[nsp-sec] Possible 700k+ node botnet

Nicholas Ianelli ni at cert.org
Wed Oct 1 16:53:37 EDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rock on! More than happy to talk with anyone's customers to see if we can
find any malware.

Nick


Dave Mitchell wrote:
> ----------- nsp-security Confidential --------
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Over the past few weeks we noticed a large number of machines doing odd
> HTTP gets on www.yahoo.com for GET / setting.xls and setting.doc. The
> unique addresses as of the other day totaled 713,813 globally. I'm still
> not sure if this is a botnet or something else, but the large number of
> machines and their rapid checking in for files that don't exist make me
> think something is awry with them.
> 
> Some of the interesting portions of this include spoofed short cookies
> that do not even look close to our valid cookies. We also had valid
> yahoo users doing these queries with their full legit cookies and some
> hosts that had no cookies at all. Also, some of the listings without ASN lookups
> appear to be 3G phones in Australia. Yay.
> 
> The ASN lookup file appears to be too large to upload to the wiki, so I
> gzipped it and am emailing it out. Would be nice to allow the wiki to
> accept .gz files. ;) I was lazy and didn't feel like splitting up this
> into 3 files just to upload to wiki. gunzip + grep should work fine for
> this. 
> 
> -dave
> 
> 
> ------------------------------------------------------------------------
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkjj41EACgkQi10dJIBjZIBA1wCg4znNZIMKCw4msJYWqYCNBhKL
HywAn3+aq0iobmlhSMzSVUgWYbVRZ/4e
=pNrN
-----END PGP SIGNATURE-----
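An added illustration of the kind of log triage Dave's report implies. This is example code written for this page, not code from the original thread, from CERT, or from Yahoo: it scans constructed web-server log lines for GETs to /setting.xls and /setting.doc, buckets each hit by whether the Cookie header is absent, suspiciously short, or full-length, counts unique client addresses, and flags hosts that re-request within a short window (the "rapid checking in" Dave describes). The log format, the 40-character cookie threshold, the five-minute window, and every address and cookie value in the sample are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (not Yahoo's real one): client IP, [timestamp], "request line",
# status, and the raw Cookie request header in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

# Paths named in the report: files that do not exist on the server.
SUSPECT_PATHS = {"/setting.xls", "/setting.doc"}

# Assumption: a legitimate session cookie is far longer than this; anything
# shorter is treated as one of the "spoofed short cookies" from the report.
MIN_VALID_COOKIE_LEN = 40

# Assumption: two hits from one host inside this window count as rapid check-in.
RAPID_WINDOW = timedelta(minutes=5)

# Constructed sample log (RFC 5737 documentation addresses, made-up cookies).
SAMPLE_LOG = """\
203.0.113.10 [01/Oct/2008:10:00:01 +0000] "GET /setting.xls HTTP/1.1" 404 "B=abc12"
203.0.113.10 [01/Oct/2008:10:02:15 +0000] "GET /setting.doc HTTP/1.1" 404 "B=abc12"
198.51.100.7 [01/Oct/2008:10:00:30 +0000] "GET /setting.xls HTTP/1.1" 404 ""
192.0.2.44 [01/Oct/2008:10:01:00 +0000] "GET /setting.xls HTTP/1.1" 404 "B=0123456789abcdef0123456789abcdef0123456789abcdef; Y=xyz"
192.0.2.44 [01/Oct/2008:11:30:00 +0000] "GET /index.html HTTP/1.1" 200 "B=0123456789abcdef0123456789abcdef0123456789abcdef; Y=xyz"
192.0.2.99 [01/Oct/2008:10:05:00 +0000] "GET / HTTP/1.1" 200 ""
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify_cookie(cookie):
    """Bucket the Cookie header as 'none', 'short' (likely spoofed) or 'full'."""
    if not cookie:
        return "none"
    if len(cookie) < MIN_VALID_COOKIE_LEN:
        return "short"
    return "full"


def analyze(lines):
    """Summarise GETs for the suspect paths: unique hosts, cookie classes, rapid hosts."""
    hosts = defaultdict(list)  # ip -> [(timestamp, path, cookie_class), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["path"] not in SUSPECT_PATHS:
            continue
        hosts[rec["ip"]].append((rec["ts"], rec["path"], classify_cookie(rec["cookie"])))

    cookie_classes = defaultdict(int)
    rapid_hosts = []
    for ip, hits in hosts.items():
        hits.sort()  # chronological, so adjacent pairs give the inter-request gap
        for _, _, cls in hits:
            cookie_classes[cls] += 1
        if any(later[0] - earlier[0] <= RAPID_WINDOW
               for earlier, later in zip(hits, hits[1:])):
            rapid_hosts.append(ip)

    return {
        "unique_hosts": len(hosts),
        "cookie_classes": dict(cookie_classes),
        "rapid_hosts": sorted(rapid_hosts),
    }


if __name__ == "__main__":
    # Over a real log this is where the per-ASN breakdown from the report would
    # be joined in; here it just prints the summary for the constructed sample.
    print(analyze(SAMPLE_LOG.splitlines()))
```

The unique-host count is the figure the report leads with (713,813 in the real data); the cookie buckets separate the three populations Dave describes (spoofed short cookies, legitimate full cookies, no cookie), and the rapid-host list is the set worth pulling ASN lookups on first.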
