[nsp-sec] attack against AS36666 C&C at 141.28.52.24 ?
Mike Tancsa
mike at sentex.net
Wed Jul 6 12:57:52 EDT 2011
One of our customers was involved in a DoS attack against 67.43.230.229,
.231, .233, .242 and .245 (AS36666).
All UDP packets, source port 0, dst port 0, from 64.7.152.22. 64.7.152.22
unfortunately NATs a few hundred devices and I am still working with the
customer to see what sort of logs he might have to try and figure out what
devices were involved.
Prior to the attack, there was a lot of activity from the customer's
network to 141.28.52.24 on tcp port 8003 which is unusual for this site.
# telnet 141.28.52.24 8003
Trying 141.28.52.24...
Connected to WI-OM5.wi-om.HS-Furtwangen.DE.
Escape character is '^]'.
NOTICE AUTH :*** Processing connection to hades.arpa
NOTICE AUTH :*** Looking up your hostname...
NOTICE AUTH :*** Found your hostname
AS | IP | AS Name
553 | 141.28.52.24 | BELWUE Landeshochschulnetz Baden-Wuerttemberg (BelWue)
Connections to 141.28.52.24 (IRC server?) started at 14:53 GMT on
the 5th. Nothing jumps out as to how the customer's machine(s) might
have been infected/taken over.
Anyone know anything about this host, or the targets?
The attack was from July 5, 23:00 to about July 6th, 13:00 GMT.
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
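An added example, not part of Mike's post: a small flow-record detector for the two indicators he describes (UDP with source and destination port 0 toward the listed targets, and TCP connections to 141.28.52.24:8003). The IPs and ports come from the post; the record format and the sample flow lines are constructed.

```python
# Added example (not from the original post): flag the two traffic patterns
# described above in constructed flow records.
from collections import Counter

# Addresses and ports taken from the post.
DOS_TARGETS = {"67.43.230.229", "67.43.230.231", "67.43.230.233",
               "67.43.230.242", "67.43.230.245"}
SUSPECT_CNC = ("141.28.52.24", 8003)

# Constructed records in a made-up format: proto src sport dst dport packets
SAMPLE_FLOWS = """\
tcp 64.7.152.22 51234 141.28.52.24 8003 40
udp 64.7.152.22 0 67.43.230.229 0 120000
udp 64.7.152.22 0 67.43.230.245 0 98000
udp 64.7.152.22 53412 198.51.100.53 53 2
tcp 64.7.152.22 44321 198.51.100.80 443 30
"""

def parse_flow(line):
    proto, src, sport, dst, dport, pkts = line.split()
    return {"proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "pkts": int(pkts)}

def classify(flow):
    """Return a tag for flows matching the post's indicators, else None."""
    if flow["proto"] == "udp" and flow["sport"] == 0 and flow["dport"] == 0:
        # Port 0 is not used by legitimate UDP services; combined with one of
        # the listed targets it matches the flood described in the post.
        return "udp-port0-flood" if flow["dst"] in DOS_TARGETS else "udp-port0"
    if flow["proto"] == "tcp" and (flow["dst"], flow["dport"]) == SUSPECT_CNC:
        return "suspect-irc-cnc"
    return None

def detect(text):
    """Return ({tag: set of source hosts}, Counter of packets per tag)."""
    hits, pkts = {}, Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        tag = classify(flow)
        if tag:
            hits.setdefault(tag, set()).add(flow["src"])
            pkts[tag] += flow["pkts"]
    return hits, pkts

if __name__ == "__main__":
    hits, pkts = detect(SAMPLE_FLOWS)
    for tag in sorted(hits):
        print(f"{tag}: hosts={sorted(hits[tag])} packets={pkts[tag]}")
```

On a real NAT gateway the source would be the internal address seen before translation, which is what identifies the infected device behind 64.7.152.22.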