[nsp-sec] DDoS mitigation help (AusCERT#20109c4d1)
Zane Jarvis
zane at auscert.org.au
Sun Jan 10 18:59:41 EST 2010
Hi all,
I'm forwarding this on behalf of my colleague who did the work.
Regards,
Zane.
----------------------------
Hi,
Please find attached a list of ASNs and IPs involved in the attack, sorted by ASN. These logs cover 09 Jan 00:38 +0930 to 10 Jan 09:44 +0930.
Please share with trusted contacts on a need-to-know basis only.
Kind regards,
Paul
-- Paul Fahey --
Information Security Analyst | Hotline: +61 7 3365 4417
Australian Computer Emergency Response Team (AusCERT) | Fax: +61 7 3365 7031
The University of Queensland | WWW: www.auscert.org.au
Qld 4072 Australia | Email: auscert at auscert.org.au
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of Zane Jarvis
> Sent: Saturday, 9 January 2010 6:23 PM
> To: NSP-SEC List
> Subject: [nsp-sec] DDoS mitigation help (AusCERT#20109c4d1)
>
> ----------- nsp-security Confidential --------
>
> Hi NSP'ers,
>
> Two Australian betting sites are under heavy DDoS at the moment using
> HTTP GET requests.
>
> We are hoping to find the C&C, malware and assistance with mitigating this.
> AusCERT's tracking code for this is 20109c4d1.
>
> The websites are:
>
> http://centreracing.com
> http://centreracing.com.au
> http://multibet.com
> http://multibet.com.au
>
> all point to: 203.3.76.26
>
> DDoS appears to have started at 01:00am 9th January 2010 GMT+0930.
>
> Here is a sample of the Apache access log from centreracing.com. We are
> awaiting a full set of logs in which we will include ASN to IP mapping.
>
> 60.254.108.66 - - [09/Jan/2010:14:11:17 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
> 60.254.108.66 - - [09/Jan/2010:14:11:18 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
> 180.183.192.131 - - [09/Jan/2010:14:11:18 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
> 94.96.3.122 - - [09/Jan/2010:14:11:18 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
> 94.96.62.155 - - [09/Jan/2010:14:11:18 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
> 202.8.254.21 - - [09/Jan/2010:14:11:19 +0930] "GET / HTTP/1.0" 200 2564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
> 202.156.10.253 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
> 125.26.123.120 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
> 202.156.10.253 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
> 188.48.42.198 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
> 201.252.54.13 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
> 203.162.3.166 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
> 203.162.3.166 - - [09/Jan/2010:14:11:26 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
> 112.142.50.125 - - [09/Jan/2010:14:11:26 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
> 122.167.46.72 - - [09/Jan/2010:14:11:26 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
> 115.133.138.169 - - [09/Jan/2010:14:11:27 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
> 114.128.164.213 - - [09/Jan/2010:14:11:27 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
> 117.47.126.85 - - [09/Jan/2010:14:11:27 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
> 200.93.218.179 - - [09/Jan/2010:14:11:28 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
>
> Thanks in advance,
> Zane Jarvis.
>
> --
> Zane Jarvis
> Senior Information Security Analyst | Hotline: +61 7 3365 4417
> AusCERT, Australia's Leading CERT | Fax: +61 7 3365 7031
> The University of Queensland | WWW: www.auscert.org.au
> QLD 4072 Australia | Email: auscert at auscert.org.au
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: bots_ips_asns.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20100111/d93b81d7/attachment-0001.txt>
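As an added example (not part of the post or AusCERT's tooling), a short Python detector for the pattern in the quoted log: it parses Apache combined-format lines, keeps referer-less hits, buckets them into fixed windows and flags windows where many distinct sources repeat one dominant request line. The function names, the thresholds and the window size are my own choices; the seven sample lines are copied from the post.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Apache "combined" log format (the format of the sample quoted in the post).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Seven lines copied from the access-log sample quoted in the post.
SAMPLE = """
60.254.108.66 - - [09/Jan/2010:14:11:17 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
60.254.108.66 - - [09/Jan/2010:14:11:18 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
180.183.192.131 - - [09/Jan/2010:14:11:18 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
94.96.3.122 - - [09/Jan/2010:14:11:18 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
202.8.254.21 - - [09/Jan/2010:14:11:19 +0930] "GET / HTTP/1.0" 200 2564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
202.156.10.253 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
202.156.10.253 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
""".strip().splitlines()

def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flood_windows(lines, window=timedelta(seconds=5), min_hits=5, min_ips=3):
    """Bucket referer-less requests into fixed windows; flag buckets where many
    distinct sources send one dominant request line (the shape of this flood).
    Returns [(bucket_start, hits, distinct_ips, top_request, ua_family_counts)]."""
    recs = [r for r in map(parse_line, lines) if r]
    if not recs:
        return []
    t0 = min(r["ts"] for r in recs)
    buckets = {}
    for r in recs:
        if r["ref"] != "-":  # the flood's hits carry no Referer; keep only those
            continue
        buckets.setdefault(int((r["ts"] - t0) / window), []).append(r)
    flagged = []
    for idx in sorted(buckets):
        rs = buckets[idx]
        ips = {r["ip"] for r in rs}
        top_req, top_n = Counter(r["req"] for r in rs).most_common(1)[0]
        # Volume, many distinct sources, and one request line taking >50% of hits.
        if len(rs) >= min_hits and len(ips) >= min_ips and top_n * 2 > len(rs):
            uas = Counter(r["ua"].split(" ")[0] for r in rs)
            flagged.append((t0 + idx * window, len(rs), len(ips), top_req, uas))
    return flagged
```

The flagged tuples give the distinct source IPs per window (for the ASN mapping the post asks for) and the User-Agent family mix, which in this sample is dominated by a single Opera string.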