[nsp-sec] ACK: Attack on www.betinternet.com TCP/80
Rodolfo Baader
rbaader at arcert.gov.ar
Tue Sep 1 13:30:57 EDT 2009
Hi!
ACK for AR ASNs: 7303, 10318, 10481, 10697, 10834, 11315, 11664, 11815, 16814,
17401, 19037, 20207, 22927, 27747, 27751, 27754, 27818, 27827, 27879, 27940,
27953, 27960, 27964, 27976, 27984, 28015, 28065
Notifications were sent to the abuse/noc departments.
R.
Nick Hilliard wrote:
> ----------- nsp-security Confidential --------
>
>
>
> ------------------------------------------------------------------------
>
> Forwarded from GX Networks.
>
> Nick
>
> -------- Original Message --------
> Subject: Attack on www.betinternet.com TCP/80
> Date: Sun, 30 Aug 2009 13:32:06 +0100
> From: Rob Shakir <rjs at eng.gxn.net>
>
> Hi nsp-sec,
>
> We're currently dealing with an attack on www.betinternet.com tcp/80 since
> Friday. The service is located on 83.218.15.254.
>
> The attack appears to be around 50-60mbps (i.e. not particularly high
> volume), but is still affecting our end customer's application. The
> traffic volume at approximately 12:00 GMT was as per below:
>
>                          pps         bps
>   Unfiltered Traffic:   6414     4692782
>   Filtered Traffic:    41395    47896825
>
> As far as we can see, this appears to be mostly Windows-based zombies.
> We were originally able to mitigate this by filtering the following
> User-Agent: headers:
>
> User-Agent.*www\.lolyousuck\.com
> User-Agent.*i\.love\.teh\.cock
> User-Agent.*www\.googlebawt\.com
> User-Agent:.*Slurp/cat
> User-Agent:.*www\.supercocklol\.com
> User-Agent:.*DigExt
>
> We also saw a large number of requests with the following Accept: header:
>
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/x-shockwave-flash, application/vnd\.ms-excel,
> application/msword,
>
> The zombies appear to be changing to */* as we have mitigated this.
>
> As per a previous attack in the year, we saw a number of 41 byte packets
> that included only the character "G", but as per the previous attack,
> this mutated as we filtered it.
>
> We'd really appreciate it if anyone can identify the C&C and kill it,
> and/or clean up any drones that can be accessed. I've attached a full
> list - all timestamps are in UTC.
>
> Many thanks in advance,
> Rob
>
>
> ------------------------------------------------------------------------
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
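The header-based filtering Rob describes (User-Agent regexes, the IE-style Accept: header, and the bare "G" probe), applied to raw request payloads as an added Python example; this is not code from the thread or from GX Networks. The six User-Agent patterns and the Accept: header are copied verbatim from the message; the sample requests, their source addresses, the "ua-signature" / "accept-signature" / "bare-G" rule names, and the assumption that the 41-byte figure counts the 40 bytes of IP and TCP headers plus a one-byte payload are all constructed here:

```python
import re
from collections import Counter

# User-Agent regexes exactly as posted in the forwarded message. The first
# three omit the colon after "User-Agent", so they match "User-Agent:" too.
UA_PATTERNS = [
    r"User-Agent.*www\.lolyousuck\.com",
    r"User-Agent.*i\.love\.teh\.cock",
    r"User-Agent.*www\.googlebawt\.com",
    r"User-Agent:.*Slurp/cat",
    r"User-Agent:.*www\.supercocklol\.com",
    r"User-Agent:.*DigExt",
]
UA_RES = [re.compile(p) for p in UA_PATTERNS]

# Accept: header seen on many of the zombie requests, as posted.
ACCEPT_SIGNATURE = re.compile(
    r"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, "
    r"application/x-shockwave-flash, application/vnd\.ms-excel, "
    r"application/msword,"
)


def classify(payload: bytes) -> str:
    """Return the name of the filter rule a raw TCP payload trips, or 'pass'."""
    # Assumption: the "41 byte packets" are a 40-byte IP+TCP header plus a
    # one-byte payload consisting solely of "G" (a truncated GET).
    if payload == b"G":
        return "bare-G"
    text = payload.decode("latin-1")
    for rx in UA_RES:
        if rx.search(text):
            return "ua-signature"
    if ACCEPT_SIGNATURE.search(text):
        return "accept-signature"
    return "pass"


def tally(requests):
    """Count hits per rule and flagged requests per source address."""
    by_rule = Counter()
    flagged_by_ip = Counter()
    for src, payload in requests:
        rule = classify(payload)
        by_rule[rule] += 1
        if rule != "pass":
            flagged_by_ip[src] += 1
    return by_rule, flagged_by_ip


def _req(ua: str, accept: str) -> bytes:
    """Build a minimal GET for the attacked host (constructed sample data)."""
    return (
        f"GET / HTTP/1.1\r\nHost: www.betinternet.com\r\n"
        f"User-Agent: {ua}\r\nAccept: {accept}\r\n\r\n"
    ).encode()


# The IE6-style Accept: header that the zombies originally sent.
OLD_ACCEPT = (
    "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, "
    "application/x-shockwave-flash, application/vnd.ms-excel, "
    "application/msword, */*"
)

# Constructed sample traffic; source addresses are from documentation ranges.
SAMPLE_REQUESTS = [
    ("198.51.100.1", _req("Mozilla/4.0 (compatible; www.lolyousuck.com)", "*/*")),
    ("198.51.100.2", _req("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; DigExt)", "*/*")),
    ("198.51.100.3", _req("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", OLD_ACCEPT)),
    # Same drone after it mutated to "Accept: */*": nothing left to match on.
    ("198.51.100.3", _req("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "*/*")),
    ("198.51.100.4", b"G"),
    ("192.0.2.10", _req("Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5",
                        "text/html,application/xhtml+xml")),
]

if __name__ == "__main__":
    rules, ips = tally(SAMPLE_REQUESTS)
    for rule, n in sorted(rules.items()):
        print(f"{rule:18s} {n}")
    print("flagged sources:", dict(ips))
```

The fourth sample request is the point of the exercise: once a drone drops the distinctive Accept: header for `*/*` and carries an ordinary IE User-Agent, header signatures no longer separate it from a real Windows browser, which is why the message asks for the C&C rather than more filter rules. Note also that `DigExt` appeared in some legitimate Internet Explorer 5 User-Agent strings, so that particular rule can catch real clients; per-source rate and connection-completion statistics are the usual fallback once the headers mutate.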