Thursday, October 23, 2014

Domain: domenamocy.pl

Domain: domenamocy.pl

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0a444f4d && 0x2c&0xDFDFDFDF=0x454e414d && 0x30&0xDFDFDFFF=0x4f435902 && 0x34&0xDFDFFFFF=0x504c0000 && 0x38&0xFF000000=0xFF000000" -j DROP -m comment --comment "DROP DNS Q domenamocy.pl"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 57 --algo bm --hex-string '|0A646f6d656e616d6f637902706c0000ff|' -j DROP -m comment --comment "DROP DNS Q domenamocy.pl"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
domenamocy.pl. 21599 IN NS dns30.hosteam.pl.
domenamocy.pl. 21599 IN NS dns22.hosteam.pl.
domenamocy.pl. 21599 IN NS dns9.hosteam.pl.
domenamocy.pl. 21599 IN NS dns31.hosteam.pl.
domenamocy.pl. 21599 IN NS dns.hosteam.pl.
domenamocy.pl. 21599 IN NS dns6.hosteam.pl.
domenamocy.pl. 21599 IN NS dns24.hosteam.pl.
domenamocy.pl. 21599 IN NS dns15.hosteam.pl.
domenamocy.pl. 21599 IN NS dns21.hosteam.pl.
domenamocy.pl. 21599 IN NS dns4.hosteam.pl.
domenamocy.pl. 21599 IN NS dns26.hosteam.pl.
domenamocy.pl. 21599 IN NS dns13.hosteam.pl.
domenamocy.pl. 21599 IN NS fns2.42.pl.
domenamocy.pl. 21599 IN NS dns14.hosteam.pl.
domenamocy.pl. 21599 IN NS dns5.hosteam.pl.
domenamocy.pl. 21599 IN NS dns27.hosteam.pl.
domenamocy.pl. 21599 IN NS dns18.hosteam.pl.
domenamocy.pl. 21599 IN NS dns3.hosteam.pl.
domenamocy.pl. 21599 IN NS fns1.42.pl.
domenamocy.pl. 21599 IN NS dns25.hosteam.pl.
domenamocy.pl. 21599 IN NS dns17.hosteam.pl.
domenamocy.pl. 21599 IN NS dns8.hosteam.pl.
domenamocy.pl. 21599 IN NS dns10.hosteam.pl.
domenamocy.pl. 21599 IN NS dns32.hosteam.pl.
domenamocy.pl. 21599 IN NS dns29.hosteam.pl.
domenamocy.pl. 21599 IN NS dns16.hosteam.pl.
domenamocy.pl. 21599 IN NS dns11.hosteam.pl.
domenamocy.pl. 21599 IN NS dns28.hosteam.pl.
domenamocy.pl. 21599 IN NS dns7.hosteam.pl.
domenamocy.pl. 21599 IN NS dns12.hosteam.pl.
domenamocy.pl. 21599 IN NS dns2.hosteam.pl.
domenamocy.pl. 21599 IN NS dns19.hosteam.pl.
domenamocy.pl. 21599 IN NS dns23.hosteam.pl.
domenamocy.pl. 21599 IN NS dns20.hosteam.pl.


Response:


NS 34
SOA 1
Rsize 760


Whois



DOMAIN NAME: domenamocy.pl
registrant type: individual
nameservers: fns1.42.pl. [79.98.145.34]
fns2.42.pl. [2a02:2978::a503:4209:2][195.80.237.194]
created: 2014.10.19 02:37:25
last modified: 2014.10.19 03:59:36
renewal date: 2015.10.19 02:37:25

no option

dnssec: Unsigned


REGISTRAR:
nazwa.pl S.A.(dawniej NetArt Spolka Akcyjna S.K.A.)
ul. Cystersow 20A
31-553 Krakow
Polska/Poland
+48.801 33 22 33
+48.12 297 88 10
+48.12 297 88 08
kontakt@nazwa.pl
www.nazwa.pl

WHOIS displays data with a delay not exceeding 15 minutes in relation to the .pl Registry system
Registrant data available at http://dns.pl/cgi-bin/en_whois.pl



Friday, October 17, 2014

Domain: oggr.ru

Domain: oggr.ru

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x044f4747 && 0x2c&0xDFFFDFDF=0x52025255 && 0x30&0xFFFFFF00=0x0000FF00" -j DROP -m comment --comment "DROP DNS Q oggr.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 51 --algo bm --hex-string '|046f6767720272750000ff|' -j DROP -m comment --comment "DROP DNS Q oggr.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
oggr.ru. 21599 IN NS ns2.reg.ru.
oggr.ru. 21599 IN NS ns1.reg.ru.


