[nsp-sec] Possible 700k+ node botnet

Dave Mitchell davem at yahoo-inc.com
Thu Oct 2 14:28:39 EDT 2008


Steve,
  Yeah, I didn't see the little file upload at the bottom of the text
entry box to open a file. I guess scrolling down would be useful. :) 

Sorry for the dupes. I thought I'd uniq'ed the entire >> file, but I
guess I had a slow moment. 

Next time I'll work on splitting them up per ASN. Just rare I get huge
datasets like this on a frequent basis.

Thanks!

-dave

On Thu, Oct 02, 2008 at 08:48:54AM -0700, Stephen Gill wrote:
> Hi Dave,
> 
> > Can we bump the upload limit on the nsp-sec upload portion of the cymru
> > site? I can't even upload the list there.
> 
> Are you referring to https://asn.cymru.com/nsp-sec/ ?
> 
> It takes a file of just IPs, no ASN formatting necessary.  This is the
> format one would use to send to whois.cymru.com manually.
> 
> # cat asn-2008-09-30.txt | awk -F \| '{print $2}' | sort | uniq | wc -l
>   551575
> 
> Looks like the file has 200K of IP Dups.  Taking the IPs out of the file,
> uniquing them and uploading them to the web page should do the trick.
> 
> # cat asn-2008-09-30.txt | awk -F \| '{print $2}' | sort | uniq > /tmp/asn.txt
> 
> # du -h /tmp/asn.txt
> 10.0M   /tmp/asn.txt
> 
> The upload limit has been raised to 15MB which should do the trick. FYI
> timestamps are ideal and they are supported as a second field in the data
> after the IP.  Be warned, this takes a bit to process once the file is
> uploaded.
> 
> Actually, it might be too big of a file for it to process in a reasonable
> length of time.  Your mileage may vary as to how large of a file to upload
> and how long it takes to get a fully formatted response...
> 
> For really large datasets such as this one, generally I recommend splitting
> the IPs up after processing into individual text files, one per ASN so that
> each person doesn't have to download the full list for their ASNs.  This is
> a feature not yet added to the GUI.
> 
> -- steve
> 
> > 
> > Error! 413 Request entity too large. 5MB maximum
> > 
> > In the interim, I've put the ASN lookup on Danny's server.
> > 
> > http://www.tcb.net/asn-2008-09-30.txt.gz
> > 
> > -dave
> > 
> > 
> > On Wed, Oct 01, 2008 at 04:10:35PM -0500, Rob Thomas wrote:
> >> ----------- nsp-security Confidential --------
> >> 
> >> Possibly related:
> >> 
> >> <http://www.anchiva.com/virus/view.asp?vname=Worm/Sohanad.AACA@im>
> >> <http://www.threatexpert.com/report.aspx?uid=b68593a2-5121-4391-b714-547659808785>
> >> 
> >> 
> >> -- 
> >> Rob Thomas
> >> Team Cymru
> >> http://www.team-cymru.org/
> >> cmn_err(CEO_PANIC, "Out of coffee!");
> >> 
> >> 
> >> 
> >> _______________________________________________
> >> nsp-security mailing list
> >> nsp-security at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/nsp-security
> >> 
> >> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> >> community. Confidentiality is essential for effective Internet security
> >> counter-measures.
> >> _______________________________________________
> > 
> > 
> 
> -- 
> Stephen Gill, Chief Scientist, Team Cymru
> http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
> 
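The per-ASN split Steve recommends above, as an added example that is not part of the original thread or of Team Cymru's tooling. It assumes field 1 of each pipe-delimited line is the origin ASN (the thread only shows that field 2 is the IP); the function names, the `as<ASN>.txt` file naming and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input: pipe-delimited lines with the IP in field 2 (as in the
# awk commands quoted above). Assumption: field 1 is the origin ASN, as in
# whois.cymru.com bulk output ("AS | IP | AS Name").

# split_by_asn INPUT OUTDIR
# Writes OUTDIR/as<ASN>.txt (hypothetical naming), one sorted unique IP per
# line, and prints the total number of unique ASN/IP pairs written.
split_by_asn() {
    src=$1; dst=$2
    mkdir -p "$dst" || return 1
    awk -F'|' '{
            asn = $1; ip = $2
            gsub(/[ \t\r]/, "", asn); gsub(/[ \t\r]/, "", ip)
            # Skip header rows, "NA" (unrouted) entries and malformed lines.
            # Requiring a digits-only ASN also keeps the file name safe.
            if (asn !~ /^[0-9]+$/ || ip == "") next
            print asn "|" ip
        }' "$src" |
    LC_ALL=C sort -t'|' -k1,1n -k2,2 -u |
    awk -F'|' -v out="$dst" '
        # Input is grouped by ASN, so only one output file is open at a time.
        $1 != cur { if (f != "") close(f); cur = $1; f = out "/as" cur ".txt" }
        { print $2 > f; n++ }
        END { print n + 0 }'
}

# Constructed sample: documentation IPs and ASNs, with duplicates.
sample_input() {
    cat <<'EOF'
AS      | IP               | AS Name
64500   | 192.0.2.10       | EXAMPLE-A
64500   | 192.0.2.10       | EXAMPLE-A
64501   | 198.51.100.7     | EXAMPLE-B
64500   | 192.0.2.11       | EXAMPLE-A
NA      | 203.0.113.5      | NA
64501   | 198.51.100.7     | EXAMPLE-B
EOF
}

tmp=$(mktemp -d)
sample_input > "$tmp/in.txt"
split_by_asn "$tmp/in.txt" "$tmp/out"     # prints 3
rm -rf "$tmp"
```

Sorting before the split means each per-ASN file is opened once and closed before the next, so a dataset spanning thousands of ASNs does not exhaust awk's open-file limit.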