[nsp-sec] DDoS towards 12.19.225.108
Nicholas Ianelli
ni at allyourinfoarebelongto.us
Tue Nov 1 16:59:11 EDT 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Through help from a few parties on this list, we found at least one
botnet involved in this attack. It's another Dirt Jumper sample, and I
would love to get my hands on a copy of the malware if possible.
The details are:
POST /fuckk/index.php HTTP/1.0
Host: iejaor.com <--- 31.11.43.31 (Romania)
Keep-Alive: 300
Content-Length: 17
k=<removed>
Domain Name: IEJAOR.COM
Registrar: BIZCN.COM, INC.
***Note: The POST data uses a different HTTP version, so be sure to
reflect that in your monitoring scripts.
Would love to get this added to the DDoSRS as well.
Cheers,
Nick
On 11/01/2011 08:54 PM, Jose Nazario wrote:
> ----------- nsp-security Confidential --------
>
> On Nov 1, 2011, at 4:47 PM, William Salusky wrote:
>
>> Also suspicious is connectivity to 95.211.110.135:444
>
> we have 13 samples that match that IP:port all tagged "buzy". we have not seen it ddos and have not seen obvious signs of ddos in those samples yet.
>
> _____________________________
> jose nazario, ph.d. jose at arbor.net
> sr. manager of security research, arbor networks
> blog: http://asert.arbor.net/
> twitter: @arbornetworks
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk6wXZsACgkQi10dJIBjZICBpwCgk5G/RgVjt0o7ortWCnDoWI9x
rZIAn0RT2pG30ESnjg60MEYUDWETS59O
=THX1
-----END PGP SIGNATURE-----
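Added example (written for this archive page, not Nick's script, not part of the DDoSRS, and not from the list post): a small Python matcher that flags the Dirt Jumper check-in described above and shows why the HTTP/1.0 caveat matters. It uses only the indicators quoted in the post (POST to /fuckk/index.php, Host iejaor.com at 31.11.43.31, a 17-byte body of the form k=<value>, an HTTP/1.0 request line). The sample requests, the placeholder key value (the real one was removed from the post), and the destination IP 192.0.2.1 used for the benign traffic are constructed for this example; `naive_rule` is a hypothetical rule that hard-codes HTTP/1.1, the mistake the note warns about.

```python
import re
from dataclasses import dataclass, field

# Indicators quoted in the list post.
C2_PATH = "/fuckk/index.php"
C2_HOST = "iejaor.com"
C2_IP = "31.11.43.31"
C2_BODY_LEN = 17

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<version>\d\.\d)$")
BODY_PATTERN = re.compile(rb"^k=[^&\r\n]+$")


@dataclass
class Verdict:
    match: bool
    reasons: list = field(default_factory=list)


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, version, headers, body).

    Returns None when the first line is not an HTTP request line, so
    non-HTTP traffic on the port is reported rather than crashing the script."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m.group("method"), m.group("path"), m.group("version"), headers, body


def naive_rule(raw: bytes) -> bool:
    """Hypothetical rule of the kind the post warns about: it hard-codes
    HTTP/1.1 in the request line, so the HTTP/1.0 beacon slips past it."""
    return raw.startswith(b"POST /fuckk/index.php HTTP/1.1\r\n")


def classify(raw: bytes, dst_ip: str) -> Verdict:
    """Version-agnostic matcher built from the post's indicators."""
    parsed = parse_request(raw)
    if parsed is None:
        return Verdict(False, ["not an HTTP request"])
    method, path, version, headers, body = parsed
    reasons = []
    if method == "POST" and path == C2_PATH:
        reasons.append("c2-path")
    if headers.get("host", "").lower() == C2_HOST:
        reasons.append("c2-host")
    if dst_ip == C2_IP:
        reasons.append("c2-ip")
    if BODY_PATTERN.match(body):
        reasons.append("k-body")
    # The post's sample declares Content-Length: 17; check the declared and
    # actual body lengths agree with that before treating it as evidence.
    try:
        declared = int(headers.get("content-length", ""))
    except ValueError:
        declared = None
    if declared == len(body) == C2_BODY_LEN:
        reasons.append("len-17")
    # Record the version for the analyst, but never require it to be 1.1.
    reasons.append(f"http/{version}")
    match = "c2-path" in reasons and (
        "c2-host" in reasons or "c2-ip" in reasons or "k-body" in reasons
    )
    return Verdict(match, reasons)


# Constructed sample traffic (not captures from the post). The key value is a
# 15-byte placeholder so that Content-Length stays at the post's 17 bytes.
BEACON = (b"POST /fuckk/index.php HTTP/1.0\r\n"
          b"Host: iejaor.com\r\n"
          b"Keep-Alive: 300\r\n"
          b"Content-Length: 17\r\n"
          b"\r\n"
          b"k=PLACEHOLDER0123")
BENIGN = b"GET /index.php HTTP/1.1\r\nHost: example.com\r\n\r\n"
OTHER_POST = (b"POST /login HTTP/1.1\r\nHost: example.com\r\n"
              b"Content-Length: 5\r\n\r\na=b&c")


def run_samples() -> dict:
    """Run both rules over the samples; returns {name: (naive_hit, verdict)}."""
    samples = {
        "beacon": (BEACON, C2_IP),
        "benign": (BENIGN, "192.0.2.1"),
        "other_post": (OTHER_POST, "192.0.2.1"),
    }
    return {name: (naive_rule(raw), classify(raw, ip)) for name, (raw, ip) in samples.items()}


if __name__ == "__main__":
    for name, (naive_hit, verdict) in run_samples().items():
        print(f"{name:11s} naive={naive_hit!s:5s} match={verdict.match!s:5s} {verdict.reasons}")
```

Running it shows the beacon missed by `naive_rule` but caught by `classify`, which is the whole point of the note: anchor on method, path, host/IP and body shape, and let the HTTP version be whatever the bot sends.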