<< Also, I'd like to explore the possibility of reporting compromised people to 
their ISPs. >>

Well good luck ;)

As I posted earlier, we have been hit by over 200,000 attack attempts over the 
past 2 days.

Here's the analysis from our last 195,264 attack attempts:

Our attacks over the past *24 hours* have originated from *12,007* different IP 
addresses.  Twelve THOUSAND.  That is not a typo.  This is an extremely large 
botnet, pure and simple.  These IP addresses appear to be largely random folks 
who are using browsers with vulnerabilities.

Each client, on average, makes 2-4 attack requests.

Here are the origin IPs with the most attacks:


There have been fewer than 5 attacks from each of 4515 different IPs.

So for those of you trying to stop this sort of thing by blocking IP addresses, 
don't bother.

Some of those 203.* and 211.* addresses look suspicious, and perhaps are part 
of the botnet control, but who knows...

I have the complete list of 12,000 IP addresses (and counting at the rate of 
500+ new IP addresses each hour) of this botnet available if that's of any use 
to anyone.

Regards

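As an added example (not code from the original post or from House of Fusion), here is a small Python script that reproduces the kind of per-IP analysis described above on constructed access-log lines: it flags requests whose query string looks like SQL injection, counts them per source IP, reports distinct and low-volume IPs, and computes how much of the traffic blocking only the noisiest addresses would actually have stopped. The log lines, addresses and the SQL-injection heuristic are constructed assumptions, not data from the thread.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines (combined log format); RFC 5737 documentation addresses, not the thread's real origins.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Aug/2008:16:01:02 -0500] "GET /index.cfm?id=1 HTTP/1.1" 200 512
192.0.2.10 - - [08/Aug/2008:16:01:05 -0500] "GET /index.cfm?id=1;DECLARE%20@s%20varchar(4000) HTTP/1.1" 500 0
192.0.2.10 - - [08/Aug/2008:16:01:06 -0500] "GET /news.cfm?id=2;DECLARE%20@s%20varchar(4000) HTTP/1.1" 500 0
192.0.2.10 - - [08/Aug/2008:16:01:07 -0500] "GET /news.cfm?id=3;DECLARE%20@s%20varchar(4000) HTTP/1.1" 500 0
198.51.100.7 - - [08/Aug/2008:16:02:11 -0500] "GET /index.cfm?id=5%20UNION%20SELECT%201 HTTP/1.1" 500 0
198.51.100.7 - - [08/Aug/2008:16:02:12 -0500] "GET /index.cfm?id=5;EXEC(@s) HTTP/1.1" 500 0
203.0.113.4 - - [08/Aug/2008:16:03:01 -0500] "GET /index.cfm?id=1;DECLARE%20@s%20varchar(4000) HTTP/1.1" 500 0
203.0.113.5 - - [08/Aug/2008:16:03:02 -0500] "GET /index.cfm?id=1;DECLARE%20@s%20varchar(4000) HTTP/1.1" 500 0
203.0.113.6 - - [08/Aug/2008:16:03:03 -0500] "GET /index.cfm?id=1;DECLARE%20@s%20varchar(4000) HTTP/1.1" 500 0
203.0.113.7 - - [08/Aug/2008:16:03:04 -0500] "GET /index.cfm?id=1;DECLARE%20@s%20varchar(4000) HTTP/1.1" 500 0
203.0.113.8 - - [08/Aug/2008:16:04:00 -0500] "GET /about.cfm HTTP/1.1" 200 2048
this line is deliberately malformed and must be skipped
"""

# Source IP and request path out of a combined-log-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')
# Defensive heuristic (an assumption, not the real payload) for SQL-looking query strings.
SQLI_RE = re.compile(r"(declare\s|cast\(|exec\(|union\s+select|;--)", re.I)

def parse_attacks(log_text):
    """Count requests whose decoded path matches the SQL-injection heuristic, per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        if SQLI_RE.search(unquote(m.group("path"))):
            counts[m.group("ip")] += 1
    return counts

def summarize(counts, low_threshold=5):
    """Distribution figures of the kind quoted in the thread: distinct IPs, low-volume IPs, mean per IP."""
    total = sum(counts.values())
    distinct = len(counts)
    return {"total_attacks": total, "distinct_ips": distinct,
            "low_volume_ips": sum(1 for c in counts.values() if c < low_threshold),
            "avg_per_ip": total / distinct if distinct else 0.0}

def blocked_share(counts, top_n):
    """Fraction of attack requests that blocking only the top_n noisiest IPs would have stopped."""
    total = sum(counts.values())
    return sum(c for _, c in counts.most_common(top_n)) / total if total else 0.0
```

On the constructed sample, blocking the two noisiest addresses still leaves four of nine attack requests, which is the point the thread makes about a widely distributed botnet.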

--- On Fri, 8/8/08, Brad Wood <[EMAIL PROTECTED]> wrote:

> From: Brad Wood <[EMAIL PROTECTED]>
> Subject: Re: SQL injection attack on House of Fusion
> To: "CF-Talk" <cf-talk@houseoffusion.com>
> Date: Friday, August 8, 2008, 4:25 PM
> Yeah, I'm well aware of the near impossibility of ever tracking IP address
> to anything useful, but I'm a person who likes data, for within mounds of
> useless data can be found trends.  Most of all, I'm just curious.  Also, I'd
> like to explore the possibility of reporting compromised people to their
> ISPs.  Some US ISPs do have abuse policies that might cause them to pressure
> their users to clean themselves.  A number of these attacks could have come
> from servers for all we know.  Servers are desirable for Trojans due to
> their fast internet connections and 24/7 uptime.
> 
> ~Brad
> 
> ----- Original Message ----- 
> From: "Andy Matthews"
> <[EMAIL PROTECTED]>
> To: "CF-Talk" <cf-talk@houseoffusion.com>
> Sent: Friday, August 08, 2008 3:00 PM
> Subject: RE: SQL injection attack on House of Fusion
> 
> 
> > blocking the IPs would probably stop the attacks, but analyzing them is
> > going to be useless. They're either using some hacked computer as a proxy,
> > or have some sort of spoofing in place. Unless you're really good at
> > forensics, you'll never find their real origination point.


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310572