The Domain Name System (DNS) is like a phone book: it translates the human-readable names people use, such as "ussc.ru", into IP addresses. Because DNS takes part in almost every communication session regardless of the protocol, DNS logs are a valuable data source for an information security specialist: they let an analyst spot anomalies or obtain additional information about the system under investigation.
In 2004, Florian Weimer proposed a logging method called Passive DNS. It lets you reconstruct the history of changes to DNS data, with indexing and search, and gives access to data such as:
- the domain name;
- the IP address to which the requested domain name resolved;
- the date and time of the response;
- the response (record) type;
- and so on.
Passive DNS data is collected on recursive DNS servers by built-in modules, or by capturing the responses returned by the authoritative DNS servers for a zone.
Figure 1. Passive DNS (taken from the site
A distinctive feature of Passive DNS is that there is no need to record the client's IP address, which helps protect user privacy: the sensor sits between the recursive resolver and the authoritative servers, so it only ever sees the resolver's own queries and the answers to them, never which end user asked.
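To make the collection step concrete, here is an added example (not code from the article) of a minimal passive DNS sensor in Python: it parses DNS responses in wire format, including compressed names, and aggregates the answer section into the usual passive DNS tuple (rrname, rrtype, rdata, first_seen, last_seen, count). The messages it is fed are constructed with the builder at the bottom rather than captured from a real resolver, and the two-day timeline is an assumption.

```python
"""Minimal passive DNS sensor: parse DNS responses in wire format (RFC 1035)
and aggregate the answer section into the classic passive DNS tuple
(rrname, rrtype, rdata, first_seen, last_seen, count).
Added example, not code from the article; the sample messages are constructed."""
import struct
from datetime import datetime, timezone

RRTYPES = {1: "A", 2: "NS", 5: "CNAME", 28: "AAAA"}


def read_name(msg, off):
    """Decode a (possibly compressed) name at `off`; return (name, end offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:                     # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_answers(msg):
    """Yield (rrname, rrtype, ttl, rdata) for each RR in the answer section."""
    _txid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:                    # QR=0: a query, nothing to record
        return
    off = 12
    for _ in range(qdcount):                  # skip the question section
        _, off = read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        raw, rdata_off = msg[off:off + rdlen], off
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in raw)
        elif rtype == 28 and rdlen == 16:
            rdata = ":".join(f"{raw[i] << 8 | raw[i + 1]:x}" for i in range(0, 16, 2))
        elif rtype in (2, 5):                 # NS / CNAME: rdata is itself a name
            rdata, _ = read_name(msg, rdata_off)
        else:
            rdata = raw.hex()
        yield name, RRTYPES.get(rtype, str(rtype)), ttl, rdata


class PassiveDnsStore:
    """Keyed on (rrname, rrtype, rdata) only: the querying client's address
    is never stored, which is the privacy property the article points out."""

    def __init__(self):
        self.records = {}

    def observe(self, msg, seen_at):
        for name, rtype, ttl, rdata in parse_answers(msg):
            e = self.records.setdefault(
                (name, rtype, rdata),
                {"first_seen": seen_at, "last_seen": seen_at, "count": 0, "ttl": ttl})
            e["first_seen"] = min(e["first_seen"], seen_at)
            e["last_seen"] = max(e["last_seen"], seen_at)
            e["count"] += 1
            e["ttl"] = ttl

    def lookup(self, name):                   # forward: what did this name resolve to?
        return {k: v for k, v in self.records.items() if k[0] == name}

    def reverse(self, rdata):                 # reverse: which names pointed at this value?
        return {k: v for k, v in self.records.items() if k[2] == rdata}


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_response(qname, a_records, flags=0x8180, txid=0x1234):
    """Constructed sample message: one question plus A answers whose owner
    name is a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!6H", txid, flags, 1, len(a_records), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    for ip, ttl in a_records:
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + body


def demo():
    """Feed the same (constructed) resolver answer, seen on two days, into the store."""
    store = PassiveDnsStore()
    msg = build_response("magnit-boss.rocks", [("92.119.113.112", 300), ("85.143.219.65", 300)])
    store.observe(msg, datetime(2019, 8, 1, 9, 0, tzinfo=timezone.utc))
    store.observe(msg, datetime(2019, 8, 2, 9, 0, tzinfo=timezone.utc))
    return store


if __name__ == "__main__":
    for key, val in demo().lookup("magnit-boss.rocks").items():
        print(key, val["first_seen"].date(), val["last_seen"].date(), val["count"])
```

A production sensor would read packets from a capture interface and persist the store, but the data model is the same: the first and last time each name/value pair was seen and how often, with nothing about who asked. The hop limit in `read_name` matters because a sensor parses attacker-influenced input; a pointer loop in a crafted response must not hang the collector.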
Today a number of services provide access to Passive DNS data:

| Company | Access | API | Client | Data collected since |
|---|---|---|---|---|
| Farsight Security | On request | Yes | Yes | 2010 |
| VirusTotal | No registration required | Yes | Yes | 2013 |
| RiskIQ | Free registration | Yes | Yes | 2009 |
| SafeDNS | On request | Yes | No | Only the last three months are shown |
| SecurityTrails | No registration required | Yes | No | 2008 |
| Cisco | On request | Yes | No | 2006 |

Table 1. Services providing access to Passive DNS data
Passive DNS use cases
With Passive DNS you can build relationships between domain names, NS servers and IP addresses. This lets you map the infrastructure under study and see how that map has changed from the moment a name was first observed up to the present.
Passive DNS also makes it easier to spot anomalies in traffic. For example, tracking changes in NS records and in A and AAAA records lets you detect malicious domains that use the fast-flux technique, which is designed to hide C&C servers from detection and blocking. Legitimate domain names (apart from those used for load balancing) rarely change their IP addresses, and most legitimate domains rarely change their NS servers, so frequent churn in either stands out.
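As an added example (not from the article), here is one way to turn that observation into a check over passive DNS records in Python. The record shape, the thresholds and the sample domains under the reserved .test TLD are assumptions. The rule deliberately combines address count with how long each address stayed mapped to the name, because a load-balanced or CDN-fronted legitimate domain also has many addresses with short TTLs, but its addresses persist for months, whereas fast-flux addresses come and go within a day or two.

```python
"""Fast-flux heuristics over passive DNS records.  Added example, not the
article's code; thresholds and the sample records are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class PdnsRecord:
    rrname: str          # queried name
    rrtype: str          # "A", "AAAA", "NS", ...
    rdata: str           # resolved value
    first_seen: datetime
    last_seen: datetime
    ttl: int


def flux_indicators(records, window=timedelta(days=7)):
    """Per rrname, summarise address and NS churn inside a window that ends
    at the newest observation of that name."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r.rrname].append(r)
    out = {}
    for name, recs in by_name.items():
        newest = max(r.last_seen for r in recs)
        recent = [r for r in recs if r.last_seen >= newest - window]
        addrs = [r for r in recent if r.rrtype in ("A", "AAAA")]
        nss = [r for r in recent if r.rrtype == "NS"]
        out[name] = {
            "distinct_ips": len({r.rdata for r in addrs}),
            "distinct_ns": len({r.rdata for r in nss}),
            "min_ttl": min((r.ttl for r in addrs), default=None),
            # how long each address stayed mapped to the name: flux addresses
            # are short-lived, load-balancer pools are stable for months
            "median_ip_lifetime_days": median(
                (r.last_seen - r.first_seen).total_seconds() / 86400 for r in addrs
            ) if addrs else None,
        }
    return out


def is_fast_flux(ind, ip_threshold=8, ttl_threshold=600, lifetime_days=3.0):
    """Assumed thresholds: many distinct short-TTL addresses that each live
    only briefly.  Lifetime is part of the rule so that CDNs and balancers,
    which also have many short-TTL addresses, are not flagged."""
    if ind["min_ttl"] is None:
        return False
    return (
        ind["distinct_ips"] >= ip_threshold
        and ind["min_ttl"] <= ttl_threshold
        and ind["median_ip_lifetime_days"] < lifetime_days
    )


def sample_records():
    """Constructed data under the reserved .test TLD; not real observations."""
    t0 = datetime(2019, 8, 1)
    recs = []
    # flux-c2.test: a new address every day, each alive about 20 hours, TTL 300
    for i in range(12):
        recs.append(PdnsRecord("flux-c2.test", "A", f"198.51.100.{i + 1}",
                               t0 + timedelta(days=i), t0 + timedelta(days=i, hours=20), 300))
    # balanced.test: six addresses, all stable for 200 days, TTL 60
    for i in range(6):
        recs.append(PdnsRecord("balanced.test", "A", f"203.0.113.{i + 1}",
                               t0 - timedelta(days=200), t0 + timedelta(days=11), 60))
    # plain.test: one long-lived address
    recs.append(PdnsRecord("plain.test", "A", "192.0.2.10",
                           t0 - timedelta(days=400), t0 + timedelta(days=11), 3600))
    return recs


def classify(records=None):
    """Map each name in the dataset to a fast-flux verdict."""
    records = sample_records() if records is None else records
    return {name: is_fast_flux(ind) for name, ind in flux_indicators(records).items()}


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name}: {'fast-flux' if verdict else 'normal'}")
```

In practice the address set is enriched with an ASN or network-prefix lookup: fast-flux pools are spread over many unrelated networks (infected home machines), while a CDN's addresses cluster in a few provider prefixes. That lookup needs external data, so it is left out here.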
Unlike direct dictionary brute-forcing of subdomains, Passive DNS lets you find even non-obvious domain names such as "222qmxacaiqaaaaazibq4aaidhmbqaaa0undefined7140c0.p.hoff.ru". It also sometimes reveals test (and unprotected) copies of websites, development builds, and so on.
Analysing a link from an email using Passive DNS
Today spam is one of the main ways attackers get onto a victim's computer or steal confidential information. Let's analyse a link from one such email using Passive DNS to evaluate how effective the method is.
Figure 2. The spam email
The link in this email led to the site magnit-boss.rocks, which offered to collect bonuses automatically and pay out money:
Figure 3. Page hosted on the magnit-boss.rocks domain
Investigating this domain
First of all, we retrieve the full history of this domain name. For this we use the command:
pt-client pdns --query magnit-boss.rocks
This command returns information about every DNS resolution associated with this domain name.
Figure 4. Response from the RiskIQ API
Let's bring the API response into a form that is more convenient to read:
Figure 5. All records from the response
For further research we take the IP addresses to which this domain name resolved at the time the email was received, 01.08.2019. Those addresses are 92.119.113.112 and 85.143.219.65.
Using the command:
pt-client pdns --query <ip-address>
you can get all the domain names associated with a given IP address.
The IP address 92.119.113.112 has 42 different domain names that resolved to it, among them:
- magnet-boss.club
- igrovie-automaty.me
- pro-x-audit.xyz
- zep3-www.xyz
- and others
The IP address 85.143.219.65 has 44 different domain names that resolved to it, among them:
- cvv2.name (a site selling credit card data)
- emails.world
- www.mailru.space
- and others
Following these domain names leads to phishing, but let's give the benefit of the doubt and try to claim the 332-ruble bonus. After clicking the "YES" button, the site asks us to transfer 501.72 rubles from a card to "unlock the account" and sends us to the site as-torpay.info to enter the card details.
Figure 6. Main page of the site ac-pay2day.net
It looks like a legitimate site: it has an HTTPS certificate, and the main page offers to integrate this payment system into your own site, but, alas, none of the integration links work. The domain name resolves to just one IP address, 190.115.19.74. That address, in turn, has 1475 unique domain names resolving to it, including names such as:
- ac-pay2day.net
- ac-payfit.com
- as-manypay.com
- fletkass.net
- as-magicpay.com
- and others
As we can see, Passive DNS lets you quickly and effectively gather data about the object under study and even build a kind of map that exposes the whole scheme for stealing your data, from receipt of the email to the probable point of sale.
Figure 7. Map of the scheme under study
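The pivoting procedure above (name to addresses as of the email's date, addresses to the other names on them, and on to their addresses) is mechanical enough to script once the data is exported from a service such as the one queried with pt-client. The following is an added example in Python, not the article's tooling. The domain names and addresses are the ones the article reports; every validity window, the second seed being fed in by hand (the hop from the bonus site to the payment site came from a web redirect, not from DNS), and the crowded host 203.0.113.10 with its tenantN.example names are constructed placeholders.

```python
"""Pivoting through a passive DNS dataset: seed name -> addresses it resolved
to when the email arrived -> other names on those addresses -> their
addresses, and so on.  Added example, not the article's tooling (the article
used RiskIQ's pt-client).  Names are those the article reports; the dates,
the crowded host 203.0.113.10 and the tenantN.example names are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

WHEN = datetime(2019, 8, 1)      # the email's date in the article
EARLIER = datetime(2019, 2, 1)   # constructed, used to show the time filter


@dataclass(frozen=True)
class PdnsRecord:
    rrname: str
    rrtype: str
    rdata: str
    first_seen: datetime
    last_seen: datetime


class PdnsIndex:
    """Forward (name -> records) and reverse (address -> records) indexes."""

    def __init__(self, records):
        self.forward, self.reverse = defaultdict(list), defaultdict(list)
        for r in records:
            if r.rrtype in ("A", "AAAA"):
                self.forward[r.rrname].append(r)
                self.reverse[r.rdata].append(r)

    def resolutions_at(self, name, when):
        """Addresses the name mapped to at `when`, not its whole history."""
        return sorted({r.rdata for r in self.forward[name] if r.first_seen <= when <= r.last_seen})

    def all_addresses(self, name):
        return sorted({r.rdata for r in self.forward[name]})

    def domains_on(self, ip):
        return sorted({r.rrname for r in self.reverse[ip]})


def pivot_map(index, seeds, when, max_depth=2, max_fanout=50):
    """Breadth-first expansion from the seeds.  Seeds are resolved as of
    `when`; names found later are expanded over their full history.
    An address shared by more than `max_fanout` names (shared hosting, a CDN,
    Cloudflare-style reverse proxies) is kept as a node but not expanded: the
    names behind it are unrelated tenants, the limitation the article warns of."""
    edges, shared, seen = set(), set(), set(seeds)
    queue = deque((s, 0) for s in seeds)
    while queue:
        name, depth = queue.popleft()
        if depth >= max_depth:
            continue
        ips = index.resolutions_at(name, when) if depth == 0 else index.all_addresses(name)
        for ip in ips:
            edges.add((name, ip))
            tenants = index.domains_on(ip)
            if len(tenants) > max_fanout:
                shared.add(ip)
                continue
            for other in tenants:
                edges.add((other, ip))
                if other not in seen:
                    seen.add(other)
                    queue.append((other, depth + 1))
    return {"edges": edges, "domains": seen, "shared_ips": shared}


def sample_index():
    """Constructed dataset: article names with placeholder validity windows."""
    def rec(name, ip, first=datetime(2019, 7, 1), last=datetime(2019, 8, 15)):
        return PdnsRecord(name, "A", ip, first, last)

    recs = [rec("magnit-boss.rocks", "92.119.113.112"), rec("magnit-boss.rocks", "85.143.219.65")]
    recs += [rec(n, "92.119.113.112") for n in
             ("magnet-boss.club", "igrovie-automaty.me", "pro-x-audit.xyz", "zep3-www.xyz")]
    recs += [rec(n, "85.143.219.65") for n in ("cvv2.name", "emails.world", "www.mailru.space")]
    recs += [rec(n, "190.115.19.74") for n in
             ("ac-pay2day.net", "ac-payfit.com", "as-manypay.com", "fletkass.net", "as-magicpay.com")]
    # Crowded shared host with 60 constructed tenants; tenant0 also has an
    # expired resolution that should only be followed when pivoting as of EARLIER.
    recs += [rec(f"tenant{i}.example", "203.0.113.10") for i in range(60)]
    recs.append(rec("tenant0.example", "192.0.2.99", datetime(2019, 1, 1), datetime(2019, 3, 1)))
    return PdnsIndex(recs)


def demo():
    """The article's two seeds: the email link's domain and the payment site
    it redirected to (that hop came from the web page, not from DNS)."""
    return pivot_map(sample_index(), ["magnit-boss.rocks", "ac-pay2day.net"], WHEN)


if __name__ == "__main__":
    for name, ip in sorted(demo()["edges"]):
        print(f"{name} -> {ip}")
```

The edge list is what Figure 7 draws. Two details are worth keeping when adapting this to real exports: resolve the seed as of the date the sample was received rather than over its whole history (a domain that changed hosting a year earlier would otherwise drag in an unrelated hoster's tenants), and set a fan-out cut-off, since one reverse-proxy or shared-hosting address can carry thousands of names that have nothing to do with the case.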
Not everything is as rosy as we would like. For example, such an investigation can easily run aground on Cloudflare and similar services, where a single address fronts thousands of unrelated sites. And the usefulness of the collected database depends on the volume of DNS queries passing through the Passive DNS collection module: a name that was never queried through a sensor is simply absent. Nevertheless, Passive DNS is a valuable source of additional information for an analyst.
Author: a specialist at the Ural Center for Security Systems (USSC)
Source: www.habr.com