[nsp-sec] DSL reports under ddos -- C&C info - AS 9121 (TR)
Jose Nazario
jose at arbor.net
Wed Mar 19 08:56:14 EDT 2008
i was alerted to this attack via the freenode shadowserver IRC channel.
http://www.dslreports.com/front/shutdown.html
"""
Wed Mar 19 04:05:17 EDT 2008
============================
unfortunately we have a DDOS (distributed denial of
service attack) currently aimed at our pages, rather
than give you page timeouts and errors I've decided to
show this page so I have some time to work around the
problem (eta uncertain).
If a forensic engineer with ISP NOC contacts would be
interested in the partial list of client IPs that comprise
this botnet, please check out:
http://docs.google.com/Doc?id=dpbj3qz_10s6p5z4dn
if we get alternate access setup today, I'll update
this page! It may just show for members only.
"""
here's your C&C info:
Timestamp 2008-03-19 08:03:50
C&C IPs
79.135.166.122
C&C Hostnames
04ccc408.org
bdb7beb6.org
a9da6.org
C&C Port 80
C&C ASN 9121
C&C CC TR
C&C Channel
Command URLs
http://04ccc408.org/in.php?data=YmlkPTU0ODc2MDk5MSZ2ZXI9MTcmb3M9V2luWFA=
http://bdb7beb6.org/logadus/in.php?data=dmVyPTUmdWlkPTMwODU3MjE4NiZjb25uPSZvcz1YUCZzb2Nrcz0maXA9MTcyLjI0LjEzNy4yMQ==
http://a9da6.org/in.php?data=dmVyPTUmdWlkPTMwODU3MjE4NiZjb25uPSZvcz1YUCZzb2Nrcz0maXA9MTcyLjI0LjEzNy4yMQ==
Command Given
wait 30
tid 4
rgttp 10 www.dslreports.com /
Target IP 209.123.109.175
Target Hostname www.dslreports.com
Target ASN 8001
Target CC US
Report Origin Arbor
attack first seen: 2008-03-19 04:03:23
attack most recently seen: 2008-03-19 08:03:50
this info can be shared with the appropriate people to help mitigate the
attack, per list rules please strip list headers. i am happy to be
contacted by the appropriate parties for cleanup and takedown.
thanks.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/
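As an added triage example (not part of the original post or of the Arbor report): the three command URLs above carry the bot's check-in data base64-encoded in the `data=` query parameter. The small Python helper below pulls that parameter out of each URL and decodes it into fields a responder can put in a ticket or an abuse report (the URLs are the ones quoted above; the function and variable names are my own).

```python
import base64
from urllib.parse import urlsplit, parse_qs

# The check-in URLs exactly as listed under "Command URLs" in the report above.
COMMAND_URLS = [
    "http://04ccc408.org/in.php?data=YmlkPTU0ODc2MDk5MSZ2ZXI9MTcmb3M9V2luWFA=",
    "http://bdb7beb6.org/logadus/in.php?data=dmVyPTUmdWlkPTMwODU3MjE4NiZjb25uPSZvcz1YUCZzb2Nrcz0maXA9MTcyLjI0LjEzNy4yMQ==",
    "http://a9da6.org/in.php?data=dmVyPTUmdWlkPTMwODU3MjE4NiZjb25uPSZvcz1YUCZzb2Nrcz0maXA9MTcyLjI0LjEzNy4yMQ==",
]


def raw_query_param(query, name):
    """Return the value of `name` from a query string without URL-unquoting it.

    parse_qs would turn '+' into a space, which corrupts standard base64, so the
    parameter is split out by hand and handed to the decoder untouched.
    """
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key == name:
            return value
    return ""


def decode_checkin(url):
    """Decode one bot check-in URL into (c2_host, path, fields).

    `fields` is the key/value data the infected host reported to the C&C
    (bot id, bot version, OS, and in the second format its own IP).
    """
    parts = urlsplit(url)
    raw = raw_query_param(parts.query, "data")
    raw += "=" * (-len(raw) % 4)          # tolerate stripped padding
    decoded = base64.b64decode(raw, validate=True).decode("ascii", "replace")
    fields = parse_qs(decoded, keep_blank_values=True)
    return parts.hostname, parts.path, {k: v[0] for k, v in fields.items()}


def summarize(urls):
    """Map each C&C hostname to the decoded check-in fields for all URLs."""
    summary = {}
    for url in urls:
        host, path, fields = decode_checkin(url)
        summary[host] = {"path": path, **fields}
    return summary


if __name__ == "__main__":
    for host, info in summarize(COMMAND_URLS).items():
        print(host, info)
```

Comparing the decoded fields across the three hostnames shows that two of them receive the same check-in format and bot id, which is a quick way to confirm they belong to the same C&C infrastructure before passing the list on for takedown.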