Here are my top 50: Note that the top 1 is in the same subnet as your top 1. I had 134,993 attempts that I caught..
IP (times) 203.160.1.52 (705) 203.162.3.160 (373) 203.160.1.76 (325) 61.164.132.230 (325) 59.15.212.125 (258) 210.112.177.244 (252) 70.189.143.59 (219) 221.253.217.138 (204) 96.36.10.144 (196) 24.73.176.42 (194) 98.28.106.213 (190) 68.193.151.157 (165) 24.47.218.244 (162) 123.202.60.95 (143) 59.114.123.73 (141) 218.254.31.26 (140) 202.131.225.173 (138) 125.107.109.47 (135) 189.172.137.45 (133) 203.162.3.169 (133) 68.56.228.46 (133) 12.217.163.28 (132) 67.86.134.184 (132) 76.92.189.111 (132) 61.252.80.122 (131) 67.177.74.149 (130) 69.249.95.147 (130) 70.109.78.114 (129) 202.92.190.172 (125) 70.124.124.12 (124) 85.228.247.106 (122) 190.244.220.149 (121) 12.207.124.127 (118) 74.128.74.54 (118) 69.254.237.179 (117) 98.195.181.47 (117) 163.19.104.53 (114) 218.237.7.174 (114) 24.170.242.107 (114) 67.180.14.106 (113) 83.145.205.184 (112) 142.177.47.211 (110) 58.241.23.162 (110) 68.194.247.48 (110) 75.67.214.54 (110) 76.122.137.243 (110) 74.214.55.53 (108) 99.194.179.224 (108) 124.8.50.109 (107) 121.13.155.156 (105) >Our attacks over the past *24 hours* have originated from *12,007* >different IP addresses. Twelve THOUSAND. That is not a >typo. This is an extremely large botnet, pure and simple. These >IP addresses appaer to be largely random folks who are using >browsers with vulnerabilities. > >Each client, on average, makes 2-4 attack requests. > >Here are the origin IPs with the most attacks: > >| ip | attacks | tmp1 | tmp2 | >+-----------------+-------+----------+----------+ >| 203.160.1.40 | 1246 | NULL | NULL | >| 203.160.1.70 | 596 | NULL | NULL | >| 61.164.132.230 | 478 | NULL | NULL | >| 211.72.233.9 | 471 | NULL | NULL | >| 203.162.3.159 | 462 | NULL | NULL | >| 211.72.233.8 | 452 | NULL | NULL | >| 211.72.233.10 | 429 | NULL | NULL | >| 221.253.217.138 | 319 | NULL | NULL | >| 210.112.177.244 | 252 | NULL | NULL | >| 59.15.212.125 | 252 | NULL | NULL | >| 70.88.218.70 | 240 | NULL | NULL | >| 67.86.134.184 | 234 | NULL | NULL | >| 125.107.109.47 | 231 | NULL | NULL | >| 202.92.190.172 | 225 | NULL | NULL | >| 59.114.123.73 | 224 | NULL | NULL | >| 12.215.231.131 | 218 | NULL | NULL | >| 68.193.151.157 | 200 | NULL | NULL | >| 98.28.106.213 | 200 | NULL | NULL | >| 122.118.202.29 | 198 | NULL | NULL | >| 67.184.18.83 | 196 | NULL | NULL | > >There have been fewer than 5 attacks from each of 4515 different IPs. > >So for those of you trying to stop this sort of thing by blocking IP >addresses, don't bother. > >Some of those 203.* and 211.* addresses look suspicious, and perhaps >are part of the botnet control, but who knows... > >I have the complete list of 12,000 IP addresses (and counting at the >rate of 500+ new IP addresses each hour) of this botnet available if >that's of any use to anyone. > >Regards ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310620 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
