[nsp-sec] amazon attack
Chris Morrow
morrowc at ops-netman.net
Fri Jun 6 16:45:19 EDT 2008
On Fri, 6 Jun 2008, Dave Burke wrote:
> ----------- nsp-security Confidential --------
>
> We're trying to get one now from the frontend LB.
>
> All requests are for: HTTP/1.1 GET
> http://www.amazon.com/gp/product/B000JO1IPI/ref=s9alfix_c2_at2-rfc_p-2991_g1?redirect=true&pf_rd_m=ATVPDKIKX0DER&pf_rd_s=center-2&pf_rd_r=14C7VX4RTA06GC04AX7A&pf_rd_t=101&pf_rd_p=397916001&pf_rd_i=507846
>
I'd note that that is filterable on the guards... so if you had those, or
ping'ed 701's folks for help they could as well.
-Chris
> dave
>
> Smith, Donald wrote:
>> Dave do you have any attack packet details?
>> What address are they attacking www.amazon.com I presume?
>>
>>
>> Security through obscurity WORKS against some worms and ssh attacks:)
>> Donald.Smith at qwest.com giac
>>
>>> -----Original Message-----
>>> From: nsp-security-bounces at puck.nether.net
>>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Dave Burke
>>> Sent: Friday, June 06, 2008 2:09 PM
>>> To: NSP nsp-security
>>> Subject: [nsp-sec] amazon attack
>>
>> FYI,
>>
>> Here are the top 10 offenders we have blocked so far on our border:
>>
>>
>> 208.86.157.28 was being controlled via script from 194.85.89.245
>>
>> I've attached the loc.php script being used.
>>
>> So far, all of the top offenders we're seeing are Linux servers running
>> Apache/PHP.
>>
>>
>> dave
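An added example, not part of the original thread or any poster's code: one way to build a top-offenders list like the one discussed above from frontend load-balancer logs when the attack requests all target a single URL. The Apache combined log format, the thresholds, the function names, and all sample lines (documentation address ranges, placeholder URL) are assumptions.

```python
import re
from collections import Counter

# Constructed sample data: documentation address ranges and a placeholder URL,
# not values from the thread.
FLOOD_URL = "/gp/product/EXAMPLE?redirect=true"

def make_line(ip, url):
    """Build one line in Apache combined log format (assumed LB log format)."""
    return f'{ip} - - [06/Jun/2008:14:01:02 -0400] "GET {url} HTTP/1.1" 200 512 "-" "-"'

SAMPLE = (
    [make_line("192.0.2.10", FLOOD_URL)] * 40      # heavy hitter
    + [make_line("198.51.100.7", FLOOD_URL)] * 25  # heavy hitter
    + [make_line("203.0.113.5", FLOOD_URL)] * 3    # ordinary visitor, same page
    + [make_line("203.0.113.5", "/")] * 2
    + [make_line("203.0.113.9", "/help")] * 4
    + ["truncated or malformed line"]
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} ')

def parse(lines):
    """Yield (source_ip, url) per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(3)

def flood_report(lines, url_share=0.5, min_hits=10, top_n=10):
    """Return (dominant_url, [(cidr, hits), ...]), or (None, []) when no single
    URL accounts for at least url_share of all parsed requests."""
    hits = list(parse(lines))
    if not hits:
        return None, []
    url, count = Counter(u for _, u in hits).most_common(1)[0]
    if count / len(hits) < url_share:
        return None, []
    sources = Counter(ip for ip, u in hits if u == url)
    # min_hits keeps low-rate clients that merely viewed the page off the list.
    offenders = [(f"{ip}/32", n) for ip, n in sources.most_common(top_n) if n >= min_hits]
    return url, offenders

if __name__ == "__main__":
    url, offenders = flood_report(SAMPLE)
    print("dominant URL:", url)
    for cidr, n in offenders:
        print(f"{n:6d}  {cidr}")
```

The `min_hits` floor matters because the flooded URL is a real product page, so some sources requesting it are legitimate and should not end up in a border block list.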