Re: the attack continues..

2008-10-18 Thread Jay Hennigan

Beavis wrote:

> Hello Lists,
>
> I'm still getting attacked and most of the IPs I got have been
> reported, and just this morning it looks as if someone is testing my
> network and sending out short TCP_SESSION requests. Now I may be
> paranoid, but these past few days have been hell.. just want to know if
> the folks from these IPs can help me out.
>
> Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start Time,Extra Info
> 205.188.116.7,47198,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156
> 205.188.117.134,45379,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
> 205.188.117.137,42257,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
> 75.105.128.38,4092,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>
> First 3 IPs come from AOL, I'll try to see if I can get their attention.
>
> Last IP is from a Wildblue Communications WBC-39.


Beavis, you're running a web server on 200.0.179.73, some sort of 
gambling site.  Those who operate web servers generally expect traffic 
to TCP port 80.  If you're not aware that you have a web server running, 
then it is most likely your machine that is infected with a bot.


--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



RE: the attack continues..

2008-10-18 Thread Frank Bulk
The website is http://www.betmania.com/ and when I try to connect to it I
get "Database Error: Unable to connect to the database: Could not connect to
MySQL."

It's not unusual for betting sites to be DDoSed for ransom.

Frank


Re: the attack continues..

2008-10-18 Thread Christopher Morrow
On Sat, Oct 18, 2008 at 12:16 PM, Frank Bulk [EMAIL PROTECTED] wrote:
> The website is http://www.betmania.com/ and when I try to connect to it I
> get "Database Error: Unable to connect to the database: Could not connect to
> MySQL."
>
> It's not unusual for betting sites to be DDoSed for ransom.


GW10.MIA4.ALTER.NET (152.63.81.53)  54.482 ms  54.665 ms
 8   (63.65.190.126)  54.949 ms  54.774 ms  55.035 ms
 9  s-1-0-0-nmi-core01.nwnnetwork.net (63.245.5.65)  58.575 ms  56.288 ms  58.745 ms
10  ge-2-0-nmi-edge03.nwnnetwork.net (63.245.5.21)

I would also venture to guess that vbz/uunet would be willing to help
if the site's provider (nwnnetwork.net) would call and ask for
support...


Re: the attack continues..

2008-10-18 Thread Jay Coley
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Frank Bulk wrote:
> The website is http://www.betmania.com/ and when I try to connect to it I
> get "Database Error: Unable to connect to the database: Could not connect to
> MySQL."
>
> It's not unusual for betting sites to be DDoSed for ransom.

Also, competition-based attacks (rival companies) are extremely common in
the gambling/betting industry these days.

Are you running any special promotions at the same time as your competition?

--J


 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkj6MisACgkQETh+0NgvOtFHnwCfRYCU4VwNmQRXABtgem4wmWhX
gD8AnRSxyfM67NJKGiYVn1MNYNQ5eaSO
=J0JL
-END PGP SIGNATURE-



Re: the attack continues..

2008-10-18 Thread Beavis
I'm hosting the company's site and we're not running any type of
promotions other than the ones that we have. This is a typical
scenario for sites that host this type of content to get attacked.

If only I could get through one of those IPs and get the program that's
running on them (bot); that would give me a clue where it goes.

Attacker IPs: these guys are just persistent; they are trying to hit
port 80 on a DNS box.

92.124.174.10
89.252.28.60
91.124.110.98
98.25.64.170
92.112.229.94
75.186.69.225
89.113.48.227
87.103.174.101
84.47.161.244
89.169.111.90
92.112.145.158
85.141.238.233
91.202.109.72
89.222.217.116
193.109.241.45
212.192.251.11
213.252.64.74
91.200.8.6
92.113.10.101
200.11.153.142
80.55.213.118
200.43.3.153



Re: the attack continues..

2008-10-18 Thread Beavis
Overall.. sorry, list, for putting out such noise.

-John


Re: the attack continues..

2008-10-18 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Sat, Oct 18, 2008 at 12:52 PM, Beavis [EMAIL PROTECTED] wrote:

> I'm hosting the company's site and we're not running any type of
> promotions other than the ones that we have. This is a typical
> scenario for sites that host this type of content to get attacked.
>
> If only I could get through one of those IPs and get the program that's
> running on them (bot); that would give me a clue where it goes.
>
> Attacker IPs: these guys are just persistent; they are trying to hit
> port 80 on a DNS box.
>
> 92.124.174.10
> 89.252.28.60
> 91.124.110.98
> 98.25.64.170
> 92.112.229.94
> 75.186.69.225
> 89.113.48.227
> 87.103.174.101
> 84.47.161.244
> 89.169.111.90
> 92.112.145.158
> 85.141.238.233
> 91.202.109.72
> 89.222.217.116
> 193.109.241.45
> 212.192.251.11
> 213.252.64.74
> 91.200.8.6
> 92.113.10.101
> 200.11.153.142
> 80.55.213.118
> 200.43.3.153


Well, good luck with all that -- it would appear that all of the hosts
attacking you are botnet'ed residential broadband machines:

92.124.174.10  -PTR- host-92-124-174-10.pppoe.omsknet.ru
89.252.28.60   -PTR- NXDOMAIN
91.124.110.98  -PTR- 98-110-124-91.pool.ukrtel.net
98.25.64.170   -PTR- cpe-098-025-064-170.sc.res.rr.com
92.112.229.94  -PTR- 94-229-112-92.pool.ukrtel.net
75.186.69.225  -PTR- cpe-75-186-69-225.cinci.res.rr.com
89.113.48.227  -PTR- 89-113-48-227.nat.dsl.orel.ru
87.103.174.101 -PTR- 87-103-174-101.pppoe.irtel.ru
84.47.161.244  -PTR- 84-47-161-244.apmt.ru

[...]

- ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFI+kJBq1pz9mNUZTMRApbGAJ9WamkW06pTb+SpWUn0rirpQZf/KgCg1APq
LPs4/rDH8wPmAk6bvl+FpI4=
=N1VC
-END PGP SIGNATURE-



-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
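Two pieces of this thread lend themselves to a small script: the CSV firewall export at the top (one source per row, drop counters buried in the free-text "Extra Info" column) and the triage in the reply above, where each source is reverse-resolved and generated access-network PTR names are read as a sign of compromised home machines. The following is an added example and is not code from any poster on this list. It runs offline: the PTR table is the set of answers Paul Ferguson posted (None stands for NXDOMAIN), so the AOL and WildBlue sources from the first log, for which the thread posts no answers, are deliberately absent. The keyword list and the "address embedded in the hostname" rule are this example's own heuristics, not anything the thread states.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample input: the four rows of the firewall export posted at the
# top of the thread, re-joined onto one line each (the list archive wrapped them).
SAMPLE_LOG = """\
Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start Time,Extra Info
205.188.116.7,47198,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156
205.188.117.134,45379,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
205.188.117.137,42257,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
75.105.128.38,4092,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
"""

# Constructed PTR table: the reverse-DNS answers posted in the reply above for
# the second source list. None stands for NXDOMAIN. Kept static so the example
# runs offline; live use would fill it with socket.gethostbyaddr().
PTR_TABLE = {
    "92.124.174.10": "host-92-124-174-10.pppoe.omsknet.ru",
    "89.252.28.60": None,
    "91.124.110.98": "98-110-124-91.pool.ukrtel.net",
    "98.25.64.170": "cpe-098-025-064-170.sc.res.rr.com",
    "92.112.229.94": "94-229-112-92.pool.ukrtel.net",
    "75.186.69.225": "cpe-75-186-69-225.cinci.res.rr.com",
    "89.113.48.227": "89-113-48-227.nat.dsl.orel.ru",
    "87.103.174.101": "87-103-174-101.pppoe.irtel.ru",
    "84.47.161.244": "84-47-161-244.apmt.ru",
}

EXTRA_RE = re.compile(r"Dropped packets:\s*(\d+)\s+Dropped bytes:\s*(\d+)")

# Hostname fragments that access-network operators commonly put in generated
# PTR names (assumed heuristic list, not from the thread).
ACCESS_NET_HINTS = ("pppoe", "ppp", "pool", "dsl", "cpe-", ".res.", "nat.", "dyn", "dhcp", "cable")


def parse_log(text):
    """Parse the CSV export into typed records; drop counters come from Extra Info."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        m = EXTRA_RE.search(row["Extra Info"])
        records.append({
            "src": row["Attacker IP"],
            "sport": int(row["Attacker Port"]),
            "dst": row["Victim IP"],
            "dport": int(row["Victim Port"]),
            "type": row["Attack Type"],
            "time": row["Start Time"],
            "dropped_packets": int(m.group(1)) if m else 0,
            "dropped_bytes": int(m.group(2)) if m else 0,
        })
    return records


def per_source(records):
    """Aggregate hit count, dropped packets and target ports per source address."""
    agg = defaultdict(lambda: {"hits": 0, "dropped_packets": 0, "dports": set()})
    for r in records:
        a = agg[r["src"]]
        a["hits"] += 1
        a["dropped_packets"] += r["dropped_packets"]
        a["dports"].add(r["dport"])
    return dict(agg)


def classify_ptr(ip, name):
    """Label a source from its PTR name: no PTR, residential/dynamic, or unclassified."""
    if name is None:
        return "no PTR"
    lname = name.lower()
    if any(h in lname for h in ACCESS_NET_HINTS):
        return "residential/dynamic"
    # Generated reverse records usually embed the address itself (either octet
    # order, sometimes zero-padded); treat that as the same class of host.
    octets = {int(o) for o in ip.split(".")}
    if octets <= {int(t) for t in re.findall(r"\d+", lname)}:
        return "residential/dynamic"
    return "unclassified"


def triage(ptr_table):
    """Map each source to (PTR name, class) for an abuse-report shortlist."""
    return {ip: (name, classify_ptr(ip, name)) for ip, name in ptr_table.items()}


if __name__ == "__main__":
    for src, a in per_source(parse_log(SAMPLE_LOG)).items():
        print(f"{src:16} hits={a['hits']} dropped={a['dropped_packets']} dports={sorted(a['dports'])}")
    for ip, (name, cls) in triage(PTR_TABLE).items():
        print(f"{ip:16} {name or 'NXDOMAIN':40} {cls}")
```

A PTR name is set by whoever runs the reverse zone, so the label is a triage hint for deciding which abuse desk to write to, not evidence about the host; the abuse contact should still come from the registered holder of the address block, and the aggregated counters per source (not single rows) are what belong in that report.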