Tuesday, February 24, 2015

Domain: cdnmyhost.com


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.


If you are seeing responses for this domain, unlucky: you are currently being DDoS-ed. Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0943444e && 0x2c&0xDFDFDFDF=0x4d59484f && 0x30&0xDFDFFFDF=0x53540343 && 0x34&0xDFDFFFFF=0x4f4d0000 && 0x38&0xFF000000=0xFF000000" -j DROP -m comment --comment "DROP DNS Q cdnmyhost.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt


String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 57 --algo bm --hex-string '|0963646e6d79686f737403636f6d0000ff|' -j DROP -m comment --comment "DROP DNS Q cdnmyhost.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
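Both rules above are hand-derived from the wire-format question of an ANY query: the 'string' rule is the QNAME labels plus the two QTYPE bytes (00 ff) as a hex pattern starting at byte 40 (IPv4 header 20 + UDP 8 + DNS header 12), and the 'u32' rule is the same bytes read four at a time with a 0xDF mask on letters so that mixed-case queries still match. The script below is an added example, not the page's or the smurfmonitor repository's own tooling; it regenerates both rules from a domain name, generalises the mask choice to digits and hyphens (which get exact-match 0xFF bytes; the page's all-letter names never needed that), and checks the generated u32 expression against a constructed datagram the way xt_u32 evaluates it. The IPv4-without-options layout, the TEST-NET addresses and the dummy checksums in the sample packet are assumptions of the example.

```python
"""Derive the page's two iptables matches for a DNS ANY query by name and
check them against a constructed datagram. Added example, not the page's
own tooling; offsets assume IPv4 without options (20) + UDP (8) + DNS
header (12), i.e. the question section starts at byte 40."""

import string

QUESTION_OFFSET = 40  # first byte of the DNS question, relative to the IP header
QTYPE_ANY = 255


def qname_wire(domain):
    """Encode a domain in DNS wire format: <len><label>...<len><label><0>."""
    out = bytearray()
    for label in domain.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def match_pattern(domain, qtype=QTYPE_ANY):
    """QNAME followed by the big-endian QTYPE; qtype=None keys on the name only."""
    pat = qname_wire(domain)
    if qtype is not None:
        pat += qtype.to_bytes(2, "big")
    return pat


def string_rule(domain, qtype=QTYPE_ANY):
    """xt_string rule in the page's format; --to is the end of the search window."""
    pat = match_pattern(domain, qtype)
    return (f"iptables --insert INPUT -p udp --dport 53 -m string "
            f"--from {QUESTION_OFFSET} --to {QUESTION_OFFSET + len(pat)} "
            f"--algo bm --hex-string '|{pat.hex()}|' "
            f'-j DROP -m comment --comment "DROP DNS Q {domain}"')


def u32_expression(domain, qtype=QTYPE_ANY):
    """xt_u32 expression: one 4-byte test per word of the pattern. Letters get a
    0xDF mask so mixed-case queries still match (DNS names are case-insensitive);
    length bytes, digits, '-', the terminator and the QTYPE are compared exactly.
    A short final word is padded with don't-care (0x00) mask bytes."""
    pat = match_pattern(domain, qtype)
    tests = []
    for i in range(0, len(pat), 4):
        word = pat[i:i + 4]
        mask = value = 0
        for b in word:
            fold = chr(b) in string.ascii_letters
            mask = (mask << 8) | (0xDF if fold else 0xFF)
            value = (value << 8) | (b & 0xDF if fold else b)
        pad = 8 * (4 - len(word))
        tests.append(f"0x{QUESTION_OFFSET + i:x}&0x{mask << pad:08X}=0x{value << pad:08x}")
    return " && ".join(tests)


def u32_matches(packet, expression):
    """Evaluate a generated expression the way xt_u32 does: each test reads four
    bytes at an IP-header-relative offset and fails if the read would run past
    the end of the packet."""
    for test in expression.split(" && "):
        location, value = test.split("=")
        offset, mask = (int(x, 16) for x in location.split("&"))
        if offset > len(packet) - 4:
            return False
        word = int.from_bytes(packet[offset:offset + 4], "big")
        if word & mask != int(value, 16):
            return False
    return True


def build_any_query(domain, edns=True):
    """Constructed sample IPv4+UDP+DNS datagram (TEST-NET addresses, zero
    checksums) carrying an ANY query, with or without an EDNS0 OPT record."""
    dns = (b"\x12\x34" + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" + b"\x00\x00"
           + (b"\x00\x01" if edns else b"\x00\x00"))       # DNS header, RD set
    dns += qname_wire(domain) + b"\x00\xff" + b"\x00\x01"  # QTYPE ANY, QCLASS IN
    if edns:  # OPT pseudo-RR: root name, type 41, UDP payload size 4096, no options
        dns += b"\x00" + b"\x00\x29" + b"\x10\x00" + b"\x00\x00\x00\x00" + b"\x00\x00"
    udp = b"\x04\xd2\x00\x35" + (8 + len(dns)).to_bytes(2, "big") + b"\x00\x00"
    ip = (b"\x45\x00" + (20 + len(udp)).to_bytes(2, "big")
          + b"\x00\x00\x40\x00\x40\x11\x00\x00"
          + bytes([192, 0, 2, 10]) + bytes([198, 51, 100, 53]))
    return ip + udp + dns


if __name__ == "__main__":
    for name in ("cdnmyhost.com", "gransy.com"):
        print(string_rule(name))
        print(u32_expression(name))
    expr = u32_expression("cdnmyhost.com")
    print(u32_matches(build_any_query("CdnMyHost.COM"), expr))               # True
    print(u32_matches(build_any_query("cdnmyhost.com", edns=False), expr))   # False
```

Two things the check makes visible. The 'string' rule as written is case-sensitive (the module's --icase option is not used), so a query for CdnMyHost.COM slips past it but not past the u32 rule. And because xt_u32 refuses a test whose four-byte read would run off the end of the packet, the final test at 0x38 only matches when the datagram extends at least four bytes beyond the pattern: a bare 59-byte ANY query is not matched, while a query carrying an EDNS0 OPT record is, which is the kind that requests the 4000-byte responses listed under Rsize. The uzuzuu.ru entry further down omits the trailing 00 ff in both rules; `qtype=None` reproduces that name-only variant.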

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
cdnmyhost.com. 21599 IN NS brad.ns.cloudflare.com.
cdnmyhost.com. 21599 IN NS amber.ns.cloudflare.com.


Response:


A 2
NS 2
SOA 1
TXT 2
Rsize 4031


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: CDNMYHOST.COM
Registrar: ENOM, INC.
Sponsoring Registrar IANA ID: 48
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: AMBER.NS.CLOUDFLARE.COM
Name Server: BRAD.NS.CLOUDFLARE.COM
Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Updated Date: 18-feb-2015
Creation Date: 13-dec-2014
Expiration Date: 13-dec-2015

>>> Last update of whois database: Tue, 24 Feb 2015 09:59:05 GMT <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

For more information on Whois status codes, please visit
https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en.


Domain Name: CDNMYHOST.COM
Registry Domain ID: 1890194452_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2014-12-13T11:23:42.00Z
Creation Date: 2014-12-13T19:23:00.00Z
Registrar Registration Expiration Date: 2015-12-13T19:23:00.00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: abuse@enom.com
Registrar Abuse Contact Phone: +1.4252982646
Reseller: NAMECHEAP.COM
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: WHOISGUARD PROTECTED
Registrant Organization: WHOISGUARD, INC.
Registrant Street: P.O. BOX 0823-03411
Registrant City: PANAMA
Registrant State/Province: PANAMA
Registrant Postal Code: 00000
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: 96DB3259BF024660997FDD41F8605E22.PROTECT@WHOISGUARD.COM
Registry Admin ID:
Admin Name: WHOISGUARD PROTECTED
Admin Organization: WHOISGUARD, INC.
Admin Street: P.O. BOX 0823-03411
Admin City: PANAMA
Admin State/Province: PANAMA
Admin Postal Code: 00000
Admin Country: PA
Admin Phone: +507.8365503
Admin Phone Ext:
Admin Fax: +51.17057182
Admin Fax Ext:
Admin Email: 96DB3259BF024660997FDD41F8605E22.PROTECT@WHOISGUARD.COM
Registry Tech ID:
Tech Name: WHOISGUARD PROTECTED
Tech Organization: WHOISGUARD, INC.
Tech Street: P.O. BOX 0823-03411
Tech City: PANAMA
Tech State/Province: PANAMA
Tech Postal Code: 00000
Tech Country: PA
Tech Phone: +507.8365503
Tech Phone Ext:
Tech Fax: +51.17057182
Tech Fax Ext:
Tech Email: 96DB3259BF024660997FDD41F8605E22.PROTECT@WHOISGUARD.COM
Name Server: AMBER.NS.CLOUDFLARE.COM
Name Server: BRAD.NS.CLOUDFLARE.COM
DNSSEC: unSigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-12-13T11:23:42.00Z


We reserve the right to modify these terms at any time. By submitting
this query, you agree to abide by these terms.
Version 6.3 4/3/2002


Domain: pidarastik.ru


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.


If you are seeing responses for this domain, unlucky: you are currently being DDoS-ed. Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0a504944 && 0x2c&0xDFDFDFDF=0x41524153 && 0x30&0xDFDFDFFF=0x54494b02 && 0x34&0xDFDFFFFF=0x52550000 && 0x38&0xFF000000=0xFF000000" -j DROP -m comment --comment "DROP DNS Q pidarastik.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt


String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 57 --algo bm --hex-string '|0A7069646172617374696b0272750000ff|' -j DROP -m comment --comment "DROP DNS Q pidarastik.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
pidarastik.ru. 599 IN NS ns2.spaceweb.ru.
pidarastik.ru. 599 IN NS ns1.spaceweb.ru.


Response:


A 2
MX 2
NS 2
SOA 1
TXT 22
Rsize 4076


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: PIDARASTIK.RU
nserver: ns1.spaceweb.ru.
nserver: ns2.spaceweb.ru.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: R01-RU
admin-contact: https://partner.r01.ru/contact_admin.khtml
created: 2015.01.10
paid-till: 2016.01.10
free-date: 2016.02.10
source: TCI

Last updated on 2015.02.24 12:56:31 MSK



Domain: viareality.cz


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.


If you are seeing responses for this domain, unlucky: you are currently being DDoS-ed. Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0a564941 && 0x2c&0xDFDFDFDF=0x5245414c && 0x30&0xDFDFDFFF=0x49545902 && 0x34&0xDFDFFFFF=0x435a0000 && 0x38&0xFF000000=0xFF000000" -j DROP -m comment --comment "DROP DNS Q viareality.cz"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt


String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 57 --algo bm --hex-string '|0A7669617265616c69747902637a0000ff|' -j DROP -m comment --comment "DROP DNS Q viareality.cz"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
viareality.cz. 3599 IN NS ns1.regzone.cz.
viareality.cz. 3599 IN NS ns1.regzone.de.
viareality.cz. 3599 IN NS ns1.regzone.info.


Response:


A 14
AAAA 2
DNSKEY 4
MX 6
NS 10
NSEC3PARAM 2
RRSIG 8
SOA 2
Rsize 3779


Whois


% (c) 2006-2015 CZ.NIC, z.s.p.o.
%
% Intended use of supplied data and information
%
% Data contained in the domain name register, as well as information
% supplied through public information services of CZ.NIC association,
% are appointed only for purposes connected with Internet network
% administration and operation, or for the purpose of legal or other
% similar proceedings, in process as regards a matter connected
% particularly with holding and using a concrete domain name.
%
% Full text available at:
% http://www.nic.cz/page/306/intended-use-of-supplied-data-and-information/
%
% See also a search service at http://www.nic.cz/whois/
%
%
% Whoisd Server Version: 3.10.0
% Timestamp: Tue Feb 24 10:58:50 2015

domain: viareality.cz
registrant: MSC-VIACENTRUM
admin-c: MSC-TUMA
nsset: NSSET:ZONER
keyset: KS:ZONER:1289219690
registrar: REG-INTERNET-CZ
registered: 29.08.2008 13:01:54
changed: 08.02.2012 15:58:13
expire: 29.08.2015

contact: MSC-VIACENTRUM
org: viaCentrum s.r.o.
name: Michal Valta
address: Ztracená 268/34
address: Olomouc
address: 77200
address: CZ
phone: +420.739025939
e-mail: domain@viacentrum.net
registrar: REG-INTERNET-CZ
created: 29.08.2008 11:12:16

contact: MSC-TUMA
name: Pavel Tuma
address: Pechackova 968/35
address: Plzen
address: 31800
address: CZ
registrar: REG-INTERNET-CZ
created: 03.07.2004 17:35:00
changed: 15.10.2013 20:00:32

nsset: NSSET:ZONER
nserver: ns1.regzone.info
nserver: ns1.regzone.de
nserver: ns1.regzone.cz (217.198.113.10, 2a00:19a0:2:300::2)
tech-c: ZONER
registrar: REG-ZONER
created: 08.04.2010 12:23:52
changed: 28.04.2011 14:16:23

contact: ZONER
org: ZONER software, a.s.
name: ZONER software, a.s.
address: Nové Sady 583/18
address: Brno
address: 602 00
address: CZ
phone: +420.543257244
fax-no: +420.543257245
e-mail: admin@zoner.cz
registrar: REG-ZONER
created: 10.11.2006 13:45:00
changed: 01.12.2011 10:55:14

keyset: KS:ZONER:1289219690
dnskey: 257 3 7 (public key data omitted)
tech-c: ZONER
registrar: REG-ZONER
created: 08.11.2010 13:34:55
changed: 30.11.2012 14:51:29




Monday, February 9, 2015

Domain: uzuzuu.ru

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain, unlucky: you are currently being DDoS-ed. Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x06555a55 && 0x2c&0xDFDFDFFF=0x5a555502 && 0x30&0xDFDFFF00=0x52550000" -j DROP -m comment --comment "DROP DNS Q uzuzuu.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 51 --algo bm --hex-string '|06757a757a757502727500|' -j DROP -m comment --comment "DROP DNS Q uzuzuu.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
uzuzuu.ru. 599 IN NS ns2.spaceweb.ru.
uzuzuu.ru. 599 IN NS ns1.spaceweb.ru.


Response:


A 2
MX 2
NS 2
SOA 1
TXT 22
Rsize 4072


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: UZUZUU.RU
nserver: ns1.spaceweb.ru.
nserver: ns2.spaceweb.ru.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: R01-RU
admin-contact: https://partner.r01.ru/contact_admin.khtml
created: 2015.01.10
paid-till: 2016.01.10
free-date: 2016.02.10
source: TCI

Last updated on 2015.02.10 01:31:32 MSK




Thursday, January 1, 2015

Domain: ohhr.ru

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain, unlucky: you are currently being DDoS-ed. Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x044f4848 && 0x2c&0xDFFFDFDF=0x52025255 && 0x30&0xFFFFFF00=0x0000FF00" -j DROP -m comment --comment "DROP DNS Q ohhr.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 51 --algo bm --hex-string '|046f6868720272750000ff|' -j DROP -m comment --comment "DROP DNS Q ohhr.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
ohhr.ru. 3599 IN NS ns1.reg.ru.
ohhr.ru. 3599 IN NS ns2.reg.ru.


Response:


A 244
NS 2
SOA 1
Rsize 4000


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: OHHR.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: REGRU-RU
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2014.11.07
paid-till: 2015.11.07
free-date: 2015.12.08
source: TCI

Last updated on 2015.01.01 17:31:31 MSK




Domain: gransy.com

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain, unlucky: you are currently being DDoS-ed. Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x06475241 && 0x2c&0xDFDFDFFF=0x4e535903 && 0x30&0xDFDFDFFF=0x434f4d00 && 0x34&0xFFFF0000=0x00FF0000" -j DROP -m comment --comment "DROP DNS Q gransy.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|066772616e737903636f6d0000ff|' -j DROP -m comment --comment "DROP DNS Q gransy.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
gransy.com. 1799 IN NS ns2.gransy.com.
gransy.com. 1799 IN NS ns5.gransy.com.
gransy.com. 1799 IN NS ns3.gransy.com.
gransy.com. 1799 IN NS ns4.gransy.com.
gransy.com. 1799 IN NS ns.gransy.com.


Response:


A 14
AAAA 5
DNSKEY 5
MX 4
NS 14
NSEC 2
RRSIG 9
SOA 3
Rsize 5885


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: GRANSY.COM
Registrar: GRANSY S.R.O D/B/A SUBREG.CZ
Whois Server: whois.regtons.com
Referral URL: http://regtons.com
Name Server: NS.GRANSY.COM
Name Server: NS2.GRANSY.COM
Name Server: NS3.GRANSY.COM
Name Server: NS4.GRANSY.COM
Name Server: NS5.GRANSY.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 10-jul-2014
Creation Date: 21-oct-2002
Expiration Date: 21-oct-2021

>>> Last update of whois database: Thu, 01 Jan 2015 14:35:56 GMT <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: gransy.com
Registry Domain ID: 91407614_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.regtons.com
Registrar URL: http://regtons.com
Updated Date: 2014-07-10T00:00:00Z
Creation Date: 2002-10-21T00:00:00Z
Registrar Registration Expiration Date: 2021-10-21T00:00:00Z
Registrar: GRANSY S.R.O D/B/A SUBREG.CZ
Registrar IANA ID: 1505
Registrar Abuse Contact Email: abuse@regtons.com
Registrar Abuse Contact Phone: +420.734463373
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID: G-000050
Registrant Name: Jan Horak
Registrant Organization: Gransy s.r.o.
Registrant Street: Borivojova 35
Registrant City: Prague
Registrant State/Province:
Registrant Postal Code: 13000
Registrant Country: CZ
Registrant Phone: +420.732954549
Registrant Phone Ext:
Registrant Fax: +420.226517341
Registrant Fax Ext:
Registrant Email: info@gransy.com
Registry Admin ID: G-000050
Admin Name: Jan Horak
Admin Organization: Gransy s.r.o.
Admin Street: Borivojova 35
Admin City: Prague
Admin State/Province:
Admin Postal Code: 13000
Admin Country: CZ
Admin Phone: +420.732954549
Admin Phone Ext:
Admin Fax: +420.226517341
Admin Fax Ext:
Admin Email: info@gransy.com
Registry Tech ID: G-000050
Tech Name: Jan Horak
Tech Organization: Gransy s.r.o.
Tech Street: Borivojova 35
Tech City: Prague
Tech State/Province:
Tech Postal Code: 13000
Tech Country: CZ
Tech Phone: +420.732954549
Tech Phone Ext:
Tech Fax: +420.226517341
Tech Fax Ext:
Tech Email: info@gransy.com
Name Server: ns.gransy.com
Name Server: ns5.gransy.com
Name Server: ns3.gransy.com
Name Server: ns2.gransy.com
Name Server: ns4.gransy.com
DNSSEC: signedDelegation
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2015-01-01T14:00:00Z <<<

#
# This domain is registered by http://g-hosting.cz
#
# G-Hosting.CZ - This is good place for your website
#
# PHP, Java, Ruby, Python and VPS hosting services
#