Monday, December 22, 2014

Domain: defcon.org

Domain: defcon.org

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x06444546 && 0x2c&0xDFDFDFFF=0x434f4e03 && 0x30&0xDFDFDFFF=0x4f524700 && 0x34&0xFFFF0000=0x00FF0000" -j DROP -m comment --comment "DROP DNS Q defcon.org"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|06646566636f6e036f72670000ff|' -j DROP -m comment --comment "DROP DNS Q defcon.org"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
defcon.org. 17330 IN NS dns-2.datamerica.com.
defcon.org. 17330 IN NS dns-1.datamerica.com.


Response:


A 14
DNSKEY 5
MX 3
NS 9
NSEC 2
RRSIG 10
SOA 3
SPF 3
TXT 3
Rsize 4084


Whois


Domain Name:DEFCON.ORG
Domain ID: D1826-LROR
Creation Date: 1993-06-21T04:00:00Z
Updated Date: 2014-04-21T08:27:45Z
Registry Expiry Date: 2017-06-20T04:00:00Z
Sponsoring Registrar:Network Solutions, LLC (R63-LROR)
Sponsoring Registrar IANA ID: 2
WHOIS Server:
Referral URL:
Domain Status: clientTransferProhibited
Registrant ID:51671423-NSIV
Registrant Name:Perfect Privacy, LLC
Registrant Organization:DEF CON Communications, Inc.
Registrant Street: 12808 Gran Bay Parkway West
Registrant Street: care of Network Solutions
Registrant Street: PO Box 459
Registrant City:Jacksonville
Registrant State/Province:FL
Registrant Postal Code:32258
Registrant Country:US
Registrant Phone:+1.5707088780
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:ua7cc74z6fh@networksolutionsprivateregistration.com
Admin ID:43296585-NSIV
Admin Name:Perfect Privacy, LLC
Admin Organization:
Admin Street: 12808 Gran Bay Parkway West
Admin Street: care of Network Solutions
Admin City:Jacksonville
Admin State/Province:FL
Admin Postal Code:32258
Admin Country:US
Admin Phone:+1.5707088780
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email:rv4hu2bx2d2@networksolutionsprivateregistration.com
Tech ID:43296585-NSIV
Tech Name:Perfect Privacy, LLC
Tech Organization:
Tech Street: 12808 Gran Bay Parkway West
Tech Street: care of Network Solutions
Tech City:Jacksonville
Tech State/Province:FL
Tech Postal Code:32258
Tech Country:US
Tech Phone:+1.5707088780
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email:rv4hu2bx2d2@networksolutionsprivateregistration.com
Name Server:DNS-2.DATAMERICA.COM
Name Server:DNS-1.DATAMERICA.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:signedDelegation
DS Created 1:2011-07-08T13:14:45Z
DS Key Tag 1:59611
Algorithm 1:5
Digest Type 1:1
Digest 1:07BCC192690AEE10148C5E6AB38995FE0A2A4B3D
DS Maximum Signature Life 1:1814400 seconds
DS Created 2:2011-07-08T13:15:14Z
DS Key Tag 2:59611
Algorithm 2:5
Digest Type 2:2
Digest 2:15B567E4743D993B923507926CDA709611F335A1D0A7D38456EE12E5D16375B7
DS Maximum Signature Life 2:1814400 seconds

Access to Public Interest Registry WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to(a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.





Wednesday, December 17, 2014

Domain: globe.gov

Domain: globe.gov

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x05474c4f && 0x2c&0xDFDFFFDF=0x42450347 && 0x30&0xDFDFFFFF=0x4f560000 && 0x34&0xFF000000=0xFF000000" -j DROP -m comment --comment "DROP DNS Q globe.gov"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 53 --algo bm --hex-string '|05676c6f626503676f760000ff|' -j DROP -m comment --comment "DROP DNS Q globe.gov"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
globe.gov. 21599 IN NS ns1.p03.dynect.net.
globe.gov. 21599 IN NS ns2.p03.dynect.net.
globe.gov. 21599 IN NS ns3.p03.dynect.net.
globe.gov. 21599 IN NS ns4.p03.dynect.net.


Response:


A 29
DNSKEY 9
MX 10
NS 17
NSEC 3
RRSIG 17
SOA 4
TXT 5
Rsize 6584


Whois


% DOTGOV WHOIS Server ready
Domain Name: GLOBE.GOV
Status: ACTIVE


>>> Last update of whois database: 2014-12-17T21:39:17Z <<<
Please be advised that this whois server only contains information pertaining
to the .GOV domain. For information for other domains please use the whois
server at RS.INTERNIC.NET.



Domain: inboot.co

Domain: inboot.co

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x06494e42 && 0x2c&0xDFDFDFFF=0x4f4f5402 && 0x30&0xDFDFFFFF=0x434f0000 && 0x34&0xFF000000=0xFF000000" -j DROP -m comment --comment "DROP DNS Q inboot.co"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 53 --algo bm --hex-string '|06696e626f6f7402636f0000ff|' -j DROP -m comment --comment "DROP DNS Q inboot.co"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
inboot.co. 21599 IN NS tim.ns.cloudflare.com.
inboot.co. 21599 IN NS sue.ns.cloudflare.com.


Response:


