[nsp-sec] UDP based DDoS Attack
Rob Thomas
robt at cymru.com
Tue May 12 21:07:47 EDT 2009
Hey, Nick.
Nice work!
> GET /spm/s_alive.php?id=280062617311&tick=657453&ver=209&smtp=ok HTTP/1.0
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; VS2)
> Host: 91.207.7.194
AS    | IP           | BGP Prefix    | CC | Registry | Allocated  | AS Name
47142 | 91.207.7.194 | 91.207.4.0/22 | UA | ripencc  | 2008-09-11 | STEEPHOST-AS SteepHost DC-UA-SteepHost.COM Datacentre Allocation
It appears that 91.207.7.194 has been in the malware game for a while.
timestamp           | sha1                                     | md5                              | dst_ip       | dst_port | protocol | size
--------------------+------------------------------------------+----------------------------------+--------------+----------+----------+------
2009-02-17 06:03:44 | c6dd2c2a2be08f0ec1df1f970dfd6f8996ea2b41 | b000c2f6b3344278bfc527eb7d1c19b3 | 91.207.7.194 | 80       | 6        |
2009-03-02 05:09:11 | e3de84a8027845585d1e103994e070d32fbf3e55 | 735d77f29a77d7fc292b3e638a18d66d | 91.207.7.194 | 80       | 6        |
We see lots of hits to http://91.207.7.194/[something]/CHANGELOG.
Anyone recognize that pattern?
The larger 91.207.4.0/22 has sourced a lot of spam and a few scans,
mostly SSH.
The DNS RRs in 91.207.4.0/22 during this past month are below.
We have 150 samples in our malware menagerie that point to hosts in
91.207.4.0/22. Let me know if you want the list.
We see a mix of Microsoft IIS 6.0, Apache, and nginx in 91.207.4.0/22.
There are some interesting web servers there, such as:
timestamp           | server_ip    | server_name    | server_type       | server_powered_by | server_last_mod
--------------------+--------------+----------------+-------------------+-------------------+----------------
2009-01-03 01:00:01 | 91.207.4.106 | breakss78jh.cn | Microsoft-IIS/6.0 | PleskWin          |
2009-01-04 01:00:01 | 91.207.4.106 | cashbotnet.com | Microsoft-IIS/6.0 | PleskWin          |
Hmm!
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
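A detection sketch for the indicators in the post above, added here as an example and not the author's or Team Cymru's code: it flags proxy-log lines that fetch the s_alive.php beacon, carry the "VS2" user-agent token, hit /[something]/CHANGELOG, or talk to a literal IP inside 91.207.4.0/22. The log line format and the client addresses are constructed; the URLs reuse values quoted in the post.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the post: hosting prefix, beacon URL shape, "VS2" UA token, CHANGELOG fetches.
SUSPECT_PREFIX = ipaddress.ip_network("91.207.4.0/22")
BEACON_PATH = re.compile(r"^/spm/s_alive\.php$")
BEACON_PARAMS = {"id", "tick", "ver", "smtp"}
CHANGELOG_PATH = re.compile(r"^/[^/]+/CHANGELOG$")

# Constructed proxy-log lines: timestamp, client, method, URL, user-agent.
# Client addresses are made up; the URLs reuse values quoted in the post.
SAMPLE_LOG = """\
2009-05-12T20:01:02 10.0.0.5 GET http://91.207.7.194/spm/s_alive.php?id=280062617311&tick=657453&ver=209&smtp=ok "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; VS2)"
2009-05-12T20:01:09 10.0.0.7 GET http://www.example.org/index.html "Mozilla/5.0"
2009-05-12T20:02:15 10.0.0.9 GET http://91.207.7.194/abc123/CHANGELOG "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2009-05-12T20:03:00 10.0.0.5 GET http://91.207.4.106/ "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def classify(line):
    """Return the reasons (possibly none) a single log line matches the indicators."""
    m = LINE_RE.match(line)
    if not m:
        return []
    _ts, _client, _method, url, ua = m.groups()
    parts = urlsplit(url)
    reasons = []
    try:
        if ipaddress.ip_address(parts.hostname) in SUSPECT_PREFIX:
            reasons.append("host in 91.207.4.0/22")
    except ValueError:
        pass  # hostname is a DNS name (or absent), not an IP literal
    if BEACON_PATH.match(parts.path) and BEACON_PARAMS.issubset(parse_qs(parts.query)):
        reasons.append("s_alive.php beacon")
    if "VS2)" in ua:
        reasons.append("VS2 user-agent token")
    if CHANGELOG_PATH.match(parts.path):
        reasons.append("CHANGELOG fetch")
    return reasons

def scan(log_text):
    """Group reasons by client address so each suspect host is reported once."""
    hits = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            hits.setdefault(line.split()[1], set()).update(reasons)
    return hits
```

Calling scan(SAMPLE_LOG) reports 10.0.0.5 for the beacon, the VS2 token and the prefix, and 10.0.0.9 for the CHANGELOG fetch and the prefix; a name-based host such as www.example.org is not matched against the prefix, so pair this with DNS logs if you want to catch the steephost.net names too.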