[nsp-sec] DDoS to Joomla site
Alfredo Sola
alfredo at solucionesdinamicas.net
Fri Apr 11 06:16:47 EDT 2008
Hi,
We have received a plea for help from an editorial company which is
getting DDoS'd with TCP. They run PHP on their sites and mixed with
everything there are a handful of PHP exploits. It looks like the TCP
attack is a decoy to try to hide the exploit attempts.
Even though the attack looks like a decoy, it's harming more than a bit.
The first list here is the suspected decoys. The most interesting of the
suspected actual exploit attempts follow (there are many of these as well).
Thanks for any squashing or inputs.
Bulk mode; whois.cymru.com [2008-04-11 10:04:47 +0000]
766 | 212.128.136.65 | REDIRIS RedIRIS Autonomous System
3352 | 193.152.232.174 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 212.170.254.78 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 213.98.78.122 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 79.146.153.184 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 80.24.246.80 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 80.25.119.9 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 80.31.203.240 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 80.39.91.161 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 80.58.205.47 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 80.58.205.49 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 80.59.57.119 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 81.44.16.184 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 83.37.131.144 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 83.42.167.196 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 83.43.212.46 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 83.53.145.40 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 83.55.239.22 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 83.55.239.22 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 88.0.12.2 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 88.16.194.12 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 88.18.103.27 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 88.18.206.85 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 88.2.214.3 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 88.25.72.105 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
6147 | 190.42.131.33 | Telefonica del Peru S.A.A.
6197 | 74.231.24.220 | BATI-ATL - BellSouth Network Solutions, Inc
6332 | 201.143.184.223 | Telefonos del Noroeste S.A. de C.V.
6400 | 200.88.224.15 | Compañía Dominicana de Teléfonos, C. por A. - CODETEL
6458 | 190.56.121.51 | Telgua
6621 | 66.82.9.88 | HNS-DIRECPC - Hughes Network Systems
6739 | 81.202.17.104 | ONO-AS Cableuropa - ONO
6739 | 81.202.198.145 | ONO-AS Cableuropa - ONO
6739 | 84.120.92.38 | ONO-AS Cableuropa - ONO
6739 | 84.120.92.38 | ONO-AS Cableuropa - ONO
6739 | 84.125.192.100 | ONO-AS Cableuropa - ONO
6739 | 84.125.242.151 | ONO-AS Cableuropa - ONO
6901 | 195.16.142.34 | BITMAILERAS bitMAILER
7303 | 190.138.143.87 | Telecom Argentina S.A.
7303 | 190.139.227.4 | Telecom Argentina S.A.
7910 | 66.128.41.239 | COLDECON
8048 | 190.199.92.226 | CANTV Servicios, Venezuela
8048 | 190.36.238.174 | CANTV Servicios, Venezuela
8048 | 190.75.109.130 | CANTV Servicios, Venezuela
8151 | 189.132.114.106 | Uninet S.A. de C.V.
8151 | 189.133.69.111 | Uninet S.A. de C.V.
8151 | 189.146.104.175 | Uninet S.A. de C.V.
8151 | 189.163.44.246 | Uninet S.A. de C.V.
8151 | 189.169.51.207 | Uninet S.A. de C.V.
8151 | 189.177.78.179 | Uninet S.A. de C.V.
8151 | 189.179.141.213 | Uninet S.A. de C.V.
8167 | 201.24.2.234 | TELESC - Telecomunicacoes de Santa Catarina SA
10299 | 190.99.225.111 | EMCATEL
10318 | 190.16.64.45 | CABLEVISION S.A.
10318 | 201.235.220.239 | CABLEVISION S.A.
11172 | 200.76.155.70 | Alestra
12322 | 88.160.71.247 | PROXAD AS for Proxad/Free ISP
12334 | 213.60.35.140 | AS R Cable y Telecomunicaciones Galicia S.A.
12334 | 91.117.106.155 | AS R Cable y Telecomunicaciones Galicia S.A.
12357 | 87.235.104.3 | COMUNITEL Comunitel Global Autonomous System
12357 | 89.7.116.225 | COMUNITEL Comunitel Global Autonomous System
12430 | 77.208.142.202 | AIRTEL AS
12479 | 80.103.34.60 | UNI2-AS Uni2 Autonomous System
12479 | 85.53.76.127 | UNI2-AS Uni2 Autonomous System
12479 | 85.58.66.129 | UNI2-AS Uni2 Autonomous System
12715 | 87.217.81.132 | JAZZNET Jazz Telecom S.A.
12715 | 87.218.145.181 | JAZZNET Jazz Telecom S.A.
12715 | 87.218.78.219 | JAZZNET Jazz Telecom S.A.
12715 | 87.220.239.216 | JAZZNET Jazz Telecom S.A.
12946 | 81.9.244.219 | TELECABLE TELECABLE Autonomous System
12946 | 81.9.244.219 | TELECABLE TELECABLE Autonomous System
12946 | 83.97.189.250 | TELECABLE TELECABLE Autonomous System
12970 | 212.21.225.196 | TENARIA Retena and Reterioja AS
13591 | 200.53.121.170 | MetroRED Telecom Services
13591 | 200.56.250.193 | MetroRED Telecom Services
13999 | 200.52.164.14 | MegaCable SA de CV
16338 | 213.37.91.138 | AUNA_TELECOM-AS Cableuropa - ONO
16338 | 62.57.233.149 | AUNA_TELECOM-AS Cableuropa - ONO
16338 | 82.158.87.144 | AUNA_TELECOM-AS Cableuropa - ONO
16338 | 85.136.160.204 | AUNA_TELECOM-AS Cableuropa - ONO
16596 | 148.231.129.34 | UNIVERSIDAD AUTONOMA DE BAJA CALIFORNIA
17232 | 206.19.210.7 | AT&T US
18809 | 190.141.88.178 | Cable Onda
19429 | 190.24.61.238 | ETB - Colombia
19429 | 201.244.72.22 | ETB - Colombia
19429 | 201.244.72.22 | ETB - Colombia
20838 | 89.128.160.153 | YIF-AS YIF Autonomous System
20838 | 89.128.234.159 | YIF-AS YIF Autonomous System
20838 | 89.130.120.56 | YIF-AS YIF Autonomous System
20838 | 89.131.40.34 | YIF-AS YIF Autonomous System
22927 | 201.251.100.194 | Telefonica de Argentina
23243 | 200.49.170.20 | COMCEL GUATEMALA S.A.
31458 | 84.203.51.6 | SMARTTELECOM-AS Smart Telecom Autonomous System
35481 | 81.19.183.3 | LIGHTNING-AS Lightning Internet Ltd
Attempting: Mambo.Function.Path.Validation
Bulk mode; whois.cymru.com [2008-04-11 10:12:28 +0000]
3323 | 147.102.106.10 | NTUA National Technical University of Athens
6327 | 64.141.114.113 | SHAW - Shaw Communications Inc.
21219 | 77.222.128.242 | NEWLINE Datagroup Internet project
Attempting: Joomla.Webring.Remote.File.Inclusion
AS | IP | AS Name
3269 | 82.104.27.179 | ASN-IBSNAZ TELECOM ITALIA
Attempting: PHP.mail.Function.Control.Character.Header.Spoofing.B
Bulk mode; whois.cymru.com [2008-04-11 10:15:51 +0000]
7470 | 203.144.144.164 | ASIAINFO-AS-AP ASIA INFONET Co.,Ltd.
24445 | 211.142.116.205 | CMNET-V4HENAN-AS-AP Henan Mobile Communications Co.,Ltd
24445 | 211.142.116.205 | CMNET-V4HENAN-AS-AP Henan Mobile Communications Co.,Ltd
--
Alfredo Sola
ASP5-RIPE
http://alfredo.sola.es/
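The lists above are the raw output of Team Cymru's bulk whois service, which is the usual first step before an nsp-sec member hands sources to each network's abuse contact. The following is an added example, not code from the original post: it builds the bulk query (the protocol is a `begin` line, an optional `verbose` line, one address per line, then `end`, sent to whois.cymru.com port 43), parses the reply, and groups the offending addresses per ASN so the busiest networks come first. The `SAMPLE_REPLY` is constructed from rows quoted in the post, including one duplicated row and one block's column header, so the script runs offline; the function names are this example's own.

```python
# Added example (not code from the original post): build a Team Cymru bulk
# whois query and parse its reply into per-ASN groups for an abuse report.
# SAMPLE_REPLY is constructed from rows quoted in the post; in practice the
# reply comes from piping build_bulk_query() output to `nc whois.cymru.com 43`.
import ipaddress
from collections import OrderedDict


def build_bulk_query(ips, verbose=False):
    """Return the text to send to whois.cymru.com port 43.

    Each address is validated with ipaddress so that a malformed or attacker-
    controlled log field cannot inject an extra command line into the query.
    """
    lines = ["begin"]
    if verbose:
        lines.append("verbose")
    for ip in ips:
        lines.append(str(ipaddress.ip_address(ip.strip())))
    lines.append("end")
    return "\n".join(lines) + "\n"


def parse_bulk_output(text):
    """Return a list of (asn, ip, as_name) tuples from a bulk reply.

    Handles the three-column format seen in the post and, because the AS name
    is always the last column, the seven-column 'verbose' format as well.
    'Bulk mode;' banners, 'AS | IP | AS Name' headers and 'NA' ASNs
    (unrouted space) are skipped rather than mis-parsed.
    """
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        rows.append((int(parts[0]), parts[1], parts[-1]))
    return rows


def group_by_asn(rows):
    """Group IPs by ASN, dropping exact duplicate rows (the post has several)."""
    groups = OrderedDict()
    for asn, ip, name in rows:
        entry = groups.setdefault(asn, {"name": name, "ips": []})
        if ip not in entry["ips"]:
            entry["ips"].append(ip)
    return groups


def format_report(groups):
    """One line per ASN, busiest network first, ready to paste into a report."""
    ordered = sorted(groups.items(), key=lambda kv: (-len(kv[1]["ips"]), kv[0]))
    return [f"AS{asn} {g['name']}: {len(g['ips'])} source(s): {', '.join(g['ips'])}"
            for asn, g in ordered]


# Constructed sample reply, built from rows quoted in the post.
SAMPLE_REPLY = """Bulk mode; whois.cymru.com [2008-04-11 10:04:47 +0000]
766 | 212.128.136.65 | REDIRIS RedIRIS Autonomous System
3352 | 193.152.232.174 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 83.55.239.22 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3352 | 83.55.239.22 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
6739 | 81.202.17.104 | ONO-AS Cableuropa - ONO
6739 | 84.120.92.38 | ONO-AS Cableuropa - ONO
AS | IP | AS Name
3269 | 82.104.27.179 | ASN-IBSNAZ TELECOM ITALIA
"""

if __name__ == "__main__":
    print(build_bulk_query(["212.128.136.65", "82.104.27.179"]), end="")
    for line in format_report(group_by_asn(parse_bulk_output(SAMPLE_REPLY))):
        print(line)
```

Feeding the query to the live service is a one-liner outside the script (`python3 cymru_group.py | nc whois.cymru.com 43`, adjusting the name to whatever the file is saved as); the parser deliberately keys on the last column so the same code works if you later switch the query to `verbose` to get prefix, country and registry fields.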