A 4
NS 4
SOA 1
TXT 2
Rsize 4240


Whois


Domain Name: INBOOT.CO
Domain ID: D61871173-CO
Sponsoring Registrar: ENOM, INC.
Sponsoring Registrar IANA ID: 48
Registrar URL (registration services): www.enom.com
Domain Status: clientTransferProhibited
Variant: INBOOT.CO
Registrant ID: 8EDE10B0075F53D1
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Address1: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code: 00000
Registrant Country: Panama
Registrant Country Code: PA
Registrant Phone Number: +507.8365503
Registrant Facsimile Number: +51.17057182
Registrant Email: legal@whoisguard.com
Administrative Contact ID: 8EDE10B0075F53D1
Administrative Contact Name: WhoisGuard Protected
Administrative Contact Organization: WhoisGuard, Inc.
Administrative Contact Address1: P.O. Box 0823-03411
Administrative Contact City: Panama
Administrative Contact State/Province: Panama
Administrative Contact Postal Code: 00000
Administrative Contact Country: Panama
Administrative Contact Country Code: PA
Administrative Contact Phone Number: +507.8365503
Administrative Contact Facsimile Number: +51.17057182
Administrative Contact Email: legal@whoisguard.com
Billing Contact ID: 8EDE10B0075F53D1
Billing Contact Name: WhoisGuard Protected
Billing Contact Organization: WhoisGuard, Inc.
Billing Contact Address1: P.O. Box 0823-03411
Billing Contact City: Panama
Billing Contact State/Province: Panama
Billing Contact Postal Code: 00000
Billing Contact Country: Panama
Billing Contact Country Code: PA
Billing Contact Phone Number: +507.8365503
Billing Contact Facsimile Number: +51.17057182
Billing Contact Email: legal@whoisguard.com
Technical Contact ID: 8EDE10B0075F53D1
Technical Contact Name: WhoisGuard Protected
Technical Contact Organization: WhoisGuard, Inc.
Technical Contact Address1: P.O. Box 0823-03411
Technical Contact City: Panama
Technical Contact State/Province: Panama
Technical Contact Postal Code: 00000
Technical Contact Country: Panama
Technical Contact Country Code: PA
Technical Contact Phone Number: +507.8365503
Technical Contact Facsimile Number: +51.17057182
Technical Contact Email: legal@whoisguard.com
Name Server: TIM.NS.CLOUDFLARE.COM
Name Server: SUE.NS.CLOUDFLARE.COM
Created by Registrar: ENOM, INC.
Last Updated by Registrar: ENOM, INC.
Domain Registration Date: Sat Oct 11 18:43:36 GMT 2014
Domain Expiration Date: Sat Oct 10 23:59:59 GMT 2015
Domain Last Updated Date: Sat Oct 11 18:50:09 GMT 2014
DNSSEC: false

>>>> Whois database was last updated on: Wed Dec 17 20:22:54 GMT 2014 <<<<
.CO Internet, S.A.S., the Administrator for .CO, has collected this
information for the WHOIS database through Accredited Registrars.
This information is provided to you for informational purposes only
and is designed to assist persons in determining contents of a domain
name registration record in the .CO Internet registry database. .CO
Internet makes this information available to you "as is" and does not
guarantee its accuracy.

By submitting a WHOIS query, you agree that you will use this data
only for lawful purposes and that, under no circumstances will you
use this data: (1) to allow, enable, or otherwise support the transmission
of mass unsolicited, commercial advertising or solicitations via direct
mail, electronic mail, or by telephone; (2) in contravention of any
applicable data and privacy protection laws; or (3) to enable high volume,
automated, electronic processes that apply to the registry (or its systems).
Compilation, repackaging, dissemination, or other use of the WHOIS
database in its entirety, or of a substantial portion thereof, is not allowed
without .CO Internet's prior written permission. .CO Internet reserves the
right to modify or change these conditions at any time without prior or
subsequent notification of any kind. By executing this query, in any manner
whatsoever, you agree to abide by these terms. In some limited cases,
domains that might appear as available in whois might not actually be
available as they could be already registered and the whois not yet updated
and/or they could be part of the Restricted list. In this cases, performing a
check through your Registrar's (EPP check) will give you the actual status
of the domain. Additionally, domains currently or previously used as
extensions in 3rd level domains will not be available for registration in the
2nd level. For example, org.co,mil.co,edu.co,com.co,net.co,nom.co,arts.co,
firm.co,info.co,int.co,web.co,rec.co,co.co.

NOTE: FAILURE TO LOCATE A RECORD IN THE WHOIS DATABASE IS NOT
INDICATIVE OF THE AVAILABILITY OF A DOMAIN NAME.

All domain names are subject to certain additional domain name registration
rules. For details, please visit our site at www.cointernet.co .



Domain: vlch.net

Domain: vlch.net

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x04564c43 && 0x2c&0xDFFFDFDF=0x48034e45 && 0x30&0xDFFFFFFF=0x540000FF" -j DROP -m comment --comment "DROP DNS Q vlch.net"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 52 --algo bm --hex-string '|04766c6368036e65740000ff|' -j DROP -m comment --comment "DROP DNS Q vlch.net"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
vlch.net. 3599 IN NS ns.ru-tld.ru.
vlch.net. 3599 IN NS ns.ru-tld.com.
vlch.net. 3599 IN NS ns.ru-tld.net.
vlch.net. 3599 IN NS ns.ru-tld.org.


Response:


NS 4
SOA 1
TXT 1
Rsize 4400


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: VLCH.NET
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS.RU-TLD.COM
Name Server: NS.RU-TLD.NET
Name Server: NS.RU-TLD.ORG
Name Server: NS.RU-TLD.RU
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 06-dec-2014
Creation Date: 05-dec-2014
Expiration Date: 05-dec-2015

>>> Last update of whois database: Wed, 17 Dec 2014 20:21:53 GMT <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain name: vlch.net
Registry Domain ID: 1888849831_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.bizcn.com
Registrar URL: http://www.bizcn.com
Updated Date: 2014-12-05T18:40:38Z
Creation Date: 2014-12-05T18:40:34Z
Registrar Registration Expiration Date: 2015-12-05T18:40:34Z
Registrar: Bizcn.com,Inc.
Registrar IANA ID: 471
Registrar Abuse Contact Email: abuse@bizcn.com
Registrar Abuse Contact Phone: +86.5922577888
Reseller: Cnobin Technology HK Limited
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: Zhong Si
Registrant Organization: Xicheng Co.
Registrant Street: Huixindongjie 15 2
Registrant City: Beijing
Registrant State/Province: Chaoyang
Registrant Postal Code: 101402
Registrant Country: cn
Registrant Phone: +01.01066569215
Registrant Phone Ext:
Registrant Fax: +01.01066549216
Registrant Fax Ext:
Registrant Email: williamdanielsen@yahoo.com
Registry Admin ID:
Admin Name: Zhong Si
Admin Organization: Xicheng Co.
Admin Street: Huixindongjie 15 2
Admin City: Beijing
Admin State/Province: Chaoyang
Admin Postal Code: 101402
Admin Country: cn
Admin Phone: +01.01066569215
Admin Phone Ext:
Admin Fax: +01.01066549216
Admin Fax Ext:
Admin Email: williamdanielsen@yahoo.com
Registry Tech ID:
Tech Name: Zhong Si
Tech Organization: Xicheng Co.
Tech Street: Huixindongjie 15 2
Tech City: Beijing
Tech State/Province: Chaoyang
Tech Postal Code: 101402
Tech Country: cn
Tech Phone: +01.01066569215
Tech Phone Ext:
Tech Fax: +01.01066549216
Tech Fax Ext:
Tech Email: williamdanielsen@yahoo.com
Name Server: ns.ru-tld.com
Name Server: ns.ru-tld.org
Name Server: ns.ru-tld.net
Name Server: ns.ru-tld.ru
DNSSEC: unsignedDelegation
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2014-12-17T20:22:12Z




