[nsp-sec] DDoS mitigation help (AusCERT#20109c4d1)
Zane Jarvis
zane at auscert.org.au
Sat Jan 9 18:48:06 EST 2010
Hi Scott,
Thanks for the info.
Another source of information got back to us with the C&C being hosted on:
49314 | 91.212.198.171 | RU | NEVAL PE Nevedomskiy Alexey Alexeevich
Are you seeing traffic to that one?
Regards,
Zane.
> -----Original Message-----
> From: Scott A. McIntyre [mailto:scott at xs4all.net]
> Sent: Sunday, 10 January 2010 6:49 AM
> To: Zane Jarvis
> Cc: NSP-SEC List
> Subject: Re: [nsp-sec] DDoS mitigation help (AusCERT#20109c4d1)
>
> Hi Zane,
>
>
> > We are hoping to find the C&C, malware and assistance with mitigating this.
> > AusCERT's tracking code for this is 20109c4d1.
> >
> > The websites are:
> >
> > http://centreracing.com
> > http://centreracing.com.au
> > http://multibet.com
> > http://multibet.com.au
> >
> > all point to: 203.3.76.26
>
> I think I found a source in my network - and it's not just targeting
> those hosts you list, but quite a few others. There's a lot of
> suspicious TCP SYNs to port 80 at a number of other locations:
>
> 5532 | 194.158.36.230 | TERRANETMALTA Terranet Communications Limited
> 6849 | 212.113.36.19 | UKRTELNET JSC UKRTELECOM,
> 6849 | 91.213.175.34 | UKRTELNET JSC UKRTELECOM,
> 6849 | 91.213.175.4 | UKRTELNET JSC UKRTELECOM,
> 9746 | 203.3.76.26 | IGOLD-AS-AP Online Interactive gaming solution
> 12301 | 91.82.249.53 | INVITEL Invitel, Hungary
> 14135 | 216.205.10.0 | NAVISITE-EAST-2 - Navisite, Inc.
> 46844 | 67.21.86.231 | ST-BGP - SHARKTECH INTERNET SERVICES
>
> In terms of potential C&C, the closest I have is:
>
> 9121 | 88.251.10.0 | TTNET TTnet Autonomous System
>
> Which seems to be doing something on port 80 that my contributor
> likes...but I can't explore deeper than that. This may be a false
> positive as a result, but, well, TTNet...
>
> Hope that helps...
>
> Scott A. McIntyre
> XS4ALL Internet B.V.
>