[nsp-sec] Shopify (204.15.199.4) under fire, got C&C?
SURFcert - Peter
p.g.m.peters at utwente.nl
Tue Mar 24 17:21:58 EDT 2009
Scott A. McIntyre wrote on 2009-03-24 18:02:
> The folks over at Shopify are catching a reasonable sized 80/tcp
> synflood. Target is 204.15.199.4. We've been seeing a fair bit of
> backscatter here, starting around 2009-03-24 15:54:37.075 UTC+0100.
> Anyone happen to see in their flows actual traffic from their part of
> the world and, better still, indication of what/where/who the C&C is?
I can see traffic to that host, but I can't see whether this is
legitimate traffic or not. The strange thing, though, is that I see in an approx. 2
hour window a lot of hosts only sending 2 flows with 1 packet per flow.
Is the site firewalled at the moment?
> Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes Flows
> 2009-03-24 16:16:39.702 0.007 TCP 131.211.22.212:25170 -> 204.15.199.4:80 .A.R.. 0 2 88 2
> 2009-03-24 17:08:46.267 0.002 TCP 131.211.35.201:30487 -> 204.15.199.4:80 .A.R.. 0 2 88 2
> 2009-03-24 15:59:14.573 0.005 TCP 131.211.8.40:26214 -> 204.15.199.4:80 .A.R.. 0 2 88 2
> 2009-03-24 16:15:42.366 131.028 TCP 131.211.13.124:12378 -> 204.15.199.4:80 .A.R.. 0 2 88 2
> 2009-03-24 16:11:56.610 0.006 TCP 131.211.6.82:20544 -> 204.15.199.4:80 .A.R.. 0 2 88 2
> 2009-03-24 17:22:45.512 1642.249 TCP 131.211.22.34:13792 -> 204.15.199.4:80 .A.R.. 0 2 88 2
> 2009-03-24 17:46:57.771 0.002 TCP 131.211.24.160:25230 -> 204.15.199.4:80 .A.R.. 0 2 88 2
> 2009-03-24 16:10:34.138 587.213 TCP 131.211.34.77:28507 -> 204.15.199.4:80 .A.R.. 0 2 88 2
> 2009-03-24 16:08:05.567 0.004 TCP 131.211.34.39:18869 -> 204.15.199.4:80 .A.R.. 0 2 88 2
> 2009-03-24 17:34:39.870 1962.775 TCP 145.145.4.26:19110 -> 204.15.199.4:80 ...R.. 0 2 80 2
--
Peter Peters
SURFcert Officer on Duty
cert at surfnet.nl http://cert.surfnet.nl/
office-hours: +31 302 305 305 emergency (24/7): +31 622 923 564
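A small detector for the pattern described in the mail above (reset-only flows carrying one packet each, many sources, one destination and port), as an added example that is not part of the original post. It assumes the nfdump-style column layout of the quoted flow records and runs on constructed sample records using documentation addresses, not the list's own data.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple, Optional, Set, Tuple

# Constructed sample records in the quoted nfdump layout (documentation addresses).
# The first four mimic backscatter: RST set, no SYN, 1 packet per aggregated flow.
# The last two are ordinary completed connections for contrast.
SAMPLE_FLOWS = """\
2009-03-24 16:16:39.702 0.007 TCP 192.0.2.12:25170 -> 198.51.100.4:80 .A.R.. 0 2 88 2
2009-03-24 17:08:46.267 0.002 TCP 192.0.2.201:30487 -> 198.51.100.4:80 .A.R.. 0 2 88 2
2009-03-24 15:59:14.573 0.005 TCP 192.0.2.40:26214 -> 198.51.100.4:80 .A.R.. 0 2 88 2
2009-03-24 17:34:39.870 1962.775 TCP 192.0.2.26:19110 -> 198.51.100.4:80 ...R.. 0 2 80 2
2009-03-24 16:20:01.000 12.345 TCP 192.0.2.55:41000 -> 198.51.100.4:80 .AP.SF 0 37 21000 1
2009-03-24 16:21:09.100 0.900 TCP 192.0.2.56:41500 -> 203.0.113.9:443 .AP.SF 0 12 4100 1
"""

class Flow(NamedTuple):
    src: str
    dst_ip: str
    dst_port: int
    flags: str      # nfdump "UAPRSF" style, e.g. ".A.R.."
    packets: int
    flows: int      # number of flows aggregated into this record

# Columns: date time duration proto src:port -> dst:port flags tos packets bytes flows
FLOW_RE = re.compile(
    r"^\S+ \S+\s+[\d.]+\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):\d+\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)\s+\d+\s+(?P<pkts>\d+)\s+\d+\s+(?P<flows>\d+)$"
)

def parse_flow(line: str) -> Optional[Flow]:
    """Parse one nfdump-style record; returns None for non-TCP or unparseable lines."""
    m = FLOW_RE.match(line.strip())
    if not m or m["proto"] != "TCP":
        return None
    return Flow(m["src"], m["dst"], int(m["dport"]), m["flags"], int(m["pkts"]), int(m["flows"]))

def is_backscatter_like(f: Flow) -> bool:
    # RST set, no SYN from this side, and at most one packet per aggregated flow:
    # a host answering an unsolicited SYN/ACK with a reset rather than connecting.
    return "R" in f.flags and "S" not in f.flags and f.packets <= f.flows

def backscatter_targets(lines: Iterable[str], min_sources: int = 3) -> Dict[Tuple[str, int], int]:
    """Map (dst_ip, dst_port) -> number of distinct local sources sending reset-only flows."""
    sources: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f and is_backscatter_like(f):
            sources[(f.dst_ip, f.dst_port)].add(f.src)
    return {key: len(srcs) for key, srcs in sources.items() if len(srcs) >= min_sources}

if __name__ == "__main__":
    for (ip, port), n in backscatter_targets(SAMPLE_FLOWS.splitlines()).items():
        print(f"{ip}:{port} receives reset-only flows from {n} distinct local hosts")
```

Many distinct local sources all sending one-packet resets to a single destination is what spoofed-source SYN floods look like from the spoofed network's side; the destination is the victim, not the local hosts.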