Domain: maximumstresser.net

Domain: maximumstresser.net

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0f4d4158 && 0x2c&0xDFDFDFDF=0x494d554d && 0x30&0xDFDFDFDF=0x53545245 && 0x34&0xDFDFDFDF=0x53534552 && 0x38&0xFFDFDFDF=0x034e4554 && 0x3c&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q maximumstresser.net"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 61 --algo bm --hex-string '|0F6d6178696d756d7374726573736572036e657400|' -j DROP -m comment --comment "DROP DNS Q maximumstresser.net"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
maximumstresser.net. 20557 IN NS ns2.maximumstresser.net.
maximumstresser.net. 20557 IN NS ns1.maximumstresser.net.


Response:


A 241
NS 2
SOA 1
Rsize 3992


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: MAXIMUMSTRESSER.NET
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS1.MAXIMUMSTRESSER.NET
Name Server: NS2.MAXIMUMSTRESSER.NET
Status: clientTransferProhibited
Updated Date: 15-dec-2014
Creation Date: 20-oct-2014
Expiration Date: 20-oct-2015

>>> Last update of whois database: Wed, 17 Dec 2014 20:19:06 GMT <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.


Domain Name: MAXIMUMSTRESSER.NET
Registry Domain ID: 1881263729_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2014-10-20T07:13:35.00Z
Creation Date: 2014-10-20T14:13:00.00Z
Registrar Registration Expiration Date: 2015-10-20T14:13:00.00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: abuse@enom.com
Registrar Abuse Contact Phone: +1.4252982646
Reseller: NAMECHEAP.COM
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: WHOISGUARD PROTECTED
Registrant Organization: WHOISGUARD, INC.
Registrant Street: P.O. BOX 0823-03411
Registrant City: PANAMA
Registrant State/Province: PANAMA
Registrant Postal Code: 00000
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: F0792631A61B409D871FFC1496678396.PROTECT@WHOISGUARD.COM
Registry Admin ID:
Admin Name: WHOISGUARD PROTECTED
Admin Organization: WHOISGUARD, INC.
Admin Street: P.O. BOX 0823-03411
Admin City: PANAMA
Admin State/Province: PANAMA
Admin Postal Code: 00000
Admin Country: PA
Admin Phone: +507.8365503
Admin Phone Ext:
Admin Fax: +51.17057182
Admin Fax Ext:
Admin Email: F0792631A61B409D871FFC1496678396.PROTECT@WHOISGUARD.COM
Registry Tech ID:
Tech Name: WHOISGUARD PROTECTED
Tech Organization: WHOISGUARD, INC.
Tech Street: P.O. BOX 0823-03411
Tech City: PANAMA
Tech State/Province: PANAMA
Tech Postal Code: 00000
Tech Country: PA
Tech Phone: +507.8365503
Tech Phone Ext:
Tech Fax: +51.17057182
Tech Fax Ext:
Tech Email: F0792631A61B409D871FFC1496678396.PROTECT@WHOISGUARD.COM
Name Server: NS1.MAXIMUMSTRESSER.NET
Name Server: NS2.MAXIMUMSTRESSER.NET
DNSSEC: unSigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-10-20T07:13:35.00Z


We reserve the right to modify these terms at any time. By submitting
this query, you agree to abide by these terms.
Version 6.3 4/3/2002



Saturday, December 13, 2014

Domain: pizdaizda.com.ru

Domain: pizdaizda.com.ru

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0950495a && 0x2c&0xDFDFDFDF=0x4441495a && 0x30&0xDFDFFFDF=0x44410343 && 0x34&0xDFDFFFDF=0x4f4d0252 && 0x38&0xDFFF0000=0x55000000" -j DROP -m comment --comment "DROP DNS Q pizdaizda.com.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 58 --algo bm --hex-string '|0970697a6461697a646103636f6d02727500|' -j DROP -m comment --comment "DROP DNS Q pizdaizda.com.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
pizdaizda.com.ru. 298 IN NS ns2.spaceweb.ru.
pizdaizda.com.ru. 298 IN NS ns1.spaceweb.ru.


Response:


A 2
MX 2
NS 2
SOA 1
TXT 20
Rsize 4080


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

No entries found for the selected source(s).

Last updated on 2014.12.13 22:56:31 MSK




Tuesday, December 9, 2014

Domain: basjuk.com.ru

Domain: basjuk.com.ru

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x06424153 && 0x2c&0xDFDFDFFF=0x4a554b03 && 0x30&0xDFDFDFFF=0x434f4d02 && 0x34&0xDFDFFF00=0x52550000" -j DROP -m comment --comment "DROP DNS Q basjuk.com.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 55 --algo bm --hex-string '|066261736a756b03636f6d02727500|' -j DROP -m comment --comment "DROP DNS Q basjuk.com.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
basjuk.com.ru. 599 IN NS ns1.spaceweb.ru.
basjuk.com.ru. 599 IN NS ns2.spaceweb.ru.


Response:


A 2
MX 2
NS 2
SOA 1
TXT 20
Rsize 4077


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

No entries found for the selected source(s).

