[nsp-sec] DSL reports under ddos -- C&C info - AS 9121 (TR)
Smith, Donald
Donald.Smith at qwest.com
Wed Mar 19 14:36:10 EDT 2008
I checked the ips they identified.
I see NO flows towards the victims ip address.
I see no flows towards the bot cc ip address identified.
Which I could almost believe if the bot cc was fairly quiet.
RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Jose Nazario
> Sent: Wednesday, March 19, 2008 6:56 AM
> To: nsp-security NSP
> Subject: [nsp-sec] DSL reports under ddos -- C&C info - AS 9121 (TR)
>
> ----------- nsp-security Confidential --------
>
> i was alerted to this attack via the freenode shadowserver
> IRC channel.
>
> http://www.dslreports.com/front/shutdown.html
>
> """
> Wed Mar 19 04:05:17 EDT 2008
> ============================
>
> unfortunately we have a DDOS (distributed denial of
> service attack) currently aimed at our pages, rather
> than give you page timeouts and errors I've decided to
> show this page so I have some time to work around the
> problem (eta uncertain).
>
> If a forensic engineer with ISP NOC contacts would be
> interested in the partial list of client IPs that comprise
> this botnet, please check out:
>
> http://docs.google.com/Doc?id=dpbj3qz_10s6p5z4dn
>
> if we get alternate access setup today, I'll update
> this page! It may just show for members only.
> """
>
> here's your C&C info:
>
> Timestamp 2008-03-19 08:03:50
> C&C IPs
> 79.135.166.122
> C&C Hostnames
> 04ccc408.org
> bdb7beb6.org
> a9da6.org
> C&C Port 80
> C&C ASN 9121
> C&C CC TR
> C&C Channel
> Command URLs
> http://04ccc408.org/in.php?data=YmlkPTU0ODc2MDk5MSZ2ZXI9MTcmb3M9V2luWFA=
> http://bdb7beb6.org/logadus/in.php?data=dmVyPTUmdWlkPTMwODU3MjE4NiZjb25uPSZvcz1YUCZzb2Nrcz0maXA9MTcyLjI0LjEzNy4yMQ==
> http://a9da6.org/in.php?data=dmVyPTUmdWlkPTMwODU3MjE4NiZjb25uPSZvcz1YUCZzb2Nrcz0maXA9MTcyLjI0LjEzNy4yMQ==
>
> Command Given
>
> wait 30
> tid 4
> rgttp 10 www.dslreports.com /
>
> Target IP 209.123.109.175
> Target Hostname www.dslreports.com
> Target ASN 8001
> Target CC US
> Report Origin Arbor
>
>
> attack first seen: 2008-03-19 04:03:23
> attack most recently seen: 2008-03-19 08:03:50
>
>
> this info can be shared with the appropriate people to help
> mitigate the attack, per list rules please strip list headers. i am happy to be
> contacted by the appropriate parties for cleanup and takedown.
>
> thanks.
>
> -------------------------------------------------------------
> jose nazario, ph.d. <jose at arbor.net>
> security researcher, office of the CTO, arbor networks
> v: (734) 821 1427 http://asert.arbornetworks.com/
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>
>
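Added example, not part of either post: a small Python helper that decodes the base64 `data=` parameter of the three check-in URLs quoted above, so an analyst can see what the bot reports to its C&C before deciding what to look for in flow data. The URLs are copied from the report; the helper names and the reading of the decoded fields (bot id, version, OS, self-reported IP) are my assumptions.

```python
import base64
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# The three command URLs quoted in the report above; the data= value is base64.
COMMAND_URLS = [
    "http://04ccc408.org/in.php?data=YmlkPTU0ODc2MDk5MSZ2ZXI9MTcmb3M9V2luWFA=",
    "http://bdb7beb6.org/logadus/in.php?data="
    "dmVyPTUmdWlkPTMwODU3MjE4NiZjb25uPSZvcz1YUCZzb2Nrcz0maXA9MTcyLjI0LjEzNy4yMQ==",
    "http://a9da6.org/in.php?data="
    "dmVyPTUmdWlkPTMwODU3MjE4NiZjb25uPSZvcz1YUCZzb2Nrcz0maXA9MTcyLjI0LjEzNy4yMQ==",
]


def decode_checkin(url):
    """Return (host, path, fields); fields is the decoded data= query as a dict."""
    parts = urlsplit(url)
    # Split the outer query by hand: parse_qs would turn '+' (a legal base64
    # character) into a space and corrupt the decode.
    outer = dict(kv.partition("=")[::2] for kv in parts.query.split("&") if kv)
    raw = outer.get("data", "")
    raw += "=" * (-len(raw) % 4)  # restore padding lost to mail line wraps
    inner = base64.b64decode(raw).decode("ascii", errors="replace")
    # The decoded payload is itself a query string; keep empty values such as conn=
    fields = dict(parse_qsl(inner, keep_blank_values=True))
    return parts.hostname, parts.path, fields


def reported_ip_is_private(fields):
    """True if the bot's self-reported ip= field is a private (RFC1918) address.

    A private address here means the bot is telling the C&C its LAN address,
    which is useless for a flow lookup at the ISP; None if absent or malformed.
    """
    ip = fields.get("ip")
    if not ip:
        return None
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return None


if __name__ == "__main__":
    for url in COMMAND_URLS:
        host, path, fields = decode_checkin(url)
        print(host, path, fields, "(private ip= field)" if reported_ip_is_private(fields) else "")
```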