[nsp-sec] DDOS towards 195.245.201.10
David Freedman
david.freedman at uk.clara.net
Wed Oct 24 14:04:12 EDT 2012
All,
I'd like to follow up and say that we are still receiving
this traffic, since this post on 07/09.
The request headers are as follows:
Hypertext Transfer Protocol
POST /?ptrxcz_cyIatBSk3LdwEVo7PgyGYrBUqHbwFZ HTTP/1.1\r\n
[Expert Info (Chat/Sequence): POST
/?ptrxcz_cyIatBSk3LdwEVo7PgyGYrBUqHbwFZ HTTP/1.1\r\n]
[Message: POST /?ptrxcz_cyIatBSk3LdwEVo7PgyGYrBUqHbwFZ
HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: POST
Request URI: /?ptrxcz_cyIatBSk3LdwEVo7PgyGYrBUqHbwFZ
Request Version: HTTP/1.1
Accept: */*\r\n
Accept-Language: en-us\r\n
Content-Type: application/octet-stream\r\n
Content-Length: 246\r\n
[Content length: 246]
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n
Host: claranet.fr\r\n
Connection: Keep-Alive\r\n
Cache-Control: no-cache\r\n
\r\n
Media Type
Media Type: application/octet-stream (246 bytes)
The only thing that changes here is the POST URI,
which always consists of the string "ptrxcz_" followed
by 30 characters.
This URL (http://doc.emergingthreats.net/bin/view/Main/2015807)
appears to indicate that the traffic is related to a checkin
from the trojan Backdoor.Win32.Pushdo.s, which I'm assuming
is the agent of the Pushdo botnet.
I have a list of 2852 hosts (attached) which are still
generating this traffic, I'd appreciate any insight
about its nature or assistance removing it.
Regards,
David Freedman
Claranet
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ddos-fr.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20121024/85b62876/attachment-0001.txt>
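The request shape described in the post (POST to "/?ptrxcz_" plus 30 characters, body sent as application/octet-stream) written as a small detector. This is an added example, not code from the post or from Claranet: it parses raw HTTP requests and reports the ones matching that pattern. Assumptions: the 30-character token is treated as alphanumeric (the post only gives one sample, which happens to be), the source addresses are placeholders rather than entries from the attached host list, and the 246-byte body is filler, since the real payload is opaque.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Signature from the post: POST to "/?ptrxcz_" + 30 characters with an
# application/octet-stream body. Restricting the token to [A-Za-z0-9] is an
# assumption based on the single captured sample, not something the post states.
PUSHDO_URI_RE = re.compile(r"^/\?ptrxcz_([A-Za-z0-9]{30})$")


@dataclass
class HttpRequest:
    method: str
    uri: str
    version: str
    headers: Dict[str, str]  # header names lower-cased
    body: bytes


def parse_request(raw: bytes) -> Optional[HttpRequest]:
    """Parse one raw HTTP/1.x request (request line, headers, body).

    Returns None for anything that is not a well-formed request so that a
    malformed packet cannot raise inside a detection loop.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return None
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(request_line[0], request_line[1], request_line[2], headers, body)


def pushdo_token(req: HttpRequest) -> Optional[str]:
    """Return the 30-character token if the request matches the described
    checkin, otherwise None.

    The URI pattern is the distinctive part; the header checks only reject
    requests that differ from the capture in shape (no binary body, or a body
    whose length disagrees with Content-Length).
    """
    if req.method != "POST":
        return None
    m = PUSHDO_URI_RE.match(req.uri)
    if not m:
        return None
    if req.headers.get("content-type") != "application/octet-stream":
        return None
    try:
        declared = int(req.headers["content-length"])
    except (KeyError, ValueError):
        return None
    if declared <= 0 or declared != len(req.body):
        return None
    return m.group(1)


def scan(samples: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Run the detector over (source_ip, raw_request) pairs; return the hits."""
    hits = []
    for src, raw in samples:
        req = parse_request(raw)
        if req is None:
            continue
        token = pushdo_token(req)
        if token is not None:
            hits.append((src, token))
    return hits


def _request(method: str, uri: str, body: bytes,
             ctype: str = "application/octet-stream") -> bytes:
    """Build a constructed request with the same headers as the capture in the post."""
    return (
        f"{method} {uri} HTTP/1.1\r\n"
        "Accept: */*\r\n"
        "Accept-Language: en-us\r\n"
        f"Content-Type: {ctype}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
        "Host: claranet.fr\r\n"
        "Connection: Keep-Alive\r\n"
        "Cache-Control: no-cache\r\n"
        "\r\n"
    ).encode("latin-1") + body


# Constructed samples: placeholder source addresses (RFC 5737 range, not from the
# attached list) and a 246-byte filler body standing in for the opaque payload.
SAMPLES = [
    ("192.0.2.10", _request("POST", "/?ptrxcz_cyIatBSk3LdwEVo7PgyGYrBUqHbwFZ", b"\x00" * 246)),
    ("192.0.2.11", _request("POST", "/?ptrxcz_" + "A" * 29, b"\x00" * 246)),  # token too short
    ("192.0.2.12", _request("GET", "/?ptrxcz_cyIatBSk3LdwEVo7PgyGYrBUqHbwFZ", b"")),  # wrong method
    ("192.0.2.13", _request("POST", "/login", b"user=a&pass=b", "application/x-www-form-urlencoded")),
    ("192.0.2.14", b"garbage that is not http"),
]

if __name__ == "__main__":
    for src, token in scan(SAMPLES):
        print(f"{src}\tptrxcz_{token}")
```

Only the first sample is reported; the others differ in token length, method, or content type, or are not HTTP at all. The same URI regex, minus the anchors, is what one would put into an IDS rule keyed on the HTTP request line.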