Security Incidents mailing list archives
DDOS network
From: Gael MARTINEZ <mgc () MGC SPACESTAR NET>
Date: Thu, 17 Aug 2000 14:17:23 -0500
Hi, I'm getting attacks these last few days against one of my IRC servers. The attacks are of the DDoS kind, some Stacheldraht kind; the attack is visibly synack based:

207.41.173.132 -> 194.158.96.45 TCP D=73 S=1523 Ack=1339378523 Seq=674711609 Len=0 Win=65535
202.100.13.83 -> 194.158.96.45 NTP C port=1635
202.101.226.67 -> 194.158.96.45 X400 C port=1369
202.99.198.115 -> 194.158.96.45 UUCP-PATH C port=1771
130.88.234.245 -> 194.158.96.45 TCP D=135 S=1419 Ack=570623872 Seq=674711609 Len=0 Win=65535
152.74.5.155 -> 194.158.96.45 TCP D=65 S=1409 Ack=1231844585 Seq=674711609 Len=0 Win=65535
12 0.00001 202.101.235.29 -> 194.158.96.45 HOSTNAME C port=1832
13 0.00027 202.102.142.173 -> 194.158.96.45 NTP C port=1095
14 0.00001 202.102.135.201 -> 194.158.96.45 CHARGEN C port=1655
15 0.00003 202.96.31.115 -> 194.158.96.45 TELNET C port=1186
16 0.00020 129.24.171.67 -> 194.158.96.45 DAYTIME C port=1054
17 0.00001 202.101.189.201 -> 194.158.96.45 NBT C port=1481
18 0.00002 202.100.13.249 -> 194.158.96.45 TCP D=3 S=1911 Ack=990335809 Seq=674711609 Len=0 Win=65535
19 0.00001 202.98.10.234 -> 194.158.96.45 X400 C port=1017
20 0.00004 202.102.245.190 -> 194.158.96.45 TCP D=33 S=1446 Ack=1718066386 Seq=674711609 Len=0 Win=65535
21 0.00005 202.96.31.155 -> 194.158.96.45 TCP D=45 S=1696 Ack=1245474309 Seq=674711609 Len=0 Win=65535

Attacks are originating from these classes; the first number is the number of distinct hosts, the second the class itself:

Following is a list of abusive IRC users (bots) acting in a group on our network, reported during some abusive usage. As they look similar (classes very close) and are visibly manipulated by the same person who daily harasses our network, I'm including them, convinced they're the origins of the DoSes, and 99% convinced it's servers hacked with numerous exploits.

login@ip format:

Regards
Gael
--
Gael MARTINEZ
IrcAdministrator on Ircnet
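The per-class tally described in the message above (distinct source hosts per /24), together with a check for a sequence number shared across sources as seen in the quoted TCP lines, as an added example that is not part of the original post. The sample lines are constructed in the same layout using documentation-range addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the packet-summary layout quoted in the post
# (documentation-range addresses, not real traffic).
SAMPLE = """\
198.51.100.10 -> 192.0.2.45 TCP D=73 S=1523 Ack=1339378523 Seq=674711609 Len=0 Win=65535
12 0.00001 198.51.100.77 -> 192.0.2.45 HOSTNAME C port=1832
13 0.00027 203.0.113.5 -> 192.0.2.45 NTP C port=1095
14 0.00001 198.51.100.10 -> 192.0.2.45 CHARGEN C port=1655
18 0.00002 203.0.113.9 -> 192.0.2.45 TCP D=3 S=1911 Ack=990335809 Seq=674711609 Len=0 Win=65535
20 0.00004 203.0.113.200 -> 192.0.2.45 TCP D=33 S=1446 Ack=1718066386 Seq=674711609 Len=0 Win=65535
this line is not a packet summary
"""

# Optional "<frame no> <delta>" prefix, then "src -> dst rest-of-summary".
LINE = re.compile(
    r"^(?:\d+\s+[\d.]+\s+)?(\d+\.\d+\.\d+\.\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+)\s+(.*)$"
)
SEQ = re.compile(r"\bSeq=(\d+)")

def parse(text):
    """Yield (src, dst, seq or None) for each recognisable line; skip the rest."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        src, dst, rest = m.groups()
        s = SEQ.search(rest)
        yield src, dst, int(s.group(1)) if s else None

def hosts_per_class(text):
    """Map each /24 prefix to the number of distinct source hosts seen in it."""
    seen = defaultdict(set)
    for src, _dst, _seq in parse(text):
        seen[src.rsplit(".", 1)[0]].add(src)
    return {prefix: len(hosts) for prefix, hosts in seen.items()}

def repeated_seq(text, min_sources=2):
    """Return Seq values used by at least min_sources distinct source hosts."""
    by_seq = defaultdict(set)
    for src, _dst, seq in parse(text):
        if seq is not None:
            by_seq[seq].add(src)
    return {seq: len(srcs) for seq, srcs in by_seq.items() if len(srcs) >= min_sources}

if __name__ == "__main__":
    for prefix, n in sorted(hosts_per_class(SAMPLE).items()):
        print(f"{n:4d} {prefix}")
    print("shared Seq values:", repeated_seq(SAMPLE))
```

An identical sequence number arriving from many unrelated source addresses is worth recording in an incident report, since independent TCP stacks would not normally pick the same value.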