[nsp-sec] DDoS towards 12.19.225.108

William Salusky william.salusky at teamaol.com
Tue Nov 1 16:59:26 EDT 2011


Here's a little more that makes my spidey senses tingle.


POST / HTTP/1.1
Authorization: Basic [REDACTED]
Content-Length: 43
User-Agent: Ufasoft ping.exe/6.1.7600.16385 (Windows NT 7 6.1.7600) 
Host: revalati0n-startup.com:8344
Cache-Control: no-cache

{"method": "getwork", "params": [], "id":0}

HTTP/1.1 200 ok
Server: nginx/1.1.4
Date: Tue, 01 Nov 2011 19:52:38 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
X-Long-Polling: /LP
X-Roll-NTime: Y

[REDACTED]
On 11/1/11 4:54 PM, Jose Nazario wrote:
> On Nov 1, 2011, at 4:47 PM, William Salusky wrote:
>
>> Also suspicious is connectivity to 95.211.110.135:444
> we have 13 samples that match that IP:port all tagged "buzy". we have not seen it ddos and have not seen obvious signs of ddos in those samples yet.
>
> _____________________________
> jose nazario, ph.d. jose at arbor.net
> sr. manager of security research, arbor networks
> blog:    http://asert.arbor.net/
> twitter: @arbornetworks
>
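Added example, not part of the thread or of either author's code: a small Python check that turns the indicators visible in the capture above into something an analyst can run over captured HTTP request/response text. It looks for the `getwork` JSON-RPC call in a POST body, a miner-style User-Agent (the Ufasoft string from the capture), a non-standard port in the Host header, and the `X-Long-Polling` / `X-Roll-NTime` headers a getwork pool server returns. The sample traffic is constructed here, modelled on the capture; the benign hostnames and the list of flagged RPC methods are assumptions, not data from the thread.

```python
import json
import re

# Constructed sample traffic, modelled on the capture quoted in the thread.
# Each entry is one raw HTTP request: status/request line, headers, blank line, body.
SAMPLE_REQUESTS = [
    "POST / HTTP/1.1\r\n"
    "Authorization: Basic UkVEQUNURUQ=\r\n"
    "Content-Length: 43\r\n"
    "User-Agent: Ufasoft ping.exe/6.1.7600.16385 (Windows NT 7 6.1.7600)\r\n"
    "Host: revalati0n-startup.com:8344\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    '{"method": "getwork", "params": [], "id":0}',
    # Benign: an ordinary page fetch (hostname is an assumption).
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: example.org\r\n"
    "\r\n",
    # Benign: JSON-RPC that is not a mining call (hostname is an assumption).
    "POST /rpc HTTP/1.1\r\n"
    "User-Agent: curl/7.19\r\n"
    "Host: internal.example\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"method": "ping", "params": [], "id": 1}',
]

# Constructed sample response, modelled on the pool's reply in the capture.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 ok\r\n"
    "Server: nginx/1.1.4\r\n"
    "Content-Type: application/json\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Connection: close\r\n"
    "X-Long-Polling: /LP\r\n"
    "X-Roll-NTime: Y\r\n"
    "\r\n"
    "[REDACTED]"
)

# JSON-RPC methods treated as pool-mining calls (assumed list; extend as needed).
MINING_METHODS = {"getwork"}
# User-Agent substrings treated as miner software (the one seen in the capture).
MINER_UA = re.compile(r"\bufasoft\b", re.I)
# Response headers that a getwork pool server emits (seen in the capture).
POOL_RESPONSE_HEADERS = ("x-long-polling", "x-roll-ntime")


def parse_http_request(raw):
    """Split a raw HTTP request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def mining_indicators(req):
    """Return the reasons a parsed request looks like pool-mining traffic (empty if none)."""
    reasons = []
    ua = req["headers"].get("user-agent", "")
    if MINER_UA.search(ua):
        reasons.append("miner user-agent: %s" % ua)
    host = req["headers"].get("host", "")
    if ":" in host and host.rsplit(":", 1)[1] not in ("80", "443"):
        reasons.append("non-standard port in Host: %s" % host)
    if req["method"] == "POST":
        try:
            rpc = json.loads(req["body"])
        except ValueError:
            rpc = None
        if isinstance(rpc, dict) and rpc.get("method") in MINING_METHODS:
            reasons.append("JSON-RPC mining method: %s" % rpc["method"])
    return reasons


def pool_response_indicators(raw_response):
    """Return the pool-specific header names present in a raw HTTP response."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n")[1:]:
        name = line.split(":", 1)[0].strip().lower()
        if name in POOL_RESPONSE_HEADERS:
            found.append(name)
    return found


def flag_requests(raw_requests):
    """Return {index: reasons} for every request with at least one indicator."""
    flagged = {}
    for i, raw in enumerate(raw_requests):
        reasons = mining_indicators(parse_http_request(raw))
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    for idx, reasons in flag_requests(SAMPLE_REQUESTS).items():
        print("request %d flagged:" % idx)
        for r in reasons:
            print("  -", r)
    print("pool headers in response:", pool_response_indicators(SAMPLE_RESPONSE))
```

Each indicator on its own is weak (a non-standard port or a JSON-RPC POST is common), so the check reports all matching reasons rather than a single verdict; the first sample trips all three, the two benign samples trip none.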