[nsp-sec] DDoS towards 12.19.225.108

William Salusky william.salusky at teamaol.com
Tue Nov 1 16:47:54 EDT 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I see one particularly suspicious client request / server response
associated with a ddos agent infected dial user.

Some obvious base64 encoded stuff in the client request.  Not sure what
is encoded into the server response.

GET /xgi-bin/q.php?c=e0I3NTMxRjc2LUZBNUYtNDdGMi04NTE3LTVDRDBBRTlEMkQwQ30=&v=MTExMDI0&t=VGFza0lEPTB8SXNDbGljaz0wfFN0YXR1cz0w HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; ; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; AskTbAVR-W1/5.12.2.17367)
Host: bfor1.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Tue, 01 Nov 2011 19:52:40 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 25
Content-Type: text/html

19631813|xJxzN/nnWnk=

Also suspicious is connectivity to 95.211.110.135:444


W

On 11/1/11 3:41 PM, William Salusky wrote:
> ----------- nsp-security Confidential --------
>
>
> I had one user session who appears to have been participating in the
> ddos for ~15 minutes but they went offline before I could take a look at
> traffic. Based on flow, it looks like the ddos is also hitting
> 193.23.181.38. With my 1:1000 netflow I see nothing else that helps to
> identify a controller. If the user comes back online, I can find it.
>
> itzod.ru. IN A 193.23.181.38
> pool.itzod.ru. IN A 193.23.181.38
> anatolymik.itzod.ru. IN A 193.23.181.38
> inf-it.ru. IN A 193.23.181.38
> brandopt.ru. IN A 193.23.181.38
> mail.brandopt.ru. IN A 193.23.181.38
> www.china-e-trade.ru. IN A 193.23.181.38
> trackservices.ws. IN A 193.23.181.38
> www.trackservices.ws. IN A 193.23.181.38
> secretsline.biz. IN A 193.23.181.38 <= Target ????
> o2epc.com. IN A 193.23.181.38
> lizmovies.com. IN A 193.23.181.38
> www.lizmovies.com. IN A 193.23.181.38
> mollygays.com. IN A 193.23.181.38
> www.mollygays.com. IN A 193.23.181.38
> tovarcash.com. IN A 193.23.181.38
> lightpornmovies.com. IN A 193.23.181.38
>
> W
>
> On 11/1/11 11:33 AM, Nicholas Ianelli wrote:
> > ----------- nsp-security Confidential --------
>
>
> > Update 1: looks like there is a lot of port 443/TCP hitting the site as
> > well. Waiting on some log files.
>
> > On 11/01/2011 03:25 PM, Nicholas Ianelli wrote:
> >> ----------- nsp-security Confidential --------
>
> >> Folks,
>
> >> I've been given permission to share this with you. Currently a DDoS
> >> attack is ongoing targeting 12.19.225.108. This is a financially
> >> motivated attack, similar to what was seen October 21/22.
>
> >> At that time the C2s directing the attack were:
>
> >> s0r.ru
> >> 193.105.240.212
>
> >> Both of these were Dirt Jumper based botnets.
>
> >> While I'm still gathering information, I'm asking for assistance in
> >> tracking down IPs sending large amounts of packets to 12.19.225.108
> >> (it's believed to be port 80/TCP based).
>
> >> I'm trying to find the C2, but if you can squash contributors, that
> >> would be awesome.
>
> >> Thanks!
> >> Nick
>
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
>
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective Internet security
> > counter-measures.
> > _______________________________________________
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)

iEYEARECAAYFAk6wWvoACgkQXyx2ON3+G42Q9wCdGwicQVUcHI06VYtUz1ATAm/4
kiEAoLIc37x7f4Uo4pro9ZtdH2MyIZ65
=FcLu
-----END PGP SIGNATURE-----
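The base64 values in the captured check-in request can be decoded offline. The Python below is an added example, not code from the post or from anyone on the thread; it embeds the request line and response body quoted above as constructed input, decodes the three query parameters, and adds a small heuristic a defender could run over proxy logs to flag requests of the same shape. Reading the fields as a GUID-style bot id, a version number and a task status is my interpretation of the decoded text, not something the post states; GUID_RE and the function names are mine.

```python
import base64
import re

# Constructed from the request line and response body captured in the post
# above; the mailer wrapped the request line, on the wire it is one line.
REQUEST_LINE = ("GET /xgi-bin/q.php?c=e0I3NTMxRjc2LUZBNUYtNDdGMi04NTE3LTVDRDBBRTlEMkQwQ30="
                "&v=MTExMDI0&t=VGFza0lEPTB8SXNDbGljaz0wfFN0YXR1cz0w HTTP/1.1")
RESPONSE_BODY = "19631813|xJxzN/nnWnk="
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")


def decode_b64_param(value: str) -> str:
    """Base64-decode one query value; non-ASCII payloads come back as hex."""
    padded = value + "=" * (-len(value) % 4)   # tolerate stripped '=' padding
    raw = base64.b64decode(padded, validate=True)
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return raw.hex()


def decode_checkin(request_line: str):
    """Split 'GET <path>?<query> HTTP/1.1' and decode every query value."""
    _method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):        # no urllib: a '+' in base64 must survive
        key, _, value = pair.partition("=")
        params[key] = decode_b64_param(value)
    return path, params


def split_task_field(t: str) -> dict:
    """'TaskID=0|IsClick=0|Status=0' -> {'TaskID': '0', 'IsClick': '0', 'Status': '0'}."""
    return dict(part.split("=", 1) for part in t.split("|"))


def looks_like_checkin(params: dict) -> bool:
    """Detection heuristic: GUID-shaped id, numeric version, pipe-delimited task status."""
    return (GUID_RE.match(params.get("c", "")) is not None
            and params.get("v", "").isdigit()
            and "TaskID=" in params.get("t", ""))


def decode_response(body: str):
    """Body is '<decimal>|<base64>'; the second field is returned as raw bytes."""
    num, b64 = body.strip().split("|", 1)
    return num, base64.b64decode(b64)
```

The decoded response field is eight bytes that are not printable text; the example leaves them as raw bytes rather than guessing at their meaning, as the post itself does.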