[nsp-sec] DDoS mitigation help (AusCERT#20109c4d1)
Scott A. McIntyre
scott at xs4all.net
Sat Jan 9 15:49:24 EST 2010
Hi Zane,
> We are hoping to find the C&C, malware and assistance with mitigating this.
> AusCERT's tracking code for this is 20109c4d1.
>
> The websites are:
>
> http://centreracing.com
> http://centreracing.com.au
> http://multibet.com
> http://multibet.com.au
>
> all point to: 203.3.76.26
I think I found a source in my network - and it's not just targeting those hosts you list, but quite a few others. There's a lot of suspicious tcp syn to 80 at a number of other locations:
5532 | 194.158.36.230 | TERRANETMALTA Terranet Communications Limited
6849 | 212.113.36.19 | UKRTELNET JSC UKRTELECOM,
6849 | 91.213.175.34 | UKRTELNET JSC UKRTELECOM,
6849 | 91.213.175.4 | UKRTELNET JSC UKRTELECOM,
9746 | 203.3.76.26 | IGOLD-AS-AP Online Interactive gaming solution
12301 | 91.82.249.53 | INVITEL Invitel, Hungary
14135 | 216.205.10.0 | NAVISITE-EAST-2 - Navisite, Inc.
46844 | 67.21.86.231 | ST-BGP - SHARKTECH INTERNET SERVICES
In terms of potential C&C, the closest I have is:
9121 | 88.251.10.0 | TTNET TTnet Autonomous System
Which seems to be doing something on port 80 that my contributor likes...but I can't explore deeper than that. This may be a false positive as a result, but, well, TTNet...
Hope that helps...
Scott A. McIntyre
XS4ALL Internet B.V.
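The kind of check behind the list in Scott's message (SYN-only TCP flows to port 80, grouped by destination, then the internal sources hitting several of those destinations) can be run over flow records like this. This is an added example, not code from the original post; the record format and the sample flows are constructed, with the page's destination addresses used as targets.

```python
"""Rank SYN-only flows to port 80 per destination from flow records."""
from collections import Counter

# Constructed sample flow records (not real data):
# timestamp src_ip dst_ip dst_port tcp_flags packets
SAMPLE_FLOWS = """\
2010-01-09T14:02:11 10.0.0.7 203.3.76.26 80 S 1
2010-01-09T14:02:11 10.0.0.7 203.3.76.26 80 S 1
2010-01-09T14:02:12 10.0.0.7 203.3.76.26 80 S 1
2010-01-09T14:02:12 10.0.0.7 91.82.249.53 80 S 1
2010-01-09T14:02:12 10.0.0.7 91.82.249.53 80 S 1
2010-01-09T14:02:13 10.0.0.7 67.21.86.231 80 S 1
2010-01-09T14:02:13 10.0.0.9 198.51.100.20 80 SA 12
2010-01-09T14:02:14 10.0.0.9 198.51.100.20 443 SAF 40
2010-01-09T14:02:14 10.0.0.7 88.251.10.0 80 SAP 6
"""

def parse_flows(text):
    """Yield (src, dst, dport, flags, pkts); malformed records are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        _ts, src, dst, dport, flags, pkts = fields
        yield src, dst, int(dport), flags, int(pkts)

def syn_only_targets(text, dport=80, min_flows=2):
    """Count flows per (src, dst) carrying SYN but no ACK to dport.

    One- or two-packet SYN-only flows are what a SYN flood looks like in
    flow data; completed handshakes carry A flags and are excluded."""
    counts = Counter()
    for src, dst, port, flags, pkts in parse_flows(text):
        if port != dport:
            continue
        if "S" in flags and "A" not in flags and pkts <= 2:
            counts[(src, dst)] += 1
    return [(s, d, n) for (s, d), n in counts.most_common() if n >= min_flows]

def suspected_sources(text, dport=80, min_targets=2):
    """Sources whose SYN-only flows reach at least min_targets destinations."""
    targets = {}
    for src, dst, _n in syn_only_targets(text, dport, min_flows=1):
        targets.setdefault(src, set()).add(dst)
    return sorted(s for s, d in targets.items() if len(d) >= min_targets)
```

With sampled NetFlow the packet threshold should be raised in line with the sampling rate, since a sampled flood source shows fewer packets per flow than it sends.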