[nsp-sec] Inboot.me - vboot.us using DRDoS as a paid service

Rodney Joffe rjoffe at centergate.com
Tue Sep 30 15:15:43 EDT 2014


Interestingly, I find nothing for smar.vboot.us. I do find some vboot.us records:

{
  "info": "12 results found.",
  "results": [
    {
      "domain": "vboot.us",
      "qname": "vboot.us",
      "qtype": "15",
      "date": "2014-08-04T08:48:59Z",
      "type": "mx",
      "value": "dc-6b04573a.vboot.us"
    },
    {
      "domain": "vboot.us",
      "qname": "vboot.us",
      "qtype": "1",
      "date": "2014-08-04T08:48:59Z",
      "type": "ip",
      "value": "104.28.27.117",
      "value_ip": "104.28.27.117"
    },
    {
      "domain": "vboot.us",
      "qname": "vboot.us",
      "qtype": "1",
      "date": "2014-08-04T08:48:59Z",
      "type": "ip",
      "value": "104.28.26.117",
      "value_ip": "104.28.26.117"
    },
    {
      "domain": "vboot.us",
      "qname": "vboot.us",
      "qtype": "28",
      "date": "2014-08-03T11:27:41Z",
      "type": "aaaa",
      "value": "2400:cb00:2048:1::681c:1a75"
    },
    {
      "domain": "vboot.us",
      "qname": "vboot.us",
      "qtype": "28",
      "date": "2014-08-03T11:27:41Z",
      "type": "aaaa",
      "value": "2400:cb00:2048:1::681c:1b75"
    },
    {
      "domain": "vboot.us",
      "qname": "vboot.us",
      "qtype": "2",
      "date": "2014-08-24T12:17:14.000Z",
      "type": "ns",
      "value": "lucy.ns.cloudflare.com"
    },
    {
      "domain": "vboot.us",
      "qname": "vboot.us",
      "qtype": "2",
      "date": "2014-08-24T12:17:14.000Z",
      "type": "ns",
      "value": "eric.ns.cloudflare.com"
    },
    {
      "domain": "vboot.us",
      "qname": "vboot.us",
      "qtype": "15",
      "date": "2014-08-24T12:17:14.000Z",
      "type": "mx",
      "value": "dc-6b04573a.vboot.us"
    },
    {
      "domain": "vboot.us",
      "qname": "smar.vboot.us",
      "qtype": "1",
      "date": "2014-09-27T19:31:11.000Z",
      "type": "ip",
      "value": "0.0.0.0",
      "value_ip": "0.0.0.0"
    },
    {
      "domain": "vboot.us",
      "qname": "vboot.us",
      "qtype": "1",
      "date": "2014-09-29T05:29:48.000Z",
      "type": "ip",
      "value": "108.162.198.214",
      "value_ip": "108.162.198.214"
    },
    {
      "domain": "vboot.us",
      "qname": "vboot.us",
      "qtype": "1",
      "date": "2014-09-29T05:29:48.000Z",
      "type": "ip",
      "value": "199.233.245.136",
      "value_ip": "199.233.245.136"
    },
    {
      "domain": "vboot.us",
      "qname": "vboot.us",
      "qtype": "1",
      "date": "2014-09-29T05:29:48.000Z",
      "type": "ip",
      "value": "108.162.199.214",
      "value_ip": "108.162.199.214"
    }
  ]
}


On Sep 30, 2014, at 11:59 AM, Shelton, Steve <sshelton at Cogentco.com> wrote:

> Hello,
> 
> Thanks for the feedback!  The queries as of late are for smar.vboot.us TXT.  The text file is rather large!  I assume that they would be hitting a ton of open resolvers.
> 
> 07:09:23.558132 IP (tos 0x0, ttl 53, id 51887, offset 0, flags [+], proto UDP (17), length 1500) 38.75.196.20.53 > 192.223.28.x.32644: 31549 1/2/2 smar.vboot.us. TXT[|domain]
> 	0x0000:  4500 05dc caaf 2000 3511 cd60 264b c414  E.......5..`&K..
> 	0x0010:  c0df 1cc2 0035 7f84 105a d153 7b3d 8180  .....5...Z.S{=..
> 	0x0020:  0001 0001 0002 0002 0473 6d61 7205 7662  .........smar.vb
> 	0x0030:  6f6f 7402 7573 0000 ff00 01c0 0c00 1000  oot.us..........
> 	0x0040:  0100 0000 3b0f d0fc 696e 626f 6f74 2e6d  ....;...inboot.m
> 	0x0050:  652d                                     e-
> 
> Steve Shelton
> 
> -----Original Message-----
> From: Rodney Joffe [mailto:rjoffe at centergate.com] 
> Sent: Tuesday, September 30, 2014 2:49 PM
> To: Shelton, Steve
> Cc: NSP-SEC List
> Subject: Re: [nsp-sec] Inboot.me - vboot.us using DRDoS as a paid service
> 
> We've seen:
> {
>  "info": "22 results found.",
>  "results": [
>    {
>      "domain": "inboot.me",
>      "qname": "inboot.me",
>      "qtype": "1",
>      "date": "2014-08-01T04:01:01Z",
>      "type": "ip",
>      "value": "104.28.31.68",
>      "value_ip": "104.28.31.68"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "inboot.me",
>      "qtype": "1",
>      "date": "2014-08-01T04:01:01Z",
>      "type": "ip",
>      "value": "104.28.30.68",
>      "value_ip": "104.28.30.68"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "inboot.me",
>      "qtype": "28",
>      "date": "2014-08-05T07:23:03Z",
>      "type": "aaaa",
>      "value": "2400:cb00:2048:1::681c:1f44"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "inboot.me",
>      "qtype": "28",
>      "date": "2014-08-05T07:23:03Z",
>      "type": "aaaa",
>      "value": "2400:cb00:2048:1::681c:1e44"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "inboot.me",
>      "qtype": "28",
>      "date": "2014-08-15T19:13:45Z",
>      "type": "aaaa",
>      "value": "2400:cb00:2048:1::6ca2:cdc3"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "inboot.me",
>      "qtype": "28",
>      "date": "2014-08-15T19:13:45Z",
>      "type": "aaaa",
>      "value": "2400:cb00:2048:1::6ca2:cec3"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "inboot.me",
>      "qtype": "1",
>      "date": "2014-08-14T22:36:53Z",
>      "type": "ip",
>      "value": "108.162.205.195",
>      "value_ip": "108.162.205.195"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "inboot.me",
>      "qtype": "1",
>      "date": "2014-08-14T22:36:53Z",
>      "type": "ip",
>      "value": "108.162.206.195",
>      "value_ip": "108.162.206.195"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "www.inboot.me",
>      "qtype": "1",
>      "date": "2014-08-17T07:10:14Z",
>      "type": "name",
>      "value": "inboot.me"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "www.inboot.me",
>      "qtype": "1",
>      "date": "2014-08-17T07:10:14Z",
>      "type": "ip",
>      "value": "108.162.206.195",
>      "value_ip": "108.162.206.195"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "www.inboot.me",
>      "qtype": "1",
>      "date": "2014-08-17T07:10:14Z",
>      "type": "ip",
>      "value": "108.162.205.195",
>      "value_ip": "108.162.205.195"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "www.inboot.me",
>      "qtype": "1",
>      "date": "2014-08-17T07:10:14Z",
>      "type": "cname",
>      "value": "inboot.me"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "www.inboot.me",
>      "qtype": "28",
>      "date": "2014-08-17T07:15:08Z",
>      "type": "name",
>      "value": "inboot.me"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "www.inboot.me",
>      "qtype": "28",
>      "date": "2014-08-17T07:15:08Z",
>      "type": "aaaa",
>      "value": "2400:cb00:2048:1::6ca2:cec3"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "www.inboot.me",
>      "qtype": "28",
>      "date": "2014-08-17T07:15:08Z",
>      "type": "aaaa",
>      "value": "2400:cb00:2048:1::6ca2:cdc3"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "www.inboot.me",
>      "qtype": "28",
>      "date": "2014-08-17T07:15:08Z",
>      "type": "cname",
>      "value": "inboot.me"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "inboot.me",
>      "qtype": "1",
>      "date": "2014-08-19T14:45:07Z",
>      "type": "ip",
>      "value": "67.215.66.149",
>      "value_ip": "67.215.66.149"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "inboot.me",
>      "qtype": "2",
>      "date": "2014-08-29T18:48:22.000Z",
>      "type": "ns",
>      "value": "lucy.ns.cloudflare.com"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "inboot.me",
>      "qtype": "2",
>      "date": "2014-08-29T18:48:22.000Z",
>      "type": "ns",
>      "value": "eric.ns.cloudflare.com"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "inboot.me",
>      "qtype": "1",
>      "date": "2014-09-15T12:53:37.000Z",
>      "type": "ip",
>      "value": "107.23.255.195",
>      "value_ip": "107.23.255.195"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "inboot.me",
>      "qtype": "1",
>      "date": "2014-09-30T12:27:37.000Z",
>      "type": "ip",
>      "value": "190.93.254.153",
>      "value_ip": "190.93.254.153"
>    },
>    {
>      "domain": "inboot.me",
>      "qname": "inboot.me",
>      "qtype": "1",
>      "date": "2014-09-30T12:27:37.000Z",
>      "type": "ip",
>      "value": "190.93.255.153",
>      "value_ip": "190.93.255.153"
>    }
>  ]
> }
> 
> 
> On Sep 30, 2014, at 9:04 AM, John Kristoff <jtk at cymru.com> wrote:
> 
>> ----------- nsp-security Confidential --------
>> 
>> On Tue, 30 Sep 2014 11:01:32 +0000
>> "Shelton, Steve" <sshelton at Cogentco.com> wrote:
>> 
>>> Did anyone happen to see this yesterday hitting their resolvers?
>> 
>> The DRG and my own resolvers have seen some ANY queries for 
>> smar.vboot.us from 81.17.20.38 on September 27, 2014, all happening 
>> around the 1930 UTC time frame.
>> 
>> In a cursory search, I've not seen the inboot.me name queried for 
>> anywhere recently.
>> 
>> John
>> 
>> 
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>> 
>> Please do not Forward, CC, or BCC this E-mail outside of the 
>> nsp-security community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
> 
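Added example (not part of the original thread): a decoder for the truncated tcpdump capture quoted above, showing what a responder can read from the first fragment of such a response: the DNS header flags, the question, and the size the first answer record declares. The byte string is copied from the quoted hex dump starting at the UDP header; the function names and the amplification estimate are this example's own.

```python
import struct

# Bytes from the tcpdump hex dump quoted in the thread, starting at offset
# 0x14 (UDP header). The 20-byte IP header is deliberately left out.
CAPTURE_HEX = """
0035 7f84 105a d153 7b3d 8180
0001 0001 0002 0002 0473 6d61 7205 7662
6f6f 7402 7573 0000 ff00 01c0 0c00 1000
0100 0000 3b0f d0fc 696e 626f 6f74 2e6d
652d
"""

def read_name(msg, off):
    """Read an uncompressed DNS name; return (name, offset just past it)."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def decode(raw):
    sport, dport, udp_len, _csum = struct.unpack("!4H", raw[:8])
    dns = raw[8:]
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", dns[:12])
    qname, off = read_name(dns, 12)
    qtype, _qclass = struct.unpack("!2H", dns[off:off + 4])
    query_len = off + 4  # header + question = smallest query that elicits this
    # First answer RR: 2-byte compression pointer, type, class, TTL, RDLENGTH.
    _ptr, rtype, _rclass, ttl, rdlen = struct.unpack(
        "!3HIH", dns[query_len:query_len + 12])
    txt = dns[query_len + 12:]
    return {
        "src_port": sport, "dst_port": dport, "udp_len": udp_len,
        "txid": txid, "counts": (qd, an, ns, ar),
        "is_response": bool(flags & 0x8000),
        "recursion_available": bool(flags & 0x0080),
        "truncated": bool(flags & 0x0200),
        "qname": qname, "qtype": qtype,
        "answer_type": rtype, "ttl": ttl, "rdlength": rdlen,
        "first_txt_len": txt[0], "visible_txt": txt[1:].decode("ascii"),
        # Upper bound: assumes a bare query with no EDNS0 OPT record.
        "amplification_upper_bound": (udp_len - 8) // query_len,
    }

if __name__ == "__main__":
    for key, value in decode(bytes.fromhex(CAPTURE_HEX)).items():
        print(f"{key}: {value}")
```

On these bytes the UDP length field is 4186, which is why the 1500-byte packet carries the more-fragments flag, and the first answer is a TXT record declaring 4048 bytes of RDATA in response to a question of type 255 (ANY).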




