal Code:511111
Tech Country:CN
Tech Phone:+1.5555555555
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:afanti6@gmail.com
Name Server:NS1.SDFRE.INFO
Name Server:NS2.SDFRE.INFO
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:





Saturday, October 12, 2013

Domain: aa.10781.info

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFFF=0x02414105 && 0x2c=0x31303738 && 0x30&0xFFFFDFDF=0x3104494e && 0x34&0xDFDFFF00=0x464f0000" -j DROP -m comment --comment "DROP DNS Q aa.10781.info"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 55 --algo bm --hex-string '|02616105313037383104696e666f00|' -j DROP -m comment --comment "DROP DNS Q aa.10781.info"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


122.136.196.116

     27 aa.10781.info
     24 aa3247.com
     10 4fwhk.com

Name server:


;; ANSWER SECTION:
10781.info.             7200    IN      NS      ns2.05930.info.
10781.info.             7200    IN      NS      ns1.05930.info.

;; ADDITIONAL SECTION:
ns1.05930.info.         18825   IN      A       162.212.182.163
ns1.05930.info.         18825   IN      A       162.212.182.66
ns2.05930.info.         18825   IN      A       162.212.182.66
ns2.05930.info.         18825   IN      A       162.212.182.67
ns1.05930.info.         18825   IN      A       64.62.186.91
ns2.05930.info.         18825   IN      A       162.211.182.100
ns2.05930.info.         18825   IN      A       162.211.182.103
ns1.05930.info.         18825   IN      A       64.62.186.77
ns1.05930.info.         18825   IN      A       162.211.182.101
ns2.05930.info.         18825   IN      A       162.211.182.101
ns2.05930.info.         18825   IN      A       64.62.186.110
ns2.05930.info.         18825   IN      A       162.212.182.81
ns1.05930.info.         18825   IN      A       162.212.182.81
ns2.05930.info.         18825   IN      A       64.62.186.125
ns1.05930.info.         18825   IN      A       162.211.182.102
ns2.05930.info.         18825   IN      A       64.62.186.77
ns1.05930.info.         18825   IN      A       64.62.186.110
ns1.05930.info.         18825   IN      A       64.62.186.125
ns1.05930.info.         18825   IN      A       162.212.182.165
ns1.05930.info.         18825   IN      A       162.211.182.100
ns1.05930.info.         18825   IN      A       162.212.182.67
ns2.05930.info.         18825   IN      A       64.62.186.91
ns2.05930.info.         18825   IN      A       162.211.182.102
ns1.05930.info.         18825   IN      A       162.211.182.103
ns2.05930.info.         18825   IN      A       162.212.182.165
ns2.05930.info.         18825   IN      A       162.212.182.163

Response:


A 256
Rsize 4127


Whois


Domain ID:D50794524-LRMS
Domain Name:10781.INFO
Created On:08-Oct-2013 08:05:47 UTC
Last Updated On:11-Oct-2013 16:01:30 UTC
Expiration Date:08-Oct-2014 08:05:47 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:CR152354745
Registrant Name:edson edson
Registrant Organization:
Registrant Street1:beijing
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:beijing
Registrant Postal Code:511111
Registrant Country:CN
Registrant Phone:+1.5555555555
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:afanti6@gmail.com
Admin ID:CR152354747
Admin Name:edson edson
Admin Organization:
Admin Street1:beijing
Admin Street2:
Admin Street3:
Admin City:beijing
Admin State/Province:beijing
Admin Postal Code:511111
Admin Country:CN
Admin Phone:+1.5555555555
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:afanti6@gmail.com
Billing ID:CR152354748
Billing Name:edson edson
Billing Organization:
Billing Street1:beijing
Billing Street2:
Billing Street3:
Billing City:beijing
Billing State/Province:beijing
Billing Postal Code:511111
Billing Country:CN
Billing Phone:+1.5555555555
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:afanti6@gmail.com
Tech ID:CR152354746
Tech Name:edson edson
Tech Organization:
Tech Street1:beijing
Tech Street2:
Tech Street3:
Tech City:beijing
Tech State/Province:beijing
Tech Postal Code:511111
Tech Country:CN
Tech Phone:+1.5555555555
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:afanti6@gmail.com
Name Server:NS1.SDFRE.INFO
Name Server:NS2.SDFRE.INFO
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:




Friday, October 11, 2013

Domain: babywow.co.uk

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x07424142 && 0x2c&0xDFDFDFDF=0x59574f57 && 0x30&0xFFDFDFFF=0x02434f02 && 0x34&0xDFDFFF00=0x554b0000" -j DROP -m comment --comment "DROP DNS Q babywow.co.uk"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 55 --algo bm --hex-string '|0762616279776f7702636f02756b00|' -j DROP -m comment --comment "DROP DNS Q babywow.co.uk"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


94.102.52.44 - Ecatel

Name server:


;; ANSWER SECTION:
babywow.co.uk. 10800 IN NS b.dns.gandi.net.
babywow.co.uk. 10800 IN NS a.dns.gandi.net.
babywow.co.uk. 10800 IN NS c.dns.gandi.net.

;; ADDITIONAL SECTION:
a.dns.gandi.net. 44411 IN A 173.246.97.2
a.dns.gandi.net. 44411 IN AAAA 2604:3400:a::2
b.dns.gandi.net. 44411 IN A 217.70.184.40
b.dns.gandi.net. 44411 IN AAAA 2001:4b98:b:a::40
c.dns.gandi.net. 44411 IN A 217.70.182.20
c.dns.gandi.net. 44411 IN AAAA 2001:4b98:c:521::20


Response:


A 243
NS 3
SOA 1
TXT 2
Rsize 4515


Whois



Domain name:
babywow.co.uk

Registrant:
Jesy Leu

Registrant type:
UK Individual

Registrant's address:
The registrant is a non-trading individual who has opted to have their
address omitted from the WHOIS service.

Registrar:
Gandi t/a Gandi [Tag = GANDI]
URL: http://www.gandi.net

Relevant dates:
Registered on: 07-Oct-2013
Expiry date: 07-Oct-2014
Last updated: 07-Oct-2013

Registration status:
Registered until expiry date.

Name servers:
a.dns.gandi.net
b.dns.gandi.net
c.dns.gandi.net

WHOIS lookup made at 22:35:53 11-Oct-2013

--
This WHOIS information is provided for free by Nominet UK the central registry
for .uk domain names. This information and the .uk WHOIS are:

Copyright Nominet UK 1996 - 2013.

You may not access the .uk WHOIS or use any data from it except as permitted
by the terms of use available in full at http://www.nominet.org.uk/whoisterms, which
includes restrictions on: (A) use of the data for advertising, or its
repackaging, recompilation, redistribution or reuse (B) obscuring, removing
or hiding any or all of this notice and (C) exceeding query rate or volume
limits. The data is provided on an 'as-is' basis and may lag behind the
register. Access may be withdrawn or restricted at any time.



Domain: 36088.info

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28=0x05333630 && 0x2c&0xFFFFFFDF=0x38380449 && 0x30&0xDFDFDFFF=0x4e464f00" -j DROP -m comment --comment "DROP DNS Q 36088.info"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt


String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 52 --algo bm --hex-string '|05333630383804696e666f00|' -j DROP -m comment --comment "DROP DNS Q 36088.info"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
36088.info. 7200 IN NS ns2.05930.info.
36088.info. 7200 IN NS ns1.05930.info.

;; ADDITIONAL SECTION:
ns1.05930.info. 85619 IN A 162.212.182.165
ns1.05930.info. 85619 IN A 64.62.186.77
ns1.05930.info. 85619 IN A 64.62.186.91
ns1.05930.info. 85619 IN A 64.62.186.110
ns1.05930.info. 85619 IN A 64.62.186.125
ns1.05930.info. 85619 IN A 162.211.182.100
ns1.05930.info. 85619 IN A 162.211.182.101
ns1.05930.info. 85619 IN A 162.211.182.102
ns1.05930.info. 85619 IN A 162.211.182.103
ns1.05930.info. 85619 IN A 162.212.182.66
ns1.05930.info. 85619 IN A 162.212.182.67
ns1.05930.info. 85619 IN A 162.212.182.81
ns1.05930.info. 85619 IN A 162.212.182.163
ns2.05930.info. 85619 IN A 64.62.186.77
ns2.05930.info. 85619 IN A 64.62.186.91
ns2.05930.info. 85619 IN A 64.62.186.110
ns2.05930.info. 85619 IN A 64.62.186.125
ns2.05930.info. 85619 IN A 162.211.182.100
ns2.05930.info. 85619 IN A 162.211.182.101
ns2.05930.info. 85619 IN A 162.211.182.102
ns2.05930.info. 85619 IN A 162.211.182.103
ns2.05930.info. 85619 IN A 162.212.182.66
ns2.05930.info. 85619 IN A 162.212.182.67
ns2.05930.info. 85619 IN A 162.212.182.81
ns2.05930.info. 85619 IN A 162.212.182.163
ns2.05930.info. 85619 IN A 162.212.182.165


Response:


A 30
Rsize 508


Whois



Domain ID:D50794512-LRMS
Domain Name:36088.INFO
Created On:08-Oct-2013 08:05:46 UTC
Last Updated On:09-Oct-2013 08:36:40 UTC
Expiration Date:08-Oct-2014 08:05:46 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:CR152354773
Registrant Name:edson edson
Registrant Organization:
Registrant Street1:beijing
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:beijing
Registrant Postal Code:511111
Registrant Country:CN
Registrant Phone:+1.5555555555
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:afanti6@gmail.com
Admin ID:CR152354775
Admin Name:edson edson
Admin Organization:
Admin Street1:beijing
Admin Street2:
Admin Street3:
Admin City:beijing
Admin State/Province:beijing
Admin Postal Code:511111
Admin Country:CN
Admin Phone:+1.5555555555
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:afanti6@gmail.com
Billing ID:CR152354776
Billing Name:edson edson
Billing Organization:
Billing Street1:beijing
Billing Street2:
Billing Street3:
Billing City:beijing
Billing State/Province:beijing
Billing Postal Code:511111
Billing Country:CN
Billing Phone:+1.5555555555
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:afanti6@gmail.com
Tech ID:CR152354774
Tech Name:edson edson
Tech Organization:
Tech Street1:beijing
Tech Street2:
Tech Street3:
Tech City:beijing
Tech State/Province:beijing
Tech Postal Code:511111
Tech Country:CN
Tech Phone:+1.5555555555
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:afanti6@gmail.com
Name Server:NS1.05930.INFO
Name Server:NS2.05930.INFO
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:




Thursday, October 10, 2013

Domain: txt409.tekjeton.com

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x06545854 && 0x2c=0x34303908 && 0x30&0xDFDFDFDF=0x54454b4a && 0x34&0xDFDFDFDF=0x45544f4e && 0x38&0xFFDFDFDF=0x03434f4d && 0x3c&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q txt409.tekjeton.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 61 --algo bm --hex-string '|067478743430390874656b6a65746f6e03636f6d00|' -j DROP -m comment --comment "DROP DNS Q txt409.tekjeton.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


217.74.255.150

Name server:

tekjeton.com.           86379   IN      NS      linux2.patikayapim.com.
tekjeton.com.           86379   IN      NS      linux1.patikayapim.com.

;; ADDITIONAL SECTION:
linux2.patikayapim.com. 86379   IN      A       85.159.68.59
linux1.patikayapim.com. 86379   IN      A       85.159.68.58

Response:


Rsize 98


Whois



The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: TEKJETON.COM
Registrar URL: http://www.godaddy.com
Updated Date: 2013-03-21 13:29:23
Creation Date: 2010-06-03 12:19:30
Registrar Expiration Date: 2014-06-03 12:19:30
Registrar: GoDaddy.com, LLC
Registrant Name: Burak Aydogan
Registrant Organization:
Registrant Street: Besiktas
Registrant City: Istanbul
Registrant State/Province: Marmara
Registrant Postal Code: 34050
Registrant Country: Turkey
Admin Name: Burak Aydogan
Admin Organization:
Admin Street: Besiktas
Admin City: Istanbul
Admin State/Province: Marmara
Admin Postal Code: 34050
Admin Country: Turkey
Admin Phone: 00905322425631
Admin Fax:
Admin Email: arteleon@gmail.com
Tech Name: Burak Aydogan
Tech Organization:
Tech Street: Besiktas
Tech City: Istanbul
Tech State/Province: Marmara
Tech Postal Code: 34050
Tech Country: Turkey
Tech Phone: 00905322425631
Tech Fax:
Tech Email: arteleon@gmail.com
Name Server: LINUX1.PATIKAYAPIM.COM
Name Server: LINUX2.PATIKAYAPIM.COM




Domain: supermegatrue.mcdir.ru

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0d535550 && 0x2c&0xDFDFDFDF=0x45524d45 && 0x30&0xDFDFDFDF=0x47415452 && 0x34&0xDFDFFFDF=0x5545054d && 0x38&0xDFDFDFDF=0x43444952 && 0x3c&0xFFDFDFFF=0x02525500" -j DROP -m comment --comment "DROP DNS Q supermegatrue.mcdir.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 64 --algo bm --hex-string '|0D73757065726d65676174727565056d6364697202727500|' -j DROP -m comment --comment "DROP DNS Q supermegatrue.mcdir.ru"

More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


186.2.166.135

Name server:


;; ANSWER SECTION:
supermegatrue.mcdir.ru. 477 IN NS ns4.mchost.ru.
supermegatrue.mcdir.ru. 477 IN NS ns2.mchost.ru.
supermegatrue.mcdir.ru. 477 IN NS ns1.mchost.ru.
supermegatrue.mcdir.ru. 477 IN NS ns3.mchost.ru.

;; ADDITIONAL SECTION:
ns1.mchost.ru. 477 IN A 178.208.73.21
ns2.mchost.ru. 477 IN A 85.17.176.6
ns3.mchost.ru. 477 IN A 95.211.62.212
ns4.mchost.ru. 477 IN A 188.40.249.239


Response:


A 2
MX 2
NS 4
SOA 1
TXT 1
Rsize 301


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

No entries found for the selected source(s).

Last updated on 2013.10.10 22:01:38 MSK




Wednesday, October 9, 2013

Domain: 30259.info

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28=0x05333032 && 0x2c&0xFFFFFFDF=0x35390449 && 0x30&0xDFDFDFFF=0x4e464f00" -j DROP -m comment --comment "DROP DNS Q 30259.info"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 52 --algo bm --hex-string '|05333032353904696e666f00|' -j DROP -m comment --comment "DROP DNS Q 30259.info"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
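The u32 and string rules in each post above are derived mechanically from the DNS wire encoding of the query name: every label is prefixed by its length byte, the name ends with 0x00, and with a 20-byte IPv4 header, an 8-byte UDP header and a 12-byte DNS header the name starts at packet offset 0x28 (40). The u32 variant compares 4-byte words and puts a 0xDF mask on every letter, so it matches whatever case the query uses (resolvers that randomize 0x20 case are still caught); the string variant matches the exact bytes. The following Python is an added example, not code from the original post or from the smurfmonitor repository: it generates both rules for any domain, reproduces the rules shown on this page for the domains above, and evaluates them against a constructed query packet so the case-sensitivity difference can be checked offline. The packet builder and the two matcher functions are simplified models of xt_u32 and xt_string, written here for the example (assumed behaviour: a u32 clause whose offset lies past the end of the packet fails, and the string search window is the byte range from --from up to --to).

```python
"""Generate the iptables u32 / string rules used on this page from a domain
name, and evaluate them against a constructed DNS query packet.
Added example; not code from the original post or the smurfmonitor repo."""
import struct

# Query name offset used by the rules on this page: 20-byte IPv4 header
# (no options) + 8-byte UDP header + 12-byte DNS header = 40 = 0x28.
QNAME_OFFSET = 0x28


def wire_name(domain: str) -> bytes:
    """Encode a domain in DNS wire format: <len><label>...<len><label>0x00."""
    out = bytearray()
    for label in domain.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def u32_expr(domain: str) -> str:
    """Build the xt_u32 test string.  Every letter is compared under mask 0xDF
    (bit 0x20 cleared) so 'a' and 'A' both match; length bytes, digits and the
    terminating 0x00 use 0xFF; bytes past the terminator are masked to 0x00."""
    wire = wire_name(domain)
    clauses = []
    for i in range(0, len(wire), 4):
        chunk = wire[i:i + 4]
        mask = value = 0
        for j in range(4):
            if j >= len(chunk):          # padding after the terminating 0x00
                m, v = 0x00, 0x00
            elif chr(chunk[j]).isalpha():
                m, v = 0xDF, chunk[j] & 0xDF
            else:
                m, v = 0xFF, chunk[j]
            mask = (mask << 8) | m
            value = (value << 8) | v
        off = QNAME_OFFSET + i
        if mask == 0xFFFFFFFF:           # the page omits an all-ones mask
            clauses.append(f"0x{off:x}=0x{value:08x}")
        else:
            clauses.append(f"0x{off:x}&0x{mask:08X}=0x{value:08x}")
    return " && ".join(clauses)


def u32_rule(domain: str) -> str:
    return (f'iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "{u32_expr(domain)}" '
            f'-j DROP -m comment --comment "DROP DNS Q {domain}"')


def string_rule(domain: str) -> str:
    """xt_string variant: exact bytes, searched only in the window that the
    query name occupies (--from 40 --to 40+len)."""
    wire = wire_name(domain)
    return (f"iptables --insert INPUT -p udp --dport 53 -m string --from {QNAME_OFFSET} "
            f"--to {QNAME_OFFSET + len(wire)} --algo bm --hex-string '|{wire.hex()}|' "
            f'-j DROP -m comment --comment "DROP DNS Q {domain}"')


def build_query_packet(qname: str, qtype: int = 255) -> bytes:
    """Constructed IPv4/UDP/DNS query (zero addresses and checksums) used only
    to exercise the matchers offline; qtype 255 (ANY) is the type commonly
    seen in amplification traffic."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) \
        + wire_name(qname) + struct.pack("!HH", qtype, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(dns),
                     0, 0, 64, 17, 0, bytes(4), bytes(4))
    return ip + udp + dns


def u32_matches(expr: str, packet: bytes) -> bool:
    """Simplified model of xt_u32: for each '&&' clause read 4 bytes big-endian
    at the offset, AND with the mask and compare; a clause whose offset runs
    past the packet end fails (assumed behaviour)."""
    for clause in expr.split(" && "):
        lhs, want = clause.split("=")
        off_s, _, mask_s = lhs.partition("&")
        off = int(off_s, 16)
        mask = int(mask_s, 16) if mask_s else 0xFFFFFFFF
        if off + 4 > len(packet):
            return False
        if int.from_bytes(packet[off:off + 4], "big") & mask != int(want, 16):
            return False
    return True


def string_matches(domain: str, packet: bytes) -> bool:
    """Simplified model of xt_string with the --from/--to window used above:
    the exact (case-sensitive) wire name must occur inside that window."""
    wire = wire_name(domain)
    return wire in packet[QNAME_OFFSET:QNAME_OFFSET + len(wire)]


if __name__ == "__main__":
    for d in ("37349.info", "aa.10781.info"):
        print(u32_rule(d))
        print(string_rule(d))
```

Both rule forms, like the ones on this page, assume an IPv4 header without options in front of UDP port 53; they do not cover IPv6 or TCP queries, and a query with a shorter name simply fails the later clauses because the offset runs past the packet. Running the generator against a hand-written rule is also a cheap way to catch a mistyped word offset before the rule is loaded.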

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
30259.info. 7200 IN NS ns1.05930.info.
30259.info. 7200 IN NS ns2.05930.info.

;; ADDITIONAL SECTION:
ns1.05930.info. 86399 IN A 162.211.182.101
ns1.05930.info. 86399 IN A 162.211.182.102
ns1.05930.info. 86399 IN A 162.211.182.103
ns1.05930.info. 86399 IN A 162.212.182.66
ns1.05930.info. 86399 IN A 162.212.182.67
ns1.05930.info. 86399 IN A 162.212.182.81
ns1.05930.info. 86399 IN A 162.212.182.163
ns1.05930.info. 86399 IN A 162.212.182.165
ns1.05930.info. 86399 IN A 64.62.186.77
ns1.05930.info. 86399 IN A 64.62.186.91
ns1.05930.info. 86399 IN A 64.62.186.110
ns1.05930.info. 86399 IN A 64.62.186.125
ns1.05930.info. 86399 IN A 162.211.182.100
ns2.05930.info. 86399 IN A 162.211.182.102
ns2.05930.info. 86399 IN A 162.211.182.103
ns2.05930.info. 86399 IN A 162.212.182.66
ns2.05930.info. 86399 IN A 162.212.182.67
ns2.05930.info. 86399 IN A 162.212.182.81
ns2.05930.info. 86399 IN A 162.212.182.163
ns2.05930.info. 86399 IN A 162.212.182.165
ns2.05930.info. 86399 IN A 64.62.186.77
ns2.05930.info. 86399 IN A 64.62.186.91
ns2.05930.info. 86399 IN A 64.62.186.110
ns2.05930.info. 86399 IN A 64.62.186.125
ns2.05930.info. 86399 IN A 162.211.182.100
ns2.05930.info. 86399 IN A 162.211.182.101


Response:


A 257
NS 2
SOA 1
Rsize 4211


Whois



Domain ID:D50794515-LRMS
Domain Name:30259.INFO
Created On:08-Oct-2013 08:05:46 UTC
Last Updated On:09-Oct-2013 08:35:59 UTC
Expiration Date:08-Oct-2014 08:05:46 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:CR152354789
Registrant Name:edson edson
Registrant Organization:
Registrant Street1:beijing
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:beijing
Registrant Postal Code:511111
Registrant Country:CN
Registrant Phone:+1.5555555555
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:afanti6@gmail.com
Admin ID:CR152354791
Admin Name:edson edson
Admin Organization:
Admin Street1:beijing
Admin Street2:
Admin Street3:
Admin City:beijing
Admin State/Province:beijing
Admin Postal Code:511111
Admin Country:CN
Admin Phone:+1.5555555555
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:afanti6@gmail.com
Billing ID:CR152354792
Billing Name:edson edson
Billing Organization:
Billing Street1:beijing
Billing Street2:
Billing Street3:
Billing City:beijing
Billing State/Province:beijing
Billing Postal Code:511111
Billing Country:CN
Billing Phone:+1.5555555555
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:afanti6@gmail.com
Tech ID:CR152354790
Tech Name:edson edson
Tech Organization:
Tech Street1:beijing
Tech Street2:
Tech Street3:
Tech City:beijing
Tech State/Province:beijing
Tech Postal Code:511111
Tech Country:CN
Tech Phone:+1.5555555555
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:afanti6@gmail.com
Name Server:NS1.05930.INFO
Name Server:NS2.05930.INFO
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:





Sunday, October 6, 2013

Domain: 379zc.com

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28=0x05333739 && 0x2c&0xDFDFFFDF=0x5a430343 && 0x30&0xDFDFFF00=0x4f4d0000" -j DROP -m comment --comment "DROP DNS Q 379zc.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:

iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 51 --algo bm --hex-string '|053337397a6303636f6d00|' -j DROP -m comment --comment "DROP DNS Q 379zc.com"

More iptables rules for the STRING module can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
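The 'string' and 'u32' rules in this post and in the 30259.info post above are both built from the DNS wire encoding of the query name, so a new abused domain can be turned into a drop rule mechanically. The following is an added example, not the blog's own tooling or anything from the linked GitHub repository: it encodes a name as length-prefixed labels, emits the 'string' rule (exact bytes at offset 40, `--to` = 40 + name length) and the 'u32' expression (the name as 32-bit words at 0x28, 0x2c, 0x30, with letters masked by 0xDF so either case matches, and bytes past the end of the name masked by 0x00). It assumes an IPv4 packet without IP options, which is what puts the question name at byte 40 (20 IP + 8 UDP + 12 DNS header); the function names are this example's own.

```python
# Added example (not the blog's own tooling): derive the iptables 'string' and
# 'u32' match expressions for a DNS query name, in the form used by these posts.
# Offsets assume IPv4 without IP options: 20 (IP) + 8 (UDP) + 12 (DNS header)
# = 40 (0x28) bytes before the first label of the question name.

QNAME_OFFSET = 40  # start of the question name in an IPv4/UDP DNS packet


def wire_qname(domain: str) -> bytes:
    """Encode a domain as a DNS wire-format name: length-prefixed labels plus a zero terminator."""
    out = bytearray()
    for label in domain.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def string_rule(domain: str) -> str:
    """iptables 'string' match: the exact encoded name starting at byte 40."""
    q = wire_qname(domain)
    return (
        "iptables --insert INPUT -p udp --dport 53 -m string "
        f"--from {QNAME_OFFSET} --to {QNAME_OFFSET + len(q)} --algo bm "
        f"--hex-string '|{q.hex()}|' -j DROP "
        f'-m comment --comment "DROP DNS Q {domain}"'
    )


def u32_expression(domain: str) -> str:
    """iptables 'u32' test: the name as 32-bit words at 0x28, 0x2c, 0x30, ...
    Letters get mask 0xDF (bit 0x20 cleared, so 'i' and 'I' both match),
    lengths, digits and the terminator get 0xFF, padding past the name gets 0x00.
    A word whose mask is all ones is written without the '&mask' part."""
    q = wire_qname(domain)
    tests = []
    for word_start in range(0, len(q), 4):
        chunk = q[word_start:word_start + 4]
        value = mask = 0
        for pos in range(4):
            if pos < len(chunk):
                b = chunk[pos]
                if 0x41 <= (b & 0xDF) <= 0x5A:  # ASCII letter in either case
                    v, m = b & 0xDF, 0xDF
                else:
                    v, m = b, 0xFF
            else:
                v, m = 0, 0x00  # byte beyond the end of the name: don't care
            value = (value << 8) | v
            mask = (mask << 8) | m
        off = QNAME_OFFSET + word_start
        if mask == 0xFFFFFFFF:
            tests.append(f"0x{off:x}=0x{value:08x}")
        else:
            tests.append(f"0x{off:x}&0x{mask:08X}=0x{value:08x}")
    return " && ".join(tests)


def u32_rule(domain: str) -> str:
    """Full iptables command around the u32 expression."""
    return (
        "iptables --insert INPUT -p udp --dport 53 -m u32 "
        f'--u32 "{u32_expression(domain)}" -j DROP '
        f'-m comment --comment "DROP DNS Q {domain}"'
    )


if __name__ == "__main__":
    for name in ("30259.info", "379zc.com"):  # the two domains from these posts
        print(u32_rule(name))
        print(string_rule(name))
```

Running it reproduces the rules printed in both posts byte for byte. Two practical points follow from how the rules are built: the 'string' variant matches exact bytes, so it is case-sensitive unless you add `--icase`, while the 'u32' variant already ignores case through the 0xDF masks; and both variants read the name at a fixed offset, so they do not apply to DNS over TCP or to packets carrying IP options.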


Source:



No IP source for this domain


Name server:


;; ANSWER SECTION:
379zc.com. 3771 IN NS ns2.mmtac1.com.
379zc.com. 3771 IN NS ns3.mmtac1.com.
379zc.com. 3771 IN NS ns1.mmtac1.com.
379zc.com. 3771 IN NS ns4.mmtac1.com.

;; ADDITIONAL SECTION:
ns1.mmtac1.com. 161983 IN A 64.62.186.91
ns1.mmtac1.com. 161983 IN A 162.211.182.100
ns1.mmtac1.com. 161983 IN A 162.211.182.106
ns1.mmtac1.com. 161983 IN A 162.212.182.66
ns1.mmtac1.com. 161983 IN A 162.212.182.67
ns1.mmtac1.com. 161983 IN A 162.212.182.81
ns1.mmtac1.com. 161983 IN A 162.212.182.163
ns1.mmtac1.com. 161983 IN A 162.212.182.165
ns1.mmtac1.com. 161983 IN A 64.62.186.74
ns1.mmtac1.com. 161983 IN A 64.62.186.77
ns2.mmtac1.com. 161983 IN A 162.211.182.100
ns2.mmtac1.com. 161983 IN A 162.211.182.106
ns2.mmtac1.com. 161983 IN A 162.212.182.66
ns2.mmtac1.com. 161983 IN A 162.212.182.67
ns2.mmtac1.com. 161983 IN A 162.212.182.81
ns2.mmtac1.com. 161983 IN A 162.212.182.163
ns2.mmtac1.com. 161983 IN A 162.212.182.165
ns2.mmtac1.com. 161983 IN A 64.62.186.74
ns2.mmtac1.com. 161983 IN A 64.62.186.77
ns2.mmtac1.com. 161983 IN A 64.62.186.91



Response:



A 257
NS 4
SOA 1
Rsize 4247



Whois




Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: 379ZC.COM
Registrar: WEB COMMERCE COMMUNICATIONS LIMITED DBA WEBNIC.CC
Whois Server: whois.webnic.cc
Referral URL: http://www.webnic.cc
Name Server: NS1.MMTAC1.COM
Name Server: NS2.MMTAC1.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 27-sep-2013
Creation Date: 27-sep-2013
Expiration Date: 27-sep-2014

>>> Last update of whois database: Sun, 06 Oct 2013 19:42:10 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

The Data in Web Commerce Communications Limited ("WEBCC")'s WHOIS database
is provided by WEBCC for information purposes, and to assist in obtaining
information about or related to a domain name registration record. WEBCC
does not guarantee its accuracy. By submitting a WHOIS query, you agree
that you will use this Data only for lawful purposes and that, under no
circumstances will you use this Data to:

(1) allow, enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via e-mail (spam).
(2) enable high volume, automated, electronic processes that apply to WEBCC
(or its systems).

The compilation, repackaging, dissemination or other use of this Data is
expressly prohibited without the prior written consent of WEBCC. WEBCC
reserves the right to terminate your access to the WEBCC WHOIS database in
its sole discretion, including without limitation, for excessive querying
of the WHOIS database or for failure to otherwise abide by this policy.
WEBCC reserves the right to modify these terms at any time.


Domain: 379zc.com
Status: Protected

DNS:
ns1.mmtac1.com
ns2.mmtac1.com

Created: 2013-09-27 15:08:09
Expires: 2014-09-27 07:08:09
Last Modified: 2013-09-27 15:08:08

Registrant Contact:
Hong Yuan
yuan hong (asdfasdf@google.com)
No.331, asdaf Road
changsha, Hunan, cn 418001
P: +745.2714389 F: +0.0

Administrative Contact:
Hong Yuan
yuan hong (asdfasdf@google.com)
No.331, asdaf Road
changsha, Hunan, cn 418001
P: +745.2714389 F: +0.0

Technical Contact:
Hong Yuan
yuan hong (asdfasdf@google.com)
No.331, asdaf Road
changsha, Hunan, cn 418001
P: +745.2714389 F: +0.0

Billing Contact:
Hong Yuan
yuan hong (asdfasdf@google.com)
No.331, asdaf Road
changsha, Hunan, cn 418001
P: +745.2714389 F: +0.0