[nsp-sec] attack against AS36666 C&C at 141.28.52.24 ?
Dave Monnier
dmonnier at cymru.com
Wed Jul 6 18:54:44 EDT 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 7/6/11 11:57 AM, Mike Tancsa wrote:
> ----------- nsp-security Confidential --------
>
> One of our customers was involved in a DOS attack against 67.43.230.229,
> .231,.233,.242 and .245. (AS36666)
>
> All UDP packets, source port 0, dst port 0 from 64.7.152.22. 64.7.152.22
> unfortunately nats a few hundred devices and I am still working with the
> customer to see what sort of logs he might have to try and figure what
> devices were involved.
>
> Prior to the attack, there was a lot of activity from the customer's
> network to 141.28.52.24 on tcp port 8003 which is unusual for this site.
>
> # telnet 141.28.52.24 8003
> Trying 141.28.52.24...
> Connected to WI-OM5.wi-om.HS-Furtwangen.DE.
> Escape character is '^]'.
> NOTICE AUTH :*** Processing connection to hades.arpa
> NOTICE AUTH :*** Looking up your hostname...
> NOTICE AUTH :*** Found your hostname
>
>
> AS | IP | AS Name
> 553 | 141.28.52.24 | BELWUE Landeshochschulnetz Baden-Wuerttemberg (BelWue)
>
> Connections started to the 141.28.52.24 (IRC server ?) at 14:53 GMT on
> the 5th. Nothing jumps out as to how the customer's machine(s) might
> have been infected/taken over.
>
> Anyone know anything about this host, or the targets ?
>
> The attack was from July 5, 23:00 to about July 6th, 13:00 GMT.
>
> ---Mike
>
>
Hey, Mike!
We've seen a bit of action from this c&c.
There are a few miscreants using it, but your bots look to have taken this
instruction:
2011-07-06 00:05:41 #winz0r .tcpflood 67.43.230.231 999999 30000 6667 1
2011-07-06 00:05:41 #winz0r .udpflood 67.43.230.231 999999 30000 1
The miscreant looks to be in or bouncing through Brazil:
dasdas!~r0x at 189.107.54.187
The crew there looks to be hitting both Windows and Linux/FreeBSD systems.
I've dropped the c&c into the ddosrs and it should show up momentarily.
Thanks!
- -Dave
- --
Dave Monnier
Team Cymru
https://www.team-cymru.org/
PGP: https://www.cymru.com/dmonnier/0x7C1AAE55_pub.asc
-----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAk4U57QACgkQ+29txnwarlVemwCfaVTDTG9bQga4ICykDrMF5qrC
le8Anis3Bde3DkeyPF7XFVeX5ScgoyK+
=SgW3
-----END PGP SIGNATURE-----
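The triage described in this thread (matching the .tcpflood/.udpflood instructions seen on the C&C channel against the customer's flow records, and pulling out the UDP port 0 to port 0 traffic and the tcp/8003 connections to the IRC server) can be scripted. What follows is an added example written for this page; it is not Team Cymru code and not anything posted to the list. The C&C line layout copies the two commands Dave quoted; the flow-record layout, the one-hour correlation window, the join line and every flow record are constructed for the example and are not real collector output. The meaning of the numeric arguments after the target is not stated in the thread, so they are kept as an opaque tuple.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Channel log layout, copied from the two commands quoted in the reply:
# "<date> <time> <#channel> .<verb>flood <target> <numeric args ...>"
CMD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<chan>#\S+) "
    r"\.(?P<cmd>[a-z]+flood) (?P<target>\S+)(?P<args>(?: \d+)*)\s*$"
)
# Assumed flow-record layout (constructed for this example, not a real
# collector's format): "<date> <time> <proto> <src>:<sport> <dst>:<dport> <pkts>"
FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<pkts>\d+)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass(frozen=True)
class FloodCommand:
    ts: datetime
    channel: str
    command: str
    target: ipaddress.IPv4Address
    args: tuple  # bot-specific parameters; their meaning is not given in the thread


@dataclass(frozen=True)
class Flow:
    ts: datetime
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    pkts: int


def parse_commands(lines):
    """FloodCommand objects for .*flood lines; other channel traffic is ignored."""
    out = []
    for line in lines:
        m = CMD_RE.match(line)
        if not m:
            continue
        try:
            target = ipaddress.IPv4Address(m["target"])
        except ValueError:
            continue  # hostname targets would need resolution; skipped here
        out.append(FloodCommand(datetime.strptime(m["ts"], TS_FMT), m["chan"],
                                m["cmd"], target, tuple(int(a) for a in m["args"].split())))
    return out


def parse_flows(lines):
    out = []
    for line in lines:
        m = FLOW_RE.match(line)
        if m:
            out.append(Flow(datetime.strptime(m["ts"], TS_FMT), m["proto"],
                            ipaddress.IPv4Address(m["src"]), int(m["sport"]),
                            ipaddress.IPv4Address(m["dst"]), int(m["dport"]), int(m["pkts"])))
    return out


def port_zero_udp(flows):
    """UDP with source and destination port 0, the signature Mike reported."""
    return [f for f in flows if f.proto == "udp" and f.sport == 0 and f.dport == 0]


def flows_matching_commands(commands, flows, window=timedelta(hours=1)):
    """Flows toward a commanded target that start within `window` after the command."""
    hits = []
    for f in flows:
        for c in commands:
            if f.dst == c.target and c.ts <= f.ts <= c.ts + window:
                hits.append((f, c))
                break
    return hits


def flows_to_cc(flows, cc_endpoints):
    """Flows to known C&C (ip, port) pairs, e.g. the IRC server on tcp/8003."""
    return [f for f in flows if (f.dst, f.dport) in cc_endpoints]


# Constructed sample data. The two .*flood lines are the commands quoted in the
# reply; the join line and all flow records are made up for this example.
CC_LOG = [
    "2011-07-06 00:04:02 #winz0r *** dasdas joined",
    "2011-07-06 00:05:41 #winz0r .tcpflood 67.43.230.231 999999 30000 6667 1",
    "2011-07-06 00:05:41 #winz0r .udpflood 67.43.230.231 999999 30000 1",
]
FLOWS = [
    "2011-07-05 22:00:00 tcp 64.7.152.22:44120 141.28.52.24:8003 40",
    "2011-07-06 00:06:10 udp 64.7.152.22:0 67.43.230.231:0 180422",
    "2011-07-06 00:06:12 udp 64.7.152.22:53211 8.8.8.8:53 2",
    "2011-07-06 03:30:00 udp 64.7.152.22:0 67.43.230.231:0 91000",
]
CC_ENDPOINTS = {(ipaddress.IPv4Address("141.28.52.24"), 8003)}


def triage():
    commands = parse_commands(CC_LOG)
    flows = parse_flows(FLOWS)
    return {"commands": commands, "port_zero": port_zero_udp(flows),
            "commanded": flows_matching_commands(commands, flows),
            "to_cc": flows_to_cc(flows, CC_ENDPOINTS)}


if __name__ == "__main__":
    for key, rows in triage().items():
        print(key, *rows, sep="\n  ")
```

Because 64.7.152.22 is a NAT address, the flow records alone cannot name the infected device; the tcp/8003 connections picked out by `flows_to_cc` are the ones to chase in the customer's NAT translation logs, where the pre-NAT source address is recorded. The later port 0/0 flow falls outside the one-hour window and so is caught only by the port-zero check, which is why both signals are kept.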