[nsp-sec] More on the Azerbaijani attack
Bill Woodcock
woody at pch.net
Mon Apr 23 15:16:17 EDT 2012
Begin forwarded message:
> From: first-team at cert.gov.az
> Date: April 22, 2012 2:15:18 PM PDT
> To: "Robert Waldner" <waldner at cert.at>, first-teams at first.org
> Subject: [1st-t] Attack info_2/Server Logs/IP addresses separated by Country
> Reply-To: first-team at cert.gov.az
>
> Sent from my BlackBerry® smartphone using Azercell Azerbaijan.
> From: "Mammadov Tural" <mammadov.t at dmx.gov.az>
> Date: Mon, 23 Apr 2012 01:47:56 +0500
> To: <first-rep at cert.gov.az>
> Cc: <first-team at cert.gov.az>
> Subject: Attack info_2/Server Logs/IP addresses separated by Country
>
> Dear Sirs,
> Analyzing the server log files, we determined that the attack came from 4 IP addresses. In the logs there was an X-Forwarded-For HTTP header with the IP addresses on which the bot machines were installed. The attack continued for 10-15 minutes. The duration of the attacks, the 4 main IP addresses, and the IP addresses in the X-Forwarded-For header show that the attack was planned as a demonstrative attack for a client of the DDoS attack. Also, the owner of the botnet tried to hide the real botnet machines using 4 proxy servers.
> PS. There is also a small possibility that the IP addresses shown in X-Forwarded-For are fake, since it is possible to create such a fake header. We also forecast that the main attack is planned for the 24th of April.
> PS. We have attached 2 files: 1. Server Logs 2. IP addresses separated by Country
>
> log_format:
>
> remote_addr - remote_user [time_local] "request" status body_bytes_sent
> "http_referer" "http_user_agent" "http_x_forwarded_for" "virtual_host"
> _______________________________________________
>
> *** FIRST restricted and confidential use mailing list. Do not Forward, Cc, Bcc, copy or summarize this email outside of the FIRST community without the express permission of the content owner(s). ***
>
> first-teams mailing list
> first-teams at lists.first.org
> _______________________________________________
-Bill
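
An added example, not part of the forwarded message or its attachments: a Python parser for the log_format quoted above that groups requests by `remote_addr` (the peer the server actually saw) and keeps the `http_x_forwarded_for` values separate as client-supplied claims, which is the distinction the PS about fake headers turns on. The sample lines are constructed with documentation address ranges, and the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Field order follows the log_format quoted in the forwarded message.
LINE_RE = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)" "(?P<virtual_host>[^"]*)"$'
)

def parse_xff(value):
    """Split an X-Forwarded-For value into (valid_ips, rejected_tokens)."""
    valid, rejected = [], []
    for token in (t.strip() for t in value.split(",")):
        if token in ("", "-"):
            continue
        try:
            valid.append(str(ipaddress.ip_address(token)))
        except ValueError:
            rejected.append(token)  # the header is client-supplied and may hold anything
    return valid, rejected

def summarize(lines):
    """Group requests by connecting peer; XFF entries are recorded as unverified claims."""
    peers = defaultdict(lambda: {"requests": 0, "claimed": set(), "rejected": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not follow the quoted log_format
        entry = peers[m["remote_addr"]]
        entry["requests"] += 1
        valid, rejected = parse_xff(m["http_x_forwarded_for"])
        entry["claimed"].update(valid)
        entry["rejected"].update(rejected)
    return dict(peers)

# Constructed sample lines (documentation address ranges), not the attached logs.
_T = '{} - - [22/Apr/2012:20:01:02 +0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "{}" "www.example.org"'
SAMPLE = [_T.format(peer, xff) for peer, xff in [
    ("192.0.2.10", "198.51.100.7"), ("192.0.2.10", "198.51.100.8, 203.0.113.5"),
    ("192.0.2.11", "unknown"), ("192.0.2.12", "-"),
]]

if __name__ == "__main__":
    for peer, info in summarize(SAMPLE).items():
        print(peer, info["requests"], sorted(info["claimed"]), sorted(info["rejected"]))
```

A small set of `remote_addr` peers each carrying many distinct claimed addresses matches the proxy pattern described in the message; the claimed addresses stay unverified unless the proxies themselves can be trusted to set the header.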