[nsp-sec] ACK: Possible 700k+ node botnet

Dave Mitchell davem at yahoo-inc.com
Thu Oct 2 14:26:56 EDT 2008


Kauto,
  They were unique per site that they were hitting and I agg'ed them
into one file. We did see many of the same IPs using multiple cookies,
faked cookies or no cookies at all, which makes me think some of these
may be being proxied. I guess we had some machines not behaving with geolocation
and hitting our EU sites as well as US domestic.

I thought I'd uniq'ed the full list, so apologies if during my fun with
trying to upload it I screwed that up.

-dave

On Thu, Oct 02, 2008 at 12:49:21PM +0300, Huopio Kauto wrote:
> ----------- nsp-security Confidential --------
> 
> ACK on 719-1741-5515-21856-28723-39699-39784. Sanitized info
> being forwarded to relevant abuse teams. 
> 
> My processing run on the file indicated a lot of dupes. Is each
> individual entry correlating a single hit at your site or are multiple
> entries the result of multiple URLs being tried from the same source IP?
> 
> Also... some unusual sources here. Interesting.
> 
> Regards
> 
> Kauto Huopio
> CERT-FI
> 
> Kauto Huopio - kauto.huopio at ficora.fi
> Senior information security adviser
> Finnish Communications Regulatory Authority  / CERT-FI
> tel. +358-9-6966772, fax +358-9-6966515, mobile +358-50-5826131
> CERT-FI watch desk daytime: +358-9-6966510 / http://www.cert.fi