Last updated on 2014.12.09 22:21:33 MSK




Monday, December 8, 2014

Domain: free-google-2.cloudns.org

Domain: free-google-2.cloudns.org

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0d465245 && 0x2c&0xDFFFDFDF=0x452d474f && 0x30&0xDFDFDFDF=0x4f474c45 && 0x34&0xFFFFFFDF=0x2d320743 && 0x38&0xDFDFDFDF=0x4c4f5544 && 0x3c&0xDFDFFFDF=0x4e53034f && 0x40&0xDFDFFF00=0x52470000" -j DROP -m comment --comment "DROP DNS Q free-google-2.cloudns.org"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 67 --algo bm --hex-string '|0D667265652d676f6f676c652d3207636c6f75646e73036f726700|' -j DROP -m comment --comment "DROP DNS Q free-google-2.cloudns.org"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
cloudns.org. 3599 IN NS ns1.cloudns.net.
cloudns.org. 3599 IN NS ns2.cloudns.net.
cloudns.org. 3599 IN NS ns3.cloudns.net.
cloudns.org. 3599 IN NS ns4.cloudns.net.


Response:


A 128
MX 2
NS 4
SOA 1
Rsize 2250


Whois


Domain Name:CLOUDNS.ORG
Domain ID: D158423907-LROR
Creation Date: 2010-02-22T14:13:42Z
Updated Date: 2014-02-06T09:03:03Z
Registry Expiry Date: 2015-02-22T14:13:42Z
Sponsoring Registrar:PDR Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Sponsoring Registrar IANA ID: 303
WHOIS Server:
Referral URL:
Domain Status: clientTransferProhibited
Registrant ID:DI_13293734
Registrant Name:Domain Administrator
Registrant Organization:Cloud DNS Ltd
Registrant Street: Iskar Str 4
Registrant Street: Lozenets
Registrant City:Sofia
Registrant State/Province:Sofia
Registrant Postal Code:1000
Registrant Country:BG
Registrant Phone:+359.888911444
Registrant Phone Ext:
Registrant Fax: +359.8889114441
Registrant Fax Ext:
Registrant Email:support@cloudns.net
Admin ID:DI_13293734
Admin Name:Domain Administrator
Admin Organization:Cloud DNS Ltd
Admin Street: Iskar Str 4
Admin Street: Lozenets
Admin City:Sofia
Admin State/Province:Sofia
Admin Postal Code:1000
Admin Country:BG
Admin Phone:+359.888911444
Admin Phone Ext:
Admin Fax: +359.8889114441
Admin Fax Ext:
Admin Email:support@cloudns.net
Tech ID:DI_13293734
Tech Name:Domain Administrator
Tech Organization:Cloud DNS Ltd
Tech Street: Iskar Str 4
Tech Street: Lozenets
Tech City:Sofia
Tech State/Province:Sofia
Tech Postal Code:1000
Tech Country:BG
Tech Phone:+359.888911444
Tech Phone Ext:
Tech Fax: +359.8889114441
Tech Fax Ext:
Tech Email:support@cloudns.net
Name Server:NS1.CLOUDNS.NET
Name Server:NS2.CLOUDNS.NET
Name Server:NS3.CLOUDNS.NET
Name Server:NS4.CLOUDNS.NET
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned

Access to Public Interest Registry WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to(a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.





Sunday, December 7, 2014

Domain: ojjr.ru

Domain: ojjr.ru

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:


More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 51 --algo bm --hex-string '|046f6a6a720272750000ff|' -j DROP -m comment --comment "DROP DNS Q ojjr.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
ojjr.ru. 3599 IN NS ns1.reg.ru.
ojjr.ru. 3599 IN NS ns2.reg.ru.


Response:


A 246
NS 2
SOA 1
Rsize 4032


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: OJJR.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGRU-RU
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2014.12.03
paid-till: 2015.12.03
free-date: 2016.01.03
source: TCI

Last updated on 2014.12.07 14:11:34 MSK




Tuesday, November 25, 2014

Domain: non.digmehl.cu.cc

Domain: non.digmehl.cu.cc

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x034e4f4e && 0x2c&0xFFDFDFDF=0x07444947 && 0x30&0xDFDFDFDF=0x4d45484c && 0x34&0xFFDFDFFF=0x02435502 && 0x38&0xDFDFFF00=0x43430000" -j DROP -m comment --comment "DROP DNS Q non.digmehl.cu.cc"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 59 --algo bm --hex-string '|036e6f6e076469676d65686c02637502636300|' -j DROP -m comment --comment "DROP DNS Q non.digmehl.cu.cc"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
digmehl.cu.cc. 21599 IN NS ken.ns.cloudflare.com.
digmehl.cu.cc. 21599 IN NS chan.ns.cloudflare.com.


Response:


TXT 1
Rsize 4095


Whois



Whois Server Version 2.0

Domain names can now be registered with many different competing registrars.
Go to http://registrar.verisign-grs.com/whois/ for detailed information.

No match for "DIGMEHL.CU.CC".

>>> Last update of whois database: 2014-11-25T22:25:55Z <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the
expiration date of the domain name registrant's agreement with the
sponsoring registrar. Users may consult the sponsoring registrar's
Whois database to view the registrar's reported date of expiration
for this registration.


The Registry database contains ONLY .cc, .tv, and .jobs domains
and Registrars.



Domain: freeinfosys.com

Domain: freeinfosys.com

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0b465245 && 0x2c&0xDFDFDFDF=0x45494e46 && 0x30&0xDFDFDFDF=0x4f535953 && 0x34&0xFFDFDFDF=0x03434f4d && 0x38&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q freeinfosys.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 57 --algo bm --hex-string '|0B66726565696e666f73797303636f6d00|' -j DROP -m comment --comment "DROP DNS Q freeinfosys.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
freeinfosys.com. 3599 IN NS ns77.domaincontrol.com.
freeinfosys.com. 3599 IN NS ns78.domaincontrol.com.


