[nsp-sec] Syn flood attack on Israeli government sites 2011-01-04

Dirk Stander dst+nsp-sec at glaskugel.org
Wed Jan 5 09:13:02 EST 2011


.: Dirk Stander (Tue, Jan 04, 2011 at 01:07:36PM +0100)
> .: Rafi Sadowsky (Tue, Jan 04, 2011 at 01:45:28PM +0200)
>> 8560    | 212.227.134.28   | 147.237.72.235 Jan 04 2011 01:12:34 | ONEANDONE-AS 1&1 Internet AG
> Thanks and ACK 8560 -- i'll take a deeper look into
> this machine.

this box was running an outdated osCommerce shop.  The perpetrator uploaded
a bunch of php scripts (web shells, mass mailer etc) and the "m4os.php"
script, which happens to be a simple HTTP flooder.

Here's one invocation of the script:

2011-01-03 23:15:39 88.234.152.148 POST /catalog/m4os.php HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+.NET4.0C;+.NET4.0E)

    cheers, Dirk :.
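The log line quoted above is in the familiar IIS-style layout (date, time, client IP, method, URI stem, protocol, user agent with spaces encoded as "+"). One way an operator can spot uploaded PHP scripts like the flooder described in the post is to compare every .php request path against the set of scripts the shop actually ships with, and then look at which clients are driving the unknown ones. The example below is added here and is not code from the original post or from osCommerce; the allow-list of known scripts, the `parse_line` / `find_suspicious` function names and the constructed log lines (all except the first, which is the one quoted in the post) are assumptions.

```python
"""Flag requests to PHP scripts that are not part of the known shop code base.

Added example (not from the original post). Log layout follows the line quoted
in the post: date time client-ip method uri-stem protocol user-agent, with spaces
in the user agent encoded as '+'.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<client>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d) (?P<ua>\S+)$"
)

# Assumed allow-list of legitimate osCommerce entry points under /catalog/.
# In practice this would be generated from the installed files (a file-integrity
# baseline taken right after installation), not typed in by hand.
KNOWN_SCRIPTS = frozenset({
    "/catalog/index.php",
    "/catalog/product_info.php",
    "/catalog/shopping_cart.php",
    "/catalog/checkout_shipping.php",
    "/catalog/login.php",
    "/catalog/account.php",
    "/catalog/advanced_search_result.php",
})


@dataclass(frozen=True)
class Request:
    date: str
    time: str
    client: str
    method: str
    path: str        # URI stem without the query string
    user_agent: str  # '+' decoded back to spaces


def parse_line(line: str) -> Optional[Request]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Request(
        m["date"], m["time"], m["client"], m["method"],
        m["path"].split("?", 1)[0],
        m["ua"].replace("+", " "),
    )


def is_unknown_php(req: Request) -> bool:
    """True when the request targets a .php file the shop is not known to ship."""
    return req.path.lower().endswith(".php") and req.path not in KNOWN_SCRIPTS


def find_suspicious(lines: Iterable[str]) -> List[Request]:
    """All parseable requests that hit an unknown PHP script."""
    return [r for r in map(parse_line, lines) if r is not None and is_unknown_php(r)]


def clients_by_unknown_script(lines: Iterable[str]) -> Dict[str, Counter]:
    """Per unknown script, how many times each client invoked it."""
    hits: Dict[str, Counter] = defaultdict(Counter)
    for req in find_suspicious(lines):
        hits[req.path][req.client] += 1
    return dict(hits)


# Constructed sample log: the first line is the one quoted in the post, the rest
# are made up to show legitimate shop traffic and a line that does not parse.
SAMPLE_LOG = [
    "2011-01-03 23:15:39 88.234.152.148 POST /catalog/m4os.php HTTP/1.1 "
    "Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+2.0.50727;"
    "+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+.NET4.0C;+.NET4.0E)",
    "2011-01-03 23:14:02 203.0.113.7 GET /catalog/index.php HTTP/1.1 Mozilla/5.0+(X11;+Linux+x86_64)",
    "2011-01-03 23:14:10 203.0.113.7 GET /catalog/product_info.php?products_id=12 HTTP/1.1 Mozilla/5.0+(X11;+Linux+x86_64)",
    "2011-01-03 23:15:41 88.234.152.148 POST /catalog/m4os.php HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0)",
    "2011-01-03 23:16:00 198.51.100.9 GET /catalog/images/logo.gif HTTP/1.1 Mozilla/5.0",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for script, clients in clients_by_unknown_script(SAMPLE_LOG).items():
        print(script)
        for client, n in clients.most_common():
            print(f"  {client}: {n} request(s)")
```

The query string is stripped before the allow-list lookup so that legitimate requests such as `product_info.php?products_id=12` are not mistaken for unknown scripts, and the per-client counter is what turns a single flagged path into something actionable: the client repeatedly invoking an unknown script is the one driving the flooder.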
