[nsp-sec] DDoS against 213.27.239.85 (paging L3+NTT)

Chris Morrow morrowc at ops-netman.net
Thu Jan 31 23:26:35 EST 2008



(note, account disabled, ask LEA to follow up with our compliance folks?)

On Fri, 1 Feb 2008, Chris Morrow wrote:

> On Thu, 31 Jan 2008, Stephen Gill wrote:
>>>> weee.. uhm, any idea what form the query gets to? we may get lucky and be
>>>> able to disable this query... maybe. (like what is 'gstring' and maybe you
>>>> have all the code for this problem which might make this easier? :) )
>>
>> Please see:
>>
>> http://www.vsm.gov.tr/pwnd/bot.txt
>
> ah, I had dl'd the other links in the last email :( I'll have a look and
> see if we can do something about the query pattern even :)

So, it seems to:
1) require a command/scan in IRC (I presume this would let you scan for 
phpBB, axis-cam, whatever... without changing the bot code)
2) find a random set of page returns from that result-set
3) infect new hosts

I could be wrong, but I don't think I can filter out the queries :(

-Chris