Response:


A 5
MX 2
NS 2
SOA 1
TXT 7
Rsize 3125


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: FREEINFOSYS.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS77.DOMAINCONTROL.COM
Name Server: NS78.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 25-nov-2014
Creation Date: 25-nov-2014
Expiration Date: 25-nov-2015

>>> Last update of whois database: Tue, 25 Nov 2014 22:14:51 GMT <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: FREEINFOSYS.COM
Registry Domain ID: 1887105896_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-11-25 10:07:51
Creation Date: 2014-11-25 10:03:07
Registrar Registration Expiration Date: 2015-11-25 10:03:07
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Ludwig Rhys
Registrant Organization:
Registrant Street: 3796 N Yosemite St
Registrant City: Parkville
Registrant State/Province: MD
Registrant Postal Code: 21267
Registrant Country: China
Registrant Phone: +86.4108394461
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dt22888@126.com
Registry Admin ID:
Admin Name: Ludwig Rhys
Admin Organization:
Admin Street: 3796 N Yosemite St
Admin City: Parkville
Admin State/Province: MD
Admin Postal Code: 21267
Admin Country: China
Admin Phone: +86.4108394461
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: dt22888@126.com
Registry Tech ID:
Tech Name: Ludwig Rhys
Tech Organization:
Tech Street: 3796 N Yosemite St
Tech City: Parkville
Tech State/Province: MD
Tech Postal Code: 21267
Tech Country: China
Tech Phone: +86.4108394461
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: dt22888@126.com
Name Server: NS77.DOMAINCONTROL.COM
Name Server: NS78.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-11-25T22:00:00Z

The data contained in GoDaddy.com, LLC's WhoIs database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose is expressly forbidden without the prior written
permission of GoDaddy.com, LLC. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty. In particular,
you agree not to use this data to allow, enable, or otherwise make possible,
dissemination or collection of this data, in part or in its entirety, for any
purpose, such as the transmission of unsolicited advertising and
and solicitations of any kind, including spam. You further agree
not to use this data to enable high volume, automated or robotic electronic
processes designed to collect or compile this data for any purpose,
including mining this data for your own personal or commercial purposes.

Please note: the registrant of the domain name is specified
in the "registrant" section. In most cases, GoDaddy.com, LLC
is not the registrant of domain names listed in this database.



Wednesday, November 12, 2014

Domain: svist21.cz

Domain: svist21.cz

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x07535649 && 0x2c&0xDFDFFFFF=0x53543231 && 0x30&0xFFDFDFFF=0x02435a00 && 0x34&0xFFFF0000=0x00FF0000" -j DROP -m comment --comment "DROP DNS Q svist21.cz"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|077376697374323102637a0000ff|' -j DROP -m comment --comment "DROP DNS Q svist21.cz"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
svist21.cz. 1770 IN NS ns5.gransy.com.
svist21.cz. 1770 IN NS ns.gransy.com.
svist21.cz. 1770 IN NS ns2.gransy.com.
svist21.cz. 1770 IN NS ns4.gransy.com.
svist21.cz. 1770 IN NS ns3.gransy.com.


Response:


A 15
DNSKEY 5
MX 8
NS 13
NSEC 2
RRSIG 10
SOA 3
SPF 3
TXT 4
Rsize 6800





Tuesday, November 11, 2014

Domain: 067.cz

Domain: 067.cz

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28=0x03303637 && 0x2c&0xFFDFDFFF=0x02435a00 && 0x30&0xFFFF0000=0x00FF0000" -j DROP -m comment --comment "DROP DNS Q 067.cz"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 50 --algo bm --hex-string '|0330363702637a0000ff|' -j DROP -m comment --comment "DROP DNS Q 067.cz"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
067.cz. 958 IN NS ns4.gransy.com.
067.cz. 958 IN NS ns5.gransy.com.
067.cz. 958 IN NS ns3.gransy.com.
067.cz. 958 IN NS ns.gransy.com.
067.cz. 958 IN NS ns2.gransy.com.


Response:


A 14
DNSKEY 5
MX 4
NS 12
NSEC 2
RRSIG 10
SOA 3
SPF 3
TXT 4
Rsize 6684


Whois


% (c) 2006-2014 CZ.NIC, z.s.p.o.
%
% Intended use of supplied data and information
%
% Data contained in the domain name register, as well as information
% supplied through public information services of CZ.NIC association,
% are appointed only for purposes connected with Internet network
% administration and operation, or for the purpose of legal or other
% similar proceedings, in process as regards a matter connected
% particularly with holding and using a concrete domain name.
%
% Full text available at:
% http://www.nic.cz/page/306/intended-use-of-supplied-data-and-information/
%
% See also a search service at http://www.nic.cz/whois/
%
%
% Whoisd Server Version: 3.10.0
% Timestamp: Tue Nov 11 22:32:56 2014

domain: 067.cz
registrant: A24CONTACT-53436
admin-c: SB:SVIST21-S
nsset: NSS:GRANSY:3
registrar: REG-GRANSY
registered: 07.02.2013 15:06:26
changed: 11.01.2014 14:56:04
expire: 07.02.2015

contact: A24CONTACT-53436
org: Petr Koubský
name: Petr Koubský
address: Chvalova 1202/8
address: Praha 3
address: 130 00
address: CZ
registrar: REG-ACTIVE24
created: 01.12.2011 14:26:48

contact: SB:SVIST21-S
org: Svist 21 s.r.o.
name: Svist 21 s.r.o.
address: Dobrovskeho 36
address: Praha 7
address: 17000
address: CZ
registrar: REG-GRANSY
created: 05.10.2005 11:55:00
changed: 30.07.2014 09:47:05

nsset: NSS:GRANSY:3
nserver: ns.gransy.com
nserver: ns2.gransy.com
nserver: ns3.gransy.com
nserver: ns4.gransy.com
nserver: ns5.gransy.com
tech-c: GRANSY
registrar: REG-GRANSY
created: 01.10.2007 02:00:00
changed: 16.08.2010 00:39:13

contact: GRANSY
org: Gransy s.r.o.
name: Jan Horák
address: BoÃ…™ivojova 878/35
address: Praha 3
address: 130 00
address: CZ
phone: +420.732954549
fax-no: +420.226517341
e-mail: info@gransy.com
registrar: REG-MOJEID
created: 23.08.2004 17:35:00
changed: 20.04.2011 14:22:45





