nanog mailing list archives
Re: the attack continues..
From: Beavis <pfunix () gmail com>
Date: Sat, 18 Oct 2008 13:58:57 -0600
overall .. sorry list for putting out such a noise. -John On Sat, Oct 18, 2008 at 1:52 PM, Beavis <pfunix () gmail com> wrote:
I'm hosting the company's site and we're not running any type of promotions other than the ones that we have. this is a typical scenario for sites that host these type of content to get attacked. If only i can get through one of those IP's and get the program that's running on them (bot) that will give me a clue where it goes. Attacker IP's these guys are just persistent they are trying to hit port 80 on a dns box. 92.124.174.10 89.252.28.60 91.124.110.98 98.25.64.170 92.112.229.94 75.186.69.225 89.113.48.227 87.103.174.101 84.47.161.244 89.169.111.90 92.112.145.158 85.141.238.233 91.202.109.72 89.222.217.116 193.109.241.45 212.192.251.11 213.252.64.74 91.200.8.6 92.113.10.101 200.11.153.142 80.55.213.118 200.43.3.153 On Sat, Oct 18, 2008 at 12:59 PM, Jay Coley <j () jcoley net> wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frank Bulk wrote:The website is "http://www.betmania.com/" and when I try to connect to it I get "Database Error: Unable to connect to the database:Could not connect to MySQL". It's not unusual for betting sites to be DDoSed for ransom.Also competition (rival companies) based attacks are extremely common in the gambling/betting industry as well these days. Are you running any special promotions at the same time as your competition? - --JFrank -----Original Message----- From: Jay Hennigan [mailto:jay () west net] Sent: Saturday, October 18, 2008 10:24 AM To: NANOG list Subject: Re: the attack continues.. Beavis wrote:Hello Lists, I'm still getting attacked and most of the IP's i got have been reported. and just this morning it looks as if someone is testing my network. and sending out short TCP_SESSION requests. now i may be paranoid but this past few days have been hell.. just want to know if the folks from these ip's can help me out. Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start Time,Extra Info 205.188.116.7,47198,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156 205.188.117.134,45379,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0 205.188.117.137,42257,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0 75.105.128.38,4092,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0 First 3 IP's come from AOL, I'll try to see if I can get their attention. Last IP is from a Wildblue Communications WBC-39."Beavis", you're running a web server on 200.0.179.73, some sort of gambling site. Those who operate web servers generally expect traffic to TCP port 80. If you're not aware that you have a web server running, then it is most likely your machine that is infected with a bot. -- Jay Hennigan - CCIE #7880 - Network Engineering - jay () impulse net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkj6MisACgkQETh+0NgvOtFHnwCfRYCU4VwNmQRXABtgem4wmWhX gD8AnRSxyfM67NJKGiYVn1MNYNQ5eaSO =J0JL -----END PGP SIGNATURE-----
Current thread:
- the attack continues.. Beavis (Oct 18)
- Re: the attack continues.. Jay Hennigan (Oct 18)
- RE: the attack continues.. Frank Bulk (Oct 18)
- Re: the attack continues.. Christopher Morrow (Oct 18)
- Re: the attack continues.. Jay Coley (Oct 18)
- Re: the attack continues.. Beavis (Oct 18)
- Re: the attack continues.. Beavis (Oct 18)
- Re: the attack continues.. Paul Ferguson (Oct 18)
- RE: the attack continues.. Frank Bulk (Oct 18)
- Re: the attack continues.. Jay Hennigan (Oct 18)