I came across this info which may or may not be related to the possible botnets. There is a new P2P botnet forming. The Trojan it uses is 'Heloag'.

This is the URL that gives info about it: http://threatpost.com/en_us/blogs/new-p2p-botnet-forming-041310?utm_source=Threatpost+Spotlight+Email&utm_medium=Email+Marketing+-+CRM+List&utm_campaign=Threatpost+Spotlight&CID=
This is the short URL: http://threatpost.com/en_us/OTQ

FYI

On Fri, Apr 23, 2010 at 10:14 AM, Scott Bennett <[email protected]> wrote:
> On Fri, 23 Apr 2010 15:51:59 +0200 Sebastian Hahn <[email protected]>
> wrote:
>> On Apr 23, 2010, at 3:21 PM, Timo Schoeler wrote:
>>> thus Brian Mearns spake:
>>>> Any chance your ISP is throttling you?
>>>
>>> 100% *not*.
>>
>> Another possibility would be that your relay is heavily
>> overloaded. See the big thread on tor-relays about
>> the problems and potential solutions [0].
>>
> Sebastian, there was something that looked very much like a botnet
> attack running for two or three hours this a.m. It seems to have stopped
> now. I had shut down my machine to install operating system updates.
> When all that was finished and I finally brought the system back up, for
> some unknown reason, pf did not start. (As if there were not going to be
> enough confusion as things already were. Sigh.) As soon as I noticed pf
> wasn't running, I started it manually and loaded a block list. But pftop
> continued to pour forth log entries of illicit connection attempts from
> untold numbers of IP addresses and to scads of different TCP port numbers.
> I kept stopping and starting the logging, so that I could see the log
> entries long enough to add the addresses to that block list. I eventually
> got crosseyed from adding somewhere between 200 and 300 IP addresses to
> the list. :-( When I then let the logging continue, it had stopped
> getting any new stuff to log.
> It was very intense while it lasted, but in the larger scheme of
> things, it was of very short duration for a coordinated attack. I doubt
> that my system was the only tor relay being attacked. In fact, I think
> the attack began a short time after my node appeared in the consensus,
> although at this point I can't prove it.
> What I would like to know is how many systems were attacked this
> a.m. in that manner, were only systems running tor relays attacked,
> who shut it off, etc. If anyone else on this list noticed anything between
> 5:00 a.m. CDT and 8:00 a.m. CDT, please post the details here. Thanks!
>
***********************************************************************
To unsubscribe, send an e-mail to [email protected] with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
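The manual procedure Scott describes above (reading pf's log of blocked connection attempts and adding 200 to 300 source addresses to a block list by hand) is the kind of thing worth scripting. The following is an added example, not code from the thread or from the Tor project: it parses lines in the style of `tcpdump -n -e -ttt -r /var/log/pflog`, groups blocked inbound attempts by source address, decides which sources to block, and emits both a pf table file and the `pfctl -t <table> -T add ...` command that adds them to a live table without reloading the ruleset. The log format, the table name `scanners`, the thresholds, and the sample log lines are all constructed assumptions. The one design point the thread motivates is the burst rule: a per-source threshold ("an address probed N ports") misses a distributed scan where each bot touches only one port, so when the whole window shows many sources and many ports at once, every source in the window is treated as part of the same event.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -n -e -ttt -r /var/log/pflog`
# (assumed format; real output varies by tcpdump version). Four inbound
# sources plus one outbound block of the host's own traffic, which must
# not end up in the block list.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 2/(match) block in on em0: 192.0.2.10.40211 > 198.51.100.7.22: Flags [S], win 65535
00:00:00.000012 rule 2/(match) block in on em0: 192.0.2.10.40212 > 198.51.100.7.23: Flags [S], win 65535
00:00:00.000003 rule 2/(match) block in on em0: 192.0.2.10.40213 > 198.51.100.7.135: Flags [S], win 65535
00:00:00.000008 rule 2/(match) block in on em0: 203.0.113.44.5122 > 198.51.100.7.445: Flags [S], win 65535
00:00:00.000001 rule 2/(match) block in on em0: 203.0.113.44.5123 > 198.51.100.7.1433: Flags [S], win 65535
00:00:00.000015 rule 2/(match) block in on em0: 203.0.113.45.6000 > 198.51.100.7.3306: Flags [S], win 65535
00:00:00.000002 rule 2/(match) block in on em0: 198.18.0.9.4444 > 198.51.100.7.22: Flags [S], win 65535
00:00:00.000006 rule 5/(match) block out on em0: 198.51.100.7.9001 > 192.0.2.99.443: Flags [S], win 65535
"""

# Only inbound blocks are of interest; "block out" lines are skipped.
BLOCK_IN_RE = re.compile(
    r"block in on \S+: (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_blocked(log_text):
    """Map each blocked source IP to the set of destination ports it hit."""
    by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = BLOCK_IN_RE.search(line)
        if m:
            by_src[m.group("src")].add(int(m.group("dport")))
    return dict(by_src)


def burst_summary(by_src):
    """(distinct source addresses, distinct destination ports) in the window."""
    return len(by_src), len(set().union(*by_src.values()))


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def choose_blocklist(by_src, min_ports=2, burst_sources=50, burst_ports=20,
                     never_block=frozenset()):
    """Per-source rule: one address probing >= min_ports distinct ports is a
    scanner.  Burst rule: if the window as a whole shows >= burst_sources
    addresses hitting >= burst_ports ports (the "untold numbers of IP
    addresses ... scads of different TCP port numbers" pattern), treat every
    source as part of one coordinated scan, since each bot may touch a single
    port.  Thresholds are illustrative.  never_block holds addresses the host
    must keep talking to (for a Tor relay, e.g. the directory authorities)."""
    n_src, n_ports = burst_summary(by_src)
    if n_src >= burst_sources and n_ports >= burst_ports:
        chosen = set(by_src)
    else:
        chosen = {ip for ip, ports in by_src.items() if len(ports) >= min_ports}
    return sorted(chosen - set(never_block), key=_ip_key)


def pf_table_file(ips):
    """File contents for a pf.conf table declared as
    table <scanners> persist file "/etc/pf/scanners"
    and used by a rule such as:  block in quick from <scanners>"""
    return "".join(f"{ip}\n" for ip in ips)


def pfctl_add_command(table, ips):
    """argv that adds the addresses to a live pf table (no ruleset reload)."""
    return ["pfctl", "-t", table, "-T", "add", *ips]


if __name__ == "__main__":
    by_src = parse_blocked(SAMPLE_PFLOG)
    n_src, n_ports = burst_summary(by_src)
    print(f"{n_src} sources, {n_ports} distinct destination ports")
    ips = choose_blocklist(by_src)
    print(pf_table_file(ips), end="")
    print(" ".join(pfctl_add_command("scanners", ips)))
```

In practice the script would read the log via `tcpdump -n -e -ttt -r /var/log/pflog` (or be fed from a `tcpdump -n -e -ttt -i pflog0` pipe) and the generated command would be run as root; the block list should still be reviewed before it goes into a persistent table, since blocking a large number of sources on a relay can also cut off legitimate clients and other relays caught in the same window.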

