[nsp-sec] DDoS towards 12.19.225.108

William Salusky william.salusky at teamaol.com
Tue Nov 1 16:52:31 EDT 2011


Also sketchy which appears to govern the tcp 444 stuff I mentioned in my
last message.



-> 95.211.110.135:8000

GET /stat?uptime=100&downlink=2222&uplink=2222&id=00172616&statpass=bpass&version=20111023&features=31&guid=8eb33e57-1a22-4289-9c10-c38a515b0dd1&comment=20111004&p=0&s= HTTP/1.0

HTTP/1.1 200 OK
Content-Length: 11

session:444




On 11/1/11 3:41 PM, William Salusky wrote:
> ----------- nsp-security Confidential --------
>
>
> I had one user session who appears to have been participating in the
> ddos for ~15 minutes but they went offline before I could take a look at
> traffic. Based on flow, it looks like the ddos is also hitting
> 193.23.181.38. With my 1:1000 netflow I see nothing else that helps to
> identify a controller. If the user comes back online, I can find it.
>
> itzod.ru. IN A 193.23.181.38
> pool.itzod.ru. IN A 193.23.181.38
> anatolymik.itzod.ru. IN A 193.23.181.38
> inf-it.ru. IN A 193.23.181.38
> brandopt.ru. IN A 193.23.181.38
> mail.brandopt.ru. IN A 193.23.181.38
> www.china-e-trade.ru. IN A 193.23.181.38
> trackservices.ws. IN A 193.23.181.38
> www.trackservices.ws. IN A 193.23.181.38
> secretsline.biz. IN A 193.23.181.38 <= Target ????
> o2epc.com. IN A 193.23.181.38
> lizmovies.com. IN A 193.23.181.38
> www.lizmovies.com. IN A 193.23.181.38
> mollygays.com. IN A 193.23.181.38
> www.mollygays.com. IN A 193.23.181.38
> tovarcash.com. IN A 193.23.181.38
> lightpornmovies.com. IN A 193.23.181.38
>
> W
>
> On 11/1/11 11:33 AM, Nicholas Ianelli wrote:
> > ----------- nsp-security Confidential --------
>
>
> > Update 1: looks like there is a lot of port 443/TCP hitting the site as
> > well. Waiting on some log files.
>
> > On 11/01/2011 03:25 PM, Nicholas Ianelli wrote:
> >> ----------- nsp-security Confidential --------
>
> >> Folks,
>
> >> I've been given permission to share this with you. Currently a DDoS
> >> attack is ongoing targeting 12.19.225.108. This is a financially
> >> motivated attack, similar to what was seen October 21/22.
>
> >> At that time the C2s directing the attack were:
>
> >> s0r.ru
> >> 193.105.240.212
>
> >> Both of these were Dirt Jumper based botnets.
>
> >> While I'm still gathering information, I'm asking for assistance in
> >> tracking down IPs sending large amounts of packets to 12.19.225.108
> >> (it's believed to be port 80/TCP based).
>
> >> I'm trying to find the C2, but if you can squash contributors, that
> >> would be awesome.
>
> >> Thanks!
> >> Nick
>
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
>
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective Internet security
> > counter-measures.
> > _______________________________________________
>
>
>
>
>
>
>


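As an added example (not part of the thread), the check-in above can be turned into a detection rule over proxy logs: assuming the /stat query parameters seen in that one request are characteristic of this bot's beacon, the Python below flags such requests and pulls out the port the controller hands back in its session: reply. The log format and the second and third records are constructed; only the first record is the exchange quoted in the message.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameter names taken from the single check-in quoted in the thread.
# Assumption: a /stat request carrying most of them is this bot's beacon.
BEACON_PARAMS = {"uptime", "downlink", "uplink", "id", "statpass", "version", "guid"}
MIN_MATCH = 5

# Constructed proxy log, one record per line:
#   client  dst_host:port  method  path  response_body
# Record 1 is the check-in from the thread; records 2 and 3 are made up.
SAMPLE_LOG = """\
10.0.0.7 95.211.110.135:8000 GET /stat?uptime=100&downlink=2222&uplink=2222&id=00172616&statpass=bpass&version=20111023&features=31&guid=8eb33e57-1a22-4289-9c10-c38a515b0dd1&comment=20111004&p=0&s= session:444
10.0.0.9 192.0.2.10:80 GET /stat?page=1 ok
10.0.0.7 95.211.110.135:8000 GET /stat?uptime=160&downlink=2222&uplink=2222&id=00172616&statpass=bpass&version=20111023&guid=8eb33e57-1a22-4289-9c10-c38a515b0dd1 session:80
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S*)$")
SESSION_RE = re.compile(r"^session:(\d{1,5})$")


def classify(line):
    """Return beacon details for a matching record, or None if it is benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, dst, method, path, body = m.groups()
    url = urlsplit(path)
    if method != "GET" or url.path != "/stat":
        return None
    qs = parse_qs(url.query, keep_blank_values=True)
    hits = set(qs) & BEACON_PARAMS
    if len(hits) < MIN_MATCH:
        return None
    sess = SESSION_RE.match(body)  # "session:444" -> port 444 handed to the bot
    return {
        "client": client,
        "c2": dst,
        "bot_id": qs.get("id", [""])[0],
        "guid": qs.get("guid", [""])[0],
        "matched": sorted(hits),
        "session_port": int(sess.group(1)) if sess else None,
    }


def scan(log_text):
    """Run classify() over every log record and keep the hits."""
    return [r for r in map(classify, log_text.splitlines()) if r]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Correlating the session port against the destination port of the client's outbound traffic (tcp 444 in the earlier message) is what ties a flagged beacon to a DDoS participant rather than to an unrelated /stat endpoint.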