[nsp-sec] HTTP attackers, sources and some targets.

Scott A. McIntyre scott at xs4all.net
Wed Aug 4 02:07:24 EDT 2010


Hi all,

The other day I mentioned that a customer of ours, www.centraalbeheer.nl,
was getting a pretty healthy HTTP-based attack; that is still ongoing,
and I've finally started getting enough hard data from the folks sitting
in front of packets to share a few more bits to help you identify
sources in your network.

In addition to the aforementioned host, these IPs are also getting the
love, and the attack follows DNS, so I'm not entirely sure who the
targets are:

 212.113.130.117 - ns2.truckandplantonline.net
 212.227.119.193 - could be:

www.cleanthinking.de	 A 	212.227.119.193
radio-iran.de	 A 	212.227.119.193
www.smart-fernsehen.de	 A 	212.227.119.193
www.shop.dressur-studien.de	 A 	212.227.119.193
www.no-fei.com	 A 	212.227.119.193
www.irtvradio.com	 A 	212.227.119.193
tw4xp.com	 A 	212.227.119.193
blog.tw4xp.com	 A 	212.227.119.193
www.tw4xp.com	 A 	212.227.119.193
www.fernsehbox.com	 A 	212.227.119.193
splitsch.blog-libre.fr	 A 	212.227.119.193
www.annu-clans.fr	 A 	212.227.119.193

   69.49.188.146 - www.soccercorner.com
   212.23.194.70 - www.culturepub.fr
  174.121.152.92 - could be:

totalsportsworld.org	 A 	174.121.152.92
ns1.totalsportsworld.org	 A 	174.121.152.92
ns2.totalsportsworld.org	 A 	174.121.152.92
www.totalsportsworld.org	 CNAME 	totalsportsworld.org
notebooka.ru	 A 	174.121.152.92

  174.143.45.106 - could be:

www.aeraweb.org	 A 	174.143.45.106
openstack.org	 A 	174.143.45.106
www.openstack.org	 A 	174.143.45.106
wom-tv.jp	 A 	174.143.45.106
realwarriors.net	 A 	174.143.45.106
www.realwarriors.net	 CNAME 	realwarriors.net


  213.214.114.30 - www.centraalbeheer.nl (now, was 145.219.10.249)
   174.143.45.94 - not sure


Now, for the www.centraalbeheer.nl attack, I have attached a list of
sources which have been identified as part of the malicious HTTP
traffic, as well as a timestamp indicating when they were placed into a
blacklist due to the malicious activity -- in theory this is also when
the attack was taking place from the source.

Thanks to some fantastic help from Jose at Arbor and the Team Cymru
people, we know that one of the controller domains for this attack was
akakalat.com, which I now show as being unavailable.  However, given
that the attack is ongoing, I'm guessing that there's more evil out there.

The controller was using:

Hxxp:// akakalat.com/779/s.php
Hxxp:// akakalat.com/779/r.php
C&c: hxxp:// akakalat.com/779/a.php
login: hxxp:// akakalat.com/779/index.php

That was pointing to 113.11.194.148 and it appears to have in /111/ a
Black Energy (guess) controller as stat.php -- currently issuing:

!ddos get target.com 80 /index.php
?login=Test&email=test at test.com&text=Simple text&button=Send 0 login pass

The r.php, s.php and a.php return a healthy list of URLs:


Anyway, back to the attacking sources -- there are quite a few ASNs
participating, and attached are the details (puck.nether willing) and
here's a list:


Happy hunting,

Scott A. McIntyre
XS4ALL Internet B.V.
