[nsp-sec] DDOS Fun

Nick Ianelli ni at allyourinfoarebelongto.us
Wed Sep 19 12:28:14 EDT 2012



There is overlap in the IP addresses between attacks occurring recently.

What we have found when examining other web servers that have
participated in the attack are the following files:

stcp.php
stph.php
indx.php
classtyle.php
classtyle2.php

The control infrastructure works as follows:

Tier 2 controller sends POST command to Tier 1 (compromised web
servers) - generally the POST goes to indx.php

indx.php uses curl to send command to itself (stph.php or stcp.php)
script, which then commences the DDoS attack.

*** PLEASE PLEASE PLEASE look in your logs for traffic to "indx.php",
that will point to the Tier 2, the real IP of interest. ***

Decrypted commands look like:

<target ip>[#]<port>[#]<size>[#]<duration>[#]<protocol tcp/udp>


Now, the above code is what we've been able to ID as sending the
packets with all the "A"s, not sure what's doing the SYN flood yet.

Nick



On 09/19/2012 03:25 PM, King, Link wrote:
> ----------- nsp-security Confidential --------
> 
> 
> 
> Hi folks.
> 
> We have one of the current targets of the ongoing financial
> services targets.  Target IPs:
> 
> 156.154.64.70 156.154.65.70 156.154.66.70 156.154.67.70 
> 156.154.68.70 156.154.69.70
> 
> 
> Attached are the current heavy hitters.  The signature is TCP SYN
> (port 53) and UDP/53 with AAAAAA's stuffed in the packet (large UDP
> packets). These are authoritative nameservers so don't kill all
> TCP/UDP 53 traffic but if possible please deal with the sources.
> 
> I'll update as sources/attack changes.  Thanks!
> 
> _______________________________________________ nsp-security
> mailing list nsp-security at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security community. Confidentiality is essential for effective
> Internet security counter-measures. 
> _______________________________________________
> 

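Nick's request to search web-server logs for hits on indx.php, as an added example that is not part of this thread: a Python script that tallies the external clients POSTing to indx.php (the tier-2 candidates) separately from the localhost self-calls to stph.php/stcp.php, and splits a decrypted command into its [#]-delimited fields so it can be passed to the target network. The sample log lines and addresses are constructed, and the combined log format and the script paths are assumptions.

```python
import re
from collections import Counter

# Scripts named in the report: indx.php receives the tier-2 POST; it then
# curls stph.php / stcp.php on the same host, so those hits come from localhost.
ENTRY_SCRIPT = "indx.php"
WORKER_SCRIPTS = ("stph.php", "stcp.php")

# Apache/nginx "combined" access-log format (assumed): client IP, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

def find_controller_candidates(log_lines):
    """Return ({client_ip: POSTs to indx.php}, {worker script: hits}). External clients
    POSTing to indx.php are the tier-2 candidates the report asks operators to look for;
    worker-script hits from 127.0.0.1 confirm the curl self-call described above."""
    controllers, workers = Counter(), Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        name = m.group("path").split("?", 1)[0].rsplit("/", 1)[-1]
        if m.group("method") == "POST" and name == ENTRY_SCRIPT:
            controllers[m.group("ip")] += 1
        elif name in WORKER_SCRIPTS:
            workers[name] += 1
    return dict(controllers), dict(workers)

def parse_command(cmd):
    """Split a decrypted '<ip>[#]<port>[#]<size>[#]<duration>[#]<tcp/udp>' command into
    a dict for reporting to the target network; malformed input raises ValueError."""
    fields = cmd.split("[#]")
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {cmd!r}")
    target, port, size, duration, proto = fields
    if proto.lower() not in ("tcp", "udp"):
        raise ValueError(f"unknown protocol {proto!r}")
    return {"target": target, "port": int(port), "size": int(size),
            "duration": int(duration), "proto": proto.lower()}

# Constructed sample log lines (not from the report); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.9 - - [19/Sep/2012:14:02:11 -0400] "POST /wp-content/indx.php HTTP/1.1" 200 12 "-" "curl/7.19"',
    '127.0.0.1 - - [19/Sep/2012:14:02:11 -0400] "POST /wp-content/stph.php HTTP/1.1" 200 0 "-" "curl/7.19"',
    '198.51.100.4 - - [19/Sep/2012:14:03:40 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Sep/2012:14:07:55 -0400] "POST /wp-content/indx.php HTTP/1.1" 200 12 "-" "curl/7.19"',
    '127.0.0.1 - - [19/Sep/2012:14:07:55 -0400] "POST /wp-content/stcp.php HTTP/1.1" 200 0 "-" "curl/7.19"',
]
```

Running `find_controller_candidates(SAMPLE_LOG)` on the constructed lines returns `{'203.0.113.9': 2}` for the tier-2 candidates and `{'stph.php': 1, 'stcp.php': 1}` for the self-calls.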
