[nsp-sec] Amazon Attack (06/09/2008)

Chris Calvert Chris.Calvert at telus.com
Mon Jun 9 16:05:07 EDT 2008


Hi Dave

Any details?

I see lots of flows, and I've asked Abuse to contact the IP's owner to have
them take a look at their host, just in case.

Chris 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Dave Burke
> Sent: Monday, June 09, 2008 12:49 PM
> To: NSP nsp-security
> Subject: [nsp-sec] Amazon Attack (06/09/2008)
> Importance: High
> 
> ----------- nsp-security Confidential --------
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> We're under attack again. All ASNs (7224/39111/16509).
> 
> We're seeing Apache/Linux/PHP servers hitting us....
> 
> 
> Any help mitigating is appreciated.
> 
> dave
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFITXse6xddYR6j4jARAj//AJ9AogorO+IPMsjvYsiY8jmQ4ZP+JgCgiz0e
> FiC3xqNgSn7PliMtV2D+yBg=
> =9cZm
> -----END PGP SIGNATURE-----
> 
> 