[nsp-sec] DDoS mitigation help (AusCERT#20109c4d1)

Zane Jarvis zane at auscert.org.au
Sat Jan 9 03:23:10 EST 2010


Hi NSP'ers,

Two Australian betting sites are under heavy DDoS at the moment using HTTP GET
requests.

We are hoping to find the C&C, malware and assistance with mitigating this.
AusCERT's tracking code for this is 20109c4d1.

The websites are:

    http://centreracing.com
    http://centreracing.com.au
    http://multibet.com 
    http://multibet.com.au

all point to: 203.3.76.26

DDoS appears to have started at 01:00am 9th January 2010 GMT+0930. 

Here is a sample of the Apache access log from centreracing.com. We are
awaiting a full set of logs, in which we will include ASN to IP mapping.

60.254.108.66 - - [09/Jan/2010:14:11:17 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
60.254.108.66 - - [09/Jan/2010:14:11:18 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
180.183.192.131 - - [09/Jan/2010:14:11:18 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
94.96.3.122 - - [09/Jan/2010:14:11:18 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
94.96.62.155 - - [09/Jan/2010:14:11:18 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
202.8.254.21 - - [09/Jan/2010:14:11:19 +0930] "GET / HTTP/1.0" 200 2564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
202.156.10.253 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
125.26.123.120 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
202.156.10.253 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
188.48.42.198 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
201.252.54.13 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
203.162.3.166 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
203.162.3.166 - - [09/Jan/2010:14:11:26 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
112.142.50.125 - - [09/Jan/2010:14:11:26 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
122.167.46.72 - - [09/Jan/2010:14:11:26 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
115.133.138.169 - - [09/Jan/2010:14:11:27 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
114.128.164.213 - - [09/Jan/2010:14:11:27 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
117.47.126.85 - - [09/Jan/2010:14:11:27 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
200.93.218.179 - - [09/Jan/2010:14:11:28 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"

Thanks in advance,
Zane Jarvis.

--
Zane Jarvis
Senior Information Security Analyst  | Hotline: +61 7 3365 4417
AusCERT, Australia's Leading CERT    | Fax:     +61 7 3365 7031
The University of Queensland         | WWW:     www.auscert.org.au
QLD 4072 Australia                   | Email:   auscert at auscert.org.au
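
Added example, not part of the post or of AusCERT's tooling: a small triage script for an access-log excerpt of the kind shown above. It parses Apache combined-format lines, profiles the signals that separate a GET flood from organic traffic (many sources hitting one path with a handful of user-agents and empty referers) and produces a list of sources for manual rate-limit or ACL review. The sample lines and their RFC 5737 addresses are constructed, not taken from the incident.

```python
import re
from collections import Counter

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse(line):
    """Fields of one combined-format line, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def flood_profile(lines):
    """Signals that separate a GET flood from organic traffic: distinct sources,
    concentration on one path, a small set of user-agents, and empty referers."""
    per_ip, per_ua, per_path = Counter(), Counter(), Counter()
    no_referer = total = 0
    for rec in filter(None, map(parse, lines)):  # unparseable lines are skipped
        total += 1
        per_ip[rec["ip"]] += 1
        per_ua[rec["ua"]] += 1
        per_path[rec["path"]] += 1
        no_referer += rec["referer"] == "-"
    return {"total": total, "distinct_ips": len(per_ip),
            "top_paths": per_path.most_common(3), "top_agents": per_ua.most_common(3),
            "no_referer_ratio": no_referer / total if total else 0.0}

def candidate_sources(lines, path="/", min_requests=2):
    """Sources that fetched `path` with no referer at least `min_requests` times.
    This is a review list for rate-limit/ACL decisions, not an automatic block list."""
    hits = Counter(rec["ip"] for rec in filter(None, map(parse, lines))
                   if rec["path"] == path and rec["referer"] == "-")
    return sorted(ip for ip, n in hits.items() if n >= min_requests)

# Constructed sample in the same shape as the post's excerpt (RFC 5737 test addresses).
SAMPLE = [
    '192.0.2.10 - - [09/Jan/2010:14:11:17 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"',
    '192.0.2.10 - - [09/Jan/2010:14:11:18 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"',
    '198.51.100.7 - - [09/Jan/2010:14:11:18 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"',
    '198.51.100.7 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.0" 200 2564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"',
    '203.0.113.5 - - [09/Jan/2010:14:12:01 +0930] "GET /odds.html HTTP/1.1" 200 8120 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/3.5"',
    'this line is not in combined format and is skipped',
]
```

Run `flood_profile(SAMPLE)` on the real log set once it arrives; a no-referer ratio near 1.0 with one dominant path and a few repeated user-agents across many sources is the pattern to hand to the upstream for rate limiting.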
