<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Indeed looks like malware:</p>
<p><a class="moz-txt-link-freetext" href="https://webcache.googleusercontent.com/search?q=cache:rNjG8Ch0VgYJ:https://the-expanse.net/%40briankrebs%40infosec.exchange/&cd=1&hl=en&ct=clnk&gl=ie">https://webcache.googleusercontent.com/search?q=cache:rNjG8Ch0VgYJ:https://the-expanse.net/%40briankrebs%40infosec.exchange/&cd=1&hl=en&ct=clnk&gl=ie</a></p>
<p>The article mentions:<br>
stanislasarnoud[.]ru<br>
krebson[.]ru<br>
onthestage[.]ru<br>
<br>
</p>
<p>Marcus<br>
</p>
<div class="moz-cite-prefix">On 28/03/2023 10:12, Ondřej Surý wrote:<br>
</div>
<blockquote type="cite"
cite="mid:5D18F88D-F684-40A2-8629-A4A22389980D@isc.org">
<pre class="moz-quote-pre" wrap="">More likely, it’s a malware used to do a targeted attack rather than insecure routers.
Also why not both? ;)
Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">On 28. 3. 2023, at 10:44, Borja Marcos <a class="moz-txt-link-rfc2396E" href="mailto:borjam@sarenet.es">&lt;borjam@sarenet.es&gt;</a> wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">On 28 Mar 2023, at 09:33, Nyamkhand Buluukhuu <a class="moz-txt-link-rfc2396E" href="mailto:nyamkhand@mobinet.mn">&lt;nyamkhand@mobinet.mn&gt;</a> wrote:
Hello,
We are having slowly increasing DNS requests from our customer zones, all asking for mXX.krebson.ru. I think this is a DNS amplification attack.
And the source zones/IP addresses are different but are sending the same requests, like below.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
I wonder, maybe some of your customers have open recursive DNS servers themselves? Some brands of routers
are unfortunately easy to misconfigure.
I must play whack-a-mole now and then.
Borja.
</pre>
</blockquote>
</blockquote>
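<p>An added example, not part of the thread and not ISC code: one way to find which client addresses are sending queries under the three domains listed above, so the infected or misconfigured hosts can be located. It assumes BIND 9 query logging is enabled and that lines follow the usual <code>client ... query:</code> layout; the sample lines and addresses are constructed.</p>

```python
import re
from collections import Counter, defaultdict

# Domains named in the message above (written there in defanged form).
WATCHED = ("stanislasarnoud.ru", "krebson.ru", "onthestage.ru")

# Assumed input: BIND 9 querylog lines of the form
#   ... client @0x... ADDR#PORT (QNAME): query: QNAME CLASS TYPE FLAGS (LOCAL)
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<addr>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def watched_zone(qname):
    """Return the watched domain that qname equals or sits under, else None."""
    name = qname.rstrip(".").lower()
    for zone in WATCHED:
        if name == zone or name.endswith("." + zone):
            return zone
    return None

def summarize(lines):
    """Map each client address to {'zones': Counter, 'names': set of qnames}."""
    clients = defaultdict(lambda: {"zones": Counter(), "names": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line, or a different log layout
        zone = watched_zone(m.group("qname"))
        if zone:
            entry = clients[m.group("addr")]
            entry["zones"][zone] += 1
            entry["names"].add(m.group("qname").rstrip(".").lower())
    return dict(clients)

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE = [
    "28-Mar-2023 09:30:01.101 queries: info: client @0x7f1c2c0a1b20 192.0.2.10#40112 (m12.krebson.ru): query: m12.krebson.ru IN A +E(0) (198.51.100.53)",
    "28-Mar-2023 09:30:01.340 queries: info: client @0x7f1c2c0a1b20 192.0.2.10#40113 (m47.krebson.ru): query: m47.krebson.ru IN A +E(0) (198.51.100.53)",
    "28-Mar-2023 09:30:02.007 queries: info: client @0x7f1c2c0a2c30 203.0.113.77#5353 (M03.Krebson.RU): query: M03.Krebson.RU IN A + (198.51.100.53)",
    "28-Mar-2023 09:30:02.511 queries: info: client @0x7f1c2c0a3d40 2001:db8::25#61001 (www.example.com): query: www.example.com IN AAAA +E(0) (2001:db8::53)",
    "28-Mar-2023 09:30:03.120 queries: info: client @0x7f1c2c0a1b20 192.0.2.10#40114 (notkrebson.ru): query: notkrebson.ru IN A +E(0) (198.51.100.53)",
    "28-Mar-2023 09:30:03.900 queries: info: client @0x7f1c2c0a3d40 2001:db8::25#61002 (x.onthestage.ru): query: x.onthestage.ru IN A +E(0) (2001:db8::53)",
    "28-Mar-2023 09:30:05.000 general: info: zone example.com/IN: loaded serial 2023032801",
]

if __name__ == "__main__":
    for addr, e in sorted(summarize(SAMPLE).items(), key=lambda kv: -sum(kv[1]["zones"].values())):
        print(addr, sum(e["zones"].values()), "queries,", len(e["names"]), "distinct names")
```

<p>Matching is done on label boundaries, so <code>notkrebson.ru</code> is not counted as a hit for <code>krebson.ru</code>.</p>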
</body>
</html>