Tuesday, November 25, 2014

Domain: non.digmehl.cu.cc

Domain: non.digmehl.cu.cc

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x034e4f4e && 0x2c&0xFFDFDFDF=0x07444947 && 0x30&0xDFDFDFDF=0x4d45484c && 0x34&0xFFDFDFFF=0x02435502 && 0x38&0xDFDFFF00=0x43430000" -j DROP -m comment --comment "DROP DNS Q non.digmehl.cu.cc"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 59 --algo bm --hex-string '|036e6f6e076469676d65686c02637502636300|' -j DROP -m comment --comment "DROP DNS Q non.digmehl.cu.cc"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
digmehl.cu.cc. 21599 IN NS ken.ns.cloudflare.com.
digmehl.cu.cc. 21599 IN NS chan.ns.cloudflare.com.


Response:


TXT 1
Rsize 4095


Whois



Whois Server Version 2.0

Domain names can now be registered with many different competing registrars.
Go to http://registrar.verisign-grs.com/whois/ for detailed information.

No match for "DIGMEHL.CU.CC".

>>> Last update of whois database: 2014-11-25T22:25:55Z <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the
expiration date of the domain name registrant's agreement with the
sponsoring registrar. Users may consult the sponsoring registrar's
Whois database to view the registrar's reported date of expiration
for this registration.


The Registry database contains ONLY .cc, .tv, and .jobs domains
and Registrars.



Domain: freeinfosys.com

Domain: freeinfosys.com

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0b465245 && 0x2c&0xDFDFDFDF=0x45494e46 && 0x30&0xDFDFDFDF=0x4f535953 && 0x34&0xFFDFDFDF=0x03434f4d && 0x38&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q freeinfosys.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 57 --algo bm --hex-string '|0B66726565696e666f73797303636f6d00|' -j DROP -m comment --comment "DROP DNS Q freeinfosys.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
freeinfosys.com. 3599 IN NS ns77.domaincontrol.com.
freeinfosys.com. 3599 IN NS ns78.domaincontrol.com.


Response:


A 5
MX 2
NS 2
SOA 1
TXT 7
Rsize 3125


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: FREEINFOSYS.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS77.DOMAINCONTROL.COM
Name Server: NS78.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 25-nov-2014
Creation Date: 25-nov-2014
Expiration Date: 25-nov-2015

>>> Last update of whois database: Tue, 25 Nov 2014 22:14:51 GMT <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: FREEINFOSYS.COM
Registry Domain ID: 1887105896_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-11-25 10:07:51
Creation Date: 2014-11-25 10:03:07
Registrar Registration Expiration Date: 2015-11-25 10:03:07
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Ludwig Rhys
Registrant Organization:
Registrant Street: 3796 N Yosemite St
Registrant City: Parkville
Registrant State/Province: MD
Registrant Postal Code: 21267
Registrant Country: China
Registrant Phone: +86.4108394461
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dt22888@126.com
Registry Admin ID:
Admin Name: Ludwig Rhys
Admin Organization:
Admin Street: 3796 N Yosemite St
Admin City: Parkville
Admin State/Province: MD
Admin Postal Code: 21267
Admin Country: China
Admin Phone: +86.4108394461
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: dt22888@126.com
Registry Tech ID:
Tech Name: Ludwig Rhys
Tech Organization:
Tech Street: 3796 N Yosemite St
Tech City: Parkville
Tech State/Province: MD
Tech Postal Code: 21267
Tech Country: China
Tech Phone: +86.4108394461
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: dt22888@126.com
Name Server: NS77.DOMAINCONTROL.COM
Name Server: NS78.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-11-25T22:00:00Z

The data contained in GoDaddy.com, LLC's WhoIs database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose is expressly forbidden without the prior written
permission of GoDaddy.com, LLC. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty. In particular,
you agree not to use this data to allow, enable, or otherwise make possible,
dissemination or collection of this data, in part or in its entirety, for any
purpose, such as the transmission of unsolicited advertising and
and solicitations of any kind, including spam. You further agree
not to use this data to enable high volume, automated or robotic electronic
processes designed to collect or compile this data for any purpose,
including mining this data for your own personal or commercial purposes.

