[Intrusions] What is it?
Bill Royds
broyds at rogers.com
Mon May 30 22:57:10 GMT 2005
The first domain is just about to expire (June 4) and the second is disabled by
the registrar, so there may have been problems with the registrar delegation. The IP
addresses belong to the supposed authoritative servers (from registration), but
they know nothing about the domains (therefore are lame servers).
Here is the whois information.
C:\Documents and Settings\Bill>whois blackdove.net
Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: BLACKDOVE.NET
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com
Name Server: YNS1.YAHOO.COM
Name Server: YNS2.YAHOO.COM
Status: ACTIVE
Updated Date: 23-may-2005
Creation Date: 03-jun-2004
Expiration Date: 03-jun-2006
>>> Last update of whois database: Mon, 30 May 2005 08:57:04 EDT <<<
The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name.......... blackdove.net
Creation Date........ 2004-06-04
Registration Date.... 2004-06-04
Expiry Date.......... 2006-06-04
Organisation Name.... Elizabeth Chappell
Organisation Address. 135-2 Gloucester ct
Organisation Address.
Organisation Address. Newington
Organisation Address. 06111
Organisation Address. CT
Organisation Address. UNITED STATES
Admin Name........... Elizabeth Chappell
Admin Address........ 135-2 Gloucester ct
Admin Address........
Admin Address........ Newington
Admin Address........ 06111
Admin Address........ CT
Admin Address........ UNITED STATES
Admin Email.......... echappll at cox.net
Admin Phone.......... +1.8606651405
Admin Fax............
Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domain.tech at YAHOO-INC.COM
Tech Phone........... +1.6198813096
Tech Fax............. +1.6198813010
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com
C:\Documents and Settings\Bill>whois jordydejong.com
Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: JORDYDEJONG.COM
Registrar: BULKREGISTER, LLC.
Whois Server: whois.bulkregister.com
Referral URL: http://www.bulkregister.com
Name Server: NS.4UA.COM
Name Server: NS2.4UA.COM
Status: ACTIVE
Updated Date: 24-sep-2004
Creation Date: 12-sep-2000
Expiration Date: 12-sep-2005
>>> Last update of whois database: Mon, 30 May 2005 08:57:04 EDT <<<
Jordy de Jong
Hilvertsweg 203
Hilversum, Noord-Holl 1214 JD
NL
Domain Name: JORDYDEJONG.COM
Administrative Contact::
Jordy de Jong: jordydejong at cable.a2000.nl
Jordy de Jong
Hilvertsweg 203
Hilversum, Noord-Holl 1214 JD
NL
Phone:: 06-22729781
Fax::
Technical Contact::
Domain Services: availes at apex.net
none
299 Midway Rd
Murray, KY 42071
US
Phone:: 270-226-9179
Fax:: 603-452-7778
Billing Contact::
Jordy de Jong: jordydejong at cable.a2000.nl
Jordy de Jong
Hilvertsweg 203
Hilversum, Noord-Holl 1214 JD
NL
Phone:: 06-22729781
Fax::
Record updated date on: 2004-09-24 09:04:31
Record created date on: 2000-09-12
Record will be expiring on date: 2005-09-12
Database last updated on: 2005-05-30 17:39:33 EST
Domain servers in listed order:
NS.4UA.COM 216.147.28.113
NS2.4UA.COM 216.147.1.37
TransferGuard LOCK Status => DISABLED
-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Rodrigo Ramos
Sent: Monday, May 30, 2005 2:10 PM
To: security-basics at securityfocus.com
Cc: intrusions at lists.sans.org; secevents at securityfocus.com
Subject: [Intrusions] What is it?
Hi,
I am seeing it many times per day on one of our machines.
Has anybody been hit by it?
Other blocks of machines are coming too.
May 28 03:00:00 brasil named[1664]: lame server resolving
'blackdove.net' (in 'blackdove.NET'?): 216.109.116.20#53
May 28 03:00:00 brasil named[1664]: lame server resolving
'jordydejong.com' (in 'jordydejong.com'?): 216.147.1.37#53
May 28 03:00:00 brasil named[1664]: lame server resolving
'blackdove.net' (in 'blackdove.NET'?): 66.218.71.205#53
May 28 03:00:01 brasil named[1664]: lame server resolving
'jordydejong.com' (in 'jordydejong.com'?): 216.147.28.113#53
May 28 03:00:01 brasil named[1664]: lame server resolving
'blackdove.net' (in 'blackdove.NET'?): 216.109.116.20#53
May 28 03:00:01 brasil named[1664]: lame server resolving
'jordydejong.com' (in 'jordydejong.com'?): 216.147.28.113#53
May 28 03:00:01 brasil named[1664]: lame server resolving
'blackdove.net' (in 'blackdove.NET'?): 66.218.71.205#53
May 28 03:00:01 brasil named[1664]: lame server resolving
'jordydejong.com' (in 'jordydejong.com'?): 216.147.1.37#53
May 28 03:00:01 brasil named[1664]: lame server resolving
'blackdove.net' (in 'blackdove.NET'?): 216.109.116.20#53
May 28 03:00:01 brasil named[1664]: lame server resolving
'jordydejong.com' (in 'jordydejong.com'?): 216.147.1.37#53
May 28 03:00:01 brasil named[1664]: lame server resolving
'blackdove.net' (in 'blackdove.NET'?): 66.218.71.205#53
May 28 03:00:01 brasil named[1664]: lame server resolving
'jordydejong.com' (in 'jordydejong.com'?): 216.147.28.113#53
May 28 03:00:01 brasil named[1664]: lame server resolving
'blackdove.net' (in 'blackdove.NET'?): 216.109.116.20#53
May 28 03:00:01 brasil named[1664]: lame server resolving
'jordydejong.com' (in 'jordydejong.com'?): 216.147.1.37#53
May 28 03:00:02 brasil named[1664]: lame server resolving
'jordydejong.com' (in 'jordydejong.com'?): 216.147.28.113#53
May 28 03:00:02 brasil named[1664]: lame server resolving
'blackdove.net' (in 'blackdove.NET'?): 66.218.71.205#53
May 28 03:00:04 brasil named[1664]: lame server resolving 'fsbti.com'
(in 'fsbti.com'?): 66.150.15.226#53
May 28 03:00:04 brasil named[1664]: lame server resolving 'fsbti.com'
(in 'fsbti.com'?): 67.89.232.133#53
Best regards,
--
Rodrigo Ramos
55 81 3463.1593
55 81 8851.3524
http://www.triforsec.com.br
http://www.defenselayer.com
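
Added example, not part of the original thread: a small parser that re-joins the mail-wrapped named "lame server resolving" records quoted above and counts, per zone, which delegated server IPs answered lame. The function names and the two-server threshold are assumptions made for this illustration; the sample lines are an excerpt of the log in the post.

```python
import re
from collections import defaultdict

# Excerpt of the log lines quoted in the post, mail-client wrapping preserved.
SAMPLE = """\
May 28 03:00:00 brasil named[1664]: lame server resolving
'blackdove.net' (in 'blackdove.NET'?): 216.109.116.20#53
May 28 03:00:00 brasil named[1664]: lame server resolving
'jordydejong.com' (in 'jordydejong.com'?): 216.147.1.37#53
May 28 03:00:00 brasil named[1664]: lame server resolving
'blackdove.net' (in 'blackdove.NET'?): 66.218.71.205#53
May 28 03:00:01 brasil named[1664]: lame server resolving
'jordydejong.com' (in 'jordydejong.com'?): 216.147.28.113#53
May 28 03:00:01 brasil named[1664]: lame server resolving
'blackdove.net' (in 'blackdove.NET'?): 216.109.116.20#53
May 28 03:00:04 brasil named[1664]: lame server resolving 'fsbti.com'
(in 'fsbti.com'?): 66.150.15.226#53
"""
LAME = re.compile(
    r"named\[\d+\]: lame server resolving\s+'(?P<name>[^']+)'\s+"
    r"\(in '(?P<zone>[^']+)'\?\):\s+(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)
STAMP = re.compile(r"[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")  # syslog timestamp

def unwrap(text):
    """Re-join records that were wrapped onto a second line."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())          # start of a new record
        else:
            records[-1] += " " + line.strip()     # continuation line
    return records

def lame_delegations(text):
    """Map zone (lower-cased) -> {server IP: number of lame answers}."""
    zones = defaultdict(lambda: defaultdict(int))
    for record in unwrap(text):
        m = LAME.search(record)
        if m:
            zones[m["zone"].lower().rstrip(".")][m["ip"]] += 1
    return {zone: dict(ips) for zone, ips in zones.items()}

def several_servers_lame(zones, min_servers=2):
    """Zones with at least min_servers distinct lame IPs (threshold is an assumption)."""
    return sorted(z for z, ips in zones.items() if len(ips) >= min_servers)

if __name__ == "__main__":
    print(several_servers_lame(lame_delegations(SAMPLE)))
```

A zone where every server listed in the registration shows up here points to a broken delegation, as in the whois records above, rather than to anything wrong with the resolver that logged it.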