Thursday, October 23, 2014

Domain: domenamocy.pl

Domain: domenamocy.pl

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0a444f4d && 0x2c&0xDFDFDFDF=0x454e414d && 0x30&0xDFDFDFFF=0x4f435902 && 0x34&0xDFDFFFFF=0x504c0000 && 0x38&0xFF000000=0xFF000000" -j DROP -m comment --comment "DROP DNS Q domenamocy.pl"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 57 --algo bm --hex-string '|0A646f6d656e616d6f637902706c0000ff|' -j DROP -m comment --comment "DROP DNS Q domenamocy.pl"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
domenamocy.pl. 21599 IN NS dns30.hosteam.pl.
domenamocy.pl. 21599 IN NS dns22.hosteam.pl.
domenamocy.pl. 21599 IN NS dns9.hosteam.pl.
domenamocy.pl. 21599 IN NS dns31.hosteam.pl.
domenamocy.pl. 21599 IN NS dns.hosteam.pl.
domenamocy.pl. 21599 IN NS dns6.hosteam.pl.
domenamocy.pl. 21599 IN NS dns24.hosteam.pl.
domenamocy.pl. 21599 IN NS dns15.hosteam.pl.
domenamocy.pl. 21599 IN NS dns21.hosteam.pl.
domenamocy.pl. 21599 IN NS dns4.hosteam.pl.
domenamocy.pl. 21599 IN NS dns26.hosteam.pl.
domenamocy.pl. 21599 IN NS dns13.hosteam.pl.
domenamocy.pl. 21599 IN NS fns2.42.pl.
domenamocy.pl. 21599 IN NS dns14.hosteam.pl.
domenamocy.pl. 21599 IN NS dns5.hosteam.pl.
domenamocy.pl. 21599 IN NS dns27.hosteam.pl.
domenamocy.pl. 21599 IN NS dns18.hosteam.pl.
domenamocy.pl. 21599 IN NS dns3.hosteam.pl.
domenamocy.pl. 21599 IN NS fns1.42.pl.
domenamocy.pl. 21599 IN NS dns25.hosteam.pl.
domenamocy.pl. 21599 IN NS dns17.hosteam.pl.
domenamocy.pl. 21599 IN NS dns8.hosteam.pl.
domenamocy.pl. 21599 IN NS dns10.hosteam.pl.
domenamocy.pl. 21599 IN NS dns32.hosteam.pl.
domenamocy.pl. 21599 IN NS dns29.hosteam.pl.
domenamocy.pl. 21599 IN NS dns16.hosteam.pl.
domenamocy.pl. 21599 IN NS dns11.hosteam.pl.
domenamocy.pl. 21599 IN NS dns28.hosteam.pl.
domenamocy.pl. 21599 IN NS dns7.hosteam.pl.
domenamocy.pl. 21599 IN NS dns12.hosteam.pl.
domenamocy.pl. 21599 IN NS dns2.hosteam.pl.
domenamocy.pl. 21599 IN NS dns19.hosteam.pl.
domenamocy.pl. 21599 IN NS dns23.hosteam.pl.
domenamocy.pl. 21599 IN NS dns20.hosteam.pl.


Response:


NS 34
SOA 1
Rsize 760


Whois



DOMAIN NAME: domenamocy.pl
registrant type: individual
nameservers: fns1.42.pl. [79.98.145.34]
fns2.42.pl. [2a02:2978::a503:4209:2][195.80.237.194]
created: 2014.10.19 02:37:25
last modified: 2014.10.19 03:59:36
renewal date: 2015.10.19 02:37:25

no option

dnssec: Unsigned


REGISTRAR:
nazwa.pl S.A.(dawniej NetArt Spolka Akcyjna S.K.A.)
ul. Cystersow 20A
31-553 Krakow
Polska/Poland
+48.801 33 22 33
+48.12 297 88 10
+48.12 297 88 08
kontakt@nazwa.pl
www.nazwa.pl

WHOIS displays data with a delay not exceeding 15 minutes in relation to the .pl Registry system
Registrant data available at http://dns.pl/cgi-bin/en_whois.pl



Friday, October 17, 2014

Domain: oggr.ru

Domain: oggr.ru

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x044f4747 && 0x2c&0xDFFFDFDF=0x52025255 && 0x30&0xFFFFFF00=0x0000FF00" -j DROP -m comment --comment "DROP DNS Q oggr.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 51 --algo bm --hex-string '|046f6767720272750000ff|' -j DROP -m comment --comment "DROP DNS Q oggr.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
oggr.ru. 21599 IN NS ns2.reg.ru.
oggr.ru. 21599 IN NS ns1.reg.ru.


Response:


A 245
NS 2
SOA 1
Rsize 4016


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: OGGR.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGRU-RU
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2014.04.14
paid-till: 2015.04.14
free-date: 2015.05.15
source: TCI

Last updated on 2014.10.17 22:51:33 MSK




Domain: nlhosting.nl

Domain: nlhosting.nl

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x094e4c48 && 0x2c&0xDFDFDFDF=0x4f535449 && 0x30&0xDFDFFFDF=0x4e47024e && 0x34&0xDFFFFFFF=0x4c0000FF" -j DROP -m comment --comment "DROP DNS Q nlhosting.nl"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 56 --algo bm --hex-string '|096e6c686f7374696e67026e6c0000ff|' -j DROP -m comment --comment "DROP DNS Q nlhosting.nl"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
nlhosting.nl. 10799 IN NS ns.nlhosting.net.
nlhosting.nl. 10799 IN NS ns1.nlhosting.net.


Response:


A 14
DNSKEY 4
MX 4
NS 9
NSEC3PARAM 2
RRSIG 9
SOA 2
TXT 2
TYPE65534 3
Rsize 3635


Whois


Domain name: nlhosting.nl
Status: active

Registrar:
NL Hosting Internet Solutions bv
Kerkstraat 1
6669DA DODEWAARD
Netherlands

DNSSEC: yes

Domain nameservers:
ns.nlhosting.net
ns1.nlhosting.net

Record maintained by: NL Domain Registry

Copyright notice
No part of this publication may be reproduced, published, stored in a
retrieval system, or transmitted, in any form or by any means,
electronic, mechanical, recording, or otherwise, without prior
permission of the Foundation for Internet Domain Registration in the
Netherlands (SIDN).
These restrictions apply equally to registrars, except in that
reproductions and publications are permitted insofar as they are
reasonable, necessary and solely in the context of the registration
activities referred to in the General Terms and Conditions for .nl
Registrars.
Any use of this material for advertising, targeting commercial offers or
similar activities is explicitly forbidden and liable to result in legal
action. Anyone who is aware or suspects that such activities are taking
place is asked to inform the Foundation for Internet Domain Registration
in the Netherlands.
(c) The Foundation for Internet Domain Registration in the Netherlands
(SIDN) Dutch Copyright Act, protection of authors' rights (Section 10,
subsection 1, clause 1).



