[nsp-sec] DDoS towards 12.19.225.108
William Salusky
william.salusky at teamaol.com
Tue Nov 1 17:07:29 EDT 2011
Ignore everything else I sent, this is a no brainer now. duh.

Controller at 31.11.43.31:80

POST /fuckk/index.php HTTP/1.0
Host: iejaor.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
Content-Type: application/x-www-form-urlencoded
Content-Length: 17

k=924814628987678

HTTP/1.1 200 OK
Date: Tue, 01 Nov 2011 18:54:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 182
Connection: close
Content-Type: text/html; charset=cp1251
Content-Language: ru

01|999|300https://secretsline.biz/en/register/?a=()()()!2000
http://secretsline.biz/en/register/?a=()()()!2000
https://webinfoplus.mandtbank.com/
http://webinfoplus.mandtbank.com/

On 11/1/11 4:54 PM, Jose Nazario wrote:
> On Nov 1, 2011, at 4:47 PM, William Salusky wrote:
>
>> Also suspicious is connectivity to 95.211.110.135:444
> we have 13 samples that match that IP:port all tagged "buzy". we have not seen it ddos and have not seen obvious signs of ddos in those samples yet.
>
> _____________________________
> jose nazario, ph.d. jose at arbor.net
> sr. manager of security research, arbor networks
> blog: http://asert.arbor.net/
> twitter: @arbornetworks
>