[nsp-sec] Possible 700k+ node botnet

Dave Mitchell davem at yahoo-inc.com
Wed Oct 1 16:23:40 EDT 2008


Over the past few weeks we noticed a large amount of machines doing odd
HTTP gets on www.yahoo.com for GET / setting.xls and setting.doc. The
unique addresses as of the other day totaled 713,813 globally. I'm still
not sure if this is a botnet or something else, but the large number of
machines and their rapid checking in for files that don't exist make me
think something is awry with them.

Some of the interesting portions of this include spoofed short cookies
that do not even look close to our valid cookies. We also had valid
yahoo users doing these queries with their full legit cookies and some
hosts that had no cookies at all. Also, some of the listings without ASN lookups
appear to be 3G phones in Australia. Yay.

The ASN lookup file appears to be too large to upload to the wiki, so I
gzipped it and am emailing it out. Would be nice to allow the wiki to
accept .gz files. ;) I was lazy and didn't feel like splitting up this
into 3 files just to upload to wiki. gunzip + grep should work fine for
this. 

-dave
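As an added defender-side example (not code from Dave's post or from any Yahoo tooling), the script below parses constructed access-log lines, counts the unique hosts requesting the two non-existent paths named above, and buckets each host's cookie as none, short (spoofed-looking) or full. The log format with a trailing Cookie field, the sample addresses and the 20-character cookie threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (combined log format plus a trailing Cookie field);
# illustrative only, not real traffic from the post.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Oct/2008:10:00:00 -0400] "GET /setting.xls HTTP/1.1" 404 0 "-" "Mozilla/4.0" "Y=abc"
10.0.0.1 - - [01/Oct/2008:10:00:30 -0400] "GET /setting.doc HTTP/1.1" 404 0 "-" "Mozilla/4.0" "Y=abc"
10.0.0.2 - - [01/Oct/2008:10:00:05 -0400] "GET /setting.xls HTTP/1.1" 404 0 "-" "Mozilla/4.0" "-"
10.0.0.3 - - [01/Oct/2008:10:00:07 -0400] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0" "Y=v=1&n=abcdefghijklmnop&l=xyz; T=z=qrstuvwxyz0123456789"
10.0.0.4 - - [01/Oct/2008:10:01:00 -0400] "GET /setting.doc HTTP/1.1" 404 0 "-" "Mozilla/4.0" "Y=xyz"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

PROBE_PATHS = frozenset({"/setting.xls", "/setting.doc"})  # the two paths from the post
MIN_COOKIE_LEN = 20  # assumed threshold: genuine session cookies are far longer than this

def classify_cookie(cookie):
    """Bucket the Cookie header into none / short (spoofed-looking) / full."""
    if cookie in ("", "-"):
        return "none"
    if len(cookie) < MIN_COOKIE_LEN:
        return "short"
    return "full"

def find_probe_hosts(log_text, probe_paths=PROBE_PATHS):
    """Return {ip: {"hits": n, "paths": set, "cookie": class}} for hosts hitting probe paths."""
    hosts = defaultdict(lambda: {"hits": 0, "paths": set(), "cookie": "none"})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("path") not in probe_paths:
            continue  # skip unparsable lines and ordinary traffic
        rec = hosts[m.group("ip")]
        rec["hits"] += 1
        rec["paths"].add(m.group("path"))
        rec["cookie"] = classify_cookie(m.group("cookie"))
    return dict(hosts)

def summarize(hosts):
    """Unique-host count plus a breakdown by cookie class, the figures the post reports."""
    by_cookie = defaultdict(int)
    for rec in hosts.values():
        by_cookie[rec["cookie"]] += 1
    return {"unique_hosts": len(hosts), "by_cookie": dict(by_cookie)}
```

Run `summarize(find_probe_hosts(SAMPLE_LOG))` to get the unique-host total and the none/short/full split; on real logs, feed the output of a grep for the probe paths instead of the embedded sample.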