[nsp-sec] Message relay for Paypal requesting assistance with active DDoS
Noam Freedman
noam at noam.com
Mon Dec 13 22:32:37 EST 2010
One more message relay for Jim... Again, please contact him off-list if you need to follow on this: Jim Oberton (joberton at paypal.com)
Thanks,
- Noam
--
Noam Freedman
Akamai Technologies
as20940
3 IRC servers, one webserver and a domain left....
WEBSERVERS:
anonops.info
Domain Name:ANONOPS.INFO
Created On:29-Nov-2010 18:03:09 UTC
Last Updated On:14-Dec-2010 00:32:32 UTC
Expiration Date:29-Nov-2011 18:03:09 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
V&v&v&v&v&v&v&v&v&V&v&v&v&v&v&v&v&v&V&v&v&v&v&v&v&v&v&V&v&v&
98.124.199.1
Anonops.info
OrgName: eNom, Incorporated
OrgId: ENOM
Address: 15801 NE 24th Street
City: Bellevue
StateProv: WA
PostalCode: 98008
Country: US
RegDate: 2001-06-15
Updated: 2010-02-03
Comment: Domain Related inquiries please contact our helpdesk at
425-274-4500 (http://www.enom.com/help/).
Ref: http://whois.arin.net/rest/org/ENOM
OrgAbuseHandle: DEMAN-ARIN
OrgAbuseName: DemandMedia NOC
OrgAbusePhone: +1-425-274-4500
OrgAbuseEmail: dmnoc at demandmedia.com
OrgAbuseRef: http://whois.arin.net/rest/poc/DEMAN-ARIN
V&v&v&v&v&v&v&v&v&V&v&v&v&v&v&v&v&v&V&v&v&v&v&v&v&v&v&V&v&v&
IRC SERVERS:
Discovered open port 6667/tcp on 85.223.50.236
Discovered open port 6667/tcp on 67.23.234.51
Discovered open port 6667/tcp on 72.10.160.223
===========================================================
85.223.50.236
abuse at internl.net
Legal at internl.net
Hostmaster at internl.net
role: InterNLnet BV Role Account
address: InterNLnet BV
address: Toernooiveld 318
address: 6525 EC NIJMEGEN
address: The Netherlands
phone: +31-24-3653653
fax-no: +31-24-3653655
e-mail: ipreg at internl.net
admin-c: PT1019-RIPE
admin-c: EB7088-RIPE
tech-c: PT1019-RIPE
tech-c: JJ624-RIPE
remarks: trouble: noc at internl.net
nic-hdl: INNL1-RIPE
remarks: ------------------------------------
remarks: For abuse notification send email to
remarks: abuse at internl.net
remarks: ------------------------------------
mnt-by: INTERNLNET-MNT
source: RIPE # Filtered
========================================================
67.23.234.51
network at dimenoc.com
Abuse at dimenoc.com
legal at dimenoc.com
Hostmaster at dimenoc.com
OrgName: HostDime.com, Inc.
OrgId: DIMEN-6
Address: 189 South Orange Avenue
Address: Suite 1500S
City: Orlando
StateProv: FL
PostalCode: 32801
Country: US
RegDate: 2004-06-30
Updated: 2009-08-21
Comment: Reassignment information for this block is
Comment: available at rwhois.dimenoc.com port 4321
Ref: http://whois.arin.net/rest/org/DIMEN-6
=====================================================
72.10.160.223
noc at gtcomm.net
plquimper at gtcomm.net
Abuse at gtcomm.net
Legal at gtcomm.net
Hostmaster at gtcomm.net
OrgName: GloboTech Communications
OrgId: GLOBO
Address: PO Box 1402
City: Saint-Quentin
StateProv: NB
PostalCode: E8A-1A2
Country: CA
RegDate: 2003-01-11
Updated: 2010-06-28
Comment: Please send abuse complaints to abuse at gtcomm.net
Comment: This space is statically assigned
Comment: www.gtcomm.net
Ref: http://whois.arin.net/rest/org/GLOBO
On Dec 12, 2010, at 11:18 PM, Noam Freedman wrote:
> All,
>
> I was contacted off-list by Jim Oberton (joberton at paypal.com) at Paypal requesting some assistance. I've asked an eBay contact on the list to contact him, but I told him I would forward on an email for him (which is included below). Please contact him directly off-list if you are able to assist.
>
> Thanks,
> - Noam
>
> --
> Noam Freedman
> Akamai Technologies
> as20940
>
>
> ---------
> From Jim:
>
> These servers are running an IRC server on port 6667 that is used to
> control the target of ongoing DDoS attacks.
> The command used to direct these attacks is:
> 12/11/2010 7:32:21 PM
>
>
> #loic :!lazor default targethost=paypal.com subsite=/ speed=3 threads=15
> method=tcp wait=false random=true checked=false
> message=Payback_is_a_bitch,_isn't_it? port=80 start
>
> +++++++++++++++++++++++++++++++++++++++
> COMMAND AND CONTROL BOTNET HOSTING ISPs:
>
> Heihachi
> abuse at gigalinknetwork.com
> support at gigalinknetwork.com
>
> InterNetworX Ltd. & Co. KG: Providing Domain name services for anonops.eu
> hostmaster at inwx.de
> lucke at 1st-communications.de
> berlin at 1st-communications.de
>
> IRC.ANONOPS.EU ABUSE CONTACTS
> nic at hostnoc.net
> noc at internl.net
> abuse at ip-exchange.de
> abuse at midphase.com
> Abuse at softlayer.net
> abuse at fanaticalvps.com
> lihaijun at chinamobile.com
> abuse at ovh.net
> ripe-admin at ipeer.se
> Abuse at ipeer.se
> abuse at ovh.net
> abuse at energimidt.dk
> abuse at sil.at
> admin at sil.at
> abuse at ovh.net
> net-abuse at hosteurope.de
> abuse at fanaticalvps.com
> abuse at dimenoc.com
> plquimper at gtcomm.net
> ralph at flexwebhosting.nl
> abuse at ovh.net
>
>
> ABUSE LIST WITH IP ADDRESS
> Anonops.eu servers:
> nic at hostnoc.net 184.82.107.110 teamslack.anonops.eu
> noc at internl.net 85.223.50.236 synergy.anonops.eu
> abuse at ip-exchange.de 80.190.98.196 lexus.anonops.eu
> abuse at midphase.com 173.192.206.141 approved.anonops.eu
> Abuse at softlayer.net 173.192.206.141 approved.anonops.eu
> abuse at fanaticalvps.com 178.63.172.192 fancy.anonops.eu
> lihaijun at chinamobile.com 117.135.137.126 dragon.anonops.eu
> abuse at ovh.net 91.121.88.140 klima.anonops.eu
> ripe-admin at ipeer.se 213.180.92.167 power.anonops.eu
> Abuse at ipeer.se 213.180.92.167 power.anonops.eu
> abuse at ovh.net 91.121.72.103 nexus.anonops.eu
> abuse at energimidt.dk 92.246.17.71 creative.anonops.eu
> abuse at sil.at 86.59.36.242 thealps.anonops.eu
> admin at sil.at 86.59.36.242 thealps.anonops.eu
> abuse at ovh.net 91.121.92.84 vendetta.anonops.eu
> net-abuse at hosteurope.de 83.169.21.109 nitrox.anonops.eu
> abuse at fanaticalvps.com 88.198.224.117 tinycore.anonops.eu
> abuse at dimenoc.com 67.23.234.51 osiris.anonops.eu
> plquimper at gtcomm.net 72.10.160.223 koldsun.anonops.eu
> ralph at flexwebhosting.nl 109.70.3.24 firefly.anonops.eu
> abuse at ovh.net 91.121.205.10 anansa.anonops.eu
>
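Added example, not part of the original message or of Jim's report: for anyone reviewing IRC captures or proxy logs for the control command quoted above, this Python parses a `!lazor` line into its key=value parameters and lists the hosts being targeted. The `PRIVMSG`/`TOPIC` framing, the function names and the sample log lines (including `victim.example`) are assumptions constructed for illustration.

```python
import re

# The command exactly as quoted in the message (wrapped by the mail client).
QUOTED_COMMAND = """#loic :!lazor default targethost=paypal.com subsite=/ speed=3 threads=15
method=tcp wait=false random=true checked=false
message=Payback_is_a_bitch,_isn't_it? port=80 start"""

# Assumption: in a raw IRC capture the channel is preceded by PRIVMSG or TOPIC.
LAZOR_RE = re.compile(r"(?:(?:PRIVMSG|TOPIC)\s+)?(#\S+)\s+:!lazor\s+(.*)", re.IGNORECASE)

def parse_lazor(text):
    """Return {'channel', 'action', 'params'} for a !lazor command, else None."""
    flat = " ".join(text.split())          # undo mail/log line wrapping
    m = LAZOR_RE.search(flat)
    if not m:
        return None
    params, bare = {}, []
    for token in m.group(2).split():
        if "=" in token:
            key, value = token.split("=", 1)
            params[key.lower()] = value
        else:
            bare.append(token.lower())     # e.g. "default", "start"
    # The last bare word is the action ("start" in the quoted command).
    return {"channel": m.group(1), "action": bare[-1] if bare else None, "params": params}

def targets_seen(log_lines):
    """Collect (targethost, port) pairs from every 'start' command in a log."""
    found = set()
    for line in log_lines:
        cmd = parse_lazor(line)
        if cmd and cmd["action"] == "start" and "targethost" in cmd["params"]:
            port = cmd["params"].get("port", "")
            found.add((cmd["params"]["targethost"], int(port) if port.isdigit() else 0))
    return sorted(found)

# Constructed sample log lines (not taken from any real capture).
SAMPLE_LOG = [
    ":nick!user@host.example PRIVMSG #loic :hello",
    ":op!user@host.example TOPIC #loic :!lazor default targethost=victim.example "
    "subsite=/ method=tcp port=80 start",
]

if __name__ == "__main__":
    print(parse_lazor(QUOTED_COMMAND))
    print(targets_seen(SAMPLE_LOG))
```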