[nsp-sec] DDoS against 213.27.239.85 (paging L3+NTT)
Chris Morrow
morrowc at ops-netman.net
Thu Jan 31 22:03:05 EST 2008
On Thu, 31 Jan 2008, Stephen Gill wrote:
> ----------- nsp-security Confidential --------
>
> BTW, google you might want to look at this address if you haven't already:
>
> morgan.rx at gmail.com
asking to have this killed off...
>
> They LOVE to use your search engine for scanning.
>
weee.. uhm, any idea what form the query gets to? we may get lucky and be
able to disable this query... maybe. (like what is 'gstring' and maybe you
have all the code for this problem which might make this easier? :) )
> EG:
>
> foreach $dom (@dominios)
> {
> push (@str,"@gstring");
> }
>
> my $query="www.google.com.ar/custom?q=";
> $query.=$str[(rand(scalar(@str)))];
> $query.="&num=$n&start=$s";
> my @lst=();
> #sendraw("privmsg #Morgan :DEBUG only test googling: ".$query."");
> my $page = http_query($query);
> while ($page =~ m/<a class=l href=\"?http:\/\/([^>\"]+)\"?>/g){
> if ($1 !~ m/google|cache|translate/){
> push (@lst,$1);
> }
> }
> return (@lst);
>
> -- steve
>
>
> On 1/31/08 3:08 PM, "Stephen Gill" <gillsr at cymru.com> wrote:
>
>> Hey Nico,
>>
>>> Yes, the customer has the following ranges (and got hit on all 3):
>>>
>>> 213.27.150.168/29
>>> 213.27.239.80/28
>>> 213.27.146.180/30
>>
>> Now they are attacking other IPs, so you can rest easy for a little bit :D.
>>
>> Is it okay to have the botnet taken down?
>>
>>> Thanks. Can the people with bots on the list try to get a copy of the
>>> malware?
>>
>> Sure :)
>>
>> ->> this is basically your attacker
>> http://www.vsm.gov.tr/pwnd/bot.txt
>>
>> ->> these samples were seen spreading via RFI/XSS attacks also present on the
>> same host:
>>
>> http://www.vsm.gov.tr/pwnd/http.txt
>> http://www.vsm.gov.tr/pwnd/safe.gif
>> http://www.vsm.gov.tr/gorselbasin/docs/gorselbasin/aw128.txt
>>
>>>> If you'd like we can set the wayback machine for before 27 JAN 2008
>>>> and see if there are any other attacks or discourse.
>>>
>>> We only saw attacks this week so far, nothing in PFSP for the weeks
>>> before.
>>
>> Here is a list of current/actual attacking IPs connected to the botnet:
>>
>> 701 | 74.85.126.2 | UUNET - MCI Communications Services, Inc. d/b/a
>> Verizon Business
>> 2819 | 212.65.242.233 | GTSCZ GTS NOVERA (GTS CZ)
>> 2914 | 128.121.21.48 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
>> 2914 | 198.64.129.165 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
>> 3221 | 193.40.0.77 | EENet Autonomous System
>> 3313 | 213.92.95.80 | INET-AS I.NET S.p.A.
>> 3320 | 84.177.65.151 | DTAG Deutsche Telekom AG
>> 3356 | 62.67.235.50 | LEVEL3 Level 3 Communications
>> 3462 | 125.229.160.217 | HINET Data Communication Business Group
>> 3561 | 72.232.12.234 | SAVVIS - Savvis
>> 3561 | 72.36.152.194 | SAVVIS - Savvis
>> 3561 | 72.36.225.130 | SAVVIS - Savvis
>> 4266 | 12.130.64.131 | CERNET-ASN-BLOCK - California Education and
>> Research Federation Network
>> 4618 | 203.151.217.29 | INET-TH-AS Internet Thailand Company Limited
>> 4713 | 219.163.200.103 | OCN NTT Communications Corporation
>> 4713 | 219.163.200.92 | OCN NTT Communications Corporation
>> 4713 | 219.163.200.94 | OCN NTT Communications Corporation
>> 4713 | 219.163.5.182 | OCN NTT Communications Corporation
>> 4713 | 219.163.5.188 | OCN NTT Communications Corporation
>> 4713 | 221.186.251.79 | OCN NTT Communications Corporation
>> 4713 | 221.186.251.87 | OCN NTT Communications Corporation
>> 4713 | 60.32.201.102 | OCN NTT Communications Corporation
>> 4741 | 210.246.192.133 | SAMART-BOARDER-AS Samart Corporation Co., Ltd.
>> 4750 | 203.146.127.150 | CSLOXINFO-ISP-AS-AP CSLOXINFO Public Company
>> Limited.
>> 4750 | 203.146.140.172 | CSLOXINFO-ISP-AS-AP CSLOXINFO Public Company
>> Limited.
>> 4765 | 221.128.124.188 | WORLDNET-AS World Net & Services Co., Ltd.
>> 4765 | 61.47.2.218 | WORLDNET-AS World Net & Services Co., Ltd.
>> 6453 | 80.231.130.106 | GLOBEINTERNET Teleglobe America Inc.
>> 7303 | 190.225.141.138 | Telecom Argentina S.A.
>> 7303 | 200.43.222.198 | Telecom Argentina S.A.
>> 7654 | 202.57.163.225 | SIAMGLOBE-AS-AP Internet Service Provider Co.,
>> Ltd.
>> 7693 | 203.155.19.67 | COMNET-TH KSC Commercial Internet Co. Ltd.
>> 7738 | 189.24.125.110 | Telecomunicacoes da Bahia S.A.
>> 7738 | 201.79.97.98 | Telecomunicacoes da Bahia S.A.
>> 8167 | 200.203.183.62 | TELESC - Telecomunicacoes de Santa Catarina SA
>> 8167 | 200.96.181.60 | TELESC - Telecomunicacoes de Santa Catarina SA
>> 8342 | 81.176.226.50 | RTCOMM-AS RTComm.RU Autonomous System
>> 8560 | 217.160.252.231 | ONEANDONE-AS 1&1 Internet AG
>> 8560 | 87.106.68.155 | ONEANDONE-AS 1&1 Internet AG
>> 8584 | 212.150.164.23 | BARAK Netvision 013 Barak - Barak Network
>> 8708 | 82.76.253.82 | RDSNET RCS & RDS S.A.
>> 9024 | 212.40.64.89 | DRAVANET-AS Dravanet Co Ltd.
>> 9120 | 212.97.132.103 | COHAESIONET Cohaesio A/S
>> 9120 | 212.97.132.118 | COHAESIONET Cohaesio A/S
>> 9120 | 212.97.132.130 | COHAESIONET Cohaesio A/S
>> 9120 | 212.97.134.11 | COHAESIONET Cohaesio A/S
>> 9600 | 218.216.67.40 | SONYTELECOM SONY CORPORATION
>> 9931 | 61.7.225.34 | CAT-AP The Communication Authoity of Thailand,
>> CAT
>> 10481 | 200.32.8.16 | Prima S.A.
>> 11351 | 69.207.1.21 | RR-NYSREGION-ASN-01 - Road Runner HoldCo LLC
>> 12129 | 66.51.147.10 | 123NET - Internet 123
>> 12594 | 212.40.96.82 | EXTERNET-AS EXTERNET Autonomus System
>> 12876 | 195.154.77.64 | AS12876 Telecom Italia France
>> 14992 | 209.200.117.138 | CRYSTALTECH - CrystalTech Web Hosting Inc.
>> 15857 | 84.40.155.152 | DIALOG-AS DIALOG-NET Autonomuos System
>> 16301 | 213.148.182.69 | DATACOM-AS Novgorod Datacom Autonomous System
>> 16814 | 200.68.98.226 | NSS S.A.
>> 17676 | 219.101.229.138 | GIGAINFRA BB TECHNOLOGY Corp.
>> 18403 | 210.245.120.6 | FPT-AS-AP The Corporation for Financing &
>> Promoting Technology
>> 18479 | 189.14.101.1 | Plug-In Vanet Sistemas de Comunicao LTDA
>> 18479 | 189.14.101.4 | Plug-In Vanet Sistemas de Comunicao LTDA
>> 20312 | 150.187.103.20 | CNTI-REACCIUN
>> 20312 | 150.187.25.5 | CNTI-REACCIUN
>> 21470 | 81.17.72.133 | SWISP-AS Data Centre and ISP SWT Networks Limited
>> Communications House Moor
>> 23974 | 202.143.176.197 | MOE-EDNET-AS-AP Ministry of education
>> 23974 | 203.172.180.250 | MOE-EDNET-AS-AP Ministry of education
>> 24806 | 81.2.194.152 | INTERNET-CZ INTERNET CZ, a.s.,
>> 25137 | 81.92.211.4 | NFSI NFSi Telecom, Lda.
>> 25653 | 69.72.161.50 | FORTRESSITX - FortressITX
>> 28590 | 201.54.26.98 | Neovia Telecomunicacoes S.A.
>> 29208 | 82.119.225.27 | DIALTELECOM-AS Dial Telecom A.S., Bratislava
>> 29300 | 82.148.187.66 | DIRECTCONNECT-AS Direct Connect, ISP, Norway
>> 33660 | 75.145.57.237 | DNEO-OSP7 - Comcast Cable Communications, Inc.
>> 39134 | 88.212.201.3 | SKYMEDIA Sky-Media Ltd. AS number
>> 41003 | 194.153.116.180 | IP-INTERACTIVE IP-Interactive Colocation / IP
>> Transit Provider
>> 41126 | 89.111.180.245 | CENTROHOST-AS JSC Centrohost
>>
>> Cheers,
>> Steve, Team Cymru.
>
> --
> Stephen Gill, Chief Scientist, Team Cymru
> http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
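The "ASN | IP | AS name" list above is the usual hand-off format for paging upstream operators (the subject line pages Level 3 and NTT because they own several of the listed hosts). The script below is an added example, not part of the thread or anything Team Cymru published: it parses a list in that format, rejoins AS names that were wrapped across lines by the mailer, buckets the bots per ASN so the operators with the most infected hosts can be contacted first, and checks whether any bot address falls inside the victim's own prefixes. The sample lines and the victim prefixes are copied from the thread; the function names and the line-wrapping handling are my assumptions.

```python
"""Triage an "ASN | IP | AS name" bot list into per-ASN buckets.

Added example (not the thread's own tooling). The sample entries below are
copied from the list in the thread; the victim prefixes are the three ranges
stated in the thread. Continuation-line handling and function names are
assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Victim prefixes as stated in the thread.
VICTIM_PREFIXES = [
    ipaddress.ip_network(p)
    for p in ("213.27.150.168/29", "213.27.239.80/28", "213.27.146.180/30")
]

# A few lines copied from the thread's list (the real list is longer). The
# "Verizon Business" line is a mailer line-wrap of the previous entry's AS name.
SAMPLE_LIST = """\
701 | 74.85.126.2 | UUNET - MCI Communications Services, Inc. d/b/a
Verizon Business
2914 | 128.121.21.48 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
2914 | 198.64.129.165 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3356 | 62.67.235.50 | LEVEL3 Level 3 Communications
4713 | 219.163.200.103 | OCN NTT Communications Corporation
4713 | 219.163.200.92 | OCN NTT Communications Corporation
4713 | 60.32.201.102 | OCN NTT Communications Corporation
3561 | 72.232.12.234 | SAVVIS - Savvis
"""

# asn | ip | free-text AS name
LINE_RE = re.compile(r"^\s*(\d+)\s*\|\s*(\S+)\s*\|\s*(.*)$")


def parse_bot_list(text):
    """Return a list of (asn, ip_address, as_name) tuples.

    Lines without the 'asn | ip | name' shape are treated as wrapped
    continuations of the previous entry's AS name; lines whose IP field
    does not parse are skipped rather than aborting the whole list.
    """
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            asn, ip, name = m.groups()
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue
            entries.append((int(asn), addr, name.strip()))
        elif raw.strip() and entries:
            asn, addr, name = entries[-1]
            entries[-1] = (asn, addr, name + " " + raw.strip())
    return entries


def bots_per_asn(entries):
    """Return [(asn, as_name, [ip, ...]), ...], most bots first, then by ASN."""
    buckets = defaultdict(list)
    names = {}
    for asn, addr, name in entries:
        buckets[asn].append(str(addr))
        names.setdefault(asn, name)
    return sorted(
        ((asn, names[asn], ips) for asn, ips in buckets.items()),
        key=lambda t: (-len(t[2]), t[0]),
    )


def bots_inside_victim(entries, prefixes=VICTIM_PREFIXES):
    """Bot IPs that lie inside the victim's own prefixes (worth a second look:
    either a compromised host on the victim side or a bogus entry)."""
    return [str(addr) for _, addr, _ in entries if any(addr in p for p in prefixes)]


if __name__ == "__main__":
    parsed = parse_bot_list(SAMPLE_LIST)
    for asn, name, ips in bots_per_asn(parsed):
        print(f"AS{asn:<6} {len(ips):>3} bot(s)  {name}")
    print("bots inside victim prefixes:", bots_inside_victim(parsed) or "none")
```

On the sample above this ranks AS4713 (three OCN hosts) first and AS2914 (NTT America) second, which is exactly the ordering you want before deciding whom to page; on the full list in the thread the same grouping shows why Level 3 and NTT were called out in the subject.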