[Intrusions] We are experiencing a DDoS attacking one of our domains - mpecllc.com
Barnett, Ryan C. (EDS)
Ryan.Barnett at atf.gov
Wed Jan 19 21:41:18 GMT 2005
Hey David,
I see that your domain is back up! So, what happened? Did you implement something that could handle the DDoS attack or did they just give up?
Regardless, it is good to see that it is back online.
Most Respectfully,
Ryan C. Barnett
SANS: GCIA, GCFA, GCIH, GCUX, GSEC
Department of Justice - ATF
Information Services Division
Operations Security Team Lead
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org]On Behalf Of David McCall
> Sent: Tuesday, January 18, 2005 12:17 PM
> To: Intrusions List (GCIA Practicals)
> Subject: RE: [Intrusions] We are experiencing a DDoS attacking one
> of our domains - mpecllc.com
>
>
> > David, best of luck at three today. We are all pulling for you and
> > please keep us posted.
> > your friend in the ether, Richard Golodner
>
> Hi all,
>
> No luck yet with the firewall testing still in progress. Here's a snippet of
> 1/6 of our load balanced DNS servers just a few min. ago:
>
> As you can see the attack is still alive and kicking.
>
>
> David C.McCall
> UNIX Administrator
> ===================
> EschelonTelecom
> admin at atgi.net
> david at atgi.net
>
> -----Original Message-----
> From: David McCall [mailto:david at atgi.net]
> Sent: Monday, January 17, 2005 4:01 PM
> To: Intrusions List (GCIA Practicals)
> Subject: RE: [Intrusions] We are experiencing a DDoS attacking one of
> our domains - mpecllc.com
>
>
> we're still getting attacked. @ 3pm PST, we'll try another type of firewall
> and re-enable the domain, but since the attack is still going on, by hitting
> our name servers, I don't know how well this will help in the long run....
>
> keep yer fingers xed.
>
>
> David C.McCall
> UNIX Administrator
> ===================
> EschelonTelecom
> admin at atgi.net
> david at atgi.net
>
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org]On Behalf Of Ken Connelly
> Sent: Monday, January 17, 2005 9:58 AM
> To: Intrusions List (GCIA Practicals)
> Subject: Re: [Intrusions] We are experiencing a DDoS attacking one of
> our domains - mpecllc.com
>
>
> This must have gotten lost in the moderator's queue... What ended up
> happening here?
>
> - ken
>
> David McCall wrote:
>
> >At last count I have isolated 21,000 unique IP addresses that are pounding
> >our dns and web servers for robots.txt and entry.php.......
> >
> >This domain is effectively down because of this issue. We had to move it
> >to a sand box server and this was ineffective after 24 hours. If I enable
> >the domain and turn on the web site the initial attack is 200-400 attacks
> >per second, consisting of a GET for robots.txt or entry.php, neither of
> >which exist on the site.
> >
> >I've notified mci.com and verio.net abuse depts.
> >
> >I've filed a report with FBI and wanted to make you all aware of what is
> >going on:
> >
> >IFCC COMPLAINT REFERRAL REPORT
> >Complaint Number: I05011113017305
> >The following information was provided by the victim and will be forwarded
> >to the appropriate law enforcement or regulatory agency.
> >Computer Intrusion/Hacking
> >Date of Complaint: 1/11/2005 1:01:35 PM
> >Victim Information
> >Business Name: Eschelon Telecom
> >Name: David Chester McCall
> >DOB: 11/21/1954
> >Gender: M
> >Phone #: 707-284-5695
> >Email: david at atgi.net
> >Address: 19 Old Courthouse Square
> >Santa Rosa, CA 95404
> >Live in city limits: No
> >County: Sonoma
> >Country: USA
> >Do you have pertinent documents in paper form? No
> >Please indicate who your local law enforcement agency is:
> >http://ci.santa-rosa.ca.us/default.aspx?PageId=119
> >Please List the easiest way and most convenient time to contact you:
> >david at atgi.net
> >707-477-7466 cell phone
> >707-792-0482 home
> >Information about the Business that victimized you.
> >Name:
> >Gender: U
> >Phone #:
> >Current Email:
> >Address:
> >Country: USA
> >
> >Contact between you and the Person/company that victimized you.
> >Type of Contact: Web Page
> >Date of Contact: 01/05/2005
> >Contact Information:
> >DDoS attack on one of our hosted domains: www.mpecllc.com
> >Brief log excerpt below:
> >Additional Information:
> >We have had to disable this customer site as the attack eventually
> >brings down the server. However this attack continues and can be
> >viewed by the DNS queries from our name servers (brief listing below):
> >
> >I have no immediate power to isolate where this is coming from but I can
> >make you all aware of what it is doing exactly. mpecllc.com is now pointed
> >to a 127. IP address but this has not stopped the queries on our name
> >servers, as you can see above.
> >
> >thanks ahead of time for any help you can offer..
> >
> >regards
> >
> > Domain Name Services - AdvancedTelcomInc
> > David C. McCall - david at atgi.net
> >_______________________________________________
> >Intrusions mailing list
> >Intrusions at lists.sans.org
> >http://www.dshield.org/mailman/listinfo/intrusions
> >
> >
>
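An added example, not part of the original thread: a summary of named query-log lines in the `XX /client/name/type/class` form, giving the unique client count and query rate for one name across several name servers, as the quoted messages discuss. It unwraps mail quoting and line wraps first; the sample lines, host names and addresses are constructed, and reading `XX+` as "recursion desired" is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: mail-quoted, wrapped named query lines (documentation addresses).
SAMPLE = """\
> Jan 18 09:08:27 ns1 named[444]: [ID 295310 daemon.info]
> XX /192.0.2.10/example.com/A/IN
> Jan 18 09:08:27 ns1 named[444]: [ID 295310 daemon.info]
> XX+/198.51.100.7/example.com/A/IN
> >Jan 18 09:08:28 ns2 named[280]: XX /203.0.113.5/example.com/A/IN
> >Jan 18 09:08:28 ns2 named[280]: XX
> /192.0.2.10/example.com/AAAA/IN
> >Jan 18 09:08:28 ns2 named[280]: XX /203.0.113.9/other.example/A/IN
> Jan 18 09:08:30 ns1 named[444]: [ID 295310 daemon.info]
> XX /198.51.100.7/example.com/A/IN
"""

QUOTE = re.compile(r"^(?:[ \t]*>)+[ \t]?", re.M)   # leading '>' quote markers
QUERY = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<server>\S+)\s+"
    r"named\[\d+\]:\s+(?:\[ID \d+ \S+\]\s+)?"
    r"XX(?P<rd>\+?)\s*/(?P<client>\d+(?:\.\d+){3})/(?P<qname>[^/\s]+)/"
    r"(?P<qtype>[A-Za-z0-9]+)/(?P<qclass>[A-Za-z0-9]+)"
)

def parse_queries(text, year=2005):
    """Return one dict per query line; tolerates '>' quoting and line wraps."""
    unquoted = QUOTE.sub("", text)
    out = []
    for m in QUERY.finditer(unquoted):   # \s in QUERY spans the wrapped newline
        rec = m.groupdict()
        ts = " ".join(rec["ts"].split())
        # syslog timestamps carry no year, so the caller supplies one
        rec["ts"] = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        rec["rd"] = rec["rd"] == "+"     # assumption: '+' marks recursion desired
        rec["qname"] = rec["qname"].lower().rstrip(".")
        out.append(rec)
    return out

def summarize(records, qname):
    """Volume figures for one queried name across all logging servers."""
    hits = [r for r in records if r["qname"] == qname.lower().rstrip(".")]
    if not hits:
        return {"total": 0, "unique_clients": 0, "peak_qps": 0}
    per_second = Counter(r["ts"] for r in hits)
    per_client = Counter(r["client"] for r in hits)
    span = (max(per_second) - min(per_second)).total_seconds() + 1
    return {
        "total": len(hits),
        "unique_clients": len(per_client),
        "peak_qps": max(per_second.values()),
        "mean_qps": round(len(hits) / span, 2),
        "per_server": dict(Counter(r["server"] for r in hits)),
        "qtypes": dict(Counter(r["qtype"] for r in hits)),
        "repeat_clients": sorted(c for c, n in per_client.items() if n > 1),
    }

if __name__ == "__main__":
    for key, value in summarize(parse_queries(SAMPLE), "example.com").items():
        print(f"{key}: {value}")
```

Merging the logs of every load-balanced server before counting matters here, because any single server sees only a fraction of the clients.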