the attack continues..

Beavis pfunix at gmail.com
Sat Oct 18 14:58:57 CDT 2008


overall .. sorry list for putting out such a noise.

-John

On Sat, Oct 18, 2008 at 1:52 PM, Beavis <pfunix at gmail.com> wrote:
> I'm hosting the company's site and we're not running any type of
> promotions other than the ones that we have. this is a typical
> scenario for sites that host these type of content to get attacked.
>
> If only i can get through one of those IP's and get the program that's
> running on them (bot) that will give me a clue where it goes.
>
> Attacker IP's these guys are just persistent they are trying to hit
> port 80 on a dns box.
>
> 92.124.174.10
> 89.252.28.60
> 91.124.110.98
> 98.25.64.170
> 92.112.229.94
> 75.186.69.225
> 89.113.48.227
> 87.103.174.101
> 84.47.161.244
> 89.169.111.90
> 92.112.145.158
> 85.141.238.233
> 91.202.109.72
> 89.222.217.116
> 193.109.241.45
> 212.192.251.11
> 213.252.64.74
> 91.200.8.6
> 92.113.10.101
> 200.11.153.142
> 80.55.213.118
> 200.43.3.153
>
>
> On Sat, Oct 18, 2008 at 12:59 PM, Jay Coley <j at jcoley.net> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Frank Bulk wrote:
>>> The website is "http://www.betmania.com/" and when I try to connect to it I
>>> get "Database Error: Unable to connect to the database:Could not connect to
>>> MySQL".
>>>
>>> It's not unusual for betting sites to be DDoSed for ransom.
>>
>> Also competition (rival companies) based attacks are extremely common in
>> the gambling/betting industry as well these days.
>>
>> Are you running any special promotions at the same time as your competition?
>>
>> - --J
>>
>>
>>>
>>> Frank
>>>
>>> -----Original Message-----
>>> From: Jay Hennigan [mailto:jay at west.net]
>>> Sent: Saturday, October 18, 2008 10:24 AM
>>> To: NANOG list
>>> Subject: Re: the attack continues..
>>>
>>> Beavis wrote:
>>>> Hello Lists,
>>>>
>>>>     I'm still getting attacked and most of the IP's i got have been
>>>> reported. and just this morning it looks as if someone is testing my
>>>> network. and sending out short TCP_SESSION requests. now i may be
>>>> paranoid but this past few days have been hell.. just want to know if
>>>> the folks from these ip's can help me out.
>>>>
>>>> Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start
>>>> Time,Extra Info
>>>> 205.188.116.7,47198,200.0.179.73,80,TCP_SESSION,2008-10-18
>>>> 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156
>>>> 205.188.117.134,45379,200.0.179.73,80,TCP_SESSION,2008-10-18
>>>> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>>>> 205.188.117.137,42257,200.0.179.73,80,TCP_SESSION,2008-10-18
>>>> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>>>> 75.105.128.38,4092,200.0.179.73,80,TCP_SESSION,2008-10-18
>>>> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>>>>
>>>> First 3 IP's come from AOL, I'll try to see if I can get their attention.
>>>>
>>>> Last IP is from a Wildblue Communications WBC-39.
>>>
>>> "Beavis", you're running a web server on 200.0.179.73, some sort of
>>> gambling site.  Those who operate web servers generally expect traffic
>>> to TCP port 80.  If you're not aware that you have a web server running,
>>> then it is most likely your machine that is infected with a bot.
>>>
>>> --
>>> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
>>> Impulse Internet Service  -  http://www.impulse.net/
>>> Your local telephone and internet company - 805 884-6323 - WB6RDV
>>>
>>>
>>>
>>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.8 (Darwin)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iEYEARECAAYFAkj6MisACgkQETh+0NgvOtFHnwCfRYCU4VwNmQRXABtgem4wmWhX
>> gD8AnRSxyfM67NJKGiYVn1MNYNQ5eaSO
>> =J0JL
>> -----END PGP SIGNATURE-----
>>
>>
>




More information about the NANOG mailing list