Thursday, October 16, 2014

Domain: doleta.gov

Domain: doleta.gov

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x06444f4c && 0x2c&0xDFDFDFFF=0x45544103 && 0x30&0xDFDFDFFF=0x474f5600 && 0x34&0xFFFF0000=0x00FF0000" -j DROP -m comment --comment "DROP DNS Q doleta.gov"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|06646f6c65746103676f760000ff|' -j DROP -m comment --comment "DROP DNS Q doleta.gov"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
doleta.gov. 899 IN NS ns06.dol.gov.
doleta.gov. 899 IN NS ns4.dol.gov.
doleta.gov. 899 IN NS ns2.dol.gov.
doleta.gov. 899 IN NS ns1.dol.gov.
doleta.gov. 899 IN NS ns05.dol.gov.
doleta.gov. 899 IN NS dino.doleta.gov.


Response:


A 15
AAAA 2
DNSKEY 4
MX 7
NS 14
NSEC3PARAM 2
RRSIG 9
SOA 2
TXT 2
Rsize 3691






Domain: bmw.digmehl.cu.cc

Domain: bmw.digmehl.cu.cc

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x03424d57 && 0x2c&0xFFDFDFDF=0x07444947 && 0x30&0xDFDFDFDF=0x4d45484c && 0x34&0xFFDFDFFF=0x02435502 && 0x38&0xDFDFFF00=0x43430000" -j DROP -m comment --comment "DROP DNS Q bmw.digmehl.cu.cc"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 59 --algo bm --hex-string '|03626d77076469676d65686c02637502636300|' -j DROP -m comment --comment "DROP DNS Q bmw.digmehl.cu.cc"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
digmehl.cu.cc. 21599 IN NS ken.ns.cloudflare.com.
digmehl.cu.cc. 21599 IN NS chan.ns.cloudflare.com.


Response:


TXT 1
Rsize 4095






Monday, October 13, 2014

Domain: guessinfosys.com

Domain: guessinfosys.com

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0c475545 && 0x2c&0xDFDFDFDF=0x5353494e && 0x30&0xDFDFDFDF=0x464f5359 && 0x34&0xDFFFDFDF=0x5303434f && 0x38&0xDFFFFFFF=0x4d0000FF" -j DROP -m comment --comment "DROP DNS Q guessinfosys.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 60 --algo bm --hex-string '|0C6775657373696e666f73797303636f6d0000ff|' -j DROP -m comment --comment "DROP DNS Q guessinfosys.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
guessinfosys.com. 1461 IN NS ns72.domaincontrol.com.
guessinfosys.com. 1461 IN NS ns71.domaincontrol.com.


Response:


A 6
MX 2
NS 2
SOA 1
TXT 7
Rsize 3195


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: GUESSINFOSYS.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS71.DOMAINCONTROL.COM
Name Server: NS72.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 12-sep-2014
Creation Date: 12-sep-2014
Expiration Date: 12-sep-2015

>>> Last update of whois database: Mon, 13 Oct 2014 23:04:03 GMT <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: GUESSINFOSYS.COM
Registry Domain ID: 1875368893_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-09-11 23:02:31
Creation Date: 2014-09-11 22:52:05
Registrar Registration Expiration Date: 2015-09-11 22:52:05
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: paopao sun
Registrant Organization:
Registrant Street: NO.4-2-401,FengNianCun,DongLi Dist.
Registrant City: Tianjin
Registrant State/Province: tianjin
Registrant Postal Code: 300010
Registrant Country: China
Registrant Phone: +86.13920258784
Registrant Phone Ext:
Registrant Fax: +86.13920258784
Registrant Fax Ext:
Registrant Email: quinnxaa@hotmail.com
Registry Admin ID:
Admin Name: paopao sun
Admin Organization:
Admin Street: NO.4-2-401,FengNianCun,DongLi Dist.
Admin City: Tianjin
Admin State/Province: tianjin
Admin Postal Code: 300010
Admin Country: China
Admin Phone: +86.13920258784
Admin Phone Ext:
Admin Fax: +86.13920258784
Admin Fax Ext:
Admin Email: quinnxaa@hotmail.com
Registry Tech ID:
Tech Name: paopao sun
Tech Organization:
Tech Street: NO.4-2-401,FengNianCun,DongLi Dist.
Tech City: Tianjin
Tech State/Province: tianjin
Tech Postal Code: 300010
Tech Country: China
Tech Phone: +86.13920258784
Tech Phone Ext:
Tech Fax: +86.13920258784
Tech Fax Ext:
Tech Email: quinnxaa@hotmail.com
Name Server: NS71.DOMAINCONTROL.COM
Name Server: NS72.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-10-13T23:00:00Z

The data contained in GoDaddy.com, LLC's WhoIs database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose is expressly forbidden without the prior written
permission of GoDaddy.com, LLC. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty. In particular,
you agree not to use this data to allow, enable, or otherwise make possible,
dissemination or collection of this data, in part or in its entirety, for any
purpose, such as the transmission of unsolicited advertising and
and solicitations of any kind, including spam. You further agree
not to use this data to enable high volume, automated or robotic electronic
processes designed to collect or compile this data for any purpose,
including mining this data for your own personal or commercial purposes.

Please note: the registrant of the domain name is specified
in the "registrant" section. In most cases, GoDaddy.com, LLC
is not the registrant of domain names listed in this database.



Domain: energystar.gov

Domain: energystar.gov

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0a454e45 && 0x2c&0xDFDFDFDF=0x52475953 && 0x30&0xDFDFDFFF=0x54415203 && 0x34&0xDFDFDFFF=0x474f5600 && 0x38&0xFFFF0000=0x00FF0000" -j DROP -m comment --comment "DROP DNS ANY  Q energystar.gov"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 58 --algo bm --hex-string '|0A656e657267797374617203676f760000ff|' -j DROP -m comment --comment "DROP DNS ANY Q energystar.gov"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
energystar.gov. 21599 IN NS ns01-100.energystar.gov.
energystar.gov. 21599 IN NS ns02-100.energystar.gov.


