[nsp-sec] Inboot.me - vboot.us using DRDoS as a paid service
Shelton, Steve
sshelton at Cogentco.com
Tue Sep 30 14:59:10 EDT 2014
Hello,
Thanks for the feedback! The queries as of late are for smar.vboot.us TXT. The text file is rather large! I assume that they would be hitting a ton of open resolvers.
07:09:23.558132 IP (tos 0x0, ttl 53, id 51887, offset 0, flags [+], proto UDP (17), length 1500) 38.75.196.20.53 > 192.223.28.x.32644: 31549 1/2/2 smar.vboot.us. TXT[|domain]
0x0000: 4500 05dc caaf 2000 3511 cd60 264b c414 E.......5..`&K..
0x0010: c0df 1cc2 0035 7f84 105a d153 7b3d 8180 .....5...Z.S{=..
0x0020: 0001 0001 0002 0002 0473 6d61 7205 7662 .........smar.vb
0x0030: 6f6f 7402 7573 0000 ff00 01c0 0c00 1000 oot.us..........
0x0040: 0100 0000 3b0f d0fc 696e 626f 6f74 2e6d ....;...inboot.m
0x0050: 652d e-
Steve Shelton
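Added example (my own Python, not code from the thread): a decode of the DNS payload in the hexdump above. It shows that the question section is actually an ANY query (type 255) whose first answer is a TXT record carrying 4048 bytes of rdata in a fragmented first packet, and it estimates how much response a single 31-byte query buys, which is why open resolvers answering this name make such an effective reflector. The byte string is copied from the hex columns of the capture, truncated where the capture is.

```python
import struct

# Bytes copied from the hex columns of the capture above, cut where it is cut.
CAPTURE_HEX = (
    "4500 05dc caaf 2000 3511 cd60 264b c414 c0df 1cc2"   # IPv4 header, MF flag set
    "0035 7f84 105a d153"                                 # UDP header, source port 53
    "7b3d 8180 0001 0001 0002 0002"                       # DNS header: 1 Q, 1 AN, 2 NS, 2 AR
    "0473 6d61 7205 7662 6f6f 7402 7573 00 00ff 0001"     # question: smar.vboot.us ANY IN
    "c00c 0010 0001 0000003b 0fd0 fc 696e 626f 6f74 2e6d 652d"  # answer: TXT, rdlen 4048
)
PACKET = bytes.fromhex(CAPTURE_HEX.replace(" ", ""))

def read_name(buf, off):
    """Return (name, next_offset); follows RFC 1035 compression pointers."""
    labels = []
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:                              # 2-byte pointer
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(buf, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def decode_response(pkt):
    """Parse IPv4/UDP/DNS headers, the question and the first answer RR."""
    ihl = (pkt[0] & 0x0F) * 4
    more_fragments = bool(pkt[6] & 0x20)                  # what tcpdump prints as flags [+]
    dns = pkt[ihl + 8:]                                   # skip IPv4 and UDP headers
    txid, flags, *_ = struct.unpack("!6H", dns[:12])
    qname, off = read_name(dns, 12)
    qtype, _qclass = struct.unpack("!HH", dns[off:off + 4])
    off += 4
    query_bytes = off                                     # header + question = the eliciting query
    _owner, off = read_name(dns, off)                     # c00c points back at qname
    atype, _aclass, ttl, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
    off += 10
    txt_len = dns[off]                                    # TXT rdata is <len><chars> strings
    txt_prefix = dns[off + 1:off + 1 + txt_len].decode("ascii", "replace")
    min_response_bytes = query_bytes + 2 + 10 + rdlen     # before the 2 NS and 2 AR records
    return {
        "txid": txid, "is_response": bool(flags & 0x8000), "qname": qname,
        "qtype": qtype, "answer_type": atype, "ttl": ttl, "rdlength": rdlen,
        "txt_prefix": txt_prefix, "more_fragments": more_fragments,
        "amplification": round(min_response_bytes / query_bytes, 1),
    }
```

The amplification figure is a floor: the capture only shows the first fragment and the first of five records, so the real response is larger still.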
-----Original Message-----
From: Rodney Joffe [mailto:rjoffe at centergate.com]
Sent: Tuesday, September 30, 2014 2:49 PM
To: Shelton, Steve
Cc: NSP-SEC List
Subject: Re: [nsp-sec] Inboot.me - vboot.us using DRDoS as a paid service
We've seen:
On Sep 30, 2014, at 9:04 AM, John Kristoff <jtk at cymru.com> wrote:
> ----------- nsp-security Confidential --------
>
> On Tue, 30 Sep 2014 11:01:32 +0000
> "Shelton, Steve" <sshelton at Cogentco.com> wrote:
>
>> Did anyone happen to see this yesterday hitting their resolvers?
>
> The DRG and my own resolvers have seen some ANY queries for
> smar.vboot.us from 81.17.20.38 on September 27, 2014, all happening
> around the 1930 UTC time frame.
>
> In a cursory search, I've not seen the inboot.me name queried for
> anywhere recently.
>
> John
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________