[nsp-sec] DDoS against 213.27.239.85 (paging L3+NTT)
Stephen Gill
gillsr at cymru.com
Thu Jan 31 17:08:18 EST 2008
Hey Nico,
> Yes, the customer has the following ranges (and got hit on all 3):
>
> 213.27.150.168/29
> 213.27.239.80/28
> 213.27.146.180/30
Now they are attacking other IPs, so you can rest easy for a little bit :D.
Is it okay to have the botnet taken down?
> Thanks. Can the people with bots on the list try to get a copy of the
> malware?
Sure :)
->> this is basically your attacker
http://www.vsm.gov.tr/pwnd/bot.txt
->> these samples were seen spreading via RFI/XSS attacks also present on
the same host:
http://www.vsm.gov.tr/pwnd/http.txt
http://www.vsm.gov.tr/pwnd/safe.gif
http://www.vsm.gov.tr/gorselbasin/docs/gorselbasin/aw128.txt
>> If you'd like we can set the wayback machine for before 27 JAN 2008
>> and see if there are any other attacks or discourse.
>
> We only saw attacks this week so far, nothing in PFSP for the weeks
> before.
Here is a list of current/actual attacking IPs connected to the botnet:
701 | 74.85.126.2 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
2819 | 212.65.242.233 | GTSCZ GTS NOVERA (GTS CZ)
2914 | 128.121.21.48 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
2914 | 198.64.129.165 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3221 | 193.40.0.77 | EENet Autonomous System
3313 | 213.92.95.80 | INET-AS I.NET S.p.A.
3320 | 84.177.65.151 | DTAG Deutsche Telekom AG
3356 | 62.67.235.50 | LEVEL3 Level 3 Communications
3462 | 125.229.160.217 | HINET Data Communication Business Group
3561 | 72.232.12.234 | SAVVIS - Savvis
3561 | 72.36.152.194 | SAVVIS - Savvis
3561 | 72.36.225.130 | SAVVIS - Savvis
4266 | 12.130.64.131 | CERNET-ASN-BLOCK - California Education and Research Federation Network
4618 | 203.151.217.29 | INET-TH-AS Internet Thailand Company Limited
4713 | 219.163.200.103 | OCN NTT Communications Corporation
4713 | 219.163.200.92 | OCN NTT Communications Corporation
4713 | 219.163.200.94 | OCN NTT Communications Corporation
4713 | 219.163.5.182 | OCN NTT Communications Corporation
4713 | 219.163.5.188 | OCN NTT Communications Corporation
4713 | 221.186.251.79 | OCN NTT Communications Corporation
4713 | 221.186.251.87 | OCN NTT Communications Corporation
4713 | 60.32.201.102 | OCN NTT Communications Corporation
4741 | 210.246.192.133 | SAMART-BOARDER-AS Samart Corporation Co., Ltd.
4750 | 203.146.127.150 | CSLOXINFO-ISP-AS-AP CSLOXINFO Public Company Limited.
4750 | 203.146.140.172 | CSLOXINFO-ISP-AS-AP CSLOXINFO Public Company Limited.
4765 | 221.128.124.188 | WORLDNET-AS World Net & Services Co., Ltd.
4765 | 61.47.2.218 | WORLDNET-AS World Net & Services Co., Ltd.
6453 | 80.231.130.106 | GLOBEINTERNET Teleglobe America Inc.
7303 | 190.225.141.138 | Telecom Argentina S.A.
7303 | 200.43.222.198 | Telecom Argentina S.A.
7654 | 202.57.163.225 | SIAMGLOBE-AS-AP Internet Service Provider Co., Ltd.
7693 | 203.155.19.67 | COMNET-TH KSC Commercial Internet Co. Ltd.
7738 | 189.24.125.110 | Telecomunicacoes da Bahia S.A.
7738 | 201.79.97.98 | Telecomunicacoes da Bahia S.A.
8167 | 200.203.183.62 | TELESC - Telecomunicacoes de Santa Catarina SA
8167 | 200.96.181.60 | TELESC - Telecomunicacoes de Santa Catarina SA
8342 | 81.176.226.50 | RTCOMM-AS RTComm.RU Autonomous System
8560 | 217.160.252.231 | ONEANDONE-AS 1&1 Internet AG
8560 | 87.106.68.155 | ONEANDONE-AS 1&1 Internet AG
8584 | 212.150.164.23 | BARAK Netvision 013 Barak - Barak Network
8708 | 82.76.253.82 | RDSNET RCS & RDS S.A.
9024 | 212.40.64.89 | DRAVANET-AS Dravanet Co Ltd.
9120 | 212.97.132.103 | COHAESIONET Cohaesio A/S
9120 | 212.97.132.118 | COHAESIONET Cohaesio A/S
9120 | 212.97.132.130 | COHAESIONET Cohaesio A/S
9120 | 212.97.134.11 | COHAESIONET Cohaesio A/S
9600 | 218.216.67.40 | SONYTELECOM SONY CORPORATION
9931 | 61.7.225.34 | CAT-AP The Communication Authoity of Thailand, CAT
10481 | 200.32.8.16 | Prima S.A.
11351 | 69.207.1.21 | RR-NYSREGION-ASN-01 - Road Runner HoldCo LLC
12129 | 66.51.147.10 | 123NET - Internet 123
12594 | 212.40.96.82 | EXTERNET-AS EXTERNET Autonomus System
12876 | 195.154.77.64 | AS12876 Telecom Italia France
14992 | 209.200.117.138 | CRYSTALTECH - CrystalTech Web Hosting Inc.
15857 | 84.40.155.152 | DIALOG-AS DIALOG-NET Autonomuos System
16301 | 213.148.182.69 | DATACOM-AS Novgorod Datacom Autonomous System
16814 | 200.68.98.226 | NSS S.A.
17676 | 219.101.229.138 | GIGAINFRA BB TECHNOLOGY Corp.
18403 | 210.245.120.6 | FPT-AS-AP The Corporation for Financing & Promoting Technology
18479 | 189.14.101.1 | Plug-In Vanet Sistemas de Comunicao LTDA
18479 | 189.14.101.4 | Plug-In Vanet Sistemas de Comunicao LTDA
20312 | 150.187.103.20 | CNTI-REACCIUN
20312 | 150.187.25.5 | CNTI-REACCIUN
21470 | 81.17.72.133 | SWISP-AS Data Centre and ISP SWT Networks Limited Communications House Moor
23974 | 202.143.176.197 | MOE-EDNET-AS-AP Ministry of education
23974 | 203.172.180.250 | MOE-EDNET-AS-AP Ministry of education
24806 | 81.2.194.152 | INTERNET-CZ INTERNET CZ, a.s.,
25137 | 81.92.211.4 | NFSI NFSi Telecom, Lda.
25653 | 69.72.161.50 | FORTRESSITX - FortressITX
28590 | 201.54.26.98 | Neovia Telecomunicacoes S.A.
29208 | 82.119.225.27 | DIALTELECOM-AS Dial Telecom A.S., Bratislava
29300 | 82.148.187.66 | DIRECTCONNECT-AS Direct Connect, ISP, Norway
33660 | 75.145.57.237 | DNEO-OSP7 - Comcast Cable Communications, Inc.
39134 | 88.212.201.3 | SKYMEDIA Sky-Media Ltd. AS number
41003 | 194.153.116.180 | IP-INTERACTIVE IP-Interactive Colocation / IP Transit Provider
41126 | 89.111.180.245 | CENTROHOST-AS JSC Centrohost
Cheers,
Steve, Team Cymru.
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
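One way to act on a bot list in the format posted above, as an added example that is not part of the message and not a Team Cymru tool: parse the "ASN | IP | AS name" lines (re-joining AS names that the mail client wrapped onto a continuation line, as happened in the list), validate each address, and group the hosts per origin AS so that each network's abuse contact can be paged once with every host on its network. The input is constructed for the example (RFC 5737 documentation addresses, RFC 5398 private-use ASNs, made-up AS names); nothing in it is taken from the real list.

```python
"""Group a pasted 'ASN | IP | AS name' bot list per origin AS for notification.

Added example, not from the nsp-sec post. The sample below is constructed
(RFC 5737 documentation addresses, RFC 5398 private-use ASNs, made-up names)
but follows the same layout as the posted list, including AS names that a
mail client wrapped onto the next line.
"""
import re
from ipaddress import ip_address

# Constructed sample in the same layout as the posted list. The first line is
# a header that is not a record; two names are wrapped; the last record has an
# address that is not valid and must be skipped rather than notified.
SAMPLE = """\
AS | IP | AS Name
64496 | 192.0.2.10 | EXAMPLE-ONE - Example One Communications Services, Inc. d/b/a
Example Business
64496 | 192.0.2.77 | EXAMPLE-ONE - Example One Communications Services, Inc. d/b/a
Example Business
64497 | 198.51.100.5 | EXAMPLE-TWO Example Two Telecom AG
64498 | 203.0.113.9 | EXAMPLE-THREE-AS Example Three Education and
Research Network
64497 | 198.51.100.200 | EXAMPLE-TWO Example Two Telecom AG
64499 | 999.1.1.1 | EXAMPLE-FOUR Example Four Hosting (bad address)
"""

# A record starts with '<asn> | <ip> |'; anything else is treated as a wrapped tail.
RECORD = re.compile(r"^\s*(\d+)\s*\|\s*([0-9a-fA-F:.]+)\s*\|\s*(.*)$")


def unwrap(lines):
    """Re-join AS names that were wrapped onto a following line.

    A line that does not look like a record is appended to the previous
    record's AS name; non-record text before the first record is dropped.
    """
    out = []
    for line in lines:
        if RECORD.match(line):
            out.append(line.rstrip())
        elif out:
            out[-1] = out[-1] + " " + line.strip()
    return out


def parse_bot_list(text):
    """Return (asn, ip, as_name) tuples, skipping records whose IP is invalid."""
    records = []
    for line in unwrap(text.splitlines()):
        m = RECORD.match(line)
        asn, raw_ip, name = int(m.group(1)), m.group(2), m.group(3).strip()
        try:
            ip = str(ip_address(raw_ip))  # validates and normalises the address
        except ValueError:
            continue  # malformed address: do not put it in anyone's notice
        records.append((asn, ip, name))
    return records


def group_by_asn(records):
    """Map ASN -> {'name': as_name, 'ips': sorted unique addresses}."""
    groups = {}
    for asn, ip, name in records:
        g = groups.setdefault(asn, {"name": name, "ips": set()})
        g["ips"].add(ip)
    return {asn: {"name": g["name"], "ips": sorted(g["ips"], key=ip_address)}
            for asn, g in groups.items()}


def notification_order(groups):
    """ASNs by descending host count, then ASN: the networks to page first."""
    return sorted(groups, key=lambda a: (-len(groups[a]["ips"]), a))


def render_notice(asn, group):
    """One plain-text notice per origin AS listing the hosts seen attacking."""
    lines = [f"AS{asn} ({group['name']}): {len(group['ips'])} host(s) seen attacking"]
    lines += [f"  {ip}" for ip in group["ips"]]
    return "\n".join(lines)


if __name__ == "__main__":
    groups = group_by_asn(parse_bot_list(SAMPLE))
    for asn in notification_order(groups):
        print(render_notice(asn, groups[asn]))
        print()
```

The continuation-line heuristic is the one the posted list needs (a wrapped name never starts with digits and a pipe), so any stray non-record line after the last record would be glued onto that record's name; trim trailing text before feeding a pasted list in.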