[nsp-sec] More bots to swat

Dave Burke dave at amazon.com
Wed Jul 8 09:43:51 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ACK 14618, report sanitized and sent to abuse team.

14618   | 75.101.147.123   | 02-jul-2009 06:03:12 | AMAZON-AES - Amazon.com, Inc.


dave

Joel Rosenblatt wrote:
> ----------- nsp-security Confidential --------
> 
> Hi,
> 
> Last week, we had a compromised ID that was used to set up a Cialis store on the personal web space of one of our users. I noticed that we seemed to be getting
> a lot of logins for the Id ddos - a few hundred thousand - here is what they were trying to do:
> 
> unknown25.126.65.69.defenderhosting.com - ddos [02/Jul/2009:06:03:19 -0400] "(GET
> http:/www.columbia.edu/~nsn1/local/dir/index.php???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
> HTTP/1.1)" 200 256 "(ref -)" "(client Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))"
> eracle.com - ddos [02/Jul/2009:06:03:19 -0400] "(GET
> http:/www.columbia.edu/~nsn1/local/dir/index.php????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????cialis-prof
> HTTP/1.1)" 200 256 "(ref -)" "(client Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))"
> unknown25.126.65.69.defenderhosting.com - ddos [02/Jul/2009:06:03:19 -0400] "(GET
> http:/www.columbia.edu/~nsn1/local/dir/index.php???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
> HTTP/1.1)" 200 256 "(ref -)" "(client Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))"
> unknown25.126.65.69.defenderhosting.com - ddos [02/Jul/2009:06:03:19 -0400] "(GET
> http:/www.columbia.edu/~nsn1/local/dir/index.php???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
> HTTP/1.1)" 200 256 "(ref -)" "(client Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))"
> serv007.configbox.com - ddos [02/Jul/2009:06:03:18 -0400] "(GET
> http:/www.columbia.edu/~nsn1/local/dir/index.php?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????cialis-canada-sale
> HTTP/1.1)" 200 256 "(ref -)" "(client Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ru) Opera 8.00)"
> ariel.ldn.kgix.net - ddos [02/Jul/2009:06:03:16 -0400] "(GET
> http:/www.columbia.edu/~nsn1/local/dir/index.php???????????????????????????cialis-professional-sale HTTP/1.1)" 200 256 "(ref -)" "(client Mozilla/4.0
> (compatible; MSIE 6.0; Windows NT 5.1))"
> 216.237.125.130 - ddos [02/Jul/2009:06:03:22 -0400] "(GET
> http:/www.columbia.edu/~nsn1/local/dir/index.php???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????cialis-canada-sale
> HTTP/1.1)" 200 256 "(ref -)" "(client Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))"
> cl09.gs02.gridserver.com - ddos [02/Jul/2009:06:03:26 -0400] "(GET http:/www.columbia.edu/~nsn1/local/dir/index.php????cialis-canada-sale HTTP/1.1)" 200 256
> "(ref -)" "(client Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ru) Opera 8.00)"
> 216.237.125.130 - ddos [02/Jul/2009:06:03:22 -0400] "(GET
> http:/www.columbia.edu/~nsn1/local/dir/index.php????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????cialis-canada-sale
> HTTP/1.1)" 200 256 "(ref -)" "(client Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))"
> unknown25.126.65.69.defenderhosting.com - ddos [02/Jul/2009:06:03:19 -0400] "(GET
> http:/www.columbia.edu/~nsn1/local/dir/index.php???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
> HTTP/1.1)" 200 256 "(ref -)" "(client Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))"
> eracle.com - ddos [02/Jul/2009:06:03:19 -0400] "(GET
> http:/www.columbia.edu/~nsn1/local/dir/index.php??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????cialis-professional-sale
> HTTP/1.1)" 200 256 "(ref -)" "(client Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))"
> unknown25.126.65.69.defenderhosting.com - ddos [02/Jul/2009:06:03:19 -0400] "(GET
> http:/www.columbia.edu/~nsn1/local/dir/index.php???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
> HTTP/1.1)" 200 256 "(ref -)" "(client Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))"
> eracle.com - ddos [02/Jul/2009:06:03:19 -0400] "(GET
> http:/www.columbia.edu/~nsn1/local/dir/index.php???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????cialis-professio
> HTTP/1.1)" 200 256 "(ref -)" "(client Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))"
> unknown25.126.65.69.defenderhosting.com - ddos [02/Jul/2009:06:03:19 -0400] "(GET
> http:/www.columbia.edu/~nsn1/local/dir/index.php???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
> HTTP/1.1)" 200 256 "(ref -)" "(client Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))"
> gator30.hostgator.com - ddos [02/Jul/2009:06:03:26 -0400] "(GET
> http:/www.columbia.edu/~nsn1/local/dir/index.php??????????????????????????????????????????cialis-canada-sale HTTP/1.1)" 200 256 "(ref -)" "(client Mozilla/4.0
> (compatible; MSIE 6.0; Windows NT 5.0; ru) Opera 8.00)"
> eracle.com - ddos [02/Jul/2009:06:03:19 -0400] "(GET
> http:/www.columbia.edu/~nsn1/local/dir/index.php?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????cialis
> HTTP/1.1)" 200 256 "(ref -)" "(client Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))"
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpUopcACgkQvMJ1IGjTxcFj0gCggkNd/052njXeecBB3in0yrK0
1JgAoKyNWSmFBOy1PapNfkc0VXycFl/K
=ZlFS
-----END PGP SIGNATURE-----
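
An added example, not part of the original thread: one way to triage access-log lines like those quoted above is to rejoin the entries the mail client wrapped, then count requests whose URL carries a run of '?' padding, per client host, authenticated user and trailing keyword. The sample lines, host names, keyword and the two-character threshold are constructed for illustration.

```python
import re
from collections import Counter

# Entry layout in the quoted log, once the mail client's wrapping is undone:
# host - user [time] "(GET url HTTP/1.1)" status bytes "(ref ...)" "(client ...)"
START_RE = re.compile(r'^\S+ \S+ \S+ \[')
ENTRY_RE = re.compile(r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                      r'"\((?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+\)" (?P<status>\d{3}) ')
PAD_RE = re.compile(r'\?{2,}')  # a normal URL carries a single '?' before the query

def unwrap(mail_lines):
    """Strip '> ' quoting and rejoin entries the mail client split across lines."""
    entries = []
    for raw in mail_lines:
        line = re.sub(r'^>\s?', '', raw).strip()
        if not line:
            continue
        if START_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += ' ' + line
    return entries

def summarize(mail_lines, min_pad=2):
    """Count padded-query requests per client host, auth user and trailing keyword."""
    out = {"hosts": Counter(), "users": Counter(), "keywords": Counter(), "unparsed": 0}
    for entry in unwrap(mail_lines):
        m = ENTRY_RE.match(entry)
        if not m:
            out["unparsed"] += 1
            continue
        pad = PAD_RE.search(m["url"])
        if pad and len(pad.group()) >= min_pad:
            out["hosts"][m["host"]] += 1
            out["users"][m["user"]] += 1
            # Some entries have nothing after the padding; record those as "(none)".
            out["keywords"][m["url"][pad.end():] or "(none)"] += 1
    return out

# Constructed sample in the same layout; hosts, paths and keywords are made up.
SAMPLE = [
    '> here is what they were trying to do:',
    '> host-a.example.net - ddos [02/Jul/2009:06:03:19 -0400] "(GET',
    '> http:/www.example.edu/~user/dir/index.php' + '?' * 60,
    '> HTTP/1.1)" 200 256 "(ref -)" "(client Mozilla/4.0 (compatible; MSIE 6.0))"',
    '> host-b.example.net - ddos [02/Jul/2009:06:03:26 -0400] "(GET http:/www.example.edu/~user/dir/index.php????pill-sale HTTP/1.1)" 200 256',
    '> "(ref -)" "(client Mozilla/4.0 (compatible; MSIE 6.0))"',
    '> host-c.example.net - - [02/Jul/2009:06:03:30 -0400] "(GET http:/www.example.edu/index.php?id=7 HTTP/1.1)" 200 512 "(ref -)" "(client X)"',
]
```

Calling `summarize(SAMPLE)` counts the two padded requests under user `ddos`, ignores the ordinary single-`?` request, and reports the leading prose line as unparsed.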


