[nsp-sec] 10Gbps distributed UDP flood against 62.50.74.234 (AS8928)

Harri Sylvander harri.sylvander at csc.fi
Fri Jun 4 10:11:31 EDT 2010


> I would appreciate hearing if anybody else has some additional
> information they can provide us with, especially if this was controlled

FWIW: One of the affected constituents ran GREM on the compromised
system (AV found nothing) and found a couple of hidden services
started at boot-time as well as a couple of dubious sys files
(imcxapl.sys and wpptu.sys - no MD5s or further info due to reasons
below), after which the box did the old BSoD on him.

When mounted on a Linux box the files were 0 bytes (ADS?). Apparently
they are busy at the moment so he didn't have time to continue the
analysis, but hopefully he'll find time to recover the binaries during
the weekend.

As far as traffic to/from muza-flowers.biz (189.120.233.193) we see
none.

Same hosts were also involved in the UDP floods to 91.205.41.173 and
178.208.73.57.


-hts

--
Harri Sylvander, Funet CERT, CSC - IT Center for Science Ltd.
P.O. Box 405, 02101 Espoo, Finland, tel +358 9 457 2082
CSC is the Finnish IT Center for Science, http://www.csc.fi/
e-mail: harri.sylvander at csc.fi
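The report above mentions boot-time services, hidden .sys files with no hashes recorded, and files that showed as 0 bytes when the disk was mounted elsewhere (suspected alternate data streams). The following triage script is an added example for responders in that situation; it is not part of the original post or anything the poster ran. It assumes an elevated PowerShell 4.0+ session on the suspect Windows host and the default driver directory under $env:SystemRoot; the two driver file names are the ones given in the message. It lists every driver registered to load at boot or system start, flags those whose image is missing or not validly signed, and for the named files (plus any driver carrying an extra NTFS stream) records size, hidden attribute, MD5 and SHA256, signature status and all data streams, so the hashes and stream layout are captured before the box goes down again.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell 4.0+
# session on the suspect Windows host. The two driver names come from the report;
# $DriverDir is assumed to be the default driver directory.
$DriverDir  = Join-Path $env:SystemRoot 'System32\drivers'
$Suspicious = @('imcxapl.sys', 'wpptu.sys')

function Get-FileTriage {
    # Size, hashes, signature status and NTFS streams for one file. A primary
    # stream (:$DATA) of 0 bytes next to a sizeable named stream is the pattern
    # that shows up as a "0-byte file" when the volume is mounted on another OS.
    param([Parameter(Mandatory)][string]$Path)
    $item    = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $streams = @(Get-Item -LiteralPath $Path -Force -Stream * -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        File      = $item.FullName
        Bytes     = $item.Length
        Hidden    = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        MD5       = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature = (Get-AuthenticodeSignature -FilePath $Path).Status
        Streams   = ($streams | ForEach-Object { '{0}={1}B' -f $_.Stream, $_.Length }) -join '; '
    }
}

# 1. Kernel drivers registered to load at boot or system start. Normalise the
#    image path forms the service database uses (\??\C:\..., \SystemRoot\...,
#    system32\...) so they can be checked on disk.
$bootDrivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.StartMode -in @('Boot', 'System') } |
    ForEach-Object {
        $p = $_.PathName -replace '^\\\?\?\\', '' `
                         -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                         -replace '^system32\\', "$env:SystemRoot\System32\"
        [pscustomobject]@{ Name = $_.Name; State = $_.State; StartMode = $_.StartMode; Image = $p }
    }

# Flag boot/system-start drivers whose image is missing or not validly signed.
$flagged = foreach ($d in $bootDrivers) {
    if (-not $d.Image -or -not (Test-Path -LiteralPath $d.Image)) {
        [pscustomobject]@{ Name = $d.Name; Issue = 'image not found'; Image = $d.Image }
        continue
    }
    $sig = (Get-AuthenticodeSignature -FilePath $d.Image).Status
    if ($sig -ne 'Valid') {
        [pscustomobject]@{ Name = $d.Name; Issue = "signature $sig"; Image = $d.Image }
    }
}
"== Boot/system-start drivers needing review =="
$flagged | Format-Table -AutoSize

# 2. Full triage of the named files (-Force also returns hidden ones) and of any
#    other driver in the directory that carries more than the primary stream.
"== File triage =="
Get-ChildItem -LiteralPath $DriverDir -Filter *.sys -Force -File |
    Where-Object {
        $Suspicious -contains $_.Name -or
        @(Get-Item -LiteralPath $_.FullName -Force -Stream * -ErrorAction SilentlyContinue).Count -gt 1
    } |
    ForEach-Object { Get-FileTriage -Path $_.FullName } |
    Format-List
```

Record the output off-host before any further poking: the message notes the machine blue-screened during the first look, and a copy of the hashes and stream names is what lets others on the list correlate their own sightings. If a named stream holds the actual driver body, Get-Content -LiteralPath <file> -Stream <name> reads it out for offline analysis.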


