Saturday, June 22, 2013

Domain: mydnsscan.us

The domain name MyDnsScan.us made me think of DirectedAt.Asia.

After a quick comparison of the whois data, I see they have the same registrar (Internet.bs Corp). Perhaps it's a lead.

A definite link can be made between the two domains by looking at the 'Name Server:' entries in the whois data of MyDnsScan.Us: it lists ns1.directedat.asia and ns2.directedat.asia among its name servers.

The .asia domain is behind a whois privacy service (Fundacion Private Whois), but the MyDnsScan one has some contact details.

--- Directed at asia ---
    Domain ID:D2608645-ASIA
    Domain Name:DIRECTEDAT.ASIA
    Domain Create Date:12-Apr-2013 03:21:04 UTC
    Domain Expiration Date:12-Apr-2014 03:21:04 UTC
    Domain Last Updated Date:11-Jun-2013 20:50:05 UTC
    Last Transferred Date:
    Created by:Internet.bs Corp. R176-ASIA (814)
    Last Updated by Registrar:ASIA Registry R6-ASIA (9996)
    Sponsoring Registrar:Internet.bs Corp. R176-ASIA (814)
    Domain Status:CLIENT TRANSFER PROHIBITED
    Registrant ID:INTE9l5othfpmebj
    Registrant Name:Domain Administrator
    Registrant Organization:Fundacion Private Whois
    Registrant Address:
    Attn: directedat.asia
    Registrant Address2:Aptds. 0850-00056
    Registrant Address3:
    Registrant City:Panama
    Registrant State/Province:
    Registrant Country/Economy:PA
    Registrant Postal Code:Zona 15
    Registrant Phone:+507.65995877

source: http://whois.domaintools.com/directedat.asia

--- My DNS Scan US ---

    Domain Name:    MYDNSSCAN.US
    Domain ID:      D40566976-US
    Sponsoring Registrar:    INTERNET.BS CORP.
    Sponsoring Registrar IANA ID:                814
    Registrar URL (registration services):       http://www.internet.bs
    Domain Status:                               clientTransferProhibited
    Registrant ID:                               INTESKAXRHT1B2G3
    Registrant Name:                             Herman Singh
    Registrant Address1:                         9049 180th St
    Registrant City:                             Jamaica
    Registrant Postal Code:                      11432
    Registrant Country:                          United States
    Registrant Country Code:                     US
    Registrant Phone Number:                     +1.5267675
    Registrant Email:                            hermansinghs@gmail.com
<snip>
    Name Server:   NS-UK.TOPDNS.COM
    Name Server:   NS-USA.TOPDNS.COM
    Name Server:   NS-CANADA.TOPDNS.COM
    Name Server:   NS2.MYDNSSCAN.US
    Name Server:   NS1.MYDNSSCAN.US
    Name Server:   NS3.MYDNSSCAN.US
    Name Server:   NS4.MYDNSSCAN.US
    Name Server:   NS1.DIRECTEDAT.ASIA
    Name Server:   NS2.DIRECTEDAT.ASIA
    Created by Registrar:     INTERNET.BS CORP.
    Last Updated by Registrar:  INTERNET.BS CORP.
    Domain Registration Date:   Thu May 23 20:58:15 GMT 2013
    Domain Expiration Date:     Thu May 22 23:59:59 GMT 2014
    Domain Last Updated Date:   Fri Jun 21 12:23:35 GMT 2013

source: http://whois.domaintools.com/mydnsscan.us


Since June 7th I've seen a few different IPs, but all in very, very low amounts, the same as directedat.asia, which will do only about one an hour.

At the moment MyDnsScan.us is using the following two name servers:

    mydnsscan.us. 14400 IN NS ns1.mydnsscan.us.
    mydnsscan.us. 14400 IN NS ns2.mydnsscan.us.

UPDATE: 23/06/2013

Just seen requests for dd0s.asia. This domain is registered at the same registrar and has the same IP range in its response. The name server IPs also show similarities.

----------------
<snip>
    dd0s.asia. 3600 IN A 172.33.43.37
    dd0s.asia. 3600 IN A 172.33.43.7
    dd0s.asia. 3600 IN A 172.33.43.38
    dd0s.asia. 3600 IN A 172.33.43.63
    dd0s.asia. 3600 IN A 172.33.43.6
    dd0s.asia. 3600 IN A 172.33.43.48
    dd0s.asia. 3600 IN A 172.33.43.54
    dd0s.asia. 3600 IN A 172.33.43.68
    dd0s.asia. 3600 IN A 172.33.43.43
    dd0s.asia. 3600 IN A 172.33.43.3
    dd0s.asia. 3600 IN A 172.33.43.32
    dd0s.asia. 3600 IN A 172.33.43.26
<snip>
------------------
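The A-record sets above are what make these domains useful for amplification: a few dozen bytes of spoofed query pull back an answer that grows by 16 bytes per compressed A record. The script below is an added example, not code from the original post, that builds the query and the answer on the wire with only the Python standard library and reports the byte ratio, together with the check a practitioner wants: whether the answer still fits the UDP payload size the query advertised (512 bytes without EDNS0; 4096 is assumed here), since a compliant server truncates past that and the reflected traffic is capped at the advertised size. The dd0s.asia addresses are the twelve quoted above; the 244 addresses for 1rip.com are constructed to match the count and the 204.46.43.0/24 range reported later in the post.

```python
import struct
from typing import List, Optional

# The twelve dd0s.asia A records quoted in this post.
DD0S_ADDRS = [
    "172.33.43.37", "172.33.43.7", "172.33.43.38", "172.33.43.63",
    "172.33.43.6", "172.33.43.48", "172.33.43.54", "172.33.43.68",
    "172.33.43.43", "172.33.43.3", "172.33.43.32", "172.33.43.26",
]
# Constructed stand-in for the 244-address 1rip.com answer: the post gives only the
# count and the 204.46.43.0/24 range, not the individual addresses.
ONERIP_ADDRS = [f"204.46.43.{i}" for i in range(1, 245)]


def encode_name(name: str) -> bytes:
    """Wire-format a name as length-prefixed labels followed by the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, edns_bufsize: Optional[int] = 4096) -> bytes:
    """A query for qname; with EDNS0, an OPT record advertises the UDP payload size."""
    arcount = 1 if edns_bufsize else 0
    pkt = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)  # ID, flags (RD), counts
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    if edns_bufsize:
        # OPT pseudo-RR: root name, TYPE=41, CLASS=payload size, TTL=0, RDLENGTH=0 (11 bytes)
        pkt += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return pkt


def build_response(qname: str, addrs: List[str], ttl: int = 3600) -> bytes:
    """Answer with one A RR per address; the owner name is a pointer (0xC00C) to the question."""
    pkt = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA set
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)
    for a in addrs:
        rdata = bytes(int(octet) for octet in a.split("."))
        pkt += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata    # 16 bytes per A RR
    return pkt


def amplification(qname: str, addrs: List[str], edns_bufsize: Optional[int] = 4096) -> dict:
    """Bytes in versus bytes out. If the answer exceeds the advertised payload size (512
    without EDNS0) a compliant server truncates and sets TC, so UDP reflection is capped
    at that size rather than the full answer."""
    q, r = build_query(qname, edns_bufsize), build_response(qname, addrs)
    limit = edns_bufsize or 512
    return {"query_bytes": len(q), "response_bytes": len(r),
            "factor": round(len(r) / len(q), 1), "truncated": len(r) > limit}


if __name__ == "__main__":
    for name, addrs in (("dd0s.asia", DD0S_ADDRS), ("1rip.com", ONERIP_ADDRS)):
        print(name, "EDNS 4096:", amplification(name, addrs))
        print(name, "no EDNS:  ", amplification(name, addrs, None))
```

With the twelve dd0s.asia records the answer is 219 bytes against a 38-byte query (about 5.8x); with 244 records the constructed 1rip.com answer is 3930 bytes (about 106x) and still fits a 4096-byte EDNS buffer, which is why the attacker needs EDNS0-capable resolvers and why large A-record sets, rather than a single record, are what these domains are set up with.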

Whois info:

    Domain ID:D2709804-ASIA
    Domain Name:DD0S.ASIA
    Domain Create Date:23-Jun-2013 01:38:11 UTC
    Domain Expiration Date:23-Jun-2014 01:38:11 UTC
    Domain Last Updated Date:23-Jun-2013 01:51:33 UTC
    Last Transferred Date:
    Created by:Internet.bs Corp. R176-ASIA (814)
    Last Updated by Registrar:Internet.bs Corp. R176-ASIA (814)
    Sponsoring Registrar:Internet.bs Corp. R176-ASIA (814)
    Domain Status:CLIENT TRANSFER PROHIBITED
    Domain Status:TRANSFER PROHIBITED
    Status:ADDPERIOD
    Registrant ID:INTEfa270xohhrs2
    Registrant Name:Domain Administrator
    Registrant Organization:Fundacion Private Whois
    Registrant Address:
    Attn: dd0s.asia
    Registrant Address2:Aptds. 0850-00056
    Registrant Address3:
    Registrant City:Panama
    Registrant State/Province:
    Registrant Country/Economy:PA
    Registrant Postal Code:Zona 15
    Registrant Phone:+507.65995877

Name servers:

The domains DirectedAt.Asia and Dd0s.Asia are using the same Name Server IPs:


    ns1.dd0s.asia. 3600 IN A 74.91.18.226
    ns2.dd0s.asia. 3600 IN A 74.91.18.226

    ns1.directedat.asia. 53633 IN A 74.91.18.226
    ns2.directedat.asia. 53633 IN A 74.91.18.226


UPDATE 26/06/2013

Just seen activity for 1rip.com. The response contains 244 IPs in the 204.46.43.0/24 range. It uses the same name servers as the above-mentioned domains.

    Domain: 1rip.com
    Date Registered: 2013-06-26
    Expiry Date: 2014-06-26
    DNS1: ns1.1rip.com
    DNS2: ns2.1rip.com
    Registrant: Fundacion Private Whois
                Domain Administrator
                Email:
                Attn: 1rip.com
                Aptds. 0850-00056
                Zona 15 Panama
                Panama
                Tel: +507.65995877

    Registrar: Internet.bs Corp.

Name servers:

    ns1.1rip.com. 78501 IN A 74.91.18.226
    ns2.1rip.com. 78501 IN A 74.91.18.226
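Linking these domains is done by hand in this post; the script below is an added example (not the author's tooling) that performs the same pivot mechanically over the indicators quoted here: shared name-server hostnames, shared name-server IPs, registrar, and registrant phone. It separates strong indicators (infrastructure the operator had to provision, such as the 74.91.18.226 name server) from weak ones (Internet.bs is a bulk registrar, and +507.65995877 is the Fundacion Private Whois proxy's number, so every privacy-protected domain there shares it), and reports clusters for each. The record table is transcribed from the whois and dig output in this post, including the anonsc.com, scandns.tk and xcqv.de entries that appear later; fields the post does not give are left empty rather than guessed.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Sequence, Set, Tuple

# Transcribed from the whois and dig output quoted in this post (June 2013).
# Empty fields are ones the post does not give; nothing here is guessed.
RECORDS: Dict[str, dict] = {
    "directedat.asia": {"registrar": "Internet.bs Corp.", "reg_phone": "+507.65995877",
                        "ns": {"ns1.directedat.asia", "ns2.directedat.asia"},
                        "ns_ip": {"74.91.18.226"}},
    # Whois lists directedat.asia name servers for mydnsscan.us, as quoted above.
    "mydnsscan.us": {"registrar": "Internet.bs Corp.", "reg_phone": "+1.5267675",
                     "ns": {"NS1.MYDNSSCAN.US", "NS2.MYDNSSCAN.US",
                            "NS1.DIRECTEDAT.ASIA", "NS2.DIRECTEDAT.ASIA"},
                     "ns_ip": set()},
    "dd0s.asia": {"registrar": "Internet.bs Corp.", "reg_phone": "+507.65995877",
                  "ns": {"ns1.dd0s.asia", "ns2.dd0s.asia"}, "ns_ip": {"74.91.18.226"}},
    "1rip.com": {"registrar": "Internet.bs Corp.", "reg_phone": "+507.65995877",
                 "ns": {"ns1.1rip.com", "ns2.1rip.com"}, "ns_ip": {"74.91.18.226"}},
    "anonsc.com": {"registrar": "Internet.bs Corp.", "reg_phone": "+507.65995877",
                   "ns": {"ns3.anonsc.com", "ns4.anonsc.com"}, "ns_ip": {"89.221.247.170"}},
    # Dot TK whois shows the registry's own contact, not a registrant, so no phone is recorded.
    "scandns.tk": {"registrar": "BV Dot TK", "reg_phone": None,
                   "ns": {"ns1.cloudns.net", "ns2.cloudns.net",
                          "ns3.cloudns.net", "ns4.cloudns.net"},
                   "ns_ip": set()},
    # DENIC output shows only a registrar Tech-C role account, so registrar and phone are left out.
    "xcqv.de": {"registrar": None, "reg_phone": None,
                "ns": {"ns.inwx.de", "ns2.inwx.de", "ns3.inwx.eu", "ns4.inwx.com", "ns5.inwx.net"},
                "ns_ip": set()},
}

# Strong: infrastructure the operator provisioned. Weak: anyone at the same bulk registrar
# or behind the same whois-privacy proxy (the +507 number is the proxy's) shares it.
STRONG: Tuple[str, ...] = ("ns", "ns_ip")
WEAK: Tuple[str, ...] = ("registrar", "reg_phone")


def indicators(rec: dict, kinds: Sequence[str]) -> Set[Tuple[str, str]]:
    """(kind, value) pairs for the chosen indicator kinds, lower-cased so that whois
    (upper-case) and dig (lower-case) spellings of a hostname match."""
    out: Set[Tuple[str, str]] = set()
    for kind in kinds:
        value = rec.get(kind)
        if not value:
            continue
        for v in (value if isinstance(value, set) else {value}):
            out.add((kind, v.lower()))
    return out


def cluster(records: Dict[str, dict], kinds: Sequence[str]) -> List[FrozenSet[str]]:
    """Union-find over domains: two domains join a cluster when they share any indicator."""
    parent = {d: d for d in records}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_indicator: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for domain, rec in records.items():
        for ind in indicators(rec, kinds):
            by_indicator[ind].add(domain)
    for domains in by_indicator.values():
        head = next(iter(domains))
        for d in domains:
            parent[find(d)] = find(head)
    groups: Dict[str, Set[str]] = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: (-len(g), sorted(g)))


def shared(records: Dict[str, dict], a: str, b: str, kinds: Sequence[str] = STRONG + WEAK):
    """The indicators two domains have in common, to show why they were linked."""
    return indicators(records[a], kinds) & indicators(records[b], kinds)


if __name__ == "__main__":
    print("strong-indicator clusters:", [sorted(g) for g in cluster(RECORDS, STRONG)])
    print("strong+weak clusters:     ", [sorted(g) for g in cluster(RECORDS, STRONG + WEAK)])
    print("dd0s.asia vs 1rip.com:    ", shared(RECORDS, "dd0s.asia", "1rip.com"))
```

On strong indicators alone the script groups directedat.asia, dd0s.asia, 1rip.com and mydnsscan.us (the first three through 74.91.18.226, the last through the directedat.asia name-server hostnames in its whois) and leaves anonsc.com, scandns.tk and xcqv.de on their own; adding the weak indicators pulls anonsc.com in only because of the shared registrar and proxy, which is the kind of link that needs corroboration from traffic, as the post does with the source IP that also queried Nukes.DirectedAt.Asia.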


Update 28/06/2013

One new day, two new domains. This time it is ScanDns.tk and Xcqv.de, and I have enough reason to believe this is the same guy as DirectedAt.Asia above.


Whois details ScanDns.Tk:

    Domain name:      SCANDNS.TK
    Organisation:     BV Dot TK
                      Dot TK administrator
                      P.O. Box 11774
                      1001 GT Amsterdam
                      Netherlands
    Phone: +31 20 5315725
    Fax: +31 20 5315721
    E-mail (abuse):
    E-mail (copyright infringement):



The Dot TK whois only shows the registry's own contact details, so there is no registrant data to pivot on here.

Returns 1350 A records, with first octets ranging from 1 to 223.

    scandns.tk. 2181 IN NS ns1.cloudns.net.
    scandns.tk. 2181 IN NS ns2.cloudns.net.
    scandns.tk. 2181 IN NS ns3.cloudns.net.
    scandns.tk. 2181 IN NS ns4.cloudns.net.

-----------------------------------------------------------------------

Whois details xcqv.de:
Domain: xcqv.de
Nserver: ns.inwx.de
Nserver: ns2.inwx.de
Nserver: ns3.inwx.eu
Nserver: ns4.inwx.com
Nserver: ns5.inwx.net
Status: connect
Changed: 2013-06-27T22:37:52+02:00

[Tech-C]
Type: ROLE
Name: Hostmaster Of The Day
Organisation: InterNetworX Ltd. & Co. KG
Address: Tempelhofer Damm 140
PostalCode: 12099
City: Berlin
CountryCode: DE
Phone: +49.180.3730000
Phone: +49.30.66400137
Fax: +49.30.66400138
Email:
Remarks: role account for Hostmaster of the Day
Changed: 2009-01-07T16:28:43+01:00

Returns 501 A records in the 178.100.0.0/16 range.


Name servers:

    xcqv.de. 20837 IN NS ns2.inwx.de.
    xcqv.de. 20837 IN NS ns5.inwx.net.
    xcqv.de. 20837 IN NS ns4.inwx.com.
    xcqv.de. 20837 IN NS ns.inwx.de.
    xcqv.de. 20837 IN NS ns3.inwx.eu.


Update 07/07/2013


New domain and new sub-domain:



formality.directedat.asia returns 511 A records in the 172.33.43.0/24 and 172.33.44.0/24 ranges.

--------------

AnonSc.com returns 511 A records in the 172.33.43.0/24 and 172.33.44.0/24 ranges.

I have seen the AnonSc.com domain only once. That same source IP also requested Nukes.DirectedAt.Asia once, on the 25th of June.

Name servers:

    anonsc.com. 86400 IN NS ns3.anonsc.com.
    anonsc.com. 86400 IN NS ns4.anonsc.com.

    ns3.anonsc.com. 86400 IN A 89.221.247.170
    ns4.anonsc.com. 86400 IN A 89.221.247.170

SOA:

    anonsc.com. 77002 IN SOA ns3.anonsc.com. shit.anonsc.com. (
                    2053191001 ; serial
                    86400      ; refresh (1 day)
                    7200       ; retry (2 hours)
                    3600000    ; expire (5 weeks 6 days 16 hours)
                    86400      ; minimum (1 day)
                    )


Whois:

    Technical Contact
        Fundacion Private Whois
        Domain Administrator
        Email:
        Attn: anonsc.com
        Aptds. 0850-00056
        Zona 15 Panama
        Panama
        Tel: +507.65995877

    Registrar: Internet.bs Corp.

source: http://whois.domaintools.com/anonsc.com




7 comments:

  1. The fact that all of these domains are registered with Internet.bs is more due to its status as a safe harbor for domains used by spammers, malware peddlers, phishers, and other scum. They are almost completely unresponsive to abuse reports and every lowlife knows this, which is why you see all of these domains registered there. It's not necessarily indicative of the same person or group being behind these domains.

     Replies
     1. This is true, but I also base it on the fact that a couple of these domains use(d) the same Name Server IPs and the initial requests often came from the same IP ranges or even the same hosts. Got any more information to share on the Internet.bs registrar?

  2. My backdoor connection to my place of work is getting DoS'ed pretty much with UDP DNS queries for A Record mydnsscan.us and A Record 1rip.com. My backdoor connection isn't too great but this traffic is managing to cause many more connection problems. Really annoying :( I am sometimes getting hit by 3 different addresses out there at the same time.

     Replies
     1. 'sometimes getting hit by 3 different addresses out there at the same time'

        Do you mean IPs or domains?

        If it is IPs then perhaps you are actually running a DNS server on that line..

     2. I mean IPs.

        This connection ran a DNS server until the other day. I closed it down and I'm now dropping inbound packets on port 53. The firewall is still getting hit hard, but is no longer replying.

        By 3 different addresses I mean that I have 3 unique IPs sending hundreds of thousands of DNS queries for mydnsscan.us or 1rip.com at one point in time.

  3. I am being hit by a very big and distributed UDP attack and all I see in the .cap is anonsc.com
     .cap file:
     www.helbreathnemesis.com/downloads/11.rar

     Replies
     1. Hi calu, thanks for the pcap.
        I will look further into this, but you have been hit by at least two types of attack. The majority is a Chargen attack, and there is also some traffic related to DNS amplification.
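The second comment thread above describes the reflector side of this: a DNS server on a home line receiving hundreds of thousands of queries for mydnsscan.us and 1rip.com from three "source" IPs, which on a reflector are the spoofed victims. The script below is an added example, not from the post or its commenters, that runs that detection over resolver query logs: it parses BIND 9.9-style querylog lines (the format is an assumption; adjust the regex for your server), flags any source that hammers a tiny set of names at a high rate, and separately flags any query for the domains tracked in this post. The log lines are constructed for the example, with the flood source set to the documentation address 198.51.100.7 and an ordinary client at 203.0.113.9.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample in BIND 9.9 querylog style (format assumed; adjust LINE for your
# resolver). 198.51.100.7 plays the spoofed victim seen as the "client"; 203.0.113.9 is
# a normal client. Source ports are ignored by the detection.
SAMPLE_LOG = [
    "21-Jun-2013 12:00:00.104 client 198.51.100.7#53: query: mydnsscan.us IN A +E (192.0.2.53)",
    "21-Jun-2013 12:00:00.171 client 198.51.100.7#53: query: mydnsscan.us IN A +E (192.0.2.53)",
    "21-Jun-2013 12:00:00.233 client 198.51.100.7#53: query: mydnsscan.us IN A +E (192.0.2.53)",
    "21-Jun-2013 12:00:00.298 client 198.51.100.7#53: query: mydnsscan.us IN A +E (192.0.2.53)",
    "21-Jun-2013 12:00:00.360 client 198.51.100.7#53: query: mydnsscan.us IN A +E (192.0.2.53)",
    "21-Jun-2013 12:00:00.421 client 198.51.100.7#53: query: mydnsscan.us IN A +E (192.0.2.53)",
    "21-Jun-2013 12:00:00.488 client 198.51.100.7#53: query: 1rip.com IN A +E (192.0.2.53)",
    "21-Jun-2013 12:00:00.551 client 198.51.100.7#53: query: 1rip.com IN A +E (192.0.2.53)",
    "21-Jun-2013 12:00:00.900 client 203.0.113.9#41022: query: www.example.org IN A + (192.0.2.53)",
    "21-Jun-2013 12:00:01.005 client 203.0.113.9#41023: query: mail.example.org IN MX + (192.0.2.53)",
]

LINE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<src>[0-9a-fA-F.:]+)#\d+: query: "
                  r"(?P<qname>\S+) IN (?P<qtype>\S+)")

# The amplification domains tracked in this post; any query for them deserves a look.
WATCHLIST = {"mydnsscan.us", "1rip.com", "dd0s.asia", "directedat.asia",
             "anonsc.com", "scandns.tk", "xcqv.de"}


def parse(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, source IP, qname, qtype); lines that do not match are skipped."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        yield ts, m["src"], m["qname"].lower().rstrip("."), m["qtype"]


def find_reflection(lines: Iterable[str], min_qps: float = 5.0, max_distinct: int = 3) -> List[Dict]:
    """Flag (source, qname) pairs where one source hammers a tiny set of names at a high
    rate (a burst), plus any query for a watchlisted name. On a resolver the 'source' is
    the spoofed victim and the count is how much traffic was reflected at it."""
    count: Counter = Counter()
    first: Dict[Tuple[str, str], datetime] = {}
    last: Dict[Tuple[str, str], datetime] = {}
    names = defaultdict(set)
    for ts, src, qname, _ in parse(lines):
        key = (src, qname)
        count[key] += 1
        first.setdefault(key, ts)
        last[key] = ts
        names[src].add(qname)
    hits = []
    for (src, qname), n in count.items():
        # Rate over the observed span, floored at one second so a sub-second burst is not inflated.
        span = max(1.0, (last[(src, qname)] - first[(src, qname)]).total_seconds())
        qps = n / span
        burst = qps >= min_qps and len(names[src]) <= max_distinct
        if burst or qname in WATCHLIST:
            hits.append({"src": src, "qname": qname, "queries": n, "qps": round(qps, 1),
                         "burst": burst, "watchlisted": qname in WATCHLIST})
    return sorted(hits, key=lambda h: (-h["queries"], h["src"], h["qname"]))


if __name__ == "__main__":
    for hit in find_reflection(SAMPLE_LOG):
        print(hit)
```

The thresholds here are deliberately low so the ten constructed lines trigger; on a real resolver the commenters' "hundreds of thousands of queries" from three IPs would stand out at any sane threshold, and the per-source distinct-name count is what separates a reflection victim (one or two names, thousands of queries) from a busy but legitimate client. The fix the commenter applied, dropping inbound port 53 from the Internet, is the right one for a resolver that was never meant to be open.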