[nsp-sec] ddos against 83.171.11.27-28
Niels den Otter
Niels.denOtter at surfnet.nl
Tue Sep 15 08:06:51 EDT 2009
On Tuesday, 15 September 2009, Niels den Otter wrote:
> On Tuesday, 15 September 2009, Marius Urkis wrote:
> > We experienced several UDP flood attacks against two IP addresses
> > 83.171.11.27 and 83.171.11.28. Packets used were UDP/22 and UDP/8684.
> >
> > Please find the list of source IP addresses attached. Time specifies the
> > first packet seen (GMT+3).
>
> ACK AS1103.
FWIW. This was caused using a compromised user account on a machine
on which later on a PHP script was uploaded to send the traffic:
vsftpd.log.1:Fri Sep 11 22:20:42 2009 [pid 10103] [<removed>] OK UPLOAD: Client "66.90.103.27", "/home/stud/<removed>/public.www/oyes.php", 418 bytes, 1.12Kbyte/sec
vsftpd.log.1:Sat Sep 12 23:13:44 2009 [pid 13696] [<removed>] OK RENAME: Client "83.170.95.133", "/home/stud/<removed>/public.www/oyes.php /home/stud/<removed>/public.www/secured.php"
-- Niels
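
Added example, not part of the original message and not the poster's own tooling: a small scanner for vsftpd logs that flags the pattern described above, a script uploaded into a web-served directory and later renamed from a different client address. It expects each log entry on one line; the sample lines, the web directory names and the extension list are assumptions made for this example.

```python
import re
from collections import namedtuple

# Constructed sample in the vsftpd log format quoted above (made-up user, paths, RFC 5737 IPs).
SAMPLE_LOG = '''\
Fri Sep 11 22:20:42 2009 [pid 10103] [student1] OK UPLOAD: Client "192.0.2.10", "/home/stud/student1/public.www/a.php", 418 bytes, 1.12Kbyte/sec
Fri Sep 11 22:25:01 2009 [pid 10110] [student1] OK UPLOAD: Client "192.0.2.10", "/home/stud/student1/notes.txt", 90 bytes, 0.50Kbyte/sec
Sat Sep 12 23:13:44 2009 [pid 13696] [student1] OK RENAME: Client "198.51.100.7", "/home/stud/student1/public.www/a.php /home/stud/student1/public.www/b.php"
'''

# Assumptions: web-served directory names and extensions the web server executes.
WEB_DIRS = {"public.www", "public_html", "htdocs", "www"}
SCRIPT_EXT = (".php", ".phtml", ".cgi", ".pl")

LINE_RE = re.compile(
    r'(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] OK (?P<op>UPLOAD|RENAME): '
    r'Client "(?P<ip>[^"]+)", "(?P<arg>[^"]*)"')

Finding = namedtuple("Finding", "ts user ip kind detail")

def is_web_script(path):
    """True if path is a script file somewhere below a web-served directory."""
    *dirs, name = path.lower().split("/")
    return name.endswith(SCRIPT_EXT) and any(d in WEB_DIRS for d in dirs)

def scan(lines):
    """Flag script uploads into web dirs and renames of, or into, such scripts."""
    findings, uploader = [], {}  # uploader: script path -> IP that uploaded it
    for line in lines:
        m = LINE_RE.search(line)  # search() tolerates a grep "file:" prefix
        if not m:
            continue
        ts, user, ip, arg = m["ts"], m["user"], m["ip"], m["arg"]
        if m["op"] == "UPLOAD" and is_web_script(arg):
            uploader[arg] = ip
            findings.append(Finding(ts, user, ip, "script-upload", arg))
        elif m["op"] == "RENAME":
            old, sep, new = arg.partition(" /")  # "old new"; assumes no " /" in names
            new = "/" + new
            if sep and (is_web_script(old) or is_web_script(new)):
                moved = uploader.pop(old, ip)  # IP that uploaded the file, if seen
                kind = "script-rename" if moved == ip else "script-rename-new-ip"
                uploader[new] = moved
                findings.append(Finding(ts, user, ip, kind, old + " -> " + new))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG.splitlines()), sep="\n")
```

The rename check also catches a file uploaded with a harmless extension and renamed to a script afterwards, which the upload check alone would miss.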