[nsp-sec] "Simplebot" -- a basic HTTP ddos bot
Stephen Gill
gillsr at cymru.com
Tue Jul 15 12:31:22 EDT 2008
That's actually known as Tsunami.
Lot's of those samples available... I'll try to compile a list of Live C&Cs.
A few telltale signs are the 'Panel' realm, update.txt file, online.php,
etc.
-- steve
On 7/15/08 9:11 AM, "Jose Nazario" <jose at arbor.net> wrote:
> ----------- nsp-security Confidential --------
>
> On Tue, 15 Jul 2008, Jose Nazario wrote:
>
>> C&C http://reno.wu.lt/ddos/update.php
>> COMMAND
>> 1 http://deface.lt 80
>
> btw a simple "GET" to this URL will yield the attack command.
>
> reno.wu.lt A INET 193.46.84.8
>
> AS | IP | AS Name
> 43463 | 193.46.84.8 | BST-AS Biuro sprendimu tinklas UAB
>
> -------------------------------------------------------------
> jose nazario, ph.d. <jose at arbor.net>
> security researcher, office of the CTO, arbor networks
> v: (734) 821 1427 http://asert.arbornetworks.com/
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
More information about the nsp-security
mailing list