[nsp-sec] packet love at 81.21.73.240 - 10.7 Gb / 1.2m pps
Danny McPherson
danny at tcb.net
Mon Jul 14 13:19:30 EDT 2008
On Jul 14, 2008, at 7:57 AM, Steve Colam wrote:
> ----------- nsp-security Confidential --------
>
> Hi Folks,
>
> We have an attack at 81.21.73.240 which mostly consists
> of ICMP, with some tcp 80 and udp 80 just for fun.
>
> The ICMP packet size varies.
>
> The bots seem to be tracking the A record for
> www.av-sales.co.uk
>
> It's been going on since Friday and has just peaked
> at 10.7Gb/1.2m pps (12:45 GMT0 14/July/2008)
>
> It appears that most src IPs are spoofed.
>
> With some help from Hillar (tx!) we know the C&C
> is hosted on life-tablets.cn
>
> So it would be rather splendid if someone can help shut
> this down...
Steve,

We're tracking this C&C as well.. We've seen 132 discrete
attacks between 2008-07-11 10:10:00 and today. Targets
we've seen were by IP, but we saw both .119 and .240.

Let Jose or me know if you need any more details..

Most recent:
Attack Detail: Attack 616072
Timestamp: 2008-07-14 12:11:13
C&C IP: 91.203.92.30
C&C Hostname: life-tablets.cn
C&C Port: 80
C&C ASN: 44997
C&C CC: UK
C&C Channel:
Command URL: http://life-tablets.cn/ddd/stat.php
Command Given: 8;3000;10;1;0;30;100;3;20;1000;2000#flood icmp 81.21.73.240#10#
Target IP: 81.21.73.240
Target Hostname: 81.21.73.240
Target ASN: 5413
Target CC: UK
Report Origin: Arbor
....
First:
Attack Detail: Attack 608256
Timestamp: 2008-07-11 10:10:00
C&C IP: 91.203.92.30
C&C Hostname: life-tablets.cn
C&C Port: 80
C&C ASN: 44997
C&C CC: UK
C&C Channel:
Command URL: http://life-tablets.cn/ddd/stat.php
Command Given: 8;3000;10;1;0;30;100;3;20;1000;2000#flood icmp 81.21.73.240#10#
Target IP: 81.21.73.240
Target Hostname: 81.21.73.240
Target ASN: 5413
Target CC: UK
Report Origin: Arbor
-danny