[nsp-sec] Amazon Attack (06/09/2008)
Jose Nazario
jose at arbor.net
Mon Jun 9 16:01:39 EDT 2008
could be partially contributing:
malware=# SELECT timestamp,cc_ip,cc_host,cc_asn,cc_cc,cc_url,cmd from
ddos_commands where cmd like '%amazon.%';
      timestamp      |     cc_ip     |      cc_host      | cc_asn | cc_cc |                  cc_url                  |                                cmd
---------------------+---------------+-------------------+--------+-------+------------------------------------------+-------------------------------------------------------------------
 2008-06-09 13:06:20 | 190.183.60.82 | ad.yandexshit.com |  20207 | AR    | http://ad.yandexshit.com/_admin/stat.php | 10;2000;5;0;0;30;100;3;20;1000;2000#flood http www.amazon.com#10#
 2008-06-09 13:07:06 | 190.183.60.82 | vse.ohueli.net    |  20207 | AR    | http://vse.ohueli.net/_vse_/stat.php     | 10;2000;5;0;0;30;100;3;20;1000;2000#flood http www.amazon.com#10#
 2008-06-09 13:07:41 | 190.183.60.82 | prosto.pizdos.net |  20207 | AR    | http://prosto.pizdos.net/_lol/stat.php   | 10;2000;5;0;0;30;100;3;20;1000;2000#flood http www.amazon.com#10#
 2008-06-09 13:07:42 | 190.183.60.82 | vse.ohueli.net    |  20207 | AR    | http://vse.ohueli.net/_vse_/stat.php     | 10;2000;5;0;0;30;100;3;20;1000;2000#flood http www.amazon.com#10#
(4 rows)
this is a black energy botnet. reaching out via our friends to the argentina
folks for assistance in mitigating this at the source.
--
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/