Xen0ph0n/DomainTrackr

// DomainTrackr by Chris Clark
// chris@xenosec.org / xen0ph0n @ github.com
// Copyright and Licensed GPL v3

DomainTrackr is a PHP & MySQL tool which allows researchers to easily track
the resolution of malicious domains, and be proactively alerted to changes.
Installation requires a MySQL database with the following structure:

ID int(10) No auto_increment Primary Unique
domain varchar(100) utf8_bin Index Fulltext
oldip varchar(15) utf8_bin Index
newip varchar(15) utf8_bin Index
changedate datetime
notes varchar(250) utf8_bin Fulltext
contact varchar(100) utf8_bin


Then just put the relevant DB info in the //dbconnection sections at the top of index & trackr.
Also change the send-from email address at the bottom of trackr to something relevant to your domain.

Version .01a
Next Features to be Added: Pretty Webfront, Optional Email updates, pivotable IPs and domains to OSI tools

Usage:

  1. Enter Domain, Relevant Notes, and Email Address on the index page
  2. Choose to either enter additional domains, or go to Trackr
  3. You can delete domains from Trackr you no longer wish to track (30 Domains Per Account)
  4. Leave a browser window open to Trackr; it will refresh every 30 minutes.
     All domains ever entered by a user will be tracked (the email address is the account).
     If any IP resolution changes are detected, an alert email containing the details
     will be sent to the account email.
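The check that Trackr runs on each refresh, re-resolving every tracked domain, comparing it against the stored IP and building an alert in the format shown later under "Example of Alert Email". This is an added illustration in Python, not DomainTrackr's own PHP code; the row dictionaries mirror the table columns above, the resolver is injected so the sample runs offline, and domain names and IPs are constructed. It also handles the multi-IP case the NOTE below calls out, by skipping and reporting such domains instead of raising a spurious alert.

```python
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

Row = Dict[str, str]  # keys mirror the table: domain, oldip, newip, notes, contact


def format_alert(changed: List[Row], now: datetime) -> str:
    """Render changed rows in the README's 'Example of Alert Email' layout."""
    if not changed:
        return ""
    lines = [f"As of {now:%Y-%m-%d %H:%M:%S} the following Domains you are "
             "tracking resolve to new IPs:", ""]
    for r in changed:
        lines.append(f"Domain: {r['domain']} Previous IP: {r['oldip']} "
                     f"NEW IP {r['newip']} Notes on Domain: {r['notes']}")
    lines += ["", "Provided by DomainTrackr by Xen0ph0n"]
    return "\n".join(lines)


def check_domains(rows: List[Row], resolve: Callable[[str], List[str]],
                  now: Optional[datetime] = None) -> Dict[str, object]:
    """Re-resolve each row. `resolve` returns all A records (empty on failure).
    Domains with several A records are skipped, not alerted on, because the
    tool only supports single-IP domains; unresolvable names are skipped too."""
    now = now or datetime.now()
    changed: List[Row] = []
    skipped: List[Tuple[str, str]] = []
    for row in rows:
        ips = resolve(row["domain"])
        if not ips:
            skipped.append((row["domain"], "no A record"))
        elif len(ips) > 1:
            skipped.append((row["domain"], "multiple A records"))
        elif ips[0] != row["oldip"]:
            changed.append({**row, "newip": ips[0],
                            "changedate": now.strftime("%Y-%m-%d %H:%M:%S")})
    return {"changed": changed, "skipped": skipped, "alert": format_alert(changed, now)}


# Constructed sample rows and a fake resolver standing in for live DNS.
SAMPLE_ROWS = [
    {"domain": "c2.example.invalid", "oldip": "198.51.100.10", "notes": "constructed", "contact": "a@example.invalid"},
    {"domain": "static.example.invalid", "oldip": "203.0.113.5", "notes": "constructed", "contact": "a@example.invalid"},
    {"domain": "cdn.example.invalid", "oldip": "203.0.113.9", "notes": "constructed", "contact": "a@example.invalid"},
]
FAKE_DNS = {"c2.example.invalid": ["198.51.100.99"],          # moved: alert
            "static.example.invalid": ["203.0.113.5"],        # unchanged
            "cdn.example.invalid": ["203.0.113.9", "203.0.113.10"]}  # multi-IP: skipped


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    print(check_domains(SAMPLE_ROWS, fake_resolve)["alert"])
```

In the real tool the `rows` come from the MySQL table and the changed rows are written back (oldip/newip/changedate) before the mail is sent, so the next refresh compares against the new address.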


Live Example:
http://www.dtrackr.com/ <-- Enter Domains
http://www.dtrackr.com/trackr.php <-- Track Your Domains
https://www.xenosec.org/trackr/trackr.php?email=chris@xenosec.org <-- Example with domains added (google to show deltas)

NOTE: Currently DomainTrackr does not support sites which resolve to multiple IP addresses (e.g. Google.com, Yahoo.com). This functionality isn't needed when tracking malicious C2 domains and malicious infrastructure.


Additionally included is a super lightweight PHP DNS and reverse lookup page:

http://www.dtrackr.com/lookup.php <-- Full DNS Lookup Page
Upload to your site of choice, free hosting provider etc.; it just needs PHP.
Use it as an API to scrape/check lots of stuff:
lookup.php?full=yes&domain=DOMAIN.NAME (full DNS results)
lookup.php?domain=DOMAIN.NAME (quick lookup of the IPs it resolves to)
IP reverse lookup (sucks, and will only give one random result if multiple domains are hosted on the IP):
lookup.php?full=yes&ip=xxx.xxx.xxx.xxx (full reverse results)
lookup.php?IP=xxx.xxx.xxx.xxx (quick lookup of the DNS name)


Example of Alert Email:

As of 2012-10-29 03:06:13 the following Domains you are tracking resolve to new IPs:

Domain: google.com Previous IP: 74.125.225.41 NEW IP 74.125.225.34 Notes on Domain: Please buy me!!
Domain: google.com Previous IP: 74.125.225.2 NEW IP 74.125.225.135 Notes on Domain: Steal all your info here
Domain: yahoo.com Previous IP: 98.139.183.24 NEW IP 98.138.253.109 Notes on Domain: People Still Visit This sitE?


Provided by DomainTrackr by Xen0ph0n


About

Track Changes in Malicious Domain Resolutions
