[nsp-sec] Possible 700k+ node botnet

Klaus Moeller moeller at dfn-cert.de
Thu Oct 2 05:27:02 EDT 2008


On Wednesday, 1 October 2008 22:23:40, Dave Mitchell wrote:
> Over the past few weeks we noticed a large amount of machines doing odd
> HTTP gets on www.yahoo.com for GET / setting.xls and setting.doc. The
> unique addresses as of the other day totaled 713,813 globally. I'm still
> not sure if this is a botnet or something else, but the large number of
> machines and their rapid checking in for files that don't exist make me
> think something is awry with them.

ACK AS 553, 680.

However, a significant portion seems to come from anonymizing proxies like 
TOR and JAP.

Regards,
		Klaus Möller, DFN-CERT

-- 
Dipl. Inform. Klaus Moeller (CSIRT)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
Sachsenstrase 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatic warning messages   https://www.cert.dfn.de/autowarn