Sunday, April 27, 2014

Domain: wradish.com

Domain: wradish.com


If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.


If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x07575241 && 0x2c&0xDFDFDFDF=0x44495348 && 0x30&0xFFDFDFDF=0x03434f4d && 0x34&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q wradish.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt


String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 53 --algo bm --hex-string '|077772616469736803636f6d00|' -j DROP -m comment --comment "DROP DNS Q wradish.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


42.99.130.141

Name server:


;; ANSWER SECTION:
wradish.com. 3599 IN NS ns20.domaincontrol.com.
wradish.com. 3599 IN NS ns19.domaincontrol.com.


Response:


A 2
MX 2
NS 2
SOA 1
Rsize 207


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: WRADISH.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS19.DOMAINCONTROL.COM
Name Server: NS20.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 21-apr-2014
Creation Date: 21-apr-2014
Expiration Date: 21-apr-2015

>>> Last update of whois database: Sun, 27 Apr 2014 15:03:33 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: WRADISH.COM
Registry Domain ID: 1855566194_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-04-21 09:40:43
Creation Date: 2014-04-21 09:37:53
Registrar Registration Expiration Date: 2015-04-21 09:37:53
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Robert M. Jackson
Registrant Organization:
Registrant Street: 2888 Bingamon Road
Registrant City: Willoughby
Registrant State/Province: Ohio
Registrant Postal Code: 44094
Registrant Country: United States
Registrant Phone: +1.4405713304
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: wradish.com@gmail.com
Registry Admin ID:
Admin Name: Robert M. Jackson
Admin Organization:
Admin Street: 2888 Bingamon Road
Admin City: Willoughby
Admin State/Province: Ohio
Admin Postal Code: 44094
Admin Country: United States
Admin Phone: +1.4405713304
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: wradish.com@gmail.com
Registry Tech ID:
Tech Name: Robert M. Jackson
Tech Organization:
Tech Street: 2888 Bingamon Road
Tech City: Willoughby
Tech State/Province: Ohio
Tech Postal Code: 44094
Tech Country: United States
Tech Phone: +1.4405713304
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: wradish.com@gmail.com
Name Server: NS19.DOMAINCONTROL.COM
Name Server: NS20.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-04-27T15:00:00Z



Tuesday, April 22, 2014

Domain: iorr.ru

Domain: iorr.ru

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x04494f52 && 0x2c&0xDFFFDFDF=0x52025255 && 0x30&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q iorr.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 49 --algo bm --hex-string '|04696f727202727500|' -j DROP -m comment --comment "DROP DNS Q iorr.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


89.248.168.200

Name server:


;; ANSWER SECTION:
iorr.ru. 21599 IN NS ns2.reg.ru.
iorr.ru. 21599 IN NS ns1.reg.ru.


Response:


A 240
NS 2
SOA 1
Rsize 3936


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: IORR.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2014.02.15
paid-till: 2015.02.15
free-date: 2015.03.18
source: TCI

Last updated on 2014.04.23 00:07:38 MSK




Saturday, April 5, 2014

Domain: ddosforums.pw

Domain: ddosforums.pw

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0a44444f && 0x2c&0xDFDFDFDF=0x53464f52 && 0x30&0xDFDFDFFF=0x554d5302 && 0x34&0xDFDFFF00=0x50570000" -j DROP -m comment --comment "DROP DNS Q ddosforums.pw"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 55 --algo bm --hex-string '|0A64646f73666f72756d7302707700|' -j DROP -m comment --comment "DROP DNS Q ddosforums.pw"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


65.181.121.246

Name server:


;; ANSWER SECTION:
ddosforums.pw. 21599 IN NS dina.ns.cloudflare.com.
ddosforums.pw. 21599 IN NS ian.ns.cloudflare.com.


Response:


A 13
NS 6
SOA 2
TXT 12
Rsize 1136 3


Whois


Domain ID:CNIC-DO1547096
Domain Name:DDOSFORUMS.PW
Created On:2013-10-15T00:33:25.0Z
Last Updated On:2013-11-04T16:42:38.0Z
Expiration Date:2014-10-15T23:59:59.0Z
Status:clientTransferProhibited
Status:serverTransferProhibited
Registrant ID:TJKYRCLKH1NE0OMV
Registrant Name:WhoisGuard Protected
Registrant Organization:WhoisGuard, Inc.
Registrant Street1:P.O. Box 0823-03411
Registrant City:Panama
Registrant State/Province:Panama
Registrant Postal Code:NA
Registrant Country:PA
Registrant Phone:+507.8365503
Registrant Fax:+51.17057182
Registrant Email:56c84bcc218944548a75dcba78c7e01f.protect@whoisguard.com
Admin ID:EHUGZGUYQAJRHATN
Admin Name:WhoisGuard Protected
Admin Organization:WhoisGuard, Inc.
Admin Street1:P.O. Box 0823-03411
Admin City:Panama
Admin State/Province:Panama
Admin Postal Code:NA
Admin Country:PA
Admin Phone:+507.8365503
Admin Fax:+51.17057182
Admin Email:56c84bcc218944548a75dcba78c7e01f.protect@whoisguard.com
Tech ID:JDHLEKUW0DARK0EG
Tech Name:WhoisGuard Protected
Tech Organization:WhoisGuard, Inc.
Tech Street1:P.O. Box 0823-03411
Tech City:Panama
Tech State/Province:Panama
Tech Postal Code:NA
Tech Country:PA
Tech Phone:+507.8365503
Tech Fax:+51.17057182
Tech Email:56c84bcc218944548a75dcba78c7e01f.protect@whoisguard.com
Billing ID:0QIKRMW5TJCY5QSZ
Billing Name:WhoisGuard Protected
Billing Organization:WhoisGuard, Inc.
Billing Street1:P.O. Box 0823-03411
Billing City:Panama
Billing State/Province:Panama
Billing Postal Code:NA
Billing Country:PA
Billing Phone:+507.8365503
Billing Fax:+51.17057182
Billing Email:56c84bcc218944548a75dcba78c7e01f.protect@whoisguard.com
Sponsoring Registrar ID:H1772673
Sponsoring Registrar IANA ID:1068
Sponsoring Registrar Organization:Namecheap
Sponsoring Registrar Street1:11400 W Olympic Blvd.
Sponsoring Registrar Street2:Suite 200
Sponsoring Registrar City:Los Angeles
Sponsoring Registrar State/Province:CA
Sponsoring Registrar Postal Code:90064
Sponsoring Registrar Country:US
Sponsoring Registrar Phone:+1.0123456789
Sponsoring Registrar Fax:+1.0123456789
Sponsoring Registrar Website:http://www.namecheap.com
Name Server:DINA.NS.CLOUDFLARE.COM
Name Server:IAN.NS.CLOUDFLARE.COM
DNSSEC:Unsigned

This whois service is provided by CentralNic Ltd and only contains
information pertaining to Internet domain names we have registered for
our customers. By using this service you are agreeing (1) not to use any
information presented here for any purpose other than determining
ownership of domain names, (2) not to store or reproduce this data in
any way, (3) not to use any high-volume, automated, electronic processes
to obtain data from this service. Abuse of this service is monitored and
actions in contravention of these terms will result in being permanently
blacklisted. All data is (c) CentralNic Ltd https://www.centralnic.com/