Monday, September 30, 2013

Domain: zaikapaika.com

Seen a scan for this domain on 30-09-2013.

IPtables:


iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0a5a4149 && 0x2c&0xDFDFDFDF=0x4b415041 && 0x30&0xDFDFDFFF=0x494b4103 && 0x34&0xDFDFDFFF=0x434f4d00" -j DROP -m comment --comment "DROP DNS Q zaikapaika.com"

Source:


89.248.174.54 - Ecatel (everytime)

Also seen this IP for:

 kiddy3233655.ru

Name server:


zaikapaika.com.         10800   IN      NS      b.dns.gandi.net.
zaikapaika.com.         10800   IN      NS      a.dns.gandi.net.
zaikapaika.com.         10800   IN      NS      c.dns.gandi.net.

;; ADDITIONAL SECTION:
c.dns.gandi.net.        85933   IN      AAAA    2001:4b98:c:521::20
b.dns.gandi.net.        85933   IN      AAAA    2001:4b98:b:a::40
a.dns.gandi.net.        85933   IN      AAAA    2604:3400:a::2
a.dns.gandi.net.        85933   IN      A       173.246.97.2
b.dns.gandi.net.        85933   IN      A       217.70.184.40
c.dns.gandi.net.        85933   IN      A       217.70.182.20


Response:


241 A records in the 204.46.43.x range.

Whois

domain: zaikapaika.com
reg_created: 2013-09-23 08:41:35
expires: 2014-09-23 08:41:35
created: 2013-09-23 10:41:36
changed: 2013-09-26 22:32:45
transfer-prohibited: yes
ns0: a.dns.gandi.net
ns1: b.dns.gandi.net
ns2: c.dns.gandi.net
owner-c:
  nic-hdl: VV1405-GANDI
  organisation: ~
  person: Vyacheslav Volkov
  obfuscated: Obfuscated by Gandi
  address: (Gandi) 63-65 boulevard Massena
  zipcode: (Gandi) 75013
  city: (Gandi) Paris
  country: (Gandi) France
  phone: (Gandi) +33.170377666
  fax: (Gandi) +33.143730576
  email: 5e2223699a84baf9c6365442bfa79494-1782482@contact.gandi.net
  lastupdated: 2013-09-20 18:00:18
admin-c:
  nic-hdl: VV1405-GANDI
  organisation: ~
  person: Vyacheslav Volkov
  obfuscated: Obfuscated by Gandi
  address: (Gandi) 63-65 boulevard Massena
  zipcode: (Gandi) 75013
  city: (Gandi) Paris
  country: (Gandi) France
  phone: (Gandi) +33.170377666
  fax: (Gandi) +33.143730576
  email: 5e2223699a84baf9c6365442bfa79494-1782482@contact.gandi.net
  lastupdated: 2013-09-20 18:00:18
tech-c:
  nic-hdl: VV1405-GANDI
  organisation: ~
  person: Vyacheslav Volkov
  obfuscated: Obfuscated by Gandi
  address: (Gandi) 63-65 boulevard Massena
  zipcode: (Gandi) 75013
  city: (Gandi) Paris
  country: (Gandi) France
  phone: (Gandi) +33.170377666
  fax: (Gandi) +33.143730576
  email: 5e2223699a84baf9c6365442bfa79494-1782482@contact.gandi.net
  lastupdated: 2013-09-20 18:00:18
bill-c:
  nic-hdl: VV1405-GANDI
  organisation: ~
  person: Vyacheslav Volkov
  obfuscated: Obfuscated by Gandi
  address: (Gandi) 63-65 boulevard Massena
  zipcode: (Gandi) 75013
  city: (Gandi) Paris
  country: (Gandi) France
  phone: (Gandi) +33.170377666
  fax: (Gandi) +33.143730576
  email: 5e2223699a84baf9c6365442bfa79494-1782482@contact.gandi.net
  lastupdated: 2013-09-20 18:00:18

Saturday, September 28, 2013

Domain: Sandia.gov

Some attacks are using this legit domain with ANY queries.
Seeing as ANY queries are not really used in a legit manner, I have no problem dropping these... like it's hot.

IPtables:


iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0653414e && 0x2c&0xDFDFDFFF=0x44494103 && 0x30&0xDFDFDFFF=0x474f5600 && 0x34&0xFFFFFFFF=0x00ff0001" -j DROP -m comment --comment "DROP DNS Q ANY sandia.gov"
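Every rule in this post is built the same way: the QNAME of a UDP/IPv4 query starts at IP offset 0x28 (20-byte IPv4 header + 8-byte UDP header + 12-byte DNS header), u32 compares it one 4-byte word at a time, letters get mask 0xDF against their upper-case value (case-insensitive), and length bytes, digits and the closing 0x00 get mask 0xFF; the sandia.gov rule additionally pins QTYPE 0x00ff (ANY) and QCLASS 0x0001. As an added example, not code from this blog or the linked rule repository, the script below generates such an expression for any domain, optionally for one query type, and decodes an existing expression back to the name it matches so a rule can be reviewed before it is loaded. It assumes IPv4 without IP options (otherwise the 0x28 offset is wrong) and a plain question section, which is what queries carry in practice.

```python
"""Generate and decode the iptables u32 DNS-query matches used in this post.

Layout of a DNS query over UDP/IPv4: 20-byte IPv4 header (no options),
8-byte UDP header, 12-byte DNS header, then the question. The QNAME
therefore starts at IP offset 40 = 0x28, and u32 compares 4 bytes at a time.
Letters are matched with mask 0xDF against their upper-case value, so the
rule is case-insensitive; length bytes, digits, '-' and the terminating 0x00
are matched with mask 0xFF.
"""

QNAME_OFFSET = 0x28      # 20 (IPv4) + 8 (UDP) + 12 (DNS header)
QTYPE_ANY = 0x00FF
QCLASS_IN = 0x0001


def _byte_pattern(domain, qtype=None):
    """Return a list of (value, mask) pairs for the wire-format question.

    With qtype=None only the name is matched. A trailing 3-byte tail is padded
    with one 0x00 (the QTYPE high byte, zero for every common type) and a
    shorter leftover is dropped, which is what the rules in this post do.
    With a qtype, QTYPE and QCLASS IN are appended so only that type matches.
    """
    pat = []
    for label in domain.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        pat.append((len(raw), 0xFF))          # label length byte: exact
        for b in raw:
            if chr(b).isalpha():
                pat.append((b & 0xDF, 0xDF))  # letter: case-insensitive
            else:
                pat.append((b, 0xFF))         # digit or '-': exact
    pat.append((0x00, 0xFF))                  # end of QNAME
    if qtype is not None:
        for field in (qtype, QCLASS_IN):
            pat.append((field >> 8, 0xFF))
            pat.append((field & 0xFF, 0xFF))
    elif len(pat) % 4 == 3:
        pat.append((0x00, 0xFF))              # QTYPE high byte
    return pat


def u32_expr(domain, qtype=None):
    """Build the --u32 expression: one 'off&mask=value' term per 4-byte word."""
    pat = _byte_pattern(domain, qtype)
    terms = []
    for i in range(0, len(pat) - len(pat) % 4, 4):
        word = pat[i:i + 4]
        value = int.from_bytes(bytes(v for v, _ in word), "big")
        mask = int.from_bytes(bytes(m for _, m in word), "big")
        terms.append("0x%x&0x%08X=0x%08x" % (QNAME_OFFSET + i, mask, value))
    return " && ".join(terms)


def iptables_rule(domain, qtype=None):
    """Full DROP rule in the same form as the rules in this post."""
    tag = "DROP DNS Q ANY " if qtype == QTYPE_ANY else "DROP DNS Q "
    return ('iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "%s"'
            ' -j DROP -m comment --comment "%s%s"'
            % (u32_expr(domain, qtype), tag, domain))


def decode_u32(expr):
    """Recover the lower-cased name a --u32 expression matches (for review).

    Only the value bytes are read; a rule whose last word was truncated
    decodes to the partial label it really matches.
    """
    raw = bytearray()
    for term in expr.split("&&"):
        offset, rest = term.strip().split("&")
        _mask, value = rest.split("=")
        if int(offset, 16) != QNAME_OFFSET + len(raw):
            raise ValueError("terms are not contiguous from the QNAME")
        raw += int(value, 16).to_bytes(4, "big")
    labels, i = [], 0
    while i < len(raw) and raw[i] != 0:
        n = raw[i]
        labels.append(raw[i + 1:i + 1 + n].decode("ascii").lower())
        i += 1 + n
    return ".".join(labels)


if __name__ == "__main__":
    print(iptables_rule("zaikapaika.com"))
    print(iptables_rule("sandia.gov", QTYPE_ANY))
    print(decode_u32(u32_expr("kiddy3233655.ru")))
```

The generated expressions reproduce the rules in this post byte for byte. A query carrying IPv4 options shifts the question past offset 0x28 and will not match, so these rules are a cheap first filter, not a complete one.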


More rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

Source:


First scan I observed for Sandia.gov came from Sweden:

First:

94.185.81.128 - Netrouting

Later on:
89.248.172.121 - Ecatel
-hackwhatlol.cc
-edelion.su
-2soe.ru

Name server:


sandia.gov. 3600 IN NS ns8.sandia.gov.
sandia.gov. 3600 IN NS ns2.ca.sandia.gov.
sandia.gov. 3600 IN NS ns9.sandia.gov.
sandia.gov. 3600 IN NS ns1.ca.sandia.gov.

;; ADDITIONAL SECTION:
ns1.ca.sandia.gov. 3600 IN A 198.206.219.65
ns9.sandia.gov. 3600 IN A 132.175.7.210
ns2.ca.sandia.gov. 3600 IN A 198.206.219.66
ns8.sandia.gov. 3600 IN A 132.175.7.209

Response:


Just massive!

;; ANSWER SECTION:
Sandia.gov. 3600 IN SOA taurus.Sandia.gov. dnsadmin.Sandia.gov. 448880 1800 900 604800 3600
Sandia.gov. 0 IN RRSIG NSEC3PARAM 7 2 0 20131009150422 20130909150422 30602 sandia.gov. lqLdGBXNggppzQAHk0F3LsG70+AMHJVEgOj0+tYV7i7F3EguhK1K/wWg NmMmm2s2yhuOQDHOvKc3RXoVLbumXqIuu9cr/Mqbnx06dsTrlbmfoSNM Lc9+Lye/hf57u2etlsLt2krwAvSliOcIARg5CxyRj1ckbRoBvoMpsFt4 SkiHJlpw2/YpAb30MsPz0HHNwL4kwidv3HS+kR6RlSy0bBpPIrQBit7A 1OwxaWnzpB645EJjVAB5CBi7edGFQL9dyOh8PTWKAC4dOxo6MObukIDX 81sd1DeVj/aTvaZzK/ImXlZnraw1qwO9B90caQG6+lPKmXVJQK8pxQvQ 9Dz2gg==
Sandia.gov. 0 IN NSEC3PARAM 1 0 2 8BEC6F
Sandia.gov. 3600 IN RRSIG DNSKEY 7 2 3600 20131009150422 20130909150422 20739 sandia.gov. UIKkraXl1rSrpCORN6+0XFjNQFeJXBSiF9UT/nPabh3g+BGaBcZqpIjW NloD2cgW+Q43VsRlSwoiDYzB9OafzYknVxhI2WaG9aNrrtoCuCl+Bz7r auHhmN/HQq7VVSPp0YOL4Tw2RasvbLmNT/mKAEFGPmHm5dVWtmR/aiJj Fx4vUFCoquG1FUYdE8cwhOutIfhNulzCm41HsRoleKLy3yzwqZCtMoeg ow8g+HBSEt3j1ZrFyIg1WjOuPi2Il66EIz7yCBi3PKLKMJYd9DNpU+BR xx9viNX+jI05w7Ds96AO6zVyE1wRxj3twPOTTuVFvWeRVWFpxzUv9iR9 1z75EQ==
Sandia.gov. 3600 IN RRSIG DNSKEY 7 2 3600 20131009150422 20130909150422 30602 sandia.gov. nFKdZ1BJAqsOt2M8J50nFjRwrMs3Om0x2LHx/bW8PgE5i4r/OE8yl5Or qBS34MpNSJG9y059OALcSVWv/Y7yzEhnFuAJw1JM0gbXjTDWAvdOJToI 7B0lQ2rZU+REvZzgp6FVcEzH1MgoR/LRqlxaP/93/CSvOBEsQfnTcH/+ YdD4TYw02jHYSFYCGbvDSn+Z6RmvvLdlcSn9FyMDes8uDshW+niPGEr2 iET5UHnn7TMFk/nnj8f8esP7Rgc5PDMbSFj4w3AkCyWT7K5dqk5IwpfL coKMAf+2i4/PmaPHQySBie0JirKGufuTpIllKEVXMOdu/nGQjSdCXd8B UaHFVg==
Sandia.gov. 3600 IN RRSIG DNSKEY 7 2 3600 20131009150422 20130909150422 36033 sandia.gov. bOwF9y4fTZvEeWwJYEQfwpkzAaQz1jjuP/vrcODtNWIZjPCH2r+KAq9P NIyRMlPxveybfJPqVT0xhDL97stjhUldzXH3hgFnra/OnhSC/4xH5ipR +ExCuuL6vsJHiORpIMXKZ2IqDdbIqYCiy2pOdYlFXDliI264AF/kp1V9 5zwuz2ohKIjtEU9eeZdgdynFlpFNt7Cl0HrdlOBsOLZAQdT6Tfvrh73T zuW3kkYXUiDo4z1FE8SwcMoSULyP8YBU10Es1JBBQNIVcv3artgzz4q1 L2ZqpTuvZ+bwZUfY93QYHTnEvjCo14psTAK3lAhEoU62CKPPxhmmsToR kFuwSg==
Sandia.gov. 3600 IN DNSKEY 256 3 7 AwEAAZ0oH+W7xJXP7f/O7J25tQQEG9xqj6LecK9pESLccr0MwEO+Xha9 4qMClFvQ8uCjogyPuFizBNk0s0WjOa+XyBVzhZg2djpqARmq8VmPMXEx GpkDgkP1ukdoTESrc1XC+Sbi0uE8tRGmu+eus4n3Yk/+tS9L3ka3daOZ CJuaCV0Om9XTnDP+m8ElUdHju0RUFN63hKdx++/7PNzTw6prj2ddeKW6 Zao3naBvYsGbfzKpAd1d7NDK29QYh+MFUe1s3ccBhTmgvCiRjsl1LAAQ jaZ9KZYOPT0JJZQ9Qtlxmj6enQtdIPOYzyjALkIv193dXlE+G0S5Arr9 fjMaf7lEyNc=
Sandia.gov. 3600 IN DNSKEY 256 3 7 AwEAAfaaLgwMLLou2EXeq0lw3dHUos46XgWEGczA2xz1r2RttO8ATyrR gx4rW+MaIyLLO5es0Et8Fum5qRHa9uwAqkrF5mNC2o05HyA4lv8zr9Px Q6xWDBlvkQMSBVmfgyMT0hLBt4wwrKycYsDEpxJFuQcZih8lZaInSRG2 RNZL7ThwycRawvgKMDWO59giOcU51AWAks8BQN5z/33jvFgbPwYJObV1 CytBZlyDdLlCryOn+xRKZKtF6TTCzOfvlquKcEeqzfhGNn5nUquZWAay klBDYM6NnSjmui2482/KRImoygE8DayJ9aN9BIH5v+ehdegWsRtX/U8m HIA4/E/2//U=
Sandia.gov. 3600 IN DNSKEY 257 3 7 AwEAAb80HHQXbrsrmm8L5T1V3QDoXEEDJpts4S6ttkFVOa+fb4anMU3B 7KNK4jgg8sDXMhDfgTWHOc9EEAuy3Obv/6ArD4+385P+EuH5NGLd5f/l Wl8GC9S24mDTpe2sNKi4AHJQxnREuI8Oxr/Mh92W5+HWDdIBt5IKH/nu 9Wlf76Yg3x8jHZYgxVBMgPGF+UYUMQLKAjtJ/XFRObLLL+RQNdNkBqrQ LDkPBxbG1m8rDNa+uCbBiOWGBjZxrjEyQCA/2ZAKQ9lhVFZWuxb8DA3m eiu8sfhWb3tbuZHhCb2HniV43oPKICN4GdIDrHQkZCUOzEMKLSyX98VW QoHdaaOT1is=
Sandia.gov. 3600 IN DNSKEY 257 3 7 AwEAAeWCWZhMfUwZSU+3Sqqk3OvDCDPw9sBWL7HioNjo8FI90QdbNYRh 6z9Ks2fEoguMRHlTobVbptJ2wlRQPWTyC8qlaWnT82hdj5tpOzNlfuWy wRu7Yw+DOBJUT1d1ygwGVl9YbNl2gw4JCbVjqyZl2SogXAXWJecQKrJZ gToYW/hkoTUWEnW80j60wwXyeBR6TExVNTsuimV4vNas1nDqKd3jf8fS pszH5CFR/Ytw29f4qaZRxGfgtQf05AwMLrKNfiHXjRnhQ/Wc4irjW4o6 J07xJumdVm2edvevOwPc5HvoTcHKueBn+8cyq7FDc0pwutB190FV8WU6 XTTQMJQpOAE=
Sandia.gov. 3600 IN RRSIG TXT 7 2 3600 20131009150422 20130909150422 30602 sandia.gov. 5qOYnmGkx1fdXmDe5gtUNeFFqEJFcQ9EFxQ4Txl1ptaDHQasmN1FZBvP YKR1bZB6hPTfxDnUZt8vNwuMNOquoRYRjUOerfs6l6BrrY5K/9ax9w3I 5v9TwsfSf9CtQBRJPg+Rlmu5hHk1CqtR3D9SmDiTyTxmItOW24uoPz3f ZW5d652/laiIU8i1YKSVlOdUXzyuyBRfCyjH4K83h/dsne5tKM8qtKAK g+5zPJq1F48jfROwO8JFtxDSB7jya1Kdg5vGPSJqFsWKGGkDoz52Axen d4qPLcb2bOSo2JGRBcGuPj8glSMzWAInD5Jswmsc1cqrPZoN9MxXNrq+ Afa+SQ==
Sandia.gov. 3600 IN TXT "v=spf1 mx ip4:132.175.109.20 ip4:132.175.109.21  ip4:132.175.109.1  ip4:132.175.109.4 ~all"
Sandia.gov. 1200 IN RRSIG MX 7 2 1200 20131009150422 20130909150422 30602 sandia.gov. 6VIvlQ0KK1YsBmArv9XcVNbhRygoMRxyi1iNEWZ1Unv3UF46tMu/oW/r hxkOpZvnAhf4hQvXh21Mkd2m4N+MLo9iYV8E+Abwy+ppDg2AbFqmk6jh GFwdq2Ea3Lm3cRU4es0paBNmyJjl5TMV9LVcyBjJps9xA157p0qBJThW EqRadUpk/e0AJydsIjTC5v1iss5QjuTmZW8TmSIWRvHa1WHi0W3VWRiA Q3REr+t45ADgvRHOUFf4fxvwjx7/7rXrQNlUpoMJDzZhNb2in2m3p1Yo BezZH5pGsj0bwVSlaBvAmxUGUIsydrTppGF20TgwwyDxx98/YJbwYZLN 8wV82g==
Sandia.gov. 1200 IN MX 10 sentry-three.Sandia.gov.
Sandia.gov. 1200 IN MX 30 hubble.ca.Sandia.gov.
Sandia.gov. 1200 IN MX 10 sentry-two.Sandia.gov.
Sandia.gov. 3600 IN RRSIG A 7 2 3600 20131009150422 20130909150422 30602 sandia.gov. psOBfXIvGsNDNeSJQyGvRdo33ewhWmMrUxazO8n2/elAuyv9o58/TXKO O+D2NtjuqFcBg22oYm2Yj0zEBWmYl7QsjH5Ys1HJT3kfQUex9NeS9yvF iUA5mNeP9iynByZYDW5ySkunOgrpVz4T6VafEfZKrckj41Q4dVa71h8h ksSVRmhSE5WWM9qcs/emrssdSqLz9ea/UrylzZVtdrUxbDe7wYZ1SRli I5FKv8KLHY/XyY8mYRWD8dKx7VAdyOP3P2y5J12V5ueZkLYBuYKqFXdI Z2ZAG3X6pA1fEEkIRO1oAufMNtVkzQflgOVopuJVTwNd8IPgjqtpNSwZ 2JXNDg==
Sandia.gov. 3600 IN A 132.175.81.4
Sandia.gov. 3600 IN RRSIG NS 7 2 3600 20131009150422 20130909150422 30602 sandia.gov. 00A++N5y/op/NXmIeV3MSVKn+qOtpWkrGXxX+Z1xn/n+VXRiLsC0hSO2 AKf+WsdlQ8mfs3k91ez2ecYg/MTwjGkwy4ZGieuG4t7yLxKBC3yc9cXm 7VYKpFEvDZAJo/5pk8BjN2y8dzZ78vB1xt+vkBdpgFZe8L1SRCOLVtKz HuAIsG9g3WU1S6VIKog9kOECnSaQ5iTfKSbc7SgqY+1Qfk66DSpulELL 8TL8vlW8THgwqYLbJ/mgOvQ+6MmTzKR5ydeDc4/8W0SkQzQe6TYVFNLo sa4KLJxPKoCZ2eiulrvh2HD+usrLTMRs10jMCyORQAwgdRn3a8bjrMa4 11x+sQ==
Sandia.gov. 3600 IN NS ns1.ca.Sandia.gov.
Sandia.gov. 3600 IN NS ns2.ca.Sandia.gov.
Sandia.gov. 3600 IN NS ns9.Sandia.gov.
Sandia.gov. 3600 IN NS ns8.Sandia.gov.
Sandia.gov. 3600 IN RRSIG SOA 7 2 3600 20131027181002 20130927171002 30602 sandia.gov. OkmrnYqJU9TMCebksFWYaCPkd2UGZNL/z7rVm2YkbyBk+HpTZvQbF8DA lPUZFTLycHEjaGxlR7Gd/W2cYnkuIol9X7zq+/+KSd13CTLJBS2kbneZ vV98yzzNDNH56BoIEG6A8xTyaZ4sSyiO5rm2aJxoMpvypF9niKjIPcmn 74vsBRsTbWMxsAj4cwhz8K9T3EhzuD1DlS4TPivsWMyS7nWCVHQEK+0R fBNfWWbLRTREpGBF0FFSLewztbIhmCtHKhoWvreWoylfMiDXaEooImjx sVswO6AEO4nqjK7qGEak2P8nBzLpIzSnqgln2Bk/5/qfmfIkSmKz+4wo XVTYAg==

Whois


% DOTGOV WHOIS Server ready
   Domain Name: SANDIA.GOV
   Status: ACTIVE




Domain: 4fwhk.com

Received a few tips for this domain, 4fwhk.com, which is related to mmtac1.com.

IPtables:


iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFFFDFDF=0x05344657 && 0x2c&0xDFDFFFDF=0x484b0343 && 0x30&0xDFDFFFFF=0x4f4d0000" -j DROP -m comment --comment "DROP DNS Q 4fwhk.com"


More rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

Source:


Unknown


Name server:


4fwhk.com. 7200 IN NS ns3.mmtac1.com.
4fwhk.com. 7200 IN NS ns2.mmtac1.com.
4fwhk.com. 7200 IN NS ns1.mmtac1.com.
4fwhk.com. 7200 IN NS ns4.mmtac1.com.


Name servers 1-4 point to:

222.163.192.106
222.163.192.104


The name server domain looked familiar:

http://dnsamplificationattacks.blogspot.com/2013/09/domain-aammtac1com.html

Response:


257 records in the 121.122.157.x range

Whois


Domain: 4fwhk.com
Status: Protected

DNS:
        ns1.mmtac1.com
        ns2.mmtac1.com

Created: 2013-09-14 16:33:56
Expires: 2014-09-14 08:33:56
Last Modified: 2013-09-14 16:33:54

Registrant Contact:
        Hong Yuan
        yuan hong (asdf@gmail.com)
        No.236, Jingai Road
        Huaihu, Hunan, cn 418000
        P: +745.2714381 F: +0.0

Administrative Contact:
        Hong Yuan
        yuan hong (asdf@gmail.com)
        No.236, Jingai Road
        Huaihu, Hunan, cn 418000
        P: +745.2714381 F: +0.0

Technical Contact:
        Hong Yuan
        yuan hong (asdf@gmail.com)
        No.236, Jingai Road
        Huaihu, Hunan, cn 418000
        P: +745.2714381 F: +0.0

Billing Contact:
        Hong Yuan
        yuan hong (asdf@gmail.com)
        No.236, Jingai Road
        Huaihu, Hunan, cn 418000
        P: +745.2714381 F: +0.0


Domain: cmiui.com

Seen a scan for this domain yesterday. Query was for TXT.


IPtables:


iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x05434d49 && 0x2c&0xDFDFFFDF=0x55490343 && 0x30&0xDFDFFFFF=0x4f4d0000" -j DROP -m comment --comment "DROP DNS Q cmiui.com"

Source:


96.46.2.82 - AS19853 USONL-2 - US Online Sales, Inc.

Also seen this IP for:

16-Aug-2013 - bfhmm.com in TXT
19-Aug-2013 - bfhmm.com in AAAA

Name server:


cmiui.com. 1334 IN NS pdns03.domaincontrol.com.
cmiui.com. 1334 IN NS pdns04.domaincontrol.com.


Response:


TXT "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\""

Whois


Registrars.
Domain Name: CMIUI.COM
Registrar URL: http://www.godaddy.com
Updated Date: 2013-09-24 23:55:27
Creation Date: 2013-09-23 13:19:22
Registrar Expiration Date: 2014-09-23 13:19:22
Registrar: GoDaddy.com, LLC
Registrant Name: Peter Wang
Registrant Organization:
Registrant Street: No.10 Nanjing Rd, Huangpu DIST
Registrant City: Shanghai
Registrant State/Province: Shanghai
Registrant Postal Code: 200010
Registrant Country: China
Admin Name: Peter Wang
Admin Organization:
Admin Street: No.10 Nanjing Rd, Huangpu DIST
Admin City: Shanghai
Admin State/Province: Shanghai
Admin Postal Code: 200010
Admin Country: China
Admin Phone: +0.862065739586
Admin Fax:
Admin Email: jjhenteng@gmail.com
Tech Name: Peter Wang
Tech Organization:
Tech Street: No.10 Nanjing Rd, Huangpu DIST
Tech City: Shanghai
Tech State/Province: Shanghai
Tech Postal Code: 200010
Tech Country: China
Tech Phone: +0.862065739586
Tech Fax:
Tech Email: jjhenteng@gmail.com
Name Server: PDNS03.DOMAINCONTROL.COM
Name Server: PDNS04.DOMAINCONTROL.COM

Tuesday, September 24, 2013

Domain: grappyblog.com

Received a tip!

Source:

Not observed myself.

Response:

About 255 A records in the 204.46.43.x range.


IPtables rule:

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0a475241 && 0x2c&0xDFDFDFDF=0x50505942 && 0x30&0xDFDFDFFF=0x4c4f4703 && 0x34&0xDFDFDFFF=0x434f4d00" -j DROP -m comment --comment "DROP DNS Q grappyblog.com"

More rules here

Name servers:

grappyblog.com.         10720   IN      NS      a.dns.gandi.net.
grappyblog.com.         10720   IN      NS      c.dns.gandi.net.
grappyblog.com.         10720   IN      NS      b.dns.gandi.net.

;; ADDITIONAL SECTION:
b.dns.gandi.net.        86164   IN      A       217.70.184.40
c.dns.gandi.net.        86164   IN      A       217.70.182.20
c.dns.gandi.net.        86164   IN      AAAA    2001:4b98:c:521::20
a.dns.gandi.net.        86164   IN      AAAA    2604:3400:a::2
b.dns.gandi.net.        86164   IN      AAAA    2001:4b98:b:a::40
a.dns.gandi.net.        86164   IN      A       173.246.97.2

Whois:

domain: grappyblog.com
reg_created: 2013-06-13 09:30:21
expires: 2014-06-13 09:30:21
created: 2013-06-13 11:30:23
changed: 2013-09-22 14:52:54
transfer-prohibited: yes
ns0: a.dns.gandi.net
ns1: b.dns.gandi.net
ns2: c.dns.gandi.net
owner-c:
  nic-hdl: CKV4-GANDI
  organisation: ~
  person: charlotte karila vaillant
  obfuscated: Obfuscated by Gandi
  address: (Gandi) 63-65 boulevard Massena
  zipcode: (Gandi) 75013
  city: (Gandi) Paris
  country: (Gandi) France
  phone: (Gandi) +33.170377666
  fax: (Gandi) +33.143730576
  email: 7cbec7cb44a69cc598cc257f51c3604e-1728756@contact.gandi.net
  lastupdated: 2013-06-04 20:18:53
admin-c:
  nic-hdl: CKV4-GANDI
  organisation: ~
  person: charlotte karila vaillant
  obfuscated: Obfuscated by Gandi
  address: (Gandi) 63-65 boulevard Massena
  zipcode: (Gandi) 75013
  city: (Gandi) Paris
  country: (Gandi) France
  phone: (Gandi) +33.170377666
  fax: (Gandi) +33.143730576
  email: 7cbec7cb44a69cc598cc257f51c3604e-1728756@contact.gandi.net
  lastupdated: 2013-06-04 20:18:53
tech-c:
  nic-hdl: CKV4-GANDI
  organisation: ~
  person: charlotte karila vaillant
  obfuscated: Obfuscated by Gandi
  address: (Gandi) 63-65 boulevard Massena
  zipcode: (Gandi) 75013
  city: (Gandi) Paris
  country: (Gandi) France
  phone: (Gandi) +33.170377666
  fax: (Gandi) +33.143730576
  email: 7cbec7cb44a69cc598cc257f51c3604e-1728756@contact.gandi.net
  lastupdated: 2013-06-04 20:18:53
bill-c:
  nic-hdl: CKV4-GANDI
  organisation: ~
  person: charlotte karila vaillant
  obfuscated: Obfuscated by Gandi
  address: (Gandi) 63-65 boulevard Massena
  zipcode: (Gandi) 75013
  city: (Gandi) Paris
  country: (Gandi) France
  phone: (Gandi) +33.170377666
  fax: (Gandi) +33.143730576
  email: 7cbec7cb44a69cc598cc257f51c3604e-1728756@contact.gandi.net
  lastupdated: 2013-06-04 20:18:53

Monday, September 23, 2013

Domain: fkfkfkfa.com

Received a Tip for this domain

Source:

--

Response:

About 255 A records in the 204.46.43.x range.

IPtables rule:

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x08464b46 && 0x2c&0xDFDFDFDF=0x4b464b46 && 0x30&0xDFFFDFDF=0x4103434f" -j DROP -m comment --comment "DROP DNS Q fkfkfkfa.com"

More rules here

Name servers:

fkfkfkfa.com.           86400   IN      NS      ns2.fkfkfkfa.com.
fkfkfkfa.com.           86400   IN      NS      ns1.fkfkfkfa.com.

;; ADDITIONAL SECTION:
ns1.fkfkfkfa.com.       86400   IN      A       94.102.56.154
ns2.fkfkfkfa.com.       86400   IN      A       94.102.56.154

Whois:


http://www.networksolutions.com





Registrant:
Rattani, Altaf
   ATTN FKFKFKFA.COM
   care of Network Solutions
   PO Box 459
   Drums, PA.  US  18222


   Domain Name: FKFKFKFA.COM


   Administrative Contact, Technical Contact:
      Rattani, Altaf            nr25b87p72b@networksolutionsprivateregistration.com
      ATTN FKFKFKFA.COM
      care of Network Solutions
      PO Box 459
      Drums, PA 18222
      US
      570-708-8780


   Record expires on 22-Sep-2014.
   Record created on 22-Sep-2013.
   Database last updated on 23-Sep-2013 17:13:08 EDT.

   Domain servers in listed order:

   NS1.FKFKFKFA.COM             94.102.56.154
   NS2.FKFKFKFA.COM             94.102.56.153

This listing is a Network Solutions Private Registration. Mail
correspondence to this address must be sent via USPS Express Mail(TM) or
USPS Certified Mail(R); all other mail will not be processed. Be sure to
include the registrant's domain name in the address.


Domain: aa3247.com

Just observed a scan for this domain. No attacks just yet.

Source:

122.136.196.116 - AS4837 CHINA169-BACKBONE CNCGROUP

Response:

About 255 A records in the 182.156.202.x range.

IPtables rule:

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFFF=0x06414133 && 0x2c&0xFFFFFFFF=0x32343703 && 0x30&0xDFDFDFFF=0x434f4d00" -j DROP -m comment --comment "DROP DNS Q aa3247.com"

More rules here

Name servers:

aa3247.com.             7200    IN      NS      ns3.mmtac1.com.
aa3247.com.             7200    IN      NS      ns4.mmtac1.com.
aa3247.com.             7200    IN      NS      ns1.mmtac1.com.
aa3247.com.             7200    IN      NS      ns2.mmtac1.com.

;; ADDITIONAL SECTION:
ns3.mmtac1.com.         300     IN      A       222.163.192.106
ns2.mmtac1.com.         86400   IN      A       162.212.182.165
ns2.mmtac1.com.         86400   IN      A       162.212.182.66
ns2.mmtac1.com.         86400   IN      A       64.62.186.91
ns2.mmtac1.com.         86400   IN      A       222.163.192.106
ns1.mmtac1.com.         300     IN      A       222.163.192.106
ns1.mmtac1.com.         300     IN      A       222.163.192.104
ns4.mmtac1.com.         300     IN      A       222.163.192.106
ns4.mmtac1.com.         300     IN      A       222.163.192.104
ns3.mmtac1.com.         300     IN      A       222.163.192.104
ns2.mmtac1.com.         86400   IN      A       64.62.186.74
ns2.mmtac1.com.         86400   IN      A       222.163.192.104
ns2.mmtac1.com.         86400   IN      A       64.62.186.77

Whois:


Domain: aa3247.com
Status: Protected

DNS:
        ns1.mmtac1.com
        ns2.mmtac1.com

Created: 2013-09-14 16:33:55
Expires: 2014-09-14 08:33:55
Last Modified: 2013-09-14 16:33:54

Registrant Contact:
        Whoisprotection.cc
        Domain Admin  (reg_1358531@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

Administrative Contact:
        Whoisprotection.cc
        Domain Admin  (adm_1358531@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

Technical Contact:
        Whoisprotection.cc
        Domain Admin  (tec_1358531@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

Billing Contact:
        Whoisprotection.cc
        Domain Admin  (bil_1358531@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

Domain: d6991.com

From 3 or 4 sources I received tips about this domain. Funnily enough, I haven't seen this domain at all!

Thanks for all the tips, warm feeling :)

Well here it goes!

Source:

Not observed myself.


Response:

About 255 A records in the 121.100.152.x range.


IPtables rule:

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFFFFF=0x05443639 && 0x2c&0xFFFFFFDF=0x39310343 && 0x30&0xDFDFFFFF=0x4f4d0000" -j DROP -m comment --comment "DROP DNS Q d6991.com"

More rules here

Name servers:

d6991.com.              4354    IN      NS      ns2.mmtac1.com.
d6991.com.              4354    IN      NS      ns1.mmtac1.com.
d6991.com.              4354    IN      NS      ns3.mmtac1.com.
d6991.com.              4354    IN      NS      ns4.mmtac1.com.


Whois:


Domain: d6991.com
Status: Protected

DNS:
        ns1.mmtac1.com
        ns2.mmtac1.com

Created: 2013-09-14 16:33:56
Expires: 2014-09-14 08:33:55
Last Modified: 2013-09-14 16:33:54

Registrant Contact:
        Whoisprotection.cc
        Domain Admin  (reg_1358532@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

Administrative Contact:
        Whoisprotection.cc
        Domain Admin  (adm_1358532@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

Technical Contact:
        Whoisprotection.cc
        Domain Admin  (tec_1358532@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

Billing Contact:
        Whoisprotection.cc
        Domain Admin  (bil_1358532@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

Saturday, September 21, 2013

Domain: kiddy3233655.ru

Source:

Observed the first requests for this domain on September 21st from:

89.248.174.54 - Ecatel !


Response:

About 257 A records in the 204.46.43.x range.


IPtables rule:

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0c4b4944 && 0x2c&0xDFDFFFFF=0x44593332 && 0x30&0xFFFFFFFF=0x33333635 && 0x34&0xFFFFDFDF=0x35025255" -j DROP -m comment --comment "DROP DNS Q kiddy3233655.ru"

More rules here

Name servers:

kiddy3233655.ru.        43200   IN      NS      ns1.reg.ru.
kiddy3233655.ru.        43200   IN      NS      ns2.reg.ru.

;; ADDITIONAL SECTION:
ns1.reg.ru.             86399   IN      AAAA    2a00:f940::25
ns1.reg.ru.             86399   IN      A       31.31.205.39
ns2.reg.ru.             86399   IN      A       88.212.207.122
ns1.reg.ru.             86399   IN      A       31.31.204.37
ns2.reg.ru.             86399   IN      AAAA    2a00:f940::37
ns1.reg.ru.             86399   IN      A       31.31.205.55
ns1.reg.ru.             86399   IN      A       31.31.204.52
ns2.reg.ru.             86399   IN      A       144.76.40.132
ns2.reg.ru.             86399   IN      A       31.31.205.56
ns2.reg.ru.             86399   IN      A       198.100.149.22
ns1.reg.ru.             86399   IN      A       31.31.204.25
ns2.reg.ru.             86399   IN      A       31.31.205.74
ns1.reg.ru.             86399   IN      A       31.31.205.73


Whois:

domain:        KIDDY3233655.RU
nserver:       ns1.reg.ru.
nserver:       ns2.reg.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created:       2013.01.27
paid-till:     2014.01.27
free-date:     2014.02.27
source:        TCI

Last updated on 2013.09.22 00:56:37 MSK



Domain: aa.mmtac1.com


Source:

Observed the first requests for this domain on September 20th from:

122.136.196.117 - CNCGROUP China169 Backbone


Response:

About 257 A records in the 221.152.187.x range.


IPtables rule:

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFFF=0x02414106 && 0x2c&0xDFDFDFDF=0x4d4d5441 && 0x30&0xDFFFFFDF=0x43310343 && 0x34&0xDFDFFFFF=0x4f4d0000" -j DROP -m comment --comment "DROP DNS Q aa.mmtac1.com"

More rules here

Name servers:

mmtac1.com.             86395   IN      NS      ns2.mmtac1.com.
mmtac1.com.             86395   IN      NS      ns1.mmtac1.com.

;; ADDITIONAL SECTION:
ns2.mmtac1.com.         86395   IN      A       64.62.186.77
ns1.mmtac1.com.         86395   IN      A       222.163.192.106
ns2.mmtac1.com.         86395   IN      A       222.163.192.104
ns2.mmtac1.com.         86395   IN      A       64.62.186.74
ns2.mmtac1.com.         86395   IN      A       222.163.192.106
ns1.mmtac1.com.         86395   IN      A       222.163.192.104
ns1.mmtac1.com.         86395   IN      A       162.212.182.165
ns1.mmtac1.com.         86395   IN      A       64.62.186.77
ns1.mmtac1.com.         86395   IN      A       64.62.186.74
ns2.mmtac1.com.         86395   IN      A       162.212.182.165
ns1.mmtac1.com.         86395   IN      A       64.62.186.91
ns2.mmtac1.com.         86395   IN      A       64.62.186.91


Whois:

Domain: mmtac1.com
Status: Protected

DNS:
        ns1.mmtac1.com
        ns2.mmtac1.com

Created: 2013-09-14 16:33:54
Expires: 2014-09-14 08:33:54
Last Modified: 2013-09-14 16:33:54

Registrant Contact:
        Whoisprotection.cc
        Domain Admin  (reg_1358530@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

Administrative Contact:
        Whoisprotection.cc
        Domain Admin  (adm_1358530@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

Technical Contact:
        Whoisprotection.cc
        Domain Admin  (tec_1358530@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

Billing Contact:
        Whoisprotection.cc
        Domain Admin  (bil_1358530@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0


Domain: bitstress.com

Received a tip about this domain before I had the time to discover it in my log files. Thanks! :)

Source:

Observed the first requests for this domain on September 18th from:

80.82.65.204 - Ecatel


Response:

About 242 A records in the 204.46.43.x range.


IPtables rule:

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x09424954 && 0x2c&0xDFDFDFDF=0x53545245 && 0x30&0xDFDFDFDF=0x53530343 && 0x34&0xDFDFFFFF=0x4f4d0000" -j DROP -m comment --comment "DROP DNS Q bitstress.com"

More rules here

Name servers:

bitstress.com.          73670   IN      NS      ns2.bitstress.com.
bitstress.com.          73670   IN      NS      ns1.bitstress.com.

;; ADDITIONAL SECTION:
ns1.bitstress.com.      73670   IN      A       94.102.56.151
ns2.bitstress.com.      73670   IN      A       69.42.219.74


Whois:

Domain bitstress.com

Date Registered: 2013-9-16
Expiry Date: 2014-9-16

DNS1: ns1.bitstress.com
DNS2: ns2.bitstress.com

Registrant
    Fundacion Private Whois
    Domain Administrator
    Email:523780aed7qk26dt@5225b4d0pi3627q9.privatewhois.net
    Attn: bitstress.com
    Aptds. 0850-00056
    Zona 15 Panama
    Panama
    Tel: +507.65995877

Administrative Contact
    Fundacion Private Whois
    Domain Administrator
    Email:523780ae2ke1mbef@5225b4d0pi3627q9.privatewhois.net
    Attn: bitstress.com
    Aptds. 0850-00056
    Zona 15 Panama
    Panama
    Tel: +507.65995877

Technical Contact
    Fundacion Private Whois
    Domain Administrator
    Email:523780aen5ps83ng@5225b4d0pi3627q9.privatewhois.net
    Attn: bitstress.com
    Aptds. 0850-00056
    Zona 15 Panama
    Panama
    Tel: +507.65995877

Registrar: Internet.bs Corp.
Registrar's Website: http://www.internetbs.net/


Sunday, September 15, 2013

Domain: aa.asd3sc.com

Received a tip for the following domain: aa.asd3sc.com

Source:

I first observed this domain on September 13th, the same day I received a tip about it over email from a reader.

First seen from:

50x 122.136.196.117 - AS4837 CHINA169-BACKBONE CNCGROUP

Later seen from:

1x 93.174.93.96 - Ecatel !


Response:

About 300 A records in the 207.251.103.x range.


IPtables rule:

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFFF=0x02414106 && 0x2c&0xDFDFDFFF=0x41534433 && 0x30&0xDFDFFFDF=0x53430343 && 0x34&0xDFDFFFFF=0x4f4d0000" -j DROP -m comment --comment "DROP DNS Q aa.asd3sc.com"

More rules here

Name servers:

ns1.asd3sc.com


Whois:

Domain: asd3sc.com
Status: Protected

DNS:
        ns1.asd3sc.com
        ns2.asd3sc.com

Created: 2013-09-12 16:04:29
Expires: 2014-09-12 08:04:29
Last Modified: 2013-09-12 16:04:29

Registrant Contact:
        Hong Qun
        qun hong ()
        No.111, aihua Road 
        Huaihua, Hunan, cn 418000
        P: +745.2714381 F: +0.0

Administrative Contact:
        Hong Qun
        qun hong ()
        No.111, aihua Road 
        Huaihua, Hunan, cn 418000
        P: +745.2714381 F: +0.0

Technical Contact:
        Hong Qun
        qun hong ()
        No.111, aihua Road 
        Huaihua, Hunan, cn 418000
        P: +745.2714381 F: +0.0

Billing Contact:
        Hong Qun
        qun hong ()
        No.111, aihua Road 
        Huaihua, Hunan, cn 418000
        P: +745.2714381 F: +0.0

Thursday, September 12, 2013

Domain: xplodin.com

Observed a scan for this domain. No response yet; the scan came from the Ecatel range. Registered at Internet BS with WHOIS guard only a month or so ago. Suspicious, maybe?

Source:

80.82.65.204 - Ecatel AS 29073

First seen Sept 11

Response:

None yet... though the iptables rule below will match any query type.


IPtables rule:

This rule should match any type of query for this domain:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0758504c && 0x2c&0xDFDFDFDF=0x4f44494e && 0x30&0xFFDFDFDF=0x03434f4d" -j DROP -m comment --comment "DROP DNS Q xplodin.com"

More rules here

Name servers:

DNS1: ns1.xplodin.com
DNS2: ns2.xplodin.com


Whois:

Domain xplodin.com

Date Registered: 2013-6-28
Expiry Date: 2014-6-28

DNS1: ns1.xplodin.com
DNS2: ns2.xplodin.com

Registrant
    Fundacion Private Whois
    Domain Administrator
    Email:52308847s2zgfym4@5225b4d0pi3627q9.privatewhois.net
    Attn: xplodin.com
    Aptds. 0850-00056
    Zona 15 Panama
    Panama
    Tel: +507.65995877

Administrative Contact
    Fundacion Private Whois
    Domain Administrator
    Email:52308847ktnbfig6@5225b4d0pi3627q9.privatewhois.net
    Attn: xplodin.com
    Aptds. 0850-00056
    Zona 15 Panama
    Panama
    Tel: +507.65995877

Technical Contact
    Fundacion Private Whois
    Domain Administrator
    Email:52308847gwgwphk9@5225b4d0pi3627q9.privatewhois.net
    Attn: xplodin.com
    Aptds. 0850-00056
    Zona 15 Panama
    Panama
    Tel: +507.65995877

Registrar: Internet.bs Corp.
Registrar's Website: http://www.internetbs.net/