Response:


A 21
AAAA 3
DNSKEY 11
MX 6
NS 16
NSEC 2
RRSIG 10
SOA 3
TXT 3
Rsize 5423


Whois


% DOTGOV WHOIS Server ready
Domain Name: ENERGYSTAR.GOV
Status: ACTIVE


>>> Last update of whois database: 2014-10-13T23:01:26Z <<<
Please be advised that this whois server only contains information pertaining
to the .GOV domain. For information for other domains please use the whois
server at RS.INTERNIC.NET.



Domain: etk.heckbro.cu.cc

Domain: etk.heckbro.cu.cc

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0345544b && 0x2c&0xFFDFDFDF=0x07484543 && 0x30&0xDFDFDFDF=0x4b42524f && 0x34&0xFFDFDFFF=0x02435502 && 0x38&0xDFDFFF00=0x43430000" -j DROP -m comment --comment "DROP DNS Q etk.heckbro.cu.cc"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 59 --algo bm --hex-string '|0365746b076865636b62726f02637502636300|' -j DROP -m comment --comment "DROP DNS Q etk.heckbro.cu.cc"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
heckbro.cu.cc. 21536 IN NS coby.ns.cloudflare.com.
heckbro.cu.cc. 21536 IN NS alla.ns.cloudflare.com.


Response:


TXT 1
Rsize 4095





Wednesday, July 23, 2014

Domain: wradish.com

Domain: wradish.com

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x07575241 && 0x2c&0xDFDFDFDF=0x44495348 && 0x30&0xFFDFDFDF=0x03434f4d && 0x34&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q wradish.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 53 --algo bm --hex-string '|077772616469736803636f6d00|' -j DROP -m comment --comment "DROP DNS Q wradish.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


178.32.56.245

Name server:


;; ANSWER SECTION:
wradish.com. 2036 IN NS ns20.domaincontrol.com.
wradish.com. 2036 IN NS ns19.domaincontrol.com.


Response:


A 2
MX 2
NS 2
SOA 1
TXT 5
Rsize 3798


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: WRADISH.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS19.DOMAINCONTROL.COM
Name Server: NS20.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 21-apr-2014
Creation Date: 21-apr-2014
Expiration Date: 21-apr-2015

>>> Last update of whois database: Wed, 23 Jul 2014 21:19:40 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.



Domain: webpanel.sk

Domain: webpanel.sk

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x08574542 && 0x2c&0xDFDFDFDF=0x50414e45 && 0x30&0xDFFFDFDF=0x4c02534b && 0x34&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q webpanel.sk"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 53 --algo bm --hex-string '|0877656270616e656c02736b00|' -j DROP -m comment --comment "DROP DNS Q webpanel.sk"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


69.160.47.159

Name server:


;; ANSWER SECTION:
webpanel.sk. 21599 IN NS ns1.dnsbackup.net.
webpanel.sk. 21599 IN NS ns2.dnsbackup.net.
webpanel.sk. 21599 IN NS ns1.nameserver.sk.
webpanel.sk. 21599 IN NS ns2.nameserver.sk.


Response:


A 14
DNSKEY 6
MX 10
NS 12
NSEC 2
RRSIG 9
SOA 3
TXT 4
Rsize 6543


Whois


%
% whois.sk-nic.sk - whois server for TLD .sk
%


Domain-name webpanel.sk
Admin-id YEGO-0001
Admin-name Yegon s.r.o.
Admin-legal-form s.r.o
Admin-org.-ID 35797924
Admin-address Stara Prievozska 2, Bratislava 821 09
Admin-telephone +421-2-20633171
Admin-email registrator@yegon.sk
Tech-id YEGO-0001
Tech-name Yegon s.r.o.
Tech-org.-ID 35797924
Tech-address Stara Prievozska 2, Bratislava 821 09
Tech-telephone +421-2-20633171
Tech-email registrator@yegon.sk
dns_name ns1.nameserver.sk
dns_name ns2.nameserver.sk
dns_name ns1.dnsbackup.net
dns_name ns2.dnsbackup.net
Last-update 2013-12-12
Valid-date 2015-01-09
Domain-status DOM_OK





Saturday, June 28, 2014

Domain: lalka.com.ru

Domain: lalka.com.ru

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x054c414c && 0x2c&0xDFDFFFDF=0x4b410343 && 0x30&0xDFDFFFDF=0x4f4d0252 && 0x34&0xDFFF0000=0x55000000" -j DROP -m comment --comment "DROP DNS Q lalka.com.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|056c616c6b6103636f6d02727500|' -j DROP -m comment --comment "DROP DNS Q lalka.com.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


94.79.10.76

Response:


;; ANSWER SECTION:
lalka.com.ru. 600 IN SOA ns1.spaceweb.ru. dns1.sweb.ru. 2014052970 28800 7200 604800 600
lalka.com.ru. 600 IN NS ns2.spaceweb.ru.
lalka.com.ru. 600 IN NS ns1.spaceweb.ru.
lalka.com.ru. 600 IN A 77.222.56.62
lalka.com.ru. 600 IN MX 10 mx.asdgggggasdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdaiouuytsdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdhjhjhjasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasghghghdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdffasdafgffsdasdsadasdasdasdasdasdasdasdassdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdffasdasdasdsadasdasdasdasdasdasdasdassdfgfgfgasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd1.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd2.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd3.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd4.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd5.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd7.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdffasdasdasdsadasdasdasdasdasdasdasdassdaghghghghsdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd10.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd11.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdffagfhgfhfghsdasdasdsadasdasdasdasdasdasdasdassdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdashghgdfgdgdffasdasdasdsadasdasdasdasdasdasdasdassdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd564.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasdjkj.com.
lalka.com.ru. 600 IN MX 20 mx2.spaceweb.ru.
lalka.com.ru. 600 IN MX 10 mx.asdasdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdaesdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdasdasdasdsadasdasdasdasdasdasdasdasdasdasfdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdasdasdasdsadasdasdasdasdasdasdasddasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdasdffasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdffasdasdasdsadasdasdasdasdasdasdasdassdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdaccsdasdffasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdashhhhdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasjjjjdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdjjjjasdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdgfffgasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15ER"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15Gp"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15II"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15OO"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15SA"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15WW"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15YY"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdas"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15A"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15Q"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15S"

A 4
MX 32
NS 2
SOA 1
TXT 12
Rsize 4155