[nsp-sec] [DDoS - City of New York]
Rob Thomas
robt at cymru.com
Tue Aug 23 11:51:04 EDT 2011
Hey, Beth & Kris.
> From Kris Trower's research, 141.136.16.14 using similar domains. The click* domains were serving up FakeAV.
>
> 141.136.16.14:
Interesting, thanks! I ran the query-o-nator on 141.136.16.0/24,
figuring there might be a collection of badness across it. We see some
interesting DNS RRs in it.
stamp | qname | class | type | rdata
--------------------+----------------------------+-------+------+---------------
2011-08-01 00:01:34 | findtry.org | IN | A | 141.136.16.13
2011-08-01 00:01:34 | findtube.org | IN | A | 141.136.16.13
2011-08-01 23:33:20 | clickaugusta.org | IN | A | 141.136.16.14
2011-08-01 23:34:53 | finddelightful.org | IN | A | 141.136.16.13
2011-08-01 23:34:54 | findtrace.org | IN | A | 141.136.16.14
2011-08-01 23:34:54 | findtune.org | IN | A | 141.136.16.13
2011-08-01 23:34:54 | findtoy.org | IN | A | 141.136.16.14
2011-08-01 23:34:54 | findtrack.org | IN | A | 141.136.16.14
2011-08-04 00:51:21 | findturn.org | IN | A | 141.136.16.13
2011-08-04 00:51:22 | findtraffic.org | IN | A | 141.136.16.14
2011-08-05 14:49:38 | privjuisei.dlinkddns.com | IN | A | 141.136.16.50
2011-08-06 05:41:33 | tuqlifittiru.ax.lt | IN | A | 141.136.16.50
2011-08-06 11:32:14 | lerssanlo.dlinkddns.com | IN | A | 141.136.16.50
2011-08-06 18:49:16 | padddiracos.sytes.net | IN | A | 141.136.16.50
2011-08-07 02:51:08 | findtrail.org | IN | A | 141.136.16.14
2011-08-07 02:51:08 | findtwenty.org | IN | A | 141.136.16.13
2011-08-07 16:04:25 | neomwojin.dlinkddns.com | IN | A | 141.136.16.50
2011-08-07 17:28:03 | d0llyrifiljitt.jpe.gs | IN | A | 141.136.16.50
2011-08-07 20:34:19 | jiillililijul.jul.li | IN | A | 141.136.16.50
2011-08-07 22:50:35 | keycilla.dlinkddns.com | IN | A | 141.136.16.50
2011-08-08 12:04:38 | inmapo.dlinkddns.com | IN | A | 141.136.16.50
2011-08-08 12:57:44 | uijlftirijillim.mil.nf | IN | A | 141.136.16.50
2011-08-08 14:36:00 | quelareakc.dlinkddns.com | IN | A | 141.136.16.50
2011-08-08 23:47:20 | dregorparcau.sytes.net | IN | A | 141.136.16.50
2011-08-09 10:32:18 | liftifirigjrea.ax.lt | IN | A | 141.136.16.50
2011-08-09 12:44:38 | kaigifworl.dlinkddns.com | IN | A | 141.136.16.50
2011-08-09 13:26:44 | sillifjivver.cf.gs | IN | A | 141.136.16.50
2011-08-09 18:53:46 | vauconshuff.dlinkddns.com | IN | A | 141.136.16.50
2011-08-10 09:16:59 | yjlilijul.jul.li | IN | A | 141.136.16.50
2011-08-10 17:25:30 | ijilihlhuvv.cf.gs | IN | A | 141.136.16.50
2011-08-10 20:17:02 | pheocrazol.dlinkddns.com | IN | A | 141.136.16.50
2011-08-10 22:19:40 | lasacar.dlinkddns.com | IN | A | 141.136.16.50
2011-08-11 05:39:17 | nosaho.dlinkddns.com | IN | A | 141.136.16.50
2011-08-11 05:47:01 | vv0llyif0lliift.jpe.gs | IN | A | 141.136.16.50
2011-08-11 06:04:58 | whonapeno.sytes.net | IN | A | 141.136.16.50
2011-08-11 18:30:54 | iflfiffiflflij.jul.li | IN | A | 141.136.16.50
2011-08-11 20:42:15 | fasifrilljilir.ax.lt | IN | A | 141.136.16.50
2011-08-12 03:33:24 | imgarea.org | IN | A | 141.136.16.50
2011-08-12 04:56:37 | findtrain.org | IN | A | 141.136.16.14
2011-08-12 04:56:37 | findtwice.org | IN | A | 141.136.16.13
2011-08-12 05:46:15 | vijiriftiff.ax.lt | IN | A | 141.136.16.50
2011-08-12 07:46:37 | finsandcor.dlinkddns.com | IN | A | 141.136.16.50
2011-08-12 22:08:08 | q0nilirifflib.cf.gs | IN | A | 141.136.16.50
2011-08-13 08:03:37 | prosyzprot.dlinkddns.com | IN | A | 141.136.16.50
2011-08-13 09:24:40 | j0ilifittir0jyx.jpe.gs | IN | A | 141.136.16.50
2011-08-13 09:57:26 | blansuppfirmpu.sytes.net | IN | A | 141.136.16.50
2011-08-13 19:43:27 | njinililljivv.mil.nf | IN | A | 141.136.16.50
2011-08-14 08:40:07 | illilli0ffit.ax.lt | IN | A | 141.136.16.50
2011-08-14 09:36:49 | unuffjtritlij.mil.nf | IN | A | 141.136.16.50
2011-08-14 16:41:42 | trapunvil.dlinkddns.com | IN | A | 141.136.16.50
2011-08-14 22:45:31 | hochebes.dlinkddns.com | IN | A | 141.136.16.50
2011-08-15 01:52:56 | jacksici.dlinkddns.com | IN | A | 141.136.16.50
2011-08-15 12:58:41 | ftijrittilil.ax.lt | IN | A | 141.136.16.51
2011-08-15 17:47:14 | granpokhsa.dlinkddns.com | IN | A | 141.136.16.50
2011-08-16 12:27:15 | findtwo.org | IN | A | 141.136.16.13
2011-08-16 17:51:55 | vvtifillirilm.mil.nf | IN | A | 141.136.16.51
2011-08-16 20:45:44 | www.dxugbfdk.cjb.net | IN | A | 141.136.16.50
2011-08-16 21:39:32 | kaconsi.dlinkddns.com | IN | A | 141.136.16.50
2011-08-17 02:51:17 | findtransportation.org | IN | A | 141.136.16.14
2011-08-17 06:24:16 | jeftfrilirififtt.cf.gs | IN | A | 141.136.16.51
2011-08-17 18:45:34 | jiujillijiujui.jul.li | IN | A | 141.136.16.51
2011-08-17 21:16:21 | diametica.sytes.net | IN | A | 141.136.16.50
2011-08-18 04:39:36 | ejiirtittililex.ax.lt | IN | A | 141.136.16.51
2011-08-18 10:50:20 | puedunbu.dlinkddns.com | IN | A | 141.136.16.50
2011-08-18 21:54:32 | trrillifilm.mil.nf | IN | A | 141.136.16.51
2011-08-18 22:16:49 | www.ztcayptfb.cjb.net | IN | A | 141.136.16.50
2011-08-19 06:44:51 | tifirillijins.ro.lt | IN | A | 141.136.16.51
2011-08-19 12:01:03 | cunana.dlinkddns.com | IN | A | 141.136.16.50
2011-08-19 17:51:10 | findtrap.org | IN | A | 141.136.16.14
2011-08-20 10:10:19 | menbirdgi.dlinkddns.com | IN | A | 141.136.16.50
2011-08-20 13:20:02 | dfdggh6jds.cx.cc | IN | A | 141.136.16.50
2011-08-20 14:21:06 | bloghapci.dlinkddns.com | IN | A | 141.136.16.50
2011-08-20 15:51:08 | findtype.org | IN | A | 141.136.16.13
2011-08-20 22:36:58 | rattranming.dlinkddns.com | IN | A | 141.136.16.50
2011-08-21 01:44:29 | dfg54hdfd.cx.cc | IN | A | 141.136.16.50
2011-08-21 10:45:17 | gestsibea.dlinkddns.com | IN | A | 141.136.16.50
2011-08-22 11:56:09 | prompate.dlinkddns.com | IN | A | 141.136.16.50
2011-08-23 01:30:43 | prosipthroug.dlinkddns.com | IN | A | 141.136.16.50
We see 630 malware samples pointed to hosts in 141.136.16.0/24.
Anyone have a trusted contact here:
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
50515 | 141.136.16.0 | 141.136.16.0/24 | RO | ripencc | 2011-06-29 | TIER-DATA-CENTER Tier SRL
Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
"Say little and do much." M Avot 1:15
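The two pivots in the message above (walk the passive-DNS records whose rdata falls inside a /24, group the names by IP and flag the dynamic-DNS hosts; then map the block to its origin AS with Team Cymru's whois service) are reproduced below as an added example. This is not Rob's code, not Team Cymru's "query-o-nator", and not part of the original thread. The function names, the DDNS_SUFFIXES list and the 141.136.16.48/30 sub-block used in the comments are assumptions made for illustration; the sample rows are copied from the message's own table, and the whois response is a pasted sample in the verbose `whois.cymru.com` format the message shows, so the script runs offline.

```python
"""Passive-DNS pivot over a netblock, plus a parser for Team Cymru's
IP-to-ASN whois output.

Added example, not code from the nsp-sec message or from Team Cymru.
Function names, DDNS_SUFFIXES and the sample inputs are illustrative
assumptions; the pDNS rows are a subset of the message's own table.
"""
import ipaddress
from collections import defaultdict

# Dynamic-DNS / free-subdomain providers. Assumption: an illustrative list
# built from suffixes that appear in the message's table, not authoritative.
DDNS_SUFFIXES = ("dlinkddns.com", "sytes.net", "cjb.net")

# Constructed sample: rows copied from the message, one record per line in
# 'stamp | qname | class | type | rdata' form (header included on purpose).
PDNS_SAMPLE = """\
stamp | qname | class | type | rdata
2011-08-01 23:33:20 | clickaugusta.org | IN | A | 141.136.16.14
2011-08-01 23:34:54 | findtrace.org | IN | A | 141.136.16.14
2011-08-01 23:34:54 | findtune.org | IN | A | 141.136.16.13
2011-08-05 14:49:38 | privjuisei.dlinkddns.com | IN | A | 141.136.16.50
2011-08-06 18:49:16 | padddiracos.sytes.net | IN | A | 141.136.16.50
2011-08-15 12:58:41 | ftijrittilil.ax.lt | IN | A | 141.136.16.51
2011-08-16 20:45:44 | www.dxugbfdk.cjb.net | IN | A | 141.136.16.50
"""


def parse_pdns(text):
    """Parse pipe-delimited passive-DNS rows; skips the header and junk lines."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5 or parts[0] == "stamp":
            continue
        stamp, qname, rclass, rtype, rdata = parts
        rows.append({"stamp": stamp, "qname": qname.lower(), "class": rclass,
                     "type": rtype, "rdata": rdata})
    return rows


def cluster_by_ip(rows, block="141.136.16.0/24"):
    """Group the qnames of A records whose rdata lies inside `block`, by IP."""
    net = ipaddress.ip_network(block)
    groups = defaultdict(set)
    for r in rows:
        if r["type"] != "A":
            continue
        try:
            ip = ipaddress.ip_address(r["rdata"])
        except ValueError:  # malformed rdata: skip it rather than abort the pivot
            continue
        if ip in net:
            groups[str(ip)].add(r["qname"])
    return {ip: sorted(names) for ip, names in groups.items()}


def is_ddns(qname):
    """True if qname is at or under one of the dynamic-DNS provider suffixes."""
    return any(qname == s or qname.endswith("." + s) for s in DDNS_SUFFIXES)


def summarize(rows, block="141.136.16.0/24"):
    """Per-IP counts: names pointing at the IP, and how many of them are DDNS."""
    return {ip: {"names": len(names), "ddns": sum(is_ddns(n) for n in names)}
            for ip, names in cluster_by_ip(rows, block).items()}


def cymru_query_body(ips):
    """Batch body for whois.cymru.com on TCP/43: begin / verbose / IPs / end.
    Send it with, e.g.: printf '%s' "$body" | nc whois.cymru.com 43
    """
    return "begin\nverbose\n" + "".join(ip + "\n" for ip in ips) + "end\n"


# Constructed sample response, in the verbose format shown in the message.
CYMRU_SAMPLE = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
50515   | 141.136.16.0     | 141.136.16.0/24     | RO | ripencc  | 2011-06-29 | TIER-DATA-CENTER Tier SRL
"""


def parse_cymru_whois(text):
    """Parse verbose whois.cymru.com output into {ip: {asn, prefix, cc, ...}}."""
    out = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 7 or parts[0] == "AS":  # header or noise
            continue
        asn, ip, prefix, cc, registry, allocated, asname = parts
        out[ip] = {"asn": int(asn), "prefix": prefix, "cc": cc,
                   "registry": registry, "allocated": allocated,
                   "as_name": asname}
    return out


if __name__ == "__main__":
    rows = parse_pdns(PDNS_SAMPLE)
    for ip, stats in sorted(summarize(rows).items()):
        print(ip, stats)
    print(parse_cymru_whois(CYMRU_SAMPLE)["141.136.16.0"]["as_name"])
```

Run stand-alone it prints one line per IP in the block with the name count and the DDNS count, which is the signal the message is pointing at: the `find*`/`click*` domains pile onto .13 and .14 while .50/.51 collect throwaway dynamic-DNS and free-subdomain names. The rdata check uses `ipaddress` rather than string prefix matching so that a record such as `141.136.160.1` does not false-match the /24.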