
Injection activity using .cn domains, addendum 2

Published: 2009/06/11

Well, this is only an address change, but since around 16:30 on 2009/6/10 the domains have switched to having multiple A records registered, so I'm noting it here for now.

I wondered whether they had moved to fast-flux, but it looks like plain DNS round robin.

As mentioned before, visitors are redirected to another URL, and that destination domain uses the same DNS round robin as well.

The domain being injected:

 ;; QUESTION SECTION:
 ;mixmaxgroup.cn.                        IN      A
 ;; ANSWER SECTION:
 mixmaxgroup.cn.         300     IN      A       72.38.121.90
 mixmaxgroup.cn.         300     IN      A       82.115.86.94
 mixmaxgroup.cn.         300     IN      A       87.106.103.122
 mixmaxgroup.cn.         300     IN      A       212.84.166.131
 mixmaxgroup.cn.         300     IN      A       69.59.28.225
 
 ;; AUTHORITY SECTION:
 mixmaxgroup.cn.         300     IN      NS      ns1.mixmaxgroup.cn.
 mixmaxgroup.cn.         300     IN      NS      ns2.mixmaxgroup.cn.
 mixmaxgroup.cn.         300     IN      NS      ns3.mixmaxgroup.cn.
 
 ;; ADDITIONAL SECTION:
 ns1.mixmaxgroup.cn.     300     IN      A       72.0.255.141
 ns2.mixmaxgroup.cn.     300     IN      A       200.111.65.244
 ns3.mixmaxgroup.cn.     300     IN      A       222.214.218.61

The domain visitors are redirected to for the malware download:

 ;; QUESTION SECTION:
 ;readymixbet.cn.                        IN      A
 
 ;; ANSWER SECTION:
 readymixbet.cn.         130     IN      A       87.106.103.122
 readymixbet.cn.         130     IN      A       212.84.166.131
 readymixbet.cn.         130     IN      A       69.59.28.225
 readymixbet.cn.         130     IN      A       72.38.121.90
 readymixbet.cn.         130     IN      A       82.115.86.94 
 
 ;; AUTHORITY SECTION:
 readymixbet.cn.         130     IN      NS      ns3.readymixbet.cn.
 readymixbet.cn.         130     IN      NS      ns1.readymixbet.cn.
 readymixbet.cn.         130     IN      NS      ns2.readymixbet.cn.
 
 ;; ADDITIONAL SECTION:
 ns1.readymixbet.cn.     130     IN      A       72.0.255.141
 ns2.readymixbet.cn.     130     IN      A       200.111.65.244
 ns3.readymixbet.cn.     130     IN      A       222.214.218.61
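The two dig answers above say the same thing the post does, but a small script makes the distinction between a rotating pool and a churning pool explicit, and also surfaces the pivot a defender cares about: both domains resolve to the same five addresses and their name servers sit on the same three glue addresses. This is an added example, not the author's tooling; the two dig answers are quoted from this post, while the `FLUX_POOLS` sample is constructed (reserved TEST-NET addresses) purely to exercise the other branch of the heuristic.

```python
import re
from collections import namedtuple

Snapshot = namedtuple("Snapshot", "domain ttl addrs glue")

# Quoted from the post: dig output for the injected domain (2009-06-10).
DIG_MIXMAX = """\
;; ANSWER SECTION:
mixmaxgroup.cn.         300     IN      A       72.38.121.90
mixmaxgroup.cn.         300     IN      A       82.115.86.94
mixmaxgroup.cn.         300     IN      A       87.106.103.122
mixmaxgroup.cn.         300     IN      A       212.84.166.131
mixmaxgroup.cn.         300     IN      A       69.59.28.225
;; AUTHORITY SECTION:
mixmaxgroup.cn.         300     IN      NS      ns1.mixmaxgroup.cn.
mixmaxgroup.cn.         300     IN      NS      ns2.mixmaxgroup.cn.
mixmaxgroup.cn.         300     IN      NS      ns3.mixmaxgroup.cn.
;; ADDITIONAL SECTION:
ns1.mixmaxgroup.cn.     300     IN      A       72.0.255.141
ns2.mixmaxgroup.cn.     300     IN      A       200.111.65.244
ns3.mixmaxgroup.cn.     300     IN      A       222.214.218.61
"""

# Quoted from the post: dig output for the redirect target.
DIG_READYMIX = """\
;; ANSWER SECTION:
readymixbet.cn.         130     IN      A       87.106.103.122
readymixbet.cn.         130     IN      A       212.84.166.131
readymixbet.cn.         130     IN      A       69.59.28.225
readymixbet.cn.         130     IN      A       72.38.121.90
readymixbet.cn.         130     IN      A       82.115.86.94
;; AUTHORITY SECTION:
readymixbet.cn.         130     IN      NS      ns3.readymixbet.cn.
readymixbet.cn.         130     IN      NS      ns1.readymixbet.cn.
readymixbet.cn.         130     IN      NS      ns2.readymixbet.cn.
;; ADDITIONAL SECTION:
ns1.readymixbet.cn.     130     IN      A       72.0.255.141
ns2.readymixbet.cn.     130     IN      A       200.111.65.244
ns3.readymixbet.cn.     130     IN      A       222.214.218.61
"""

# Constructed sample (not from the post): a pool whose membership changes between
# successive lookups, using reserved TEST-NET-1 addresses, to show the fast-flux branch.
FLUX_POOLS = [
    {"192.0.2.10", "192.0.2.11", "192.0.2.12"},
    {"192.0.2.12", "192.0.2.40", "192.0.2.41"},
    {"192.0.2.70", "192.0.2.71", "192.0.2.72"},
]

# One resource record line as dig prints it: owner, TTL, class, type, rdata.
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")


def parse_dig(text):
    """Turn a dig answer into a Snapshot: the queried zone (owner of the NS records),
    the TTL of its A records, its address pool, and the glue addresses of its NS hosts."""
    rrs = [m.groups() for m in (RR.match(l.strip()) for l in text.splitlines()) if m]
    owners = {name for name, _, rtype, _ in rrs if rtype == "NS"}
    if len(owners) != 1:
        raise ValueError("expected NS records for exactly one zone")
    domain = owners.pop()
    a_rrs = [(n, int(t), r) for n, t, rtype, r in rrs if rtype == "A"]
    addrs = frozenset(r for n, _, r in a_rrs if n == domain)
    glue = frozenset(r for n, _, r in a_rrs if n != domain)
    ttl = min(t for n, t, _ in a_rrs if n == domain)
    return Snapshot(domain, ttl, addrs, glue)


def jaccard(a, b):
    union = set(a) | set(b)
    return len(set(a) & set(b)) / len(union) if union else 1.0


def classify_pools(pools, churn_threshold=0.5):
    """pools: address sets from successive lookups, oldest first.
    DNS round robin only rotates the order within a fixed pool, so consecutive
    pools overlap heavily; fast-flux swaps members in and out, so the overlap
    collapses.  A short TTL alone does not decide this: both domains in the post
    answer with TTLs of 300s and 130s yet keep a stable pool."""
    if len(pools) < 2:
        return "insufficient-data"
    worst = min(jaccard(p, q) for p, q in zip(pools, pools[1:]))
    return "fast-flux-candidate" if worst < churn_threshold else "round-robin"


def shared_infrastructure(a, b):
    """Defender's pivot: what two domains have in common, both in their own
    address pool and in the addresses of their authoritative name servers."""
    return {"addrs": a.addrs & b.addrs, "glue": a.glue & b.glue}


if __name__ == "__main__":
    mix, ready = parse_dig(DIG_MIXMAX), parse_dig(DIG_READYMIX)
    print(classify_pools([mix.addrs, ready.addrs]))  # round-robin
    print(classify_pools(FLUX_POOLS))                 # fast-flux-candidate
    print(shared_infrastructure(mix, ready))
```

The real test for fast-flux is repeated lookups of the same name over time, which a single dig cannot give you; the script is written over address pools so the same `classify_pools` call works on a series of lookups collected by a cron job. The `shared_infrastructure` output is what turns two apparently separate domains into one cluster worth blocking together.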

WHOIS records for the networks that contain the five A-record addresses above:

 OrgName:    Cogeco Cable Inc.
 OrgID:      CGOC
 Address:    PO Box 5076, Stn. Main
 Address:    950 Syscon Road
 City:       Burlington
 StateProv:  ON
 PostalCode: L7R-4S6
 Country:    CA
 
 NetRange:   72.38.112.0 - 72.38.127.255 
 CIDR:       72.38.112.0/20 
 OriginAS:   AS7992
 NetName:    CGOC-COMM6
 NetHandle:  NET-72-38-112-0-1
 Parent:     NET-72-38-0-0-1
 NetType:    Reallocated
 Comment:    Please email security@cogeco.net for abuse/security violations
 RegDate:    2008-04-16
 Updated:    2008-04-16

 inetnum:        82.115.65.0 - 82.115.95.255
 netname:        IS-NET
 descr:          Internet Solutions ISP
 country:        PL
 admin-c:        ISIA2-RIPE
 tech-c:         ISIA2-RIPE
 status:         ASSIGNED PA
 mnt-by:         IS-NET-MNT
 changed:        lt@is.net.pl 20090127
 source:         RIPE

 inetnum:        87.106.100.0 - 87.106.103.255
 netname:        SCHLUND-CUSTOMERS
 descr:          1&1 Internet AG
 country:        GB
 admin-c:        IPAD-RIPE
 tech-c:         IPOP-RIPE
 remarks:        INFRA-AW
 remarks:        in case of abuse or spam, please mailto: abuse@oneandone.net
 status:         ASSIGNED PA
 notify:         ripe-role@oneandone.net
 mnt-by:         AS8560-MNT
 changed:        ncc@schlund.net 20061129
 changed:        ripe-role@oneandone.net 20090528
 source:         RIPE

 inetnum:        212.84.166.128 - 212.84.166.135
 netname:        EDWIN-BUCKLEY
 descr:          Skymarket Hosting Network
 country:        GB
 rev-srv:        ns1.dnsmaster.net
 rev-srv:        ns2.dnsmaster.net
 admin-c:        EB1386-RIPE
 tech-c:         JB5654-RIPE
 status:         ASSIGNED PA
 notify:         ripe@skymarket.net.uk
 mnt-by:         SKYMARKET-MNT
 changed:        ripe@skymarket.net.uk 20060328
 source:         RIPE

 OrgName:    CaroNet Managed Hosting
 OrgID:      CIL-56
 Address:    900 Center Park Dr
 Address:    Suite A
 City:       Charlotte
 StateProv:  NC
 PostalCode: 28217
 Country:    US
 
 ReferralServer: rwhois://rwhois.carohosting.com:43
 
 NetRange:   69.59.28.0 - 69.59.28.255 
 CIDR:       69.59.28.0/24 
 NetName:    CI-69-59-28-0-24
 NetHandle:  NET-69-59-28-0-1
 Parent:     NET-69-59-16-0-1
 NetType:    Reallocated
 NameServer: NS1.CAROHOSTING.COM
 NameServer: NS2.CAROHOSTING.COM
 Comment:    
 RegDate:    2007-02-27
 Updated:    2007-02-27

[Category: Injection observation diary]

by jyake