the attack continues..

Beavis pfunix at gmail.com
Sat Oct 18 14:52:26 CDT 2008


I'm hosting the company's site and we're not running any type of
promotions other than the ones that we have. This is a typical
scenario for sites that host this type of content to get attacked.

If only I can get through one of those IPs and get the program that's
running on them (bot), that will give me a clue where it goes.

Attacker IPs: these guys are just persistent; they are trying to hit
port 80 on a DNS box.

92.124.174.10
89.252.28.60
91.124.110.98
98.25.64.170
92.112.229.94
75.186.69.225
89.113.48.227
87.103.174.101
84.47.161.244
89.169.111.90
92.112.145.158
85.141.238.233
91.202.109.72
89.222.217.116
193.109.241.45
212.192.251.11
213.252.64.74
91.200.8.6
92.113.10.101
200.11.153.142
80.55.213.118
200.43.3.153


On Sat, Oct 18, 2008 at 12:59 PM, Jay Coley <j at jcoley.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Frank Bulk wrote:
>> The website is "http://www.betmania.com/" and when I try to connect to it I
>> get "Database Error: Unable to connect to the database:Could not connect to
>> MySQL".
>>
>> It's not unusual for betting sites to be DDoSed for ransom.
>
> Also competition (rival companies) based attacks are extremely common in
> the gambling/betting industry as well these days.
>
> Are you running any special promotions at the same time as your competition?
>
> - --J
>
>
>>
>> Frank
>>
>> -----Original Message-----
>> From: Jay Hennigan [mailto:jay at west.net]
>> Sent: Saturday, October 18, 2008 10:24 AM
>> To: NANOG list
>> Subject: Re: the attack continues..
>>
>> Beavis wrote:
>>> Hello Lists,
>>>
>>>     I'm still getting attacked and most of the IPs I got have been
>>> reported. And just this morning it looks as if someone is testing my
>>> network and sending out short TCP_SESSION requests. Now I may be
>>> paranoid, but these past few days have been hell. Just want to know if
>>> the folks from these IPs can help me out.
>>>
>>> Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start Time,Extra Info
>>> 205.188.116.7,47198,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156
>>> 205.188.117.134,45379,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>>> 205.188.117.137,42257,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>>> 75.105.128.38,4092,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>>>
>>> First 3 IPs come from AOL, I'll try to see if I can get their attention.
>>>
>>> Last IP is from a Wildblue Communications WBC-39.
>>
>> "Beavis", you're running a web server on 200.0.179.73, some sort of
>> gambling site.  Those who operate web servers generally expect traffic
>> to TCP port 80.  If you're not aware that you have a web server running,
>> then it is most likely your machine that is infected with a bot.
>>
>> --
>> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
>> Impulse Internet Service  -  http://www.impulse.net/
>> Your local telephone and internet company - 805 884-6323 - WB6RDV
>>
>>
>>
>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkj6MisACgkQETh+0NgvOtFHnwCfRYCU4VwNmQRXABtgem4wmWhX
> gD8AnRSxyfM67NJKGiYVn1MNYNQ5eaSO
> =J0JL
> -----END PGP SIGNATURE-----
>
>
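The IDS export quoted in the thread (Attacker IP, ports, attack type, start time and an "Extra Info" field carrying the dropped packet and byte counts) is easy to triage mechanically, and doing so makes Jay Hennigan's point concrete: three of the four entries dropped nothing, and all of them hit TCP port 80 on a host that serves a website. The following Python is an added example, not code from the thread or from any of the posters; the four sample records are the ones quoted above (the wrapped date/time rejoined into one field), and the function names `parse_log`, `summarize` and `triage` are my own.

```python
import csv
import io
import re
from collections import defaultdict

# Sample IDS export in the format quoted in the thread: a CSV header plus the
# four records from the post (constructed here for the example; the wrapped
# "Start Time" values are rejoined into a single "YYYY-MM-DD HH:MM:SS" field).
SAMPLE_LOG = """Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start Time,Extra Info
205.188.116.7,47198,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156
205.188.117.134,45379,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
205.188.117.137,42257,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
75.105.128.38,4092,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
"""

# The "Extra Info" column is free text; pull the two counters out of it.
EXTRA_RE = re.compile(r"Dropped packets:\s*(\d+)\s+Dropped bytes:\s*(\d+)")


def parse_log(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        m = EXTRA_RE.search(rec["Extra Info"])
        rows.append({
            "src": rec["Attacker IP"],
            "sport": int(rec["Attacker Port"]),
            "dst": rec["Victim IP"],
            "dport": int(rec["Victim Port"]),
            "type": rec["Attack Type"],
            "time": rec["Start Time"],
            "dropped_packets": int(m.group(1)) if m else 0,
            "dropped_bytes": int(m.group(2)) if m else 0,
        })
    return rows


def summarize(rows, served_ports=(80,)):
    """Per source IP: event count, total dropped packets, and whether every
    event targeted a port the host legitimately serves (80 for a web server)."""
    summary = defaultdict(
        lambda: {"events": 0, "dropped_packets": 0, "only_served_ports": True}
    )
    for r in rows:
        s = summary[r["src"]]
        s["events"] += 1
        s["dropped_packets"] += r["dropped_packets"]
        if r["dport"] not in served_ports:
            s["only_served_ports"] = False
    return dict(summary)


def triage(summary):
    """Sources that merit a closer look: anything that was actually dropped,
    or anything aimed at a port the host does not serve. Entries that dropped
    zero packets on a served port are ordinary client traffic to a web server."""
    return sorted(
        ip for ip, s in summary.items()
        if s["dropped_packets"] > 0 or not s["only_served_ports"]
    )


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for ip, s in sorted(summary.items()):
        print(f"{ip:16} events={s['events']} dropped={s['dropped_packets']} "
              f"served_ports_only={s['only_served_ports']}")
    print("worth a closer look:", triage(summary))
```

Run against the quoted records, only 205.188.116.7 (three dropped packets) surfaces in the triage list; the other three sources produced port-80 sessions with zero drops, which is exactly what a web server is expected to receive. Feeding the tool a real day's export, the useful signals are the per-source event counts and any traffic to ports the box does not serve, not the mere presence of a TCP_SESSION line.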
