[nsp-sec] Attack on www.gsn.com 07/23/2011?

Yiming Gong yiming.gong at xo.com
Wed Jul 27 15:55:49 EDT 2011


I see two hosts, 67.207.144.116 and 67.207.145.123, having quite some 
traffic traversing our network during that time frame, and they are 
already on the list you sent out.

On the other hand, I did notice both hosts were talking to 
81.169.181.251 on port 443, as you can see below; not sure what that 
could be:

2011-07-23 11:50:41.653     0.000 TCP     67.207.145.123:51984 ->   
81.169.181.251:443   .A....     1000    52000     1    220    181
2011-07-23 11:58:25.495     0.000 TCP     67.207.144.116:38399 ->   
81.169.181.251:443   .A....     1000    52000     1    220    181
2011-07-23 11:59:36.527     0.000 TCP     67.207.145.123:45844 ->   
81.169.181.251:443   .A...F     1000    52000     1    220    181
2011-07-23 12:04:32.623     0.000 TCP     67.207.145.123:35119 ->   
81.169.181.251:443   ....S.     1000    60000     1    220    181
2011-07-23 12:05:28.078     0.000 TCP     67.207.145.123:57369 ->   
81.169.181.251:443   ....S.     1000    60000     1    220    181
2011-07-23 12:02:56.877     0.000 TCP     67.207.144.116:47457 ->   
81.169.181.251:443   .AP...     5000   455000     1    811    926



The attacking traffic:

2011-07-23 11:50:28.779    33.106 UDP     67.207.144.116:44543 ->    
66.150.203.80:113   ......    7.1 M  555.8 M     1    220    181
2011-07-23 11:50:28.842    33.042 UDP     67.207.145.123:34468 ->    
66.150.203.80:113   ......    3.9 M  307.5 M     1    220    181
2011-07-23 11:51:01.998    59.889 UDP     67.207.144.116:44543 ->    
66.150.203.80:113   ......   12.1 M  942.5 M     1    220    181
2011-07-23 11:51:01.998    59.889 UDP     67.207.145.123:34468 ->    
66.150.203.80:113   ......    6.2 M  486.8 M     1    220    181
2011-07-23 11:52:02.939    59.948 UDP     67.207.144.116:44543 ->    
66.150.203.80:113   ......   12.8 M  997.8 M     1    220    181
2011-07-23 11:52:02.939    59.948 UDP     67.207.145.123:34468 ->    
66.150.203.80:113   ......    9.2 M  715.6 M     1    220    181
2011-07-23 11:53:02.942    59.901 UDP     67.207.144.116:44543 ->    
66.150.203.80:113   ......   11.6 M  905.4 M     1    220    181
2011-07-23 11:53:02.941    59.901 UDP     67.207.145.123:34468 ->    
66.150.203.80:113   ......    5.8 M  449.9 M     1    220    181
2011-07-23 11:54:02.939    59.955 UDP     67.207.144.116:44543 ->    
66.150.203.80:113   ......   12.7 M  989.6 M     1    220    181
2011-07-23 11:54:02.939    59.954 UDP     67.207.145.123:34468 ->    
66.150.203.80:113   ......    6.3 M  488.2 M     1    220    181
2011-07-23 11:55:02.939    59.925 UDP     67.207.144.116:44543 ->    
66.150.203.80:113   ......   12.0 M  933.3 M     1    220    181
2011-07-23 11:55:02.938    59.925 UDP     67.207.145.123:34468 ->    
66.150.203.80:113   ......    6.7 M  525.2 M     1    220    181
2011-07-23 11:56:02.936    59.945 UDP     67.207.144.116:44543 ->    
66.150.203.80:113   ......   11.4 M  887.6 M     1    220    181
2011-07-23 11:56:02.936    59.946 UDP     67.207.145.123:34468 ->    
66.150.203.80:113   ......    7.9 M  616.0 M     1    220    181
2011-07-23 11:57:02.931    59.963 UDP     67.207.144.116:44543 ->    
66.150.203.80:113   ......   10.9 M  850.3 M     1    220    181
2011-07-23 11:57:02.920    59.963 UDP     67.207.145.123:34468 ->    
66.150.203.80:113   ......   10.4 M  813.5 M     1    220    181
2011-07-23 11:58:02.940    59.925 UDP     67.207.144.116:44543 ->    
66.150.203.80:113   ......   11.9 M  925.1 M     1    220    181
2011-07-23 11:58:02.940    59.871 UDP     67.207.145.123:34468 ->    
66.150.203.80:113   ......    7.2 M  557.8 M     1    220    181
2011-07-23 11:59:02.948    59.940 UDP     67.207.144.116:44543 ->    
66.150.203.80:113   ......   11.2 M  876.6 M     1    220    181
2011-07-23 11:59:02.948    59.749 UDP     67.207.145.123:34468 ->    
66.150.203.80:113   ......    5.7 M  446.4 M     1    220    181
2011-07-23 12:00:02.921    54.373 UDP     67.207.144.116:44543 ->    
66.150.203.80:113   ......    9.9 M  775.4 M     1    220    181
2011-07-23 12:00:02.991    54.373 UDP     67.207.145.123:34468 ->    
66.150.203.80:113   ......    4.3 M  332.7 M     1    220    181

Regards

Yiming

On 07/27/2011 01:52 PM, Chris Jackman wrote:
> ----------- nsp-security Confidential --------
>
>
> Hello all.
>
> A friend at the GameShow Network asked me to ask
> if anyone saw anything against www.gsn.com
> on Saturday, July 23rd, 2011, between 12:50 pm and 13:00 Eastern Time.
>
> I'm told the target was www.gsn.com at 66.150.203.80 and packets were UDP
> port 113.
>
> I was sent this list of IPs:
>
>
> 194.204.42.237  : dsl42-237.uninet.ee.
> 85.25.135.160   : delta552.server4you.de.
> 67.207.144.116  : 67-207-144-116.slicehost.net.
> 174.129.2.77    : ec2-174-129-2-77.compute-1.amazonaws.com.
> 194.164.225.146 : alexander.paston.co.uk.
> 184.73.252.136  : viral-manager.com.
> 203.201.149.67  :
> 85.25.147.195   : hotel564.server4you.de.
> 67.207.145.123  : 67-207-145-123.slicehost.net.
> 184.73.154.140  : ec2-184-73-154-140.compute-1.amazonaws.com.
> 195.54.198.31   : mail.zdr.ru.
> 77.111.153.210  : ip-153-210-userpool.zeg.zelkanet.hu.
> 188.94.232.11   : mail2.kralovice.cz.
> 74.207.251.120  : li93-120.members.linode.com.
>
> I'm told they blocked 194.204.42.237 first and then the others
> faded away. They noticed some of those hosts answer port 22
> as Debian or Ubuntu.
>
> Thanks.
> -cj
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
>
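The flow records in Yiming's reply above are nfdump-style one-line records that the mail client wrapped after the "->" arrow, with large counters abbreviated ("7.1 M"). The script below is an added example, not part of the thread and not a tool either poster used: it re-joins the wrapped lines, parses the columns (the column layout and the meaning of the two trailing integers are assumptions, as is the 50 Mbps threshold), aggregates bytes and packets per source/destination conversation, and flags UDP flows whose sustained rate marks them as flood traffic rather than the short TCP/443 sessions to 81.169.181.251. The sample input is a constructed copy of four records from the reply.

```python
import re
from collections import defaultdict

# Constructed sample input: four of the wrapped nfdump-style records quoted in
# the reply above, copied as the mail client wrapped them (one record = two lines).
SAMPLE = """\
2011-07-23 11:50:41.653     0.000 TCP     67.207.145.123:51984 ->
81.169.181.251:443   .A....     1000    52000     1    220    181
2011-07-23 11:50:28.779    33.106 UDP     67.207.144.116:44543 ->
66.150.203.80:113   ......    7.1 M  555.8 M     1    220    181
2011-07-23 11:50:28.842    33.042 UDP     67.207.145.123:34468 ->
66.150.203.80:113   ......    3.9 M  307.5 M     1    220    181
2011-07-23 11:51:01.998    59.889 UDP     67.207.144.116:44543 ->
66.150.203.80:113   ......   12.1 M  942.5 M     1    220    181
"""

UNITS = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

# Column layout assumed here (nfdump "line" output plus a flags column):
#   date time duration proto src:port -> dst:port flags packets bytes flows ...
# The two trailing integers (220 181) are not interpreted.
RECORD = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<duration>[\d.]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<flags>\S+)\s+(?P<packets>[\d.]+(?: [KMG])?)\s+(?P<bytes>[\d.]+(?: [KMG])?)\s+"
    r"(?P<flows>\d+)"
)


def parse_count(token):
    """'7.1 M' -> 7100000, '1000' -> 1000 (nfdump abbreviates large counters)."""
    parts = token.split()
    value = float(parts[0])
    unit = parts[1] if len(parts) > 1 else ""
    return int(round(value * UNITS[unit]))


def join_wrapped(text):
    """Re-join records that the mail client split after the '->' arrow."""
    records, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending:
            records.append(pending + " " + line)
            pending = ""
        elif line.endswith("->"):
            pending = line
        else:
            records.append(line)
    return records


def parse_flows(text):
    """Parse every recognisable flow record into a dict with numeric counters."""
    flows = []
    for rec in join_wrapped(text):
        m = RECORD.match(rec)
        if not m:
            continue  # skip anything that is not a flow record
        d = m.groupdict()
        duration = float(d["duration"])
        nbytes = parse_count(d["bytes"])
        flows.append({
            "start": f'{d["date"]} {d["time"]}',
            "duration": duration,
            "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "flags": d["flags"],
            "packets": parse_count(d["packets"]),
            "bytes": nbytes,
            # a zero-duration (single-packet) flow has no meaningful rate
            "mbps": (nbytes * 8 / duration / 1e6) if duration > 0 else None,
        })
    return flows


def summarize(flows):
    """Aggregate bytes/packets per (src, dst, dport, proto) conversation."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0, "records": 0})
    for f in flows:
        t = totals[(f["src"], f["dst"], f["dport"], f["proto"])]
        t["bytes"] += f["bytes"]
        t["packets"] += f["packets"]
        t["records"] += 1
    return dict(totals)


def flag_floods(flows, mbps_threshold=50.0):
    """Return UDP flow records whose sustained rate exceeds the threshold (Mbps)."""
    return [f for f in flows
            if f["proto"] == "UDP" and f["mbps"] is not None
            and f["mbps"] > mbps_threshold]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for key, t in sorted(summarize(flows).items()):
        print(key, t)
    for f in flag_floods(flows):
        print(f'{f["start"]} {f["src"]} -> {f["dst"]}:{f["dport"]} {f["mbps"]:.1f} Mbps')
```

Run against the full record set from the reply, the per-conversation totals separate the two slicehost sources' UDP/113 traffic toward 66.150.203.80 from the handful of short TCP/443 records, and the rate check keys on sustained bytes per second rather than byte counts alone, so a long but slow transfer is not flagged while a 30-second burst of several hundred megabytes is.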