[nsp-sec] Syn flood attack on Israeli government sites 2011-01-04
Shelton, Steve
sshelton at Cogentco.com
Wed Jan 5 10:01:19 EST 2011
Rafi,
Got the same results as Dirk.
78.188.188.203 - - [03/Jan/2011:04:02:54 -0500] "GET /store////m4os.php HTTP/1.0" 200 434 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0)"
Parsing /32s out of some logging depicts GET/POST from numerous
prefixes behind one particular ASN. Also see the following entry, which
may be related or point out a potential culprit.
78.165.199.242 - - [03/Jan/2011:06:04:20 -0500] "GET /store/fup.php HTTP/1.0" 200 301 "http://www.imhatimi.org/23280/accaunts/5-6-tane-server/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 GTB7.1"
Best regards,
Steve Shelton
Sec Engineer
Cogent Communications
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Rafi Sadowsky
Sent: Tuesday, January 04, 2011 6:45 AM
To: NSP Security list
Subject: [nsp-sec] Syn flood attack on Israeli government sites 2011-01-04
----------- nsp-security Confidential --------
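
The log triage described in the message above (pulling source /32s out of access logs and grouping them by origin network), as an added example that is not part of the original post. The prefix table and the AS-PLACEHOLDER label are constructed assumptions; a real table would come from a BGP dump or an IP-to-ASN lookup.

```python
import ipaddress
import re
from collections import defaultdict

# Apache/NCSA combined log format; referer and user-agent are optional.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?')

# The two entries quoted in the message, each rejoined onto one line.
SAMPLE_LOG = [
    '78.188.188.203 - - [03/Jan/2011:04:02:54 -0500] "GET /store////m4os.php '
    'HTTP/1.0" 200 434 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"',
    '78.165.199.242 - - [03/Jan/2011:06:04:20 -0500] "GET /store/fup.php '
    'HTTP/1.0" 200 301 "http://www.imhatimi.org/23280/accaunts/5-6-tane-server/" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.13)"',
]

# Constructed prefix-to-origin table (assumption, not real routing data).
PREFIX_TABLE = {ipaddress.ip_network("78.160.0.0/11"): "AS-PLACEHOLDER"}

def parse_line(line):
    """Return (source address, method, normalized path) or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:          # log configured to record hostnames
        return None
    # Collapse repeated slashes so /store////x and /store/x count as one path.
    return src, m["method"], re.sub(r"/{2,}", "/", m["path"])

def origin_of(addr, table):
    """Longest-prefix match of addr against the table."""
    hits = [(net.prefixlen, name) for net, name in table.items() if addr in net]
    return max(hits)[1] if hits else "unknown"

def summarize(lines, table=PREFIX_TABLE):
    """Group requests by origin: distinct /32s, request count, paths hit."""
    out = defaultdict(lambda: {"sources": set(), "requests": 0, "paths": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _method, path = parsed
        entry = out[origin_of(src, table)]
        entry["sources"].add(str(src))
        entry["requests"] += 1
        entry["paths"].add(path)
    return dict(out)
```
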