Please note: the registrant of the domain name is specified
in the "registrant" section. In most cases, GoDaddy.com, LLC
is not the registrant of domain names listed in this database.



Wednesday, November 12, 2014

Domain: svist21.cz

Domain: svist21.cz

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x07535649 && 0x2c&0xDFDFFFFF=0x53543231 && 0x30&0xFFDFDFFF=0x02435a00 && 0x34&0xFFFF0000=0x00FF0000" -j DROP -m comment --comment "DROP DNS Q svist21.cz"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|077376697374323102637a0000ff|' -j DROP -m comment --comment "DROP DNS Q svist21.cz"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
svist21.cz. 1770 IN NS ns5.gransy.com.
svist21.cz. 1770 IN NS ns.gransy.com.
svist21.cz. 1770 IN NS ns2.gransy.com.
svist21.cz. 1770 IN NS ns4.gransy.com.
svist21.cz. 1770 IN NS ns3.gransy.com.


Response:


A 15
DNSKEY 5
MX 8
NS 13
NSEC 2
RRSIG 10
SOA 3
SPF 3
TXT 4
Rsize 6800





Tuesday, November 11, 2014

Domain: 067.cz

Domain: 067.cz

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28=0x03303637 && 0x2c&0xFFDFDFFF=0x02435a00 && 0x30&0xFFFF0000=0x00FF0000" -j DROP -m comment --comment "DROP DNS Q 067.cz"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 50 --algo bm --hex-string '|0330363702637a0000ff|' -j DROP -m comment --comment "DROP DNS Q 067.cz"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
067.cz. 958 IN NS ns4.gransy.com.
067.cz. 958 IN NS ns5.gransy.com.
067.cz. 958 IN NS ns3.gransy.com.
067.cz. 958 IN NS ns.gransy.com.
067.cz. 958 IN NS ns2.gransy.com.


Response:


A 14
DNSKEY 5
MX 4
NS 12
NSEC 2
RRSIG 10
SOA 3
SPF 3
TXT 4
Rsize 6684


Whois


% (c) 2006-2014 CZ.NIC, z.s.p.o.
%
% Intended use of supplied data and information
%
% Data contained in the domain name register, as well as information
% supplied through public information services of CZ.NIC association,
% are appointed only for purposes connected with Internet network
% administration and operation, or for the purpose of legal or other
% similar proceedings, in process as regards a matter connected
% particularly with holding and using a concrete domain name.
%
% Full text available at:
% http://www.nic.cz/page/306/intended-use-of-supplied-data-and-information/
%
% See also a search service at http://www.nic.cz/whois/
%
%
% Whoisd Server Version: 3.10.0
% Timestamp: Tue Nov 11 22:32:56 2014

domain: 067.cz
registrant: A24CONTACT-53436
admin-c: SB:SVIST21-S
nsset: NSS:GRANSY:3
registrar: REG-GRANSY
registered: 07.02.2013 15:06:26
changed: 11.01.2014 14:56:04
expire: 07.02.2015

contact: A24CONTACT-53436
org: Petr Koubský
name: Petr Koubský
address: Chvalova 1202/8
address: Praha 3
address: 130 00
address: CZ
registrar: REG-ACTIVE24
created: 01.12.2011 14:26:48

contact: SB:SVIST21-S
org: Svist 21 s.r.o.
name: Svist 21 s.r.o.
address: Dobrovskeho 36
address: Praha 7
address: 17000
address: CZ
registrar: REG-GRANSY
created: 05.10.2005 11:55:00
changed: 30.07.2014 09:47:05

nsset: NSS:GRANSY:3
nserver: ns.gransy.com
nserver: ns2.gransy.com
nserver: ns3.gransy.com
nserver: ns4.gransy.com
nserver: ns5.gransy.com
tech-c: GRANSY
registrar: REG-GRANSY
created: 01.10.2007 02:00:00
changed: 16.08.2010 00:39:13

contact: GRANSY
org: Gransy s.r.o.
name: Jan Horák
address: Bořivojova 878/35
address: Praha 3
address: 130 00
address: CZ
phone: +420.732954549
fax-no: +420.226517341
e-mail: info@gransy.com
registrar: REG-MOJEID
created: 23.08.2004 17:35:00
changed: 20.04.2011 14:22:45