Botnet Malware issue on bind BIND 9.7.1-P2
Hi,

Please suggest on this.

Thanks,
Jagan

www3.cbox.ws.barnasinternational.com. (65)
14:24:41.223958 IP 211.164.230.208.17125 > 103.145.184.40.domain: 64+ A? mlvabdz.ws. (28)
14:24:41.300652 IP 61.246.253.55.44111 > 208.73.210.76.domain: 47143 [1au] A? xoguzsdl.ws. (40)
14:24:41.338215 IP 211.178.172.128.fpitp > 103.145.184.32.domain: 20686+ A? ppckbydtbr.ws. (31)
14:24:41.342505 IP 61.246.253.53.7628 > 208.73.210.76.domain: 28787 [1au] A? lodqbvd.ws. (39)
14:24:41.346545 IP 211.178.164.175.23186 > 103.145.184.32.domain: 2298+ A? jdzojm.ws. (27)
14:24:41.350427 IP 211.164.232.28.1028 > 103.145.184.32.domain: 52540+ A? ujtkmid.ws. (28)
14:24:41.518083 IP 211.174.99.37.10290 > 103.145.184.40.domain: 17039+ A? phkaxt.ws. (27)
14:24:41.597469 IP 61.246.253.53.53556 > 208.73.210.76.domain: 5848 [1au] A? jdzojm.ws. (38)
14:24:41.608805 IP 61.246.253.55.gbs-stp > 208.73.210.76.domain: 60602 [1au] A? rvoykpdvuw.ws. (42)
14:24:41.613744 IP 211.174.93.126.10443 > 103.145.184.32.domain: 57+ A? yphpeqeq.ws. (29)
14:24:41.647610 IP 211.174.158.140.20813 > 103.145.184.32.domain: 119+ A? qhfibjvct.ws. (30)
14:24:41.648165 IP 211.174.158.140.20814 > 103.145.184.40.domain: 119+ A? qhfibjvct.ws. (30)
14:24:41.649318 IP 211.174.158.140.20813 > 103.145.184.32.domain: 120+ A? aplsmxcne.ws. (30)
14:24:41.650589 IP 211.174.158.140.20814 > 103.145.184.40.domain: 120+ A? aplsmxcne.ws. (30)
14:24:41.651435 IP 211.174.69.219.fpitp > 103.145.184.32.domain: 18969+ A? xoguzsdl.ws. (29)
14:24:41.802136 IP 211.174.110.194.mcp-port > 103.145.184.32.domain: 63099+ A? ujtkmid.ws. (28)
14:24:41.828624 IP 211.174.77.240.12803 > 103.145.184.32.domain: 42241+ A? ujtkmid.ws. (28)
14:24:41.896891 IP 211.174.96.42.10349 > 103.145.184.32.domain: 10320+ A? rvoykpdvuw.ws.HUL-RS.COM. (42)
14:24:41.951168 IP 211.174.76.161.directv-tick > 103.145.184.32.domain: 51760+ A? jdzojm.ws. (27)
14:24:41.978719 IP 61.246.253.51.60690 > 208.73.210.76.domain: 22757 A? ppckbydtbr.ws. (31)
14:24:41.992364 IP 211.178.145.35.18834 > 103.145.184.40.domain: 102+ A? bfrdqsraipi.ws. (32)
14:24:41.995598 IP 211.164.42.255.iad1 > 103.145.184.32.domain: 62681+ A? mdbyqndydim.ws. (32)
14:24:41.998899 IP 211.164.42.255.1028 > 103.145.184.32.domain: 49093+ A? xopcz.ws. (26)
14:24:41.999731 IP 211.174.98.2.unet > 103.145.184.32.domain: 8066+ A? plzpbuzykzi.ws. (32)
14:24:42.063680 IP 211.164.24.202.traversal > 103.145.184.32.domain: 29788+ A? mlvabdz.ws. (28)
14:24:42.080591 IP 211.178.149.74.26153 > 103.145.184.40.domain: 94+ A? plzpbuzykzi.ws. (32)
14:24:42.081309 IP 211.178.149.74.26152 > 103.145.184.32.domain: 94+ A? plzpbuzykzi.ws. (32)
14:24:42.083018 IP 211.178.149.74.26153 > 103.145.184.40.domain: 95+ A? ofqliyah.ws. (29)
14:24:42.084333 IP 211.178.149.74.26152 > 103.145.184.32.domain: 95+ A? ofqliyah.ws. (29)
14:24:42.212815 IP 211.164.230.208.17132 > 103.145.184.40.domain: 73+ A? mlvabdz.ws. (28)
14:24:42.213857 IP 211.164.230.208.17133 > 103.145.184.32.domain: 73+ A? mlvabdz.ws. (28)
14:24:42.254075 IP 211.178.182.51.17331 > 103.145.184.32.domain: 31124+ A? xopcz.ws. (26)
14:24:42.257642 IP 211.174.43.2.21902 > 103.145.184.32.domain: 22199+ A? vqdqp.ws. (26)
14:24:42.257967 IP 61.246.253.53.62271 > 208.73.210.76.domain: 10273 A? xoguzsdl.ws. (29)
14:24:42.259110 IP 211.174.43.2.21919 > 103.145.184.32.domain: 22704+ A? kuatmftlz.ws. (30)
14:24:42.360653 IP 211.165.222.201.av-emb-config > 103.145.184.32.domain: 16608+ A? phkaxt.ws. (27)
14:24:42.376847 IP 211.174.36.28.danf-ak2 > 103.145.184.32.domain: 18594+ A? xopcz.ws. (26)
14:24:42.389801 IP 211.164.230.208.17132 > 103.145.184.40.domain: 75+ A? mlvabdz.ws.DOMAIN. (35)
14:24:42.390902 IP 211.164.230.208.17133 > 103.145.184.32.domain: 75+ A? mlvabdz.ws.DOMAIN. (35)
14:24:42.392527 IP 61.246.253.51.36056 > 192.36.148.17.domain: 18602 [1au] A? mlvabdz.ws.DOMAIN. (46)
14:24:42.393726 IP 61.246.253.55.43598 > 192.33.4.12.domain: 42970 [1au] A? mlvabdz.ws.DOMAIN. (46)
14:24:42.398797 IP 61.246.253.51.30802 > 208.73.210.76.domain: 1409 A? kuatmftlz.ws. (30)
14:24:42.424327 IP 211.165.57.59.10944 > 103.145.184.32.domain: 4917+ A? ymkvpdpwls.ws. (31)
14:24:42.432527 IP 211.174.74.193.4668 > 103.145.184.32.domain: 35472+ A? vqdqp.ws. (26)
14:24:42.434196 IP 61.246.253.53.6805 > 208.73.210.76.domain: 17224 [1au] A? aplsmxcne.ws. (41)
14:24:42.484865 IP 61.246.253.55.27520 > 208.73.210.76.domain: 51875 A? ymkvpdpwls.ws. (31)
14:24:42.512574 IP 61.246.253.53.36451 > 208.73.210.76.domain: 5405 A? wlxmyclyaht.ws. (32)
14:24:42.589319 IP 61.246.253.51.34837 > 208.73.210.76.domain: 34857 [1au] A? qpuhhohm.ws. (40)
14:24:42.599949 IP 61.246.253.51.28712 > 208.73.210.76.domain: 62962 [1au] A? etvmtyf.ws. (39)
14:24:42.603904 IP 211.174.93.126.10452 > 103.145.184.32.domain: 64+ A? rvoykpdvuw.ws. (31)
14:24:42.609177 IP 211.165.218.206.14730 > 103.145.184.32.domain: 33533+ A? tmwijxdp.ws. (29)
14:24:42.673250 IP 211.164.212.189.55838 > 103.145.184.32.domain: 49878+ ? www.cbox.ws. (29)
14:24:42.743605 IP 61.246.253.53.25801
Re: Botnet Malware issue on bind BIND 9.7.1-P2
Hi,

Huge numbers of requests are coming from valid IPs for .ws domains which do not exist, and this degrades the server performance.

Thanks,
Jagan
Re: Botnet Malware issue on bind BIND 9.7.1-P2
I see many valid IP addresses in your list. But that said, are the responses going back large individually, or is it the number of them that is large? If you think this is attempting to crash the server with a single large answer, that's different than if your server is getting a lot of queries from others, where the number of them is large.

Is your server crashing due to these queries? Are these clients ones you intend to provide service to? If not, can you limit access to your server to only those clients you intend to provide service for?

--Michael

On Dec 5, 2011, at 10:42 AM, jagan padhi wrote:

Hi, huge numbers of requests are coming from valid IPs for .ws domains which do not exist, and this degrades the server performance.

Thanks,
Jagan
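Michael's questions above (is it the size of each answer or the number of queries, and are these clients you mean to serve?) can be answered from the tcpdump output itself. The script below is an added example and is not part of the thread: it parses tcpdump's DNS summary lines, separates the queries clients send to the resolver from the resolver's own outbound lookups, counts queries per client and per TLD, records the largest query seen, and flags names whose labels look machine-generated (few vowels or a long consonant run, a coarse heuristic that catches most of the names in the capture but not all of them). The sample lines are a constructed subset of the capture in the first message, with the `src > dst` separator tcpdump prints restored; treating 103.145.184.32 and .40 as the resolver's own addresses is an assumption taken from the capture's destination column. Names such as mlvabdz.ws.DOMAIN and rvoykpdvuw.ws.HUL-RS.COM appear to be clients retrying with their DNS search suffix appended after the bare name failed, so the check looks at every label below the TLD rather than only the second-level one.

```python
import re
from collections import Counter, namedtuple

# Constructed sample: lines from the tcpdump output in the thread, with the
# "src > dst" separator tcpdump prints restored (the archive dropped it).
SAMPLE_LINES = """\
14:24:41.223958 IP 211.164.230.208.17125 > 103.145.184.40.domain: 64+ A? mlvabdz.ws. (28)
14:24:41.300652 IP 61.246.253.55.44111 > 208.73.210.76.domain: 47143 [1au] A? xoguzsdl.ws. (40)
14:24:41.338215 IP 211.178.172.128.fpitp > 103.145.184.32.domain: 20686+ A? ppckbydtbr.ws. (31)
14:24:41.346545 IP 211.178.164.175.23186 > 103.145.184.32.domain: 2298+ A? jdzojm.ws. (27)
14:24:41.350427 IP 211.164.232.28.1028 > 103.145.184.32.domain: 52540+ A? ujtkmid.ws. (28)
14:24:41.896891 IP 211.174.96.42.10349 > 103.145.184.32.domain: 10320+ A? rvoykpdvuw.ws.HUL-RS.COM. (42)
14:24:42.389801 IP 211.164.230.208.17132 > 103.145.184.40.domain: 75+ A? mlvabdz.ws.DOMAIN. (35)
14:24:42.392527 IP 61.246.253.51.36056 > 192.36.148.17.domain: 18602 [1au] A? mlvabdz.ws.DOMAIN. (46)
14:24:42.673250 IP 211.164.212.189.55838 > 103.145.184.32.domain: 49878+ A? www.cbox.ws. (29)
""".splitlines()

# Assumed: the addresses the resolver listens on (the capture's destination column).
RESOLVERS = {"103.145.184.32", "103.145.184.40"}

Query = namedtuple("Query", "ts src dst rd edns qtype qname size")

# tcpdump DNS summary: "<ts> IP <src>.<port> > <dst>.<port>: <id>[+] [1au] <type>? <name>. (<len>)"
# "+" after the ID is the RD bit; "[1au]" means an EDNS OPT record was attached.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+?)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>\S+?)\.(?P<dport>[^.\s]+): (?P<id>\d+)(?P<rd>\+?)(?P<edns> \[1au\])? "
    r"(?P<qtype>\S+)\? (?P<qname>\S+)\. \((?P<size>\d+)\)$"
)

def parse_line(line):
    """Parse one tcpdump DNS query summary; returns None for lines that are not queries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Query(m["ts"], m["src"], m["dst"], m["rd"] == "+", m["edns"] is not None,
                 m["qtype"], m["qname"].lower(), int(m["size"]))

VOWELS = set("aeiou")

def looks_random(label):
    """Coarse DGA heuristic: an all-letter label of 5+ chars with under 25% vowels
    or a run of 4+ consonants. Misses some generated names (e.g. ofqliyah)."""
    label = label.lower()
    if len(label) < 5 or not label.isalpha():
        return False
    vowels = sum(c in VOWELS for c in label)
    longest = run = 0
    for c in label:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowels / len(label) < 0.25 or longest >= 4

def is_suspect(qname):
    """True if any label below the TLD looks machine-generated (handles search-suffix retries)."""
    return any(looks_random(lbl) for lbl in qname.split(".")[:-1])

def summarize(lines, resolvers):
    """Split inbound client queries from the resolver's own outbound lookups and profile them."""
    inbound, outbound = [], []
    for q in filter(None, map(parse_line, lines)):
        (inbound if q.dst in resolvers else outbound).append(q)
    return {
        "inbound": len(inbound),
        "outbound": len(outbound),
        "rd_set": sum(q.rd for q in inbound),              # clients asking for recursion
        "max_query_size": max((q.size for q in inbound), default=0),
        "per_client": Counter(q.src for q in inbound),
        "per_tld": Counter(q.qname.rsplit(".", 1)[-1] for q in inbound),
        "suspect_inbound": sum(is_suspect(q.qname) for q in inbound),
        "suspect_names": sorted({q.qname for q in inbound if is_suspect(q.qname)}),
    }

if __name__ == "__main__":
    s = summarize(SAMPLE_LINES, RESOLVERS)
    print(f"inbound {s['inbound']}, outbound {s['outbound']}, "
          f"{s['suspect_inbound']}/{s['inbound']} inbound names look machine-generated, "
          f"largest query {s['max_query_size']} bytes, RD set on {s['rd_set']}")
    for client, n in s["per_client"].most_common(5):
        print(f"  {client:<16} {n}")
    print("  per TLD:", dict(s["per_tld"]))
```

Run it against the full capture (`tcpdump -n -i eth0 udp port 53` output, or the text above with the separators restored) rather than the nine sample lines. Every client query in the capture is under 50 bytes, so, to Michael's first question, the load is the number of queries and the upstream lookup each new name forces, not the size of any single answer; and `rd_set` equal to `inbound` means every one of those clients is asking for recursion, so if the `per_client` list is not the population you intend to serve, `allow-recursion` is the first setting to tighten.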
Re: Botnet Malware issue on bind BIND 9.7.1-P2
Yes Michael,

First of all, I would like to know what all these .ws domains are. Due to these junk domain queries, the CDNS servers' load is getting very high. Yes, there is a limit set in my CDNS server; however, out of 100 queries, 60 are for these junk domains.

I am running BIND 9.7.1-P2, and all of my servers have been affected by the same problem for the last week. What could be the reason, and what is the workaround / permanent solution for this?

Thanks for your response.

Regards,
Jagan

On Mon, Dec 5, 2011 at 10:24 PM, Michael Graff mgr...@isc.org wrote:

I see many valid IP addresses in your list. But that said, are the responses going back large individually, or is it the number of them that is large? If you think this is attempting to crash the server with a single large answer, that's different than if your server is getting a lot of queries from others, where the number of them is large.

Is your server crashing due to these queries? Are these clients ones you intend to provide service to? If not, can you limit access to your server to only those clients you intend to provide service for?

--Michael
Re: Botnet Malware issue on bind BIND 9.7.1-P2
jagan padhi wrote on 12/05/2011 12:16:19 PM:

First of all, I would like to know what all these .ws domains are. Due to these junk domain queries, the CDNS servers' load is getting very high. Yes, there is a limit set in my CDNS server; however, out of 100 queries, 60 are for these junk domains.

Without the RPZ feature of BIND 9.8, you could add a bogus zone for the .ws domain to your servers. Either return an answer for *.ws as whatever you want, or have just the SOA record. Either way, you're not waiting for a recursive query to time out.

What kind of host is the source of the queries?
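A worked version of the bogus-zone suggestion above, as an added example that is not code from the thread or from ISC: the generator below emits the named.conf stanza and the zone file for a sinkhole zone, either SOA-only, so every name under it gets an immediate NXDOMAIN from the local server, or with a wildcard A record pointing at a sinkhole address. The directory /etc/bind/sinkhole, the `localhost.` SOA and NS names and the serial are assumptions; substitute your own. Two caveats a practitioner will want: making your resolvers authoritative for all of `ws` also hides every real .ws name, including www.cbox.ws which appears in the capture, so `sinkhole_bundle` applied to the specific junk names (or RPZ on 9.8 and later) is the safer route; and the SOA minimum field becomes the negative-cache TTL, which decides how long clients and downstream caches hold the NXDOMAIN before asking again.

```python
# Added example (not from the thread): generate a BIND sinkhole zone so named answers
# locally for a domain instead of recursing for every new name under it.

SOA_SERIAL = 2011120501   # assumed: date-based serial, bump on every edit
NEG_TTL = 3600            # SOA minimum: how long an NXDOMAIN is cached downstream

def sinkhole_zone(origin, sink_addr=None, serial=SOA_SERIAL, neg_ttl=NEG_TTL):
    """Zone file text for `origin` ("ws" or "mlvabdz.ws").
    sink_addr=None: SOA-only zone, every name below the apex gets NXDOMAIN.
    sink_addr set:  wildcard A record, every name resolves to the sinkhole address."""
    lines = [
        f"$ORIGIN {origin}.",
        f"$TTL {neg_ttl}",
        # named refuses to load a zone that lacks SOA or NS at the apex; the
        # localhost. names are placeholders, nothing follows this delegation.
        f"@ IN SOA localhost. hostmaster.localhost. ( {serial} 3600 900 604800 {neg_ttl} )",
        "@ IN NS localhost.",
    ]
    if sink_addr:
        lines.append(f"* IN A {sink_addr}")
    return "\n".join(lines) + "\n"

def named_conf_stanza(origin, zone_dir="/etc/bind/sinkhole"):
    """named.conf fragment in BIND 9.7 'type master' syntax; zone_dir is assumed."""
    return (
        f'zone "{origin}" IN {{\n'
        "    type master;\n"
        f'    file "{zone_dir}/{origin}.zone";\n'
        "    allow-update { none; };\n"
        "};\n"
    )

def check_zone(text):
    """Minimal load-time sanity check: apex SOA and NS present, SOA timers numeric.
    Run named-checkzone on the real file; this only catches the common slips."""
    problems = []
    records = [ln.split() for ln in text.splitlines() if ln and not ln.startswith("$")]
    apex_types = {r[2] for r in records if len(r) > 2 and r[0] == "@"}
    if "SOA" not in apex_types:
        problems.append("no SOA at apex")
    if "NS" not in apex_types:
        problems.append("no NS at apex (named will refuse to load the zone)")
    for r in records:
        if len(r) > 2 and r[2] == "SOA":
            timers = [t for t in r[5:] if t not in ("(", ")")]
            if len(timers) != 5 or not all(t.isdigit() for t in timers):
                problems.append("SOA needs serial, refresh, retry, expire, minimum")
    return problems

def sinkhole_bundle(origins, sink_addr=None):
    """named.conf text plus {origin: zone text} for a list of domains, e.g. the junk
    names seen in the capture, so legitimate .ws names are left alone."""
    conf = "".join(named_conf_stanza(o) for o in origins)
    zones = {o: sinkhole_zone(o, sink_addr) for o in origins}
    for o, z in zones.items():
        assert not check_zone(z), (o, check_zone(z))
    return conf, zones

if __name__ == "__main__":
    conf, zones = sinkhole_bundle(["mlvabdz.ws", "xoguzsdl.ws"])
    print(conf)
    print(zones["mlvabdz.ws"])
```

Write each zone text to the path named in its stanza, include the stanza text from `named.conf`, run `named-checkzone <origin> <file>` on each file, then `rndc reconfig`. `check_zone` only catches the two slips that stop named loading a hand-written zone (missing apex NS, malformed SOA); it is not a substitute for named-checkzone.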