Response:


A 245
NS 2
SOA 1
Rsize 4016


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: OGGR.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGRU-RU
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2014.04.14
paid-till: 2015.04.14
free-date: 2015.05.15
source: TCI

Last updated on 2014.10.17 22:51:33 MSK




Domain: nlhosting.nl

Domain: nlhosting.nl

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x094e4c48 && 0x2c&0xDFDFDFDF=0x4f535449 && 0x30&0xDFDFFFDF=0x4e47024e && 0x34&0xDFFFFFFF=0x4c0000FF" -j DROP -m comment --comment "DROP DNS Q nlhosting.nl"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 56 --algo bm --hex-string '|096e6c686f7374696e67026e6c0000ff|' -j DROP -m comment --comment "DROP DNS Q nlhosting.nl"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
nlhosting.nl. 10799 IN NS ns.nlhosting.net.
nlhosting.nl. 10799 IN NS ns1.nlhosting.net.


Response:


A 14
DNSKEY 4
MX 4
NS 9
NSEC3PARAM 2
RRSIG 9
SOA 2
TXT 2
TYPE65534 3
Rsize 3635


Whois


Domain name: nlhosting.nl
Status: active

Registrar:
NL Hosting Internet Solutions bv
Kerkstraat 1
6669DA DODEWAARD
Netherlands

DNSSEC: yes

Domain nameservers:
ns.nlhosting.net
ns1.nlhosting.net

Record maintained by: NL Domain Registry

Copyright notice
No part of this publication may be reproduced, published, stored in a
retrieval system, or transmitted, in any form or by any means,
electronic, mechanical, recording, or otherwise, without prior
permission of the Foundation for Internet Domain Registration in the
Netherlands (SIDN).
These restrictions apply equally to registrars, except in that
reproductions and publications are permitted insofar as they are
reasonable, necessary and solely in the context of the registration
activities referred to in the General Terms and Conditions for .nl
Registrars.
Any use of this material for advertising, targeting commercial offers or
similar activities is explicitly forbidden and liable to result in legal
action. Anyone who is aware or suspects that such activities are taking
place is asked to inform the Foundation for Internet Domain Registration
in the Netherlands.
(c) The Foundation for Internet Domain Registration in the Netherlands
(SIDN) Dutch Copyright Act, protection of authors' rights (Section 10,
subsection 1, clause 1).



Thursday, October 16, 2014

Domain: doleta.gov

Domain: doleta.gov

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x06444f4c && 0x2c&0xDFDFDFFF=0x45544103 && 0x30&0xDFDFDFFF=0x474f5600 && 0x34&0xFFFF0000=0x00FF0000" -j DROP -m comment --comment "DROP DNS Q doleta.gov"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|06646f6c65746103676f760000ff|' -j DROP -m comment --comment "DROP DNS Q doleta.gov"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
doleta.gov. 899 IN NS ns06.dol.gov.
doleta.gov. 899 IN NS ns4.dol.gov.
doleta.gov. 899 IN NS ns2.dol.gov.
doleta.gov. 899 IN NS ns1.dol.gov.
doleta.gov. 899 IN NS ns05.dol.gov.
doleta.gov. 899 IN NS dino.doleta.gov.


Response:


A 15
AAAA 2
DNSKEY 4
MX 7
NS 14
NSEC3PARAM 2
RRSIG 9
SOA 2
TXT 2
Rsize 3691






Domain: bmw.digmehl.cu.cc

Domain: bmw.digmehl.cu.cc

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x03424d57 && 0x2c&0xFFDFDFDF=0x07444947 && 0x30&0xDFDFDFDF=0x4d45484c && 0x34&0xFFDFDFFF=0x02435502 && 0x38&0xDFDFFF00=0x43430000" -j DROP -m comment --comment "DROP DNS Q bmw.digmehl.cu.cc"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 59 --algo bm --hex-string '|03626d77076469676d65686c02637502636300|' -j DROP -m comment --comment "DROP DNS Q bmw.digmehl.cu.cc"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
digmehl.cu.cc. 21599 IN NS ken.ns.cloudflare.com.
digmehl.cu.cc. 21599 IN NS chan.ns.cloudflare.com.


Response:


TXT 1
Rsize 4095






Monday, October 13, 2014

Domain: guessinfosys.com

Domain: guessinfosys.com

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0c475545 && 0x2c&0xDFDFDFDF=0x5353494e && 0x30&0xDFDFDFDF=0x464f5359 && 0x34&0xDFFFDFDF=0x5303434f && 0x38&0xDFFFFFFF=0x4d0000FF" -j DROP -m comment --comment "DROP DNS Q guessinfosys.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 60 --algo bm --hex-string '|0C6775657373696e666f73797303636f6d0000ff|' -j DROP -m comment --comment "DROP DNS Q guessinfosys.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
guessinfosys.com. 1461 IN NS ns72.domaincontrol.com.
guessinfosys.com. 1461 IN NS ns71.domaincontrol.com.


