Monday, February 10, 2014

Domain: sheshows.com

If you are seeing queries for this domain, then you are likely participating in DNS Amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDOS-ed! Good luck.

IPtables:

There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x08534845 && 0x2c&0xDFDFDFDF=0x53484f57 && 0x30&0xDFFFDFDF=0x5303434f && 0x34&0xDFFF0000=0x4d000000" -j DROP -m comment --comment "DROP DNS Q sheshows.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|0873686573686f777303636f6d00|' -j DROP -m comment --comment "DROP DNS Q sheshows.com"

More iptables rules for the STRING module can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
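The hex constants in the u32 rule above are derived mechanically from the DNS wire form of the name (length-prefixed labels, with the 0x20 bit masked off letters so the match is case-insensitive). The following Python is an added example, not code from the original post or the smurfmonitor repository: it generates both the u32 expression and the string-module arguments for any name and evaluates the u32 expression against a constructed query packet. It assumes the same 40-byte offset as the rule (20-byte IPv4 header without options, 8-byte UDP header, 12-byte DNS header), so a query carrying IP options would not be matched.

```python
import struct

def encode_qname(name):
    """DNS wire form of a name: length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def u32_match(name, dns_offset=40):
    """iptables -m u32 expression for a query naming `name` (letters case-insensitive).
    dns_offset 40 = 20-byte IPv4 header without options + 8 UDP + 12 DNS header."""
    wire, tests = encode_qname(name), []
    for i in range(0, len(wire), 4):          # one 32-bit test per 4 bytes of the name
        mask = value = 0
        for j in range(4):
            b = wire[i + j] if i + j < len(wire) else None
            if b is None:                      # past the end of the name: don't care
                m, v = 0x00, 0x00
            elif 0x41 <= (b & 0xDF) <= 0x5A:   # ASCII letter: ignore the 0x20 case bit
                m, v = 0xDF, b & 0xDF
            else:                              # length byte, digit, hyphen, terminator
                m, v = 0xFF, b
            mask, value = (mask << 8) | m, (value << 8) | v
        tests.append(f"0x{dns_offset + i:x}&0x{mask:08X}=0x{value:08x}")
    return " && ".join(tests)

def string_match(name, dns_offset=40):
    """Equivalent -m string arguments; exact bytes, so this form is case-sensitive."""
    wire = encode_qname(name)
    return (f"--from {dns_offset} --to {dns_offset + len(wire)} "
            f"--algo bm --hex-string '|{wire.hex()}|'")

def u32_matches(packet, expr):
    """Evaluate 'off&mask=val && ...' the way the u32 module does, on raw IPv4 bytes."""
    for test in expr.split(" && "):
        off, rest = test.split("&", 1)
        mask, val = rest.split("=")
        word = struct.unpack_from("!I", packet, int(off, 16))[0]
        if word & int(mask, 16) != int(val, 16):
            return False
    return True

def build_query(name, txid=0x1234):
    """Constructed IPv4+UDP+DNS 'A' query (minimal headers, zero checksums) for testing."""
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_qname(name) + b"\x00\x01\x00\x01"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")   # constructed addresses
    return ip + udp
```

`u32_match("sheshows.com")` reproduces the four tests of the rule above exactly, and a query for SHESHOWS.COM in upper case still matches, while the string-module form only matches the exact lower-case bytes.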

Source:

40.187.114.250

Name server:

;; ANSWER SECTION:
sheshows.com. 598 IN NS safe.qycn.cn.
sheshows.com. 598 IN NS safe.qycn.com.
sheshows.com. 598 IN NS safe.qycn.org.
sheshows.com. 598 IN NS safe.qycn.net.


Response:

A 1
Rsize 46


Whois

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: SHESHOWS.COM
Registrar: THREADTRADE.COM, INC
Whois Server: whois.yourjungle.com
Referral URL: http://secure.bellnames.com
Name Server: SAFE.QYCN.CN
Name Server: SAFE.QYCN.COM
Status: ok
Updated Date: 10-feb-2014
Creation Date: 29-dec-2013
Expiration Date: 29-dec-2014

>>> Last update of whois database: Tue, 11 Feb 2014 00:12:17 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Domain Name: SHESHOWS.COM

Registrant:
registrant_org:
registrant_name: lirong shi
registrant_email: gl@beianX.com
registrant_address: beijing
registrant_city: beijing
registrant_state: beijing
registrant_zip: 100100
registrant_country: CN
registrant_phone:

Administrative Contact:
admin_org:
admin_name: lirong shi
admin_email: gl@beianX.com
admin_address: beijing
admin_city: beijing
admin_state: beijing
admin_zip: 100100
admin_country: CN
admin_phone:

Technical Contact:
tech_org:
tech_name: lirong shi
tech_email: gl@beianX.com
tech_address: beijing
tech_city: beijing
tech_state: beijing
tech_zip: 100100
tech_country: CN
tech_phone:

Billing Contact:
bill_org:
bill_name: lirong shi
bill_email: gl@beianX.com
bill_address: beijing
bill_city: beijing
bill_state: beijing
bill_zip: 100100
bill_country: CN
bill_phone:

Creation Date: 2013-12-29
Expiration Date: 2014-12-29
Name Servers:
SAFE.QYCN.CN
SAFE.QYCN.COM