Hello

To get a bit of a change from that IPv6 topic...

In the last few days I observed strange virus DNS behaviour...

We get complaints that infected customers' computers run web servers spreading 
viruses:

example: http://ei.adorelyric.com/happy_valentine.exe

$ for i in 1 2 3 4 5; do host ei.adorelyric.com; done
ei.adorelyric.com has address 83.1.99.8
ei.adorelyric.com has address 85.193.231.237
ei.adorelyric.com has address 86.16.162.235
ei.adorelyric.com has address 88.167.171.94
ei.adorelyric.com has address 86.16.162.235

and so on, sometimes pointing to the IP of one of our customers.

TTL is zero, so the entry expires immediately.

adorelyric.com has SOA record ns1.adorelyric.com. root.adorelyric.com. 
20081223 300 300 300 0

;; QUESTION SECTION:
;adorelyric.com.                        IN      NS

;; ANSWER SECTION:
adorelyric.com.         0       IN      NS      ns1.adorelyric.com.
adorelyric.com.         0       IN      NS      ns2.adorelyric.com.
adorelyric.com.         0       IN      NS      ns3.adorelyric.com.
adorelyric.com.         0       IN      NS      ns4.adorelyric.com.
adorelyric.com.         0       IN      NS      ns5.adorelyric.com.
adorelyric.com.         0       IN      NS      ns6.adorelyric.com.

No additional section with an IP being sent, so the resolver has to do more 
queries...

$ for i in 1 2 3 4 5; do host ns1.adorelyric.com.; done
ns1.adorelyric.com has address 24.79.83.148
ns1.adorelyric.com has address 88.185.130.161
ns1.adorelyric.com has address 76.210.63.46
ns1.adorelyric.com has address 82.36.169.65
ns1.adorelyric.com has address 76.210.63.46

Well, that virus runs its own DNS server, randomly pointing to other infected 
machines.

   Domain Name: ADORELYRIC.COM
   Name Server: NS1.BESTMAZDADEALER.COM
   Name Server: NS2.BESTMAZDADEALER.COM
   Name Server: NS3.BESTMAZDADEALER.COM
   Name Server: NS4.BESTMAZDADEALER.COM
   Name Server: NS5.BESTMAZDADEALER.COM
   Name Server: NS6.BESTMAZDADEALER.COM

Even the registered DNS servers point to infected machines:

$ for i in 1 2 3 4 5; do host NS1.BESTMAZDADEALER.COM; done
NS1.BESTMAZDADEALER.COM has address 212.87.4.145
NS1.BESTMAZDADEALER.COM has address 213.226.69.14
NS1.BESTMAZDADEALER.COM has address 61.92.213.121
NS1.BESTMAZDADEALER.COM has address 88.168.97.28
NS1.BESTMAZDADEALER.COM has address 88.168.97.28

Well, one is static:

$ for i in 1 2 3 4 5; do host NS6.BESTMAZDADEALER.COM; done
NS6.BESTMAZDADEALER.COM has address 82.239.175.129
NS6.BESTMAZDADEALER.COM has address 82.239.175.129
NS6.BESTMAZDADEALER.COM has address 82.239.175.129
NS6.BESTMAZDADEALER.COM has address 82.239.175.129
NS6.BESTMAZDADEALER.COM has address 82.239.175.129

So this is the command and control server? But this IP also seems to change 
from time to time.

So what's the best option to get those hosts down?

Kind regards
Benoit Panizzon
-- 
I m p r o W a r e   A G    -    Leiter IT Customer Care
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 07
CH-4133 Pratteln                Fax  +41 61 826 93 02
Schweiz                         Web  http://www.imp.ch
______________________________________________________

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
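The behaviour described in the post above (zero TTL, a different set of answers on every lookup, answers scattered across unrelated networks, and the zone's own name servers fluxing the same way) is what a resolver-side check for fast-flux would look for. The following is an added example, not code from the original post or from any project: it parses `host` output in the format quoted in the post, groups the answers per name, and scores three indicators. The sample input is constructed from the address lists pasted in the post so the script runs offline; the TTL values, the thresholds (`LOW_TTL`, `MIN_CHURN`, `MIN_PREFIXES`) and the choice of /16 as a "different network" proxy are assumptions made for this example, and `run_host()` is an optional live collector that is never called in the offline run.

```python
"""Fast-flux indicators from repeated `host` lookups (added example, not from the post).

Sample input is constructed from the address lists quoted in the post; thresholds
and the /16 network proxy are assumptions for this example, not a standard.
"""
import ipaddress
import re
import subprocess
from dataclasses import dataclass, field
from typing import Optional

HOST_LINE = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")

# Constructed sample: the `host` output quoted in the post, one line per lookup.
SAMPLE_HOST_OUTPUT = """\
ei.adorelyric.com has address 83.1.99.8
ei.adorelyric.com has address 85.193.231.237
ei.adorelyric.com has address 86.16.162.235
ei.adorelyric.com has address 88.167.171.94
ei.adorelyric.com has address 86.16.162.235
ns1.adorelyric.com has address 24.79.83.148
ns1.adorelyric.com has address 88.185.130.161
ns1.adorelyric.com has address 76.210.63.46
ns1.adorelyric.com has address 82.36.169.65
ns1.adorelyric.com has address 76.210.63.46
NS1.BESTMAZDADEALER.COM has address 212.87.4.145
NS1.BESTMAZDADEALER.COM has address 213.226.69.14
NS1.BESTMAZDADEALER.COM has address 61.92.213.121
NS1.BESTMAZDADEALER.COM has address 88.168.97.28
NS1.BESTMAZDADEALER.COM has address 88.168.97.28
NS6.BESTMAZDADEALER.COM has address 82.239.175.129
NS6.BESTMAZDADEALER.COM has address 82.239.175.129
NS6.BESTMAZDADEALER.COM has address 82.239.175.129
NS6.BESTMAZDADEALER.COM has address 82.239.175.129
NS6.BESTMAZDADEALER.COM has address 82.239.175.129
"""

# Heuristic thresholds (assumptions chosen for this example).
LOW_TTL = 300        # seconds; fast-flux zones use 0 or a few minutes
MIN_CHURN = 0.5      # distinct answers / number of lookups
MIN_PREFIXES = 3     # distinct /16 (IPv4) or /32 (IPv6) networks in the answers


def parse_host_output(text):
    """Group '<name> has address <ip>' lines by lower-cased name, keeping lookup order."""
    by_name = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            by_name.setdefault(m.group(1).rstrip(".").lower(), []).append(m.group(2))
    return by_name


def run_host(name, runs=5):
    """Live equivalent of the post's shell loop (needs network; not used offline)."""
    out = [subprocess.run(["host", name], capture_output=True, text=True).stdout
           for _ in range(runs)]
    return parse_host_output("\n".join(out))


def coarse_prefix(ip):
    """Proxy for 'different network': /16 for IPv4, /32 for IPv6 (assumption)."""
    addr = ipaddress.ip_address(ip)
    plen = 16 if addr.version == 4 else 32
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


@dataclass
class FluxReport:
    name: str
    lookups: int
    distinct_ips: int
    distinct_prefixes: int
    ttl: Optional[int]
    reasons: list = field(default_factory=list)

    @property
    def flagged(self):
        # Two or more independent indicators is treated as fast-flux.
        return len(self.reasons) >= 2


def assess(name, addresses, ttl=None):
    """Score one name from its repeated answers and (if known) the record TTL."""
    ips = set(addresses)
    prefixes = {coarse_prefix(ip) for ip in ips}
    report = FluxReport(name, len(addresses), len(ips), len(prefixes), ttl)
    if ttl is not None and ttl < LOW_TTL:
        report.reasons.append(f"ttl {ttl}s")
    if addresses and len(ips) / len(addresses) >= MIN_CHURN:
        report.reasons.append(f"{len(ips)} distinct answers in {len(addresses)} lookups")
    if len(prefixes) >= MIN_PREFIXES:
        report.reasons.append(f"answers spread over {len(prefixes)} unrelated networks")
    return report


def assess_all(by_name, ttls=None):
    """Assess every name; ttls maps lower-cased name to the TTL seen in dig output."""
    ttls = ttls or {}
    return {n: assess(n, addrs, ttls.get(n)) for n, addrs in by_name.items()}


def double_flux(reports, ns_names):
    """True when any of the zone's name servers is itself flagged (NS-level flux)."""
    return any(n in reports and reports[n].flagged for n in ns_names)


if __name__ == "__main__":
    # TTL 0 for the adorelyric.com names is taken from the dig output in the post.
    reports = assess_all(parse_host_output(SAMPLE_HOST_OUTPUT),
                         ttls={"ei.adorelyric.com": 0, "ns1.adorelyric.com": 0})
    for r in reports.values():
        print(f"{r.name}: {'FLUX' if r.flagged else 'static'} "
              f"({r.distinct_ips} IPs, {r.distinct_prefixes} prefixes) {r.reasons}")
    print("double-flux:", double_flux(reports, ["ns1.adorelyric.com"]))
```

Run it as-is for the offline sample; to check a live name, replace the parsed sample with `run_host("some.name")` and supply the TTL from `dig`. The static `NS6` answer scores no indicator, which matches the post's observation that it behaves differently from the rest.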
