[nsp-sec] Attack on www.betinternet.com TCP 80

Ian Dickinson iand at as5413.net
Mon Apr 6 10:03:41 EDT 2009


Yo nsp-sec,

We've been dealing with an attack on www.betinternet.com TCP 80 since Friday.
Service was originally on 83.218.15.248, but moved to 83.218.15.248 on the
Friday, and the customer moved it to 83.218.15.254 yesterday.

It isn't a high volume attack and we've managed to largely mitigate it, but
the volume appears to be ramping up slowly - snapshot at 14:01 UTC today:

                      pps            bps
Unfiltered traffic:  1586        1836620
Filtered traffic:   46778       44189660

It appears to be mostly Windows zombies afaik.  Originally we had a lot of
User-Agent: headers containing the following, but they're mostly gone now:

www.lolyousuck.com
i.love.teh.cock
www.googlebawt.com
ODI3 Navigator
Hotbar 4.3.1.0
DigExt

We also found that a lot of the attackers were issuing this:

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd\.ms-excel, application/msword

though they moved to */* once we filtered this.

Also lots of 41 byte packets containing a single character and then timeout.
Originally the character was always "G", but they adapted.

Would appreciate it if anyone can identify C&C and kill it, and/or clean up
any of the drones that can be got at.  List attached - timestamps in UTC.

Thanks in advance,
-- 
Ian Dickinson                           INOC-DBA: 5413*426
Senior Network Development Engineer       Mobile: +44 7967 463023
GX Networks                               Direct: +44 208 587 6113
iand at as5413.net
ian.dickinson at gxn.net                   http://bgp.gxn.net/peering
PGP Fingerprint: 1A5E 74B1 2BDD 214A 2131 69E9 C3B3 B72A DDF8 862A
This email is subject to http://www.vialtus.com/disclaimer.html
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: betinternet-report.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090406/5d30a733/attachment-0001.txt>
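Added example, not part of Ian's post or the attached report: a small Python scan that applies the indicators given above (the User-Agent fragments and the exact Accept header) to web-server log lines and tallies flagged requests per source address, the kind of triage a downstream operator would run over their own logs to find drones worth cleaning up. The log format (`%h [%t] "%r" %>s "%{User-Agent}i" "%{Accept}i"`) and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict

# User-Agent fragments and the exact Accept header reported in the post.
SUSPECT_UA_FRAGMENTS = ("www.lolyousuck.com", "i.love.teh.cock", "www.googlebawt.com",
                        "ODI3 Navigator", "Hotbar 4.3.1.0", "DigExt")
SUSPECT_ACCEPT = ("image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, "
                  "application/x-shockwave-flash, application/vnd.ms-excel, application/msword")

# Assumed (hypothetical) log format: %h [%t] "%r" %>s "%{User-Agent}i" "%{Accept}i"
LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
                     r'"(?P<ua>[^"]*)" "(?P<accept>[^"]*)"$')

def classify(line):
    """Return (source_ip, [matched indicators]) for one log line, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hits = ["ua:" + frag for frag in SUSPECT_UA_FRAGMENTS if frag in m.group("ua")]
    if m.group("accept") == SUSPECT_ACCEPT:
        hits.append("accept:exact-drone-list")
    return m.group("ip"), hits

def suspect_sources(lines, min_hits=1):
    """Count flagged requests per source IP; returns [(ip, hits, sorted reasons)] by hits desc."""
    per_ip, reasons = Counter(), defaultdict(set)
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[1]:            # skip unparseable and clean lines
            ip, hits = parsed
            per_ip[ip] += 1
            reasons[ip].update(hits)
    return [(ip, n, sorted(reasons[ip])) for ip, n in per_ip.most_common() if n >= min_hits]

# Constructed sample log (RFC 5737 documentation addresses), not data from the post.
SAMPLE_LOG = """\
192.0.2.10 [06/Apr/2009:14:01:02 +0000] "GET / HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 6.0; www.googlebawt.com)" "*/*"
192.0.2.10 [06/Apr/2009:14:01:03 +0000] "GET / HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 6.0; DigExt)" "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword"
198.51.100.7 [06/Apr/2009:14:01:03 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1)" "text/html,application/xhtml+xml"
203.0.113.9 [06/Apr/2009:14:01:04 +0000] "GET / HTTP/1.1" 200 "Hotbar 4.3.1.0" "*/*"
""".splitlines()

if __name__ == "__main__":
    for ip, n, why in suspect_sources(SAMPLE_LOG):
        print(f"{ip}\t{n} flagged request(s)\t{', '.join(why)}")
```

Raising `min_hits` filters out one-off matches from legitimate clients that happen to carry an old toolbar string such as DigExt or Hotbar.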