Response:


A 6
MX 2
NS 2
SOA 1
TXT 7
Rsize 3195


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: GUESSINFOSYS.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS71.DOMAINCONTROL.COM
Name Server: NS72.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 12-sep-2014
Creation Date: 12-sep-2014
Expiration Date: 12-sep-2015

>>> Last update of whois database: Mon, 13 Oct 2014 23:04:03 GMT <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: GUESSINFOSYS.COM
Registry Domain ID: 1875368893_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-09-11 23:02:31
Creation Date: 2014-09-11 22:52:05
Registrar Registration Expiration Date: 2015-09-11 22:52:05
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: paopao sun
Registrant Organization:
Registrant Street: NO.4-2-401,FengNianCun,DongLi Dist.
Registrant City: Tianjin
Registrant State/Province: tianjin
Registrant Postal Code: 300010
Registrant Country: China
Registrant Phone: +86.13920258784
Registrant Phone Ext:
Registrant Fax: +86.13920258784
Registrant Fax Ext:
Registrant Email: quinnxaa@hotmail.com
Registry Admin ID:
Admin Name: paopao sun
Admin Organization:
Admin Street: NO.4-2-401,FengNianCun,DongLi Dist.
Admin City: Tianjin
Admin State/Province: tianjin
Admin Postal Code: 300010
Admin Country: China
Admin Phone: +86.13920258784
Admin Phone Ext:
Admin Fax: +86.13920258784
Admin Fax Ext:
Admin Email: quinnxaa@hotmail.com
Registry Tech ID:
Tech Name: paopao sun
Tech Organization:
Tech Street: NO.4-2-401,FengNianCun,DongLi Dist.
Tech City: Tianjin
Tech State/Province: tianjin
Tech Postal Code: 300010
Tech Country: China
Tech Phone: +86.13920258784
Tech Phone Ext:
Tech Fax: +86.13920258784
Tech Fax Ext:
Tech Email: quinnxaa@hotmail.com
Name Server: NS71.DOMAINCONTROL.COM
Name Server: NS72.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-10-13T23:00:00Z

The data contained in GoDaddy.com, LLC's WhoIs database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose is expressly forbidden without the prior written
permission of GoDaddy.com, LLC. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty. In particular,
you agree not to use this data to allow, enable, or otherwise make possible,
dissemination or collection of this data, in part or in its entirety, for any
purpose, such as the transmission of unsolicited advertising and
and solicitations of any kind, including spam. You further agree
not to use this data to enable high volume, automated or robotic electronic
processes designed to collect or compile this data for any purpose,
including mining this data for your own personal or commercial purposes.

Please note: the registrant of the domain name is specified
in the "registrant" section. In most cases, GoDaddy.com, LLC
is not the registrant of domain names listed in this database.



Domain: energystar.gov

Domain: energystar.gov

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0a454e45 && 0x2c&0xDFDFDFDF=0x52475953 && 0x30&0xDFDFDFFF=0x54415203 && 0x34&0xDFDFDFFF=0x474f5600 && 0x38&0xFFFF0000=0x00FF0000" -j DROP -m comment --comment "DROP DNS ANY  Q energystar.gov"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 58 --algo bm --hex-string '|0A656e657267797374617203676f760000ff|' -j DROP -m comment --comment "DROP DNS ANY Q energystar.gov"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
energystar.gov. 21599 IN NS ns01-100.energystar.gov.
energystar.gov. 21599 IN NS ns02-100.energystar.gov.


Response:


A 21
AAAA 3
DNSKEY 11
MX 6
NS 16
NSEC 2
RRSIG 10
SOA 3
TXT 3
Rsize 5423


Whois


% DOTGOV WHOIS Server ready
Domain Name: ENERGYSTAR.GOV
Status: ACTIVE


>>> Last update of whois database: 2014-10-13T23:01:26Z <<<
Please be advised that this whois server only contains information pertaining
to the .GOV domain. For information for other domains please use the whois
server at RS.INTERNIC.NET.



Domain: etk.heckbro.cu.cc

Domain: etk.heckbro.cu.cc

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0345544b && 0x2c&0xFFDFDFDF=0x07484543 && 0x30&0xDFDFDFDF=0x4b42524f && 0x34&0xFFDFDFFF=0x02435502 && 0x38&0xDFDFFF00=0x43430000" -j DROP -m comment --comment "DROP DNS Q etk.heckbro.cu.cc"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 59 --algo bm --hex-string '|0365746b076865636b62726f02637502636300|' -j DROP -m comment --comment "DROP DNS Q etk.heckbro.cu.cc"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
heckbro.cu.cc. 21536 IN NS coby.ns.cloudflare.com.
heckbro.cu.cc. 21536 IN NS alla.ns.cloudflare.com.


Response:


TXT 1
Rsize 4095