Friday, July 19, 2013

Domain: theswat.net

TheSwat.Net was seen requested for the first time.

Domain registered at Gandi.net

"query: theswat.net IN A +E"

Returns:

The query returns about 242 A records in the 204.46.43.x range.
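To see why a record set this large matters, here is an added example (not code from the original post) that builds a constructed DNS response for theswat.net carrying 242 A records in 204.46.43.0/24, parses it from wire format, and compares its size with the query that elicits it. The record count and address range follow the post; the individual addresses, the TTL and the transaction id are constructed. The "+E" flag in the logged query line means the client used EDNS, which is what lets a single UDP response carry a payload of this size instead of being truncated at 512 bytes.

```python
import struct

# Constructed sample: 242 distinct addresses in 204.46.43.0/24, the size and
# range the post reports; the exact addresses and the TTL are made up here.
SAMPLE_ADDRS = [f"204.46.43.{i}" for i in range(1, 243)]


def encode_name(name):
    """Encode a dotted name in DNS label wire format."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_response(qname, addrs, ttl=3600):
    """Build a minimal DNS response: one question, one A record per address.

    Answer names use a compression pointer (0xC00C) back to the question
    name, so each A record costs 16 bytes on the wire.
    """
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)
        + bytes(int(octet) for octet in addr.split("."))
        for addr in addrs)
    return header + question + answers


def parse_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def analyze(data):
    """Parse a response and report how much larger it is than its query."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    qname, offset = parse_name(data, offset)
    qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
    offset += 4
    query_bytes = offset   # header + question is exactly what the client sent
    a_records = []
    for _ in range(an):
        _name, offset = parse_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            a_records.append(".".join(str(b) for b in data[offset:offset + 4]))
        offset += rdlen
    return {
        "qname": qname,
        "qtype": qtype,
        "a_records": len(a_records),
        "same_slash24": len({a.rsplit(".", 1)[0] for a in a_records}) == 1,
        "query_bytes": query_bytes,
        "response_bytes": len(data),
        "amplification": round(len(data) / query_bytes, 1),
    }


if __name__ == "__main__":
    print(analyze(build_response("theswat.net", SAMPLE_ADDRS)))
```

A 29-byte query for this name produces a 3901-byte answer, a ratio above 130:1, which is the property an amplification attack exploits when the source address is spoofed; a resolver that counts answer records and bytes per query this way can rate-limit or drop such names before reflecting them.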

Name servers:

Nameservers are the same as those of DirectedAt.Asia:

ns2.theswat.net. 84052 IN A 74.91.18.226
ns1.theswat.net. 84052 IN A 74.91.18.226


Whois

domain: theswat.net
reg_created: 2013-01-18 15:32:20
expires: 2014-01-18 15:32:20
created: 2013-01-18 16:32:21
changed: 2013-07-05 04:59:43
transfer-prohibited: yes
ns0: ns1.theswat.net 74.91.18.226
owner-c:
  nic-hdl: JK2889-GANDI
  owner-name: Julius Kivimäki
  organisation: ~
  person: Julius Kivimäki
  address: Urho Kekkosen katu 1
  zipcode: 00100
  city: Helsinki
  country: Canada
  phone: +358.207710710
  fax: ~
  email: 
  lastupdated: 2013-02-16 11:32:57
admin-c:
  nic-hdl: JK2889-GANDI
  owner-name: Julius Kivimäki
  organisation: ~
  person: Julius Kivimäki
  address: Urho Kekkosen katu 1
  zipcode: 00100
  city: Helsinki
  country: Canada
  phone: +358.207710710
  fax: ~
  email: 
  lastupdated: 2013-02-16 11:32:57
tech-c:
  nic-hdl: JK2889-GANDI
  owner-name: Julius Kivimäki
  organisation: ~
  person: Julius Kivimäki
  address: Urho Kekkosen katu 1
  zipcode: 00100
  city: Helsinki
  country: Canada
  phone: +358.207710710
  fax: ~
  email: 
  lastupdated: 2013-02-16 11:32:57
bill-c:
  nic-hdl: JK2889-GANDI
  owner-name: Julius Kivimäki
  organisation: ~
  person: Julius Kivimäki
  address: Urho Kekkosen katu 1
  zipcode: 00100
  city: Helsinki
  country: Canada
  phone: +358.207710710
  fax: ~
  email: 
  lastupdated: 2013-02-16 11:32:57


Source:

Domain was requested from IP: 

93.174.93.175 AS29073 Ecatel Network 

I've previously seen this IP request 1rip.com 4 times throughout July as well as Ddos.cat.


2 comments:

  1. Regarding disabling all the BIND error logging for recursive queries such as
    query (cache) 'theswat.net/ANY/IN' denied

    The below in /etc/named.conf redirects these to /var/named/data/named.security
    with a total size limit of 15 MB of rolling logs.
    Note that category security is only “Approval and denial of requests.”

    logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
        // Redirect all of those 'denied' logs for non-existing domains or external ones (we are 'recursion no;')
        // logs to /var/named/data/named.security, up to 3 files of 5mbytes each
        // independent hack_detect processes can then scan for flooders and known abusers and block their IPs
        channel hd_security {
            file "data/named.security" versions 3 size 5m;
            print-time yes;
            print-severity yes;
            print-category yes;
        };
        category security { hd_security; };
    };

    Replies
    1. Good tip. My server is responding though ;) I'm using a custom logging script that listens on the interface, giving me the information that I want.

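Detection logic of the kind the first comment describes (a separate process scanning named.security for flooders and known abusers) and the per-source correlation the post does by hand (one IP requesting several domains over July), as an added example that is not code from the post or from either commenter. The log lines are constructed in the layout the hd_security channel writes (time, category, severity, then the denial message) and are not captured data; the window length and flood threshold are assumptions, and the script reports rather than blocks so the output can feed whatever blocking mechanism the operator already has.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real log data) in the layout the hd_security
# channel produces with print-time, print-category and print-severity set.
SAMPLE_LOG = """\
19-Jul-2013 03:12:44.101 security: info: client 93.174.93.175#40213: query (cache) 'theswat.net/ANY/IN' denied
19-Jul-2013 03:12:44.102 security: info: client 93.174.93.175#40214: query (cache) 'theswat.net/ANY/IN' denied
19-Jul-2013 03:12:44.103 security: info: client 93.174.93.175#40215: query (cache) 'theswat.net/ANY/IN' denied
19-Jul-2013 03:12:45.001 security: info: client 93.174.93.175#40216: query (cache) '1rip.com/ANY/IN' denied
19-Jul-2013 03:12:45.002 security: info: client 93.174.93.175#40217: query (cache) 'ddos.cat/ANY/IN' denied
19-Jul-2013 03:13:10.500 security: info: client 198.51.100.7#5353: query (cache) 'example.org/A/IN' denied
19-Jul-2013 03:20:00.000 security: info: client 203.0.113.9#53001: query (cache) 'example.net/MX/IN' denied
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) security: \w+: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied$"
)


def parse_line(line):
    """Return a dict for a denied-query line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
        "ip": m["ip"],
        "name": m["name"].lower(),
        "qtype": m["qtype"],
    }


def summarize(log_text, window_seconds=60, flood_threshold=3):
    """Group denied queries by client; flag flooders and ANY-query sources.

    window_seconds and flood_threshold are assumed tuning values, not
    settings from the post.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_ip[event["ip"]].append(event)
    report = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        # Largest number of denials from this client inside any window_seconds span
        peak, start = 0, 0
        for i, event in enumerate(events):
            while (event["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, i - start + 1)
        any_count = sum(e["qtype"] == "ANY" for e in events)
        reasons = []
        if peak >= flood_threshold:
            reasons.append("flood")
        if any_count:          # ANY lookups of foreign names at a 'recursion no;' server
            reasons.append("any")
        report[ip] = {
            "denied": len(events),
            "names": sorted({e["name"] for e in events}),
            "any_queries": any_count,
            "peak_in_window": peak,
            "reasons": reasons,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Run against the rotated files the channel produces (data/named.security, .0, .1, .2), the report gives one line per client with the distinct names it asked for, so the pattern the post notes, a single source requesting theswat.net, 1rip.com and ddos.cat, shows up directly instead of being reconstructed by hand.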