Thursday, January 1, 2015

Domain: ohhr.ru


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the Internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoSed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x044f4848 && 0x2c&0xDFFFDFDF=0x52025255 && 0x30&0xFFFFFF00=0x0000FF00" -j DROP -m comment --comment "DROP DNS Q ohhr.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 51 --algo bm --hex-string '|046f6868720272750000ff|' -j DROP -m comment --comment "DROP DNS Q ohhr.ru"

More iptables rules for the 'string' module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
ohhr.ru. 3599 IN NS ns1.reg.ru.
ohhr.ru. 3599 IN NS ns2.reg.ru.


Response:


A 244
NS 2
SOA 1
Rsize 4000


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: OHHR.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: REGRU-RU
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2014.11.07
paid-till: 2015.11.07
free-date: 2015.12.08
source: TCI

Last updated on 2015.01.01 17:31:31 MSK




Domain: gransy.com


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the Internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoSed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x06475241 && 0x2c&0xDFDFDFFF=0x4e535903 && 0x30&0xDFDFDFFF=0x434f4d00 && 0x34&0xFFFF0000=0x00FF0000" -j DROP -m comment --comment "DROP DNS Q gransy.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|066772616e737903636f6d0000ff|' -j DROP -m comment --comment "DROP DNS Q gransy.com"

More iptables rules for the 'string' module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
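The u32 and string rules above (for ohhr.ru and for gransy.com) follow one layout: offset 0x28 is where the question name starts in an IPv4 packet without IP options (20-byte IP header + 8-byte UDP header + 12-byte DNS header), each 4-byte word of the wire-format QNAME plus the QTYPE ANY bytes 0x00ff is compared under a mask, letters are masked with 0xDF so case is ignored, and bytes past the pattern get mask 0x00. The added example below (not from the smurfmonitor rule files) generates both rule forms for any domain with that layout and evaluates the u32 expression against constructed query packets with zeroed headers; the function names and test packets are mine. Note that the string variant as written compares bytes exactly, while the u32 variant ignores letter case.

```python
# Added example, not from the smurfmonitor rules; packets built here are constructed test data.
QNAME_OFF = 20 + 8 + 12   # IPv4 header (no options) + UDP header + DNS header = 0x28

def qname_any_bytes(domain):
    """Wire-format QNAME for `domain` followed by QTYPE ANY (0x00ff)."""
    out = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00\x00\xff"        # root label, then QTYPE=255 (ANY)

def u32_match(domain):
    """4-byte words from 0x28; letters masked 0xDF (case ignored), bytes past the pattern masked 0x00."""
    pat, parts = qname_any_bytes(domain), []
    for i in range(0, len(pat), 4):
        mask = value = 0
        for j in range(4):
            mask, value = mask << 8, value << 8
            if i + j < len(pat):
                b = pat[i + j]
                m = 0xDF if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A else 0xFF
                mask, value = mask | m, value | (b & m)
        parts.append("0x%x&0x%08X=0x%08x" % (QNAME_OFF + i, mask, value))
    return " && ".join(parts)

def string_match(domain):
    """Exact-byte variant for the string module, covering QNAME + QTYPE ANY."""
    pat = qname_any_bytes(domain)
    return "--from %d --to %d --algo bm --hex-string '|%s|'" % (QNAME_OFF, QNAME_OFF + len(pat), pat.hex())

def rule(domain, use_u32=True):
    """Full DROP rule in the form used on this page."""
    match = '-m u32 --u32 "%s"' % u32_match(domain) if use_u32 else "-m string " + string_match(domain)
    return 'iptables --insert INPUT -p udp --dport 53 %s -j DROP -m comment --comment "DROP DNS Q %s"' % (match, domain)

def u32_hits(expr, packet):
    """Evaluate 'off&mask=value' terms; as in the kernel, a load past the packet end fails the match."""
    for term in expr.split(" && "):
        off, mask, value = [int(x, 16) for x in term.replace("=", "&").split("&")]
        if off + 4 > len(packet) or int.from_bytes(packet[off:off + 4], "big") & mask != value:
            return False
    return True

def query_packet(domain, qtype):
    """Constructed test packet: zeroed IP/UDP/DNS headers, then QNAME, QTYPE, QCLASS IN."""
    return b"\0" * QNAME_OFF + qname_any_bytes(domain)[:-2] + bytes([qtype >> 8, qtype & 0xFF, 0, 1])
```

Running `rule("ohhr.ru")` and `rule("gransy.com")` reproduces the u32 rules above (apart from hex letter case), and `u32_hits` shows that a query for OHHR.RU type ANY is dropped while a query for ohhr.ru type A passes.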

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
gransy.com. 1799 IN NS ns2.gransy.com.
gransy.com. 1799 IN NS ns5.gransy.com.
gransy.com. 1799 IN NS ns3.gransy.com.
gransy.com. 1799 IN NS ns4.gransy.com.
gransy.com. 1799 IN NS ns.gransy.com.


Response:


A 14
AAAA 5
DNSKEY 5
MX 4
NS 14
NSEC 2
RRSIG 9
SOA 3
Rsize 5885


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: GRANSY.COM
Registrar: GRANSY S.R.O D/B/A SUBREG.CZ
Whois Server: whois.regtons.com
Referral URL: http://regtons.com
Name Server: NS.GRANSY.COM
Name Server: NS2.GRANSY.COM
Name Server: NS3.GRANSY.COM
Name Server: NS4.GRANSY.COM
Name Server: NS5.GRANSY.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 10-jul-2014
Creation Date: 21-oct-2002
Expiration Date: 21-oct-2021

>>> Last update of whois database: Thu, 01 Jan 2015 14:35:56 GMT <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: gransy.com
Registry Domain ID: 91407614_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.regtons.com
Registrar URL: http://regtons.com
Updated Date: 2014-07-10T00:00:00Z
Creation Date: 2002-10-21T00:00:00Z
Registrar Registration Expiration Date: 2021-10-21T00:00:00Z
Registrar: GRANSY S.R.O D/B/A SUBREG.CZ
Registrar IANA ID: 1505
Registrar Abuse Contact Email: abuse@regtons.com
Registrar Abuse Contact Phone: +420.734463373
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID: G-000050
Registrant Name: Jan Horak
Registrant Organization: Gransy s.r.o.
Registrant Street: Borivojova 35
Registrant City: Prague
Registrant State/Province:
Registrant Postal Code: 13000
Registrant Country: CZ
Registrant Phone: +420.732954549
Registrant Phone Ext:
Registrant Fax: +420.226517341
Registrant Fax Ext:
Registrant Email: info@gransy.com
Registry Admin ID: G-000050
Admin Name: Jan Horak
Admin Organization: Gransy s.r.o.
Admin Street: Borivojova 35
Admin City: Prague
Admin State/Province:
Admin Postal Code: 13000
Admin Country: CZ
Admin Phone: +420.732954549
Admin Phone Ext:
Admin Fax: +420.226517341
Admin Fax Ext:
Admin Email: info@gransy.com
Registry Tech ID: G-000050
Tech Name: Jan Horak
Tech Organization: Gransy s.r.o.
Tech Street: Borivojova 35
Tech City: Prague
Tech State/Province:
Tech Postal Code: 13000
Tech Country: CZ
Tech Phone: +420.732954549
Tech Phone Ext:
Tech Fax: +420.226517341
Tech Fax Ext:
Tech Email: info@gransy.com
Name Server: ns.gransy.com
Name Server: ns5.gransy.com
Name Server: ns3.gransy.com
Name Server: ns2.gransy.com
Name Server: ns4.gransy.com
DNSSEC: signedDelegation
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2015-01-01T14:00:00Z <<<

#
# This domain is registered by http://g-hosting.cz
#
# G-Hosting.CZ - This is good place for your website
#
# PHP, Java, Ruby, Python and VPS hosting services
#