[nsp-sec] Multiple DDoS attacks

Nicholas Ianelli ni at centergate.net
Thu Jul 9 00:42:42 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Interesting, here are the hosts I'm seeing:

201.116.58.131 /xampp/img/flash.gif
newrozfm.com /img/glyph/flash.gif
75.151.32.182 /flash.gif
163.19.209.22 /flash.gif
200.6.218.194 /flash.gif
122.155.5.196 /shop/images/flash.gif
92.63.2.118 /flash.gif
202.14.70.116 /flash.gif

8151    | 201.116.58.131   | Uninet S.A. de C.V.
20214   | 75.151.32.182    | COMCAST-20214 - Comcast Cable Communications Holdings, Inc
9916    | 163.19.209.22    | NCTU-TW National Chiao Tung University,
14754   | 200.6.218.194    | Telgua
9931    | 122.155.5.196    | CAT-AP The Communication Authoity of Thailand, CAT
44558   | 92.63.2.118      | NETHOUSE Nethouse Bilgi Islem Merkezi Ltd
45748   | 202.14.70.116    | PIA-ASN PIA

Nick

구자현 wrote:
> ----------- nsp-security Confidential --------
> 
> These sites are downloader sites following the DDoS attack
> 
> 
> 
> 
> ---------------------------------------------------------
>  Koo, Jahyun / ITPE 
>   CISSP,CISA,CSA,CCIE(Routing&Switching), BS7799 L.A
>   BORANet/DACOM  Internet tech & Security team
>   E-mail : k55k559 at chollian.net
>   phone : 019-393-0009
>   f a x : 02-2089-5997
>  --------------------------------------------------------
> 
> 
> 
> 
> 
> John Fraizer <john at op-sec.us>
> Sender: nsp-security-bounces at puck.nether.net
> 2009-07-09 06:23 AM
> 
> To:        nsp-security at puck.nether.net
> Cc: 
> Subject:   Re: [nsp-sec] Multiple DDoS attacks
> 
> 
> ----------- nsp-security Confidential --------
> 
> I'm capturing flows on 216.199.83.203.
> 
> 
> On Wed, Jul 8, 2009 at 4:03 AM, Dave Mitchell <davem at yahoo-inc.com> wrote:
> 
>> ----------- nsp-security Confidential --------
>>
>>
>> Anyone gathering intel on?
>>
>> Remote Host     Port Number
>> 213.33.116.41   53
>> 216.199.83.203  80
>> 213.23.243.210  443
>>
>>
>> http://www.threatexpert.com/report.aspx?md5=0f394734c65d44915060b36a0b1a972d
>>
>> The malware in those droppers seems to speak to it and I verified in a
>> sandbox.
>>
>> -dave
>>
>>
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security 
> counter-measures.
> _______________________________________________


- --
Nicholas Ianelli: NeuStar, Inc.
Security Operations

46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkpVdUIACgkQi10dJIBjZIDQMwCcDQ0vjDFXZeMpC0ASZ4s5WHHE
cuwAn2E5k1W9jkDUfHJeduZqcyI/iwNC
=ai5W
-----END PGP SIGNATURE-----


