Re: [botnets] Domain list query...
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--

I see two possibilities:

My first guess would be a DDOS type attack - if an attacker could find a number of DNS servers that would actually request a transfer in response to a NOTIFY for an arbitrary domain, and at least one nameserver for that domain allows zone transfers, then he could have an enormous bandwidth amplifier - send out a hundred NOTIFYs per second, and your target gets stuck transferring the entire zone a hundred times a second.

The second possibility I can imagine would be a DNS cache poisoning attack - if you can trick your victim's nameserver into launching an NS query, and spoof the response, then you can become the nameserver for that domain for a time.

Checking a few of those domains at random, I got NXDOMAIN responses - which suggests the DDOS angle doesn't make much sense.

Regards
Mark

On 9/5/07, Alan Clegg [EMAIL PROTECTED] wrote:
> I have a client whose nameservers are being flooded by DNS NOTIFY packets for the list of domains at the bottom of this message. Beyond the domains being used as spam sources, does anyone on the list see anything that links these domains? We are trying to figure out the commonality between them that would cause the behavior that we are seeing...
>
> Why would about eight machines be pummeling a major provider's DNS servers with NOTIFY (i.e., domain updated, please do a transfer) messages?

___
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
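As an added example (not code from the thread or from any of the posters), here is a defender-side triage of NOTIFY traffic along the lines Mark lays out: it separates NOTIFYs for zones the server is not a secondary for (the spam-domain case Alan reports) from NOTIFYs for its own zones arriving from the wrong source (the precondition for the transfer-amplification case), and counts per-source floods. It assumes BIND-style log lines; the sample log, the source addresses and the SECONDARY_ZONES policy are constructed.

```python
"""Triage DNS NOTIFY traffic in BIND-style logs. Added example, not from the
thread; assumes BIND-like lines "client A.B.C.D#port: received notify for zone
'x'" and a hypothetical policy of one legitimate primary per secondary zone."""
import re
from collections import Counter

LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<src>[0-9.]+)#\d+: "
                    r"received notify for zone '(?P<zone>[^']+)'")

# Hypothetical policy: zones this server is a secondary for -> the only primary allowed to NOTIFY.
SECONDARY_ZONES = {"example.net": "192.0.2.10"}
# Constructed sample log (documentation-range addresses; zone names taken from the thread).
SAMPLE_LOG = [
    "05-Sep-2007 10:00:01.001 client 198.51.100.7#4567: received notify for zone 'abysscastor.info'",
    "05-Sep-2007 10:00:01.002 client 198.51.100.7#4567: received notify for zone 'advizehint.com'",
    "05-Sep-2007 10:00:01.003 client 198.51.100.7#4567: received notify for zone 'ailisar.com'",
    "05-Sep-2007 10:00:01.004 client 198.51.100.7#4567: received notify for zone 'applander.com'",
    "05-Sep-2007 10:00:01.005 client 198.51.100.7#4567: received notify for zone 'baserocket.com'",
    "05-Sep-2007 10:00:02.000 client 192.0.2.10#53: received notify for zone 'example.net'",
    "05-Sep-2007 10:00:03.000 client 203.0.113.9#53: received notify for zone 'example.net'",
    "05-Sep-2007 10:00:04.000 client 192.0.2.55#1234: query: www.example.net IN A +",
]

def parse_notify(line):
    """Return (timestamp, source_ip, zone) for a NOTIFY line, else None."""
    m = LOG_RE.match(line)
    return (m["ts"], m["src"], m["zone"].lower()) if m else None

def triage(lines, secondary_zones=SECONDARY_ZONES, flood_threshold=5):
    """Bucket NOTIFYs: 'unexpected' = zones we are not secondary for (must never
    start a transfer, but still burn cycles at volume); 'spoofed_primary' = our
    zone from the wrong source (the transfer-amplification precondition Mark
    describes); 'floods' = sources at or above flood_threshold NOTIFYs."""
    unexpected, spoofed_primary, per_src = [], [], Counter()
    for line in lines:
        rec = parse_notify(line)
        if rec is None:
            continue                       # not a NOTIFY line, ignore
        _ts, src, zone = rec
        per_src[src] += 1
        if zone not in secondary_zones:
            unexpected.append((src, zone))
        elif secondary_zones[zone] != src:
            spoofed_primary.append((src, zone))
    floods = {s: n for s, n in per_src.items() if n >= flood_threshold}
    return {"unexpected": unexpected, "spoofed_primary": spoofed_primary, "floods": floods}

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {hits}")
```

A NOTIFY in the "unexpected" bucket is harmless only if the server really refuses to act on it; the "spoofed_primary" bucket is the one to alert on, since a server that answers it with a transfer request is the amplifier Mark describes.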
[botnets] Domain list query...
I have a client whose nameservers are being flooded by DNS NOTIFY packets for the list of domains at the bottom of this message. Beyond the domains being used as spam sources, does anyone on the list see anything that links these domains? We are trying to figure out the commonality between them that would cause the behavior that we are seeing...

Why would about eight machines be pummeling a major provider's DNS servers with NOTIFY (i.e., domain updated, please do a transfer) messages?

Here's the list:

Thanks,
AlanC
--
In the beginning of a change, the patriot is a scarce man, brave, hated, and scorned. When his cause succeeds however, the timid join him, for then it cost nothing to be a patriot.
Re: [botnets] Domain list query...
So, what they share is the same dirty nameservers. I picked one domain you listed below at random:

Domain ID:D15763363-LRMS
Domain Name:ABYSSCASTOR.INFO
Created On:18-Dec-2006 19:56:35 UTC
Last Updated On:16-Feb-2007 20:36:18 UTC
Expiration Date:18-Dec-2007 19:56:35 UTC
Sponsoring Registrar:CSL Computer Service Langenbach GmbH d/b/a joker.com (R161-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:CAFI-234229
Registrant Name:Wang Tim
Registrant Organization:Wang Tim
Registrant Street1:5905 N Oketo Ave
Registrant Street2:
Registrant Street3:
Registrant City:Chicago
Registrant State/Province:IL
Registrant Postal Code:60631
Registrant Country:US
Registrant Phone:+1.7736318184
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:[EMAIL PROTECTED]
Admin ID:CAFI-234228
Admin Name:Wang Tim
Admin Organization:Wang Tim
Admin Street1:5905 N Oketo Ave
Admin Street2:
Admin Street3:
Admin City:Chicago
Admin State/Province:IL
Admin Postal Code:60631
Admin Country:US
Admin Phone:+1.7736318184
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:[EMAIL PROTECTED]
Billing ID:CAFI-234228
Billing Name:Wang Tim
Billing Organization:Wang Tim
Billing Street1:5905 N Oketo Ave
Billing Street2:
Billing Street3:
Billing City:Chicago
Billing State/Province:IL
Billing Postal Code:60631
Billing Country:US
Billing Phone:+1.7736318184
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:[EMAIL PROTECTED]
Tech ID:CAFI-234228
Tech Name:Wang Tim
Tech Organization:Wang Tim
Tech Street1:5905 N Oketo Ave
Tech Street2:
Tech Street3:
Tech City:Chicago
Tech State/Province:IL
Tech Postal Code:60631
Tech Country:US
Tech Phone:+1.7736318184
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:[EMAIL PROTECTED]
Name Server:NS1.XETOPNET.COM
Name Server:NS2.LOERJAMM.COM
Name Server:NS2.ASDERDUB.COM
Name Server:NS1.THEBLACKRAINS.NET

Every single domain served by NS1.XETOPNET.COM is RBL listed because of previous malicious activity or spamming:

ns host ip: 201.236.86.60
There are 6 ns hosts in same /24