[nsp-sec] FW: DSL reports under ddos -- C&C info - AS 9121 (TR)
Krista Hickey
Krista.Hickey at cogeco.com
Thu Apr 10 13:59:57 EDT 2008
I see they're getting nailed again today,
<snip>
Thu Apr 10 13:35:27 EDT 2008
============================
since the ddos has taken out a nac router, the secondary
site isn't much help right now. I'm basically stuck waiting
for nac to blackhole the traffic upstream ..
</snip>
Anything we can do to help?
Krista
7992
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Jose Nazario
Sent: Wednesday, March 19, 2008 8:56 AM
To: nsp-security NSP
Subject: [nsp-sec] DSL reports under ddos -- C&C info - AS 9121 (TR)
----------- nsp-security Confidential --------
i was alerted to this attack via the freenode shadowserver IRC channel.
http://www.dslreports.com/front/shutdown.html
"""
Wed Mar 19 04:05:17 EDT 2008
============================
unfortunately we have a DDOS (distributed denial of service attack)
currently aimed at our pages, rather than give you page timeouts and
errors I've decided to show this page so I have some time to work around
the problem (eta uncertain).
If a forensic engineer with ISP NOC contacts would be interested in the
partial list of client IPs that comprise this botnet, please check out:
http://docs.google.com/Doc?id=dpbj3qz_10s6p5z4dn
if we get alternate access setup today, I'll update this page! It may
just show for members only.
"""
here's your C&C info:
Timestamp 2008-03-19 08:03:50
C&C IPs
79.135.166.122
C&C Hostnames
04ccc408.org
bdb7beb6.org
a9da6.org
C&C Port 80
C&C ASN 9121
C&C CC TR
C&C Channel
Command URLs
http://04ccc408.org/in.php?data=YmlkPTU0ODc2MDk5MSZ2ZXI9MTcmb3M9V2luWFA=
http://bdb7beb6.org/logadus/in.php?data=dmVyPTUmdWlkPTMwODU3MjE4NiZjb25uPSZvcz1YUCZzb2Nrcz0maXA9MTcyLjI0LjEzNy4yMQ==
http://a9da6.org/in.php?data=dmVyPTUmdWlkPTMwODU3MjE4NiZjb25uPSZvcz1YUCZzb2Nrcz0maXA9MTcyLjI0LjEzNy4yMQ==
Command Given
wait 30
tid 4
rgttp 10 www.dslreports.com /
Target IP 209.123.109.175
Target Hostname www.dslreports.com
Target ASN 8001
Target CC US
Report Origin Arbor
attack first seen: 2008-03-19 04:03:23
attack most recently seen: 2008-03-19 08:03:50
this info can be shared with the appropriate people to help mitigate the
attack, per list rules please strip list headers. i am happy to be
contacted by the appropriate parties for cleanup and takedown.
thanks.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security community. Confidentiality is essential for effective
Internet security counter-measures.
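The three command URLs in Jose's report carry a base64-encoded query string inside the `data` parameter. The following added example (not part of the original mail, and not Arbor's tooling) decodes them into their fields so a NOC can match the `uid`, `os` and self-reported `ip` values against its own logs when hunting for infected customers. The URLs are copied from the report with their wrapped lines re-joined; the `+` handling and lenient padding are assumptions about how such values look after passing through proxy logs.

```python
import base64
import ipaddress
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# The three check-in URLs quoted in the report above (wrapped lines re-joined).
REPORTED_URLS = [
    "http://04ccc408.org/in.php?data=YmlkPTU0ODc2MDk5MSZ2ZXI9MTcmb3M9V2luWFA=",
    "http://bdb7beb6.org/logadus/in.php?data=dmVyPTUmdWlkPTMwODU3MjE4NiZjb25uPSZvcz1YUCZzb2Nrcz0maXA9MTcyLjI0LjEzNy4yMQ==",
    "http://a9da6.org/in.php?data=dmVyPTUmdWlkPTMwODU3MjE4NiZjb25uPSZvcz1YUCZzb2Nrcz0maXA9MTcyLjI0LjEzNy4yMQ==",
]


def _b64decode_lenient(value: str) -> bytes:
    """Decode base64 even when trailing '=' padding was lost in a log line (assumed)."""
    return base64.b64decode(value + "=" * (-len(value) % 4), validate=True)


def decode_beacon(url: str) -> dict:
    """Split a check-in URL into host, path and the key=value fields carried
    in its base64 'data' parameter (the decoded payload is itself a query string)."""
    parts = urlsplit(url)
    outer = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs turns '+' into ' '; '+' is a base64 character and space is not,
    # so restore it before decoding.
    raw = outer.get("data", [""])[0].replace(" ", "+")
    fields = {}
    if raw:
        inner = _b64decode_lenient(raw).decode("ascii", errors="replace")
        for key, vals in parse_qs(inner, keep_blank_values=True).items():
            fields[key] = vals[0]
    return {"host": parts.hostname, "path": parts.path, "fields": fields}


def reported_ip_is_private(fields: dict) -> Optional[bool]:
    """True when the bot's self-reported 'ip' is RFC 1918 space, i.e. the
    infected host sits behind NAT and that value cannot identify the customer;
    None when the beacon carried no 'ip' field at all."""
    ip = fields.get("ip")
    if not ip:
        return None
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return None
```

Note that the second and third beacons report `ip=172.24.137.21`, a private address, so the bot's own view of its IP is useless for abuse contact and the source address seen on the wire must be used instead.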