[Intrusions] We are experiencing a DDoS attacking one of our domains - mpecllc.com
Maxime Ducharme
mducharme at cybergeneration.com
Tue Jan 18 22:33:43 GMT 2005
Hey Dave
This is really incredible
DNS relies on UDP though, it could be spoofed packets.
But if 21k+ hosts are accessing the web site, it surely
creates a huge amount of DNS traffic.
Another good idea would be to create robots.txt and
entry.php with no data in them.
404 errors currently generate more upload traffic
than an empty file.
Continue with ipchain filtering as long as your ISP
didn't give any help.
I am also interested to know about how you get
this problem out.
Cya
Maxime Ducharme
Programmer / Network Security Specialist
----- Original Message -----
From: "David McCall" <david at atgi.net>
To: "Intrusions List (GCIA Practicals)" <intrusions at lists.sans.org>
Sent: Tuesday, January 18, 2005 12:16 PM
Subject: RE: [Intrusions] We are experiencing a DDoS attacking one
of our domains - mpecllc.com
> > David, best of luck at three today. We are all pulling for you and
> > please keep us posted.
> > your friend in the ether, Richard Golodner
>
> Hi all,
>
> No luck yet with the firewall testing still in progress. Here's a snippet of
> 1/6 of our load balanced DNS servers just a few min. ago:
>
> As you can see the attack is still alive and kicking.
>
>
> David C.McCall
> UNIX Administrator
> ===================
> EschelonTelecom
> admin at atgi.net
> david at atgi.net
>
> -----Original Message-----
> From: David McCall [mailto:david at atgi.net]
> Sent: Monday, January 17, 2005 4:01 PM
> To: Intrusions List (GCIA Practicals)
> Subject: RE: [Intrusions] We are experiencing a DDoS attacking one of
> our domains - mpecllc.com
>
>
> we're still getting attacked. @ 3pm PST, we'll try another type of firewall
> and re-enable the domain, but since the attack is still going on, by hitting
> our name servers, I don't know how well this will help in the long run....
>
> keep yer fingers xed.
>
>
> David C.McCall
> UNIX Administrator
> ===================
> EschelonTelecom
> admin at atgi.net
> david at atgi.net
>
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Ken Connelly
> Sent: Monday, January 17, 2005 9:58 AM
> To: Intrusions List (GCIA Practicals)
> Subject: Re: [Intrusions] We are experiencing a DDoS attacking one of
> our domains - mpecllc.com
>
>
> This must have gotten lost in the moderator's queue... What ended up
> happening here?
>
> - ken
>
> David McCall wrote:
>
> >At last count I have isolated 21,000 unique IP addresses that are pounding
> >our dns and web servers for robots.txt and entry.php.......
> >
> >This domain is effectively down because of this issue. We had to move it
> >to a sand box server and this was ineffective after 24 hours. If I enable
> >the domain and turn on the web site the initial attack is 200-400 attacks
> >per second, consisting of a GET for robots.txt or entry.php, neither of
> >which exist on the site.
> >
> >I've notified mci.com and verio.net abuse depts.
> >
> >I've filed a report with FBI and wanted to make you all aware of what is
> >going on:
> >
> >IFCC COMPLAINT REFERRAL REPORT
> >Complaint Number: I05011113017305
> >The following information was provided by the victim and will be forwarded
> >to the appropriate law enforcement or regulatory agency.
> >Computer Intrusion/Hacking
> >Date of Complaint: 1/11/2005 1:01:35 PM
> >Victim Information
> >Business Name: Eschelon Telecom
> >Name: David Chester McCall
> >DOB: 11/21/1954
> >Gender: M
> >Phone #: 707-284-5695
> >Email: david at atgi.net
> >Address: 19 Old Courthouse Square
> >Santa Rosa, CA 95404
> >Live in city limits: No
> >County: Sonoma
> >Country: USA
> >Do you have pertinent documents in paper form? No
> >Please indicate who your local law enforcement agency is:
> >http://ci.santa-rosa.ca.us/default.aspx?PageId=119
> >Please List the easiest way and most convenient time to contact you:
> >david at atgi.net
> >707-477-7466 cell phone
> >707-792-0482 home
> >Information about the Business that victimized you.
> >Name:
> >Gender: U
> >Phone #:
> >Current Email:
> >Address:
> >Country: USA
> >
> >Contact between you and the Person/company that victimized you.
> >Type of Contact: Web Page
> >Date of Contact: 01/05/2005
> >Contact Information:
> >DDoS attack on one of our hosted domains: www.mpecllc.com
> >Brief log excerpt below:
> >Additional Information:
> >We have had to disable this customer site as the attack eventually
> >brings down the server. However this attack continues and can be
> >viewed by the DNS queries from our name servers (brief listing below):
> >
> >I have no immediate power to isolate where this is coming from but I can
> >make you all aware of what it is doing exactly. mpecllc.com is now pointed
> >to a 127. IP address but this has not stopped the queries on our name
> >servers, as you can see above.
> >
> >thanks ahead of time for any help you can offer..
> >
> >regards
> >
> > Domain Name Services - AdvancedTelcomInc
> > David C. McCall - david at atgi.net
> >_______________________________________________
> >Intrusions mailing list
> >Intrusions at lists.sans.org
> >http://www.dshield.org/mailman/listinfo/intrusions
> >
> >
>
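
One way to measure what the thread describes (distinct sources, requests per second and response bytes for robots.txt and entry.php) from a web access log, as an added example that is not part of the original messages. It assumes vhost-prefixed combined-format lines; the sample lines, function names and demo-scale thresholds are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed layout: <vhost> <client> - - [time] "METHOD path PROTO" status bytes "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
WATCHED_PATHS = {"/robots.txt", "/entry.php"}  # the two paths named in the thread
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


def summarize(lines, watched=WATCHED_PATHS):
    """Aggregate requests for the watched paths; malformed lines are counted, not fatal."""
    per_second, sources, agents = Counter(), set(), Counter()
    body_bytes = skipped = hits = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        if m["path"].split("?", 1)[0] not in watched:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_second[ts] += 1
        sources.add(m["ip"])
        agents[m["ua"]] += 1
        body_bytes += 0 if m["size"] == "-" else int(m["size"])
        hits += 1
    return {
        "hits": hits,
        "unique_sources": len(sources),
        "peak_per_second": max(per_second.values(), default=0),
        "top_ua_share": agents.most_common(1)[0][1] / hits if hits else 0.0,
        "body_bytes": body_bytes,  # bytes sent answering the watched paths
        "skipped": skipped,
    }


def looks_like_flood(s, min_sources=5, min_peak=5, min_ua_share=0.9):
    """Many distinct sources, one User-Agent, a burst inside a single second."""
    return (s["unique_sources"] >= min_sources
            and s["peak_per_second"] >= min_peak
            and s["top_ua_share"] >= min_ua_share)


def _line(ip, second, path, status=302, size=225, ua=UA):
    # Builds one constructed log line; addresses come from documentation ranges.
    return (f'www.example.com {ip} - - [10/Jan/2005:11:10:{second:02d} -0800] '
            f'"GET {path} HTTP/1.1" {status} {size} "-" "{ua}"')


SAMPLE = (
    [_line(f"192.0.2.{i}", 49, "/robots.txt") for i in range(1, 9)]
    + [_line(f"198.51.100.{i}", 50, "/entry.php") for i in range(1, 3)]
    + [_line("203.0.113.7", 50, "/index.html", 200, 5120, "ExampleBrowser/1.0"),
       "truncated line with no fields"]
)

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    print(stats, "flood" if looks_like_flood(stats) else "normal")
```

The `body_bytes` total makes the cost of each response body visible, which is the quantity the empty-file suggestion above is trying to reduce.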