[nsp-sec] ddos against 83.171.11.27-28
Marius Urkis
marius at litnet.lt
Tue Sep 15 09:18:53 EDT 2009
Hi,
Thank you for the info, Niels.
Niels den Otter wrote:
> On Tuesday, 15 September 2009, Niels den Otter wrote:
>> On Tuesday, 15 September 2009, Marius Urkis wrote:
>>> We experienced several UDP flood attacks against two IP addresses
>>> 83.171.11.27 and 83.171.11.28. Packets used were UDP/22 and UDP/8684.
>>>
>>> Please find the list of source IP addresses attached. Time specifies the
>>> first packet seen (GMT+3).
>> ACK AS1103.
>
> FWIW. This was caused using a compromised user account on a machine
> on which later on a PHP script was uploaded to send the traffic;
>
> vsftpd.log.1:Fri Sep 11 22:20:42 2009 [pid 10103] [<removed>] OK UPLOAD: Client "66.90.103.27", "/home/stud/<removed>/public.www/oyes.php", 418 bytes, 1.12Kbyte/sec
> vsftpd.log.1:Sat Sep 12 23:13:44 2009 [pid 13696] [<removed>] OK RENAME: Client "83.170.95.133", "/home/stud/<removed>/public.www/oyes.php /home/stud/<removed>/public.www/secured.php"
>
>
> -- Niels
--
Marius
=============================
Marius Urkis
LITNET CERT
http://cert.litnet.lt
Tel: +370 37 300645
GSM: +370 687 79059
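An added example, not part of the original message: a sketch of how a defender could scan vsftpd logs in the format quoted above for scripts uploaded into, or renamed within, web-served user directories, and note when the rename comes from a different client address than the upload. The sample log lines, user names and addresses are constructed; the web directory names and script extensions are assumptions to adapt locally.

```python
import re

# Constructed sample lines in the vsftpd log format quoted in the message
# (user names, paths and documentation-range IPs are made up).
SAMPLE_LOG = """\
Fri Sep 11 22:20:42 2009 [pid 10103] [alice] OK UPLOAD: Client "192.0.2.10", "/home/stud/alice/public.www/a.php", 418 bytes, 1.12Kbyte/sec
Fri Sep 11 22:25:01 2009 [pid 10110] [bob] OK UPLOAD: Client "192.0.2.77", "/home/stud/bob/notes/todo.txt", 90 bytes, 0.40Kbyte/sec
Sat Sep 12 23:13:44 2009 [pid 13696] [alice] OK RENAME: Client "198.51.100.5", "/home/stud/alice/public.www/a.php /home/stud/alice/public.www/b.php"
Sat Sep 12 23:20:00 2009 [pid 13700] [carol] FAIL UPLOAD: Client "192.0.2.99", "/home/stud/carol/public.www/x.php", 0.00Kbyte/sec
"""

WEB_DIRS = ("/public.www/", "/public_html/")             # assumed web-served dirs
SCRIPT_EXT = (".php", ".phtml", ".php5", ".cgi", ".pl")  # assumed script types

LINE_RE = re.compile(
    r'^(?:\S+:)?(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) '  # optional grep prefix
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] OK (?P<op>UPLOAD|RENAME): '
    r'Client "(?P<ip>[^"]+)", "(?P<arg>[^"]*)"')

def is_web_script(path):
    return any(d in path for d in WEB_DIRS) and path.lower().endswith(SCRIPT_EXT)

def find_suspicious(log_text):
    """Return (timestamp, user, client_ip, kind, path) for successful script
    uploads and renames inside web-served directories."""
    findings, uploader = [], {}  # uploader: path -> client IP that uploaded it
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, op, ip, arg = m["user"], m["op"], m["ip"], m["arg"]
        if op == "UPLOAD" and is_web_script(arg):
            uploader[arg] = ip
            findings.append((m["ts"], user, ip, "script-upload", arg))
        elif op == "RENAME":
            # vsftpd logs "old new"; splitting at " /" is ambiguous for paths with spaces
            old, sep, new = arg.partition(" /")
            new = "/" + new if sep else ""
            if is_web_script(old) or is_web_script(new):
                known = uploader.pop(old, None)
                kind = "script-rename-other-ip" if known and known != ip else "script-rename"
                if known:
                    uploader[new] = known
                findings.append((m["ts"], user, ip, kind, new))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```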