[Intrusions] We are experiencing a DDoS attacking one of our domains - mpecllc.com
David McCall
david at atgi.net
Wed Jan 12 20:02:40 GMT 2005
At last count I have isolated 21,000 unique IP addresses that are pounding our DNS and web servers
for robots.txt and entry.php.
This domain is effectively down because of this issue. We had to move it to a sandbox server and
this was ineffective after 24 hours. If I enable the domain and turn on the web site the initial
attack is 200-400 attacks per second, consisting of a GET for robots.txt or entry.php, neither of
which exist on the site.
I've notified mci.com and verio.net abuse depts.
I've filed a report with FBI and wanted to make you all aware of what is going on:
IFCC COMPLAINT REFERRAL REPORT
Complaint Number: I05011113017305
The following information was provided by the victim and will be forwarded to the appropriate law
enforcement or regulatory agency.
Computer Intrusion/Hacking
Date of Complaint: 1/11/2005 1:01:35 PM
Victim Information
Business Name: Eschelon Telecom
Name: David Chester McCall
DOB: 11/21/1954
Gender: M
Phone #: 707-284-5695
Email: david at atgi.net
Address: 19 Old Courthouse Square
Santa Rosa, CA 95404
Live in city limits: No
County: Sonoma
Country: USA
Do you have pertinent documents in paper form? No
Please indicate who your local law enforcement agency is:
http://ci.santa-rosa.ca.us/default.aspx?PageId=119
Please List the easiest way and most convenient time to contact you:
david at atgi.net
707-477-7466 cell phone
707-792-0482 home
Information about the Business that victimized you.
Name:
Gender: U
Phone #:
Current Email:
Address:
Country: USA
Contact between you and the Person/company that victimized you.
Type of Contact: Web Page
Date of Contact: 01/05/2005
Contact Information:
DDoS attack on one of our hosted domains: www.mpecllc.com
Brief log excerpt below:
www.mpecllc.com 68.70.227.25 - - [10/Jan/2005:11:10:49 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.mpecllc.com 24.247.2.226 - - [10/Jan/2005:11:10:49 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.mpecllc.com 68.253.255.21 - - [10/Jan/2005:11:10:49 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.mpecllc.com 68.80.225.249 - - [10/Jan/2005:11:10:49 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.mpecllc.com 128.227.58.20 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.mpecllc.com 24.211.249.43 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.mpecllc.com 70.178.8.21 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.mpecllc.com 4.29.92.66 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.mpecllc.com 207.81.81.85 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.mpecllc.com 68.36.53.42 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.mpecllc.com 63.198.19.106 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.mpecllc.com 65.196.186.6 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.mpecllc.com 69.211.75.13 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.mpecllc.com 65.40.1.55 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.mpecllc.com 141.157.196.180 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.mpecllc.com 216.170.177.114 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.mpecllc.com 24.250.111.104 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.mpecllc.com 66.69.186.184 - - [10/Jan/2005:11:10:50 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Additional Information:
We have had to disable this customer site as the attack eventually
brings down the server. However this attack continues and can be
viewed by the DNS queries from our name servers (brief listing below):
Jan 11 09:27:03 e4500a named[280]: XX /24.25.195.1/mpecllc.com/A/IN
Jan 11 09:27:09 e4500a named[280]: XX /66.186.224.158/mpecllc.com/A/IN
Jan 11 09:27:12 e4500a named[280]: XX /68.1.208.23/mpecllc.com/A/IN
Jan 11 09:27:20 e4500a named[280]: XX /66.129.37.38/mpecllc.com/A/IN
Jan 11 09:27:23 e4500a named[280]: XX /68.73.225.60/mpecllc.com/A/IN
Jan 11 09:27:26 e4500a named[280]: XX /167.206.3.247/mpecllc.com/A/IN
Jan 11 09:27:43 e4500a named[280]: XX /209.204.64.3/mpecllc.com/A/IN
Jan 11 09:27:25 e4500B named[20019]: XX /68.35.192.6/mpecllc.com/A/IN
Jan 11 09:27:26 e4500B named[20019]: XX /167.206.3.248/mpecllc.com/A/IN
Jan 11 09:27:27 e4500B named[20019]: XX /68.73.225.60/mpecllc.com/A/IN
Jan 11 09:27:28 e4500B named[20019]: XX /213.129.10.130/mpecllc.com/A/IN
Jan 11 09:27:30 e4500B named[20019]: XX /65.32.1.79/mpecllc.com/A/IN
Jan 11 09:27:34 e4500B named[20019]: XX /209.244.4.189/mpecllc.com/A/IN
Jan 11 09:27:40 e4500B named[20019]: XX /167.206.3.184/mpecllc.com/A/IN
Jan 11 09:27:45 e4500B named[20019]: XX /24.140.1.132/mpecllc.com/A/IN
Jan 11 09:27:58 e4500B named[20019]: XX /204.127.202.35/mpecllc.com/A/IN
Jan 11 09:28:10 e4500B named[20019]: XX /206.135.241.66/mpecllc.com/A/IN
Jan 11 09:27:30 queue named[26183]: [ID 295310 daemon.info] XX /137.39.110.165/mpecllc.com/A/IN
Jan 11 09:27:32 queue named[26183]: [ID 295310 daemon.info] XX /208.204.150.212/mpecllc.com/A/IN
Jan 11 09:27:33 queue named[26183]: [ID 295310 daemon.info] XX+/152.1.1.206/mpecllc.com/A/IN
Jan 11 09:27:37 queue named[26183]: [ID 295310 daemon.info] XX /152.38.30.122/mpecllc.com/A/IN
Jan 11 09:27:44 queue named[26183]: [ID 295310 daemon.info] XX /63.64.9.19/mpecllc.com/A/IN
Jan 11 09:27:47 queue named[26183]: [ID 295310 daemon.info] XX /207.65.122.221/mpecllc.com/A/IN
Jan 11 09:27:52 queue named[26183]: [ID 295310 daemon.info] XX /24.92.32.23/mpecllc.com/AAAA/IN
Jan 11 09:27:55 queue named[26183]: [ID 295310 daemon.info] XX /209.86.63.205/mpecllc.com/A/IN
Jan 11 09:28:03 queue named[26183]: [ID 295310 daemon.info] XX /216.162.16.130/mpecllc.com/A/IN
Jan 11 09:28:05 queue named[26183]: [ID 295310 daemon.info] XX /206.64.117.231/mpecllc.com/A/IN
Jan 11 09:28:05 queue named[26183]: [ID 295310 daemon.info] XX /216.162.16.131/mpecllc.com/A/IN
Jan 11 09:28:07 queue named[26183]: [ID 295310 daemon.info] XX /68.57.192.6/mpecllc.com/A/IN
Jan 11 09:28:09 queue named[26183]: [ID 295310 daemon.info] XX /68.168.192.5/mpecllc.com/A/IN
Jan 11 09:28:17 queue named[26183]: [ID 295310 daemon.info] XX /152.3.250.1/mpecllc.com/A/IN
Jan 11 09:28:21 queue named[26183]: [ID 295310 daemon.info] XX /24.28.99.62/mpecllc.com/A/IN
Jan 11 09:28:25 queue named[26183]: [ID 295310 daemon.info] XX /137.159.198.137/mpecllc.com/A/IN
Jan 11 09:28:31 queue2 named[29380]: [ID 295310 daemon.info] XX /12.38.46.250/mpecllc.com/A/IN
Jan 11 09:28:31 queue2 named[29380]: [ID 295310 daemon.info] XX /209.244.4.51/mpecllc.com/A/IN
Jan 11 09:28:31 queue2 named[29380]: [ID 295310 daemon.info] XX /63.243.88.30/mpecllc.com/A/IN
Jan 11 09:28:32 queue2 named[29380]: [ID 295310 daemon.info] XX /69.152.0.5/mpecllc.com/A/IN
Jan 11 09:28:36 queue2 named[29380]: [ID 295310 daemon.info] XX /64.78.119.1/mpecllc.com/A/IN
Jan 11 09:28:37 queue2 named[29380]: [ID 295310 daemon.info] XX /192.216.106.50/mpecllc.com/A/IN
Jan 11 09:28:37 queue2 named[29380]: [ID 295310 daemon.info] XX /32.97.118.68/mpecllc.com/A/IN
Jan 11 09:28:39 queue2 named[29380]: [ID 295310 daemon.info] XX /206.230.181.2/mpecllc.com/A/IN
Jan 11 09:28:40 queue2 named[29380]: [ID 295310 daemon.info] XX /205.188.118.22/mpecllc.com/A/IN
Jan 11 09:28:43 queue2 named[29380]: [ID 295310 daemon.info] XX /64.7.232.10/mpecllc.com/A/IN
Jan 11 09:28:46 queue2 named[29380]: [ID 295310 daemon.info] XX /216.226.178.11/mpecllc.com/A/IN
Jan 11 09:28:51 queue2 named[29380]: [ID 295310 daemon.info] XX /129.219.13.81/mpecllc.com/A/IN
Jan 11 09:28:31 webserv named[24989]: [ID 295310 daemon.info] XX /24.247.24.41/mpecllc.com/A/IN
Jan 11 09:28:35 webserv named[24989]: [ID 295310 daemon.info] XX /151.164.1.3/mpecllc.com/A/IN
Jan 11 09:28:37 webserv named[24989]: [ID 295310 daemon.info] XX /216.144.187.199/mpecllc.com/A/IN
Jan 11 09:28:38 webserv named[24989]: [ID 295310 daemon.info] XX /12.34.129.27/mpecllc.com/A/IN
Jan 11 09:28:38 webserv named[24989]: [ID 295310 daemon.info] XX /205.152.132.23/mpecllc.com/A/IN
Jan 11 09:28:42 webserv named[24989]: [ID 295310 daemon.info] XX /66.133.128.138/mpecllc.com/A/IN
Jan 11 09:28:42 webserv named[24989]: [ID 295310 daemon.info] XX /204.127.198.60/mpecllc.com/A/IN
Jan 11 09:28:56 webserv named[24989]: [ID 295310 daemon.info] XX /24.29.99.16/mpecllc.com/A/IN
Jan 11 09:28:56 webserv named[24989]: [ID 295310 daemon.info] XX /167.206.3.249/mpecllc.com/A/IN
Jan 11 09:28:56 webserv named[24989]: [ID 295310 daemon.info] XX /216.110.87.10/mpecllc.com/A/IN
Jan 11 09:28:58 webserv named[24989]: [ID 295310 daemon.info] XX+/66.189.130.21/mpecllc.com/A/IN
Jan 11 09:28:59 webserv named[24989]: [ID 295310 daemon.info] XX /216.47.193.14/mpecllc.com/A/IN
Jan 11 09:29:03 webserv named[24989]: [ID 295310 daemon.info] XX /66.189.130.5/mpecllc.com/A/IN
Jan 11 09:29:07 webserv named[24989]: [ID 295310 daemon.info] XX /129.22.4.3/mpecllc.com/A/IN
Jan 11 09:29:07 webserv named[24989]: [ID 295310 daemon.info] XX+/206.47.244.102/mpecllc.com/A/IN
Jan 11 09:29:07 webserv named[24989]: [ID 295310 daemon.info] XX /199.18.39.5/mpecllc.com/A/IN
I have no immediate power to isolate where this is coming from but I can make you all aware of
what it is doing exactly. mpecllc.com is now pointed to a 127. IP address but this has not
stopped the queries on our name servers, as you can see above.
Thanks ahead of time for any help you can offer.
Regards,
Domain Name Services - AdvancedTelcomInc
David C. McCall - david at atgi.net
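Added example, not part of David's message: a small Python triage script for the two log formats quoted above (Apache access log with a leading virtual-host field, and BIND query-log lines of the form "XX /client/name/type/class", where "XX+" marks a query sent with recursion desired). It produces what a defender needs first in an incident like this one: distinct source count, peak requests per second, the paths and names being asked for, and a de-duplicated address list for abuse reports. The sample lines are copied from the excerpt in the post; the function names, the indicator heuristics and their thresholds are my own assumptions.

```python
"""Triage a distributed HTTP/DNS flood from Apache and BIND log excerpts.

Added example; parses the log formats quoted in the post. Thresholds and
function names are assumptions chosen for illustration.
"""
import re
from collections import Counter

# Apache access log with a virtual-host prefix, as in the post's excerpt.
APACHE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# BIND query log: "XX /client/name/type/class"; "XX+" means recursion desired.
BIND_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]:(?: \[[^\]]+\])? '
    r'XX(?P<rd>[+ ])/(?P<ip>[^/]+)/(?P<name>[^/]+)/(?P<type>[^/]+)/(?P<cls>\S+)$'
)

def parse_apache(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = APACHE_RE.match(line)
    return m.groupdict() if m else None

def parse_bind(line):
    """Return a dict for one BIND query-log line, or None if it does not match."""
    m = BIND_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["rd"] = d["rd"] == "+"  # recursion-desired flag
    return d

def summarize_web(lines):
    recs = [r for r in map(parse_apache, lines) if r]
    per_second = Counter(r["ts"] for r in recs)  # timestamps have 1 s resolution
    return {
        "requests": len(recs),
        "unique_ips": len({r["ip"] for r in recs}),
        "peak_rps": max(per_second.values(), default=0),
        "paths": Counter(r["path"] for r in recs),
        "statuses": Counter(r["status"] for r in recs),
        "user_agents": Counter(r["ua"] for r in recs),
    }

def summarize_dns(lines):
    recs = [r for r in map(parse_bind, lines) if r]
    return {
        "queries": len(recs),
        "unique_ips": len({r["ip"] for r in recs}),
        "names": Counter((r["name"], r["type"]) for r in recs),
        "recursion_desired": sum(r["rd"] for r in recs),
    }

def flood_indicators(web, min_rps=5, min_ips=10):
    """Cheap indicators of a distributed flood; thresholds are assumptions."""
    n = web["requests"]
    top_path, top_n = web["paths"].most_common(1)[0] if n else ("", 0)
    return {
        "high_rate": web["peak_rps"] >= min_rps,
        "many_sources": web["unique_ips"] >= min_ips,
        "one_request_per_source": n > 0 and web["unique_ips"] / n >= 0.9,
        "single_path": n > 0 and top_n / n >= 0.9,
        "uniform_user_agent": len(web["user_agents"]) == 1,
        "top_path": top_path,
    }

def source_ips(web_lines, dns_lines):
    """Sorted, de-duplicated client addresses across both logs (for abuse reports)."""
    ips = {r["ip"] for r in map(parse_apache, web_lines) if r}
    ips |= {r["ip"] for r in map(parse_bind, dns_lines) if r}
    return sorted(ips)

# Sample lines copied from the post's excerpt (wrapped lines rejoined).
WEB_LINES = [
    f'www.mpecllc.com {ip} - - [10/Jan/2005:11:10:{sec} -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'
    for ip, sec in [("68.70.227.25", 49), ("24.247.2.226", 49), ("68.253.255.21", 49),
                    ("68.80.225.249", 49), ("128.227.58.20", 50), ("24.211.249.43", 50),
                    ("70.178.8.21", 50), ("4.29.92.66", 50), ("207.81.81.85", 50), ("68.36.53.42", 50)]
]
DNS_LINES = [
    "Jan 11 09:27:03 e4500a named[280]: XX /24.25.195.1/mpecllc.com/A/IN",
    "Jan 11 09:27:23 e4500a named[280]: XX /68.73.225.60/mpecllc.com/A/IN",
    "Jan 11 09:27:27 e4500B named[20019]: XX /68.73.225.60/mpecllc.com/A/IN",
    "Jan 11 09:27:30 queue named[26183]: [ID 295310 daemon.info] XX /137.39.110.165/mpecllc.com/A/IN",
    "Jan 11 09:27:33 queue named[26183]: [ID 295310 daemon.info] XX+/152.1.1.206/mpecllc.com/A/IN",
    "Jan 11 09:27:52 queue named[26183]: [ID 295310 daemon.info] XX /24.92.32.23/mpecllc.com/AAAA/IN",
]

if __name__ == "__main__":
    web, dns = summarize_web(WEB_LINES), summarize_dns(DNS_LINES)
    print(web["requests"], "requests from", web["unique_ips"], "addresses, peak", web["peak_rps"], "req/s")
    print(dns["queries"], "queries from", dns["unique_ips"], "addresses:", dns["names"].most_common())
    print(flood_indicators(web))
    print(len(source_ips(WEB_LINES, DNS_LINES)), "addresses for the abuse report")
```

Run against a full access log, the same functions give the unique-address count the post reports and the per-second rate; the same address showing up on both name servers (68.73.225.60 above) is why the address list is built as a set before it is handed to an abuse desk.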