North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: the attack continues..
On Sat, Oct 18, 2008 at 12:16 PM, Frank Bulk <[email protected]> wrote: > The website is "http://www.betmania.com/" and when I try to connect to it I > get "Database Error: Unable to connect to the database:Could not connect to > MySQL". > > It's not unusual for betting sites to be DDoSed for ransom. > GW10.MIA4.ALTER.NET (184.108.40.206) 54.482 ms 54.665 ms 8 (220.127.116.11) 54.949 ms 54.774 ms 55.035 ms 9 s-1-0-0-nmi-core01.nwnnetwork.net (18.104.22.168) 58.575 ms 56.288 ms 58.745 ms 10 ge-2-0-nmi-edge03.nwnnetwork.net (22.214.171.124) I would also venture to guess that vbz/uunet would be willing to help if the site's provider (nwnnetwork.net) would call and ask for support... > Frank > > -----Original Message----- > From: Jay Hennigan [mailto:[email protected]] > Sent: Saturday, October 18, 2008 10:24 AM > To: NANOG list > Subject: Re: the attack continues.. > > Beavis wrote: >> Hello Lists, >> >> I'm still getting attacked and most of the IP's i got have been >> reported. and just this morning it looks as if someone is testing my >> network. and sending out short TCP_SESSION requests. now i may be >> paranoid but this past few days have been hell.. just want to know if >> the folks from these ip's can help me out. >> >> Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start >> Time,Extra Info >> 126.96.36.199,47198,188.8.131.52,80,TCP_SESSION,2008-10-18 >> 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156 >> 184.108.40.206,45379,220.127.116.11,80,TCP_SESSION,2008-10-18 >> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0 >> 18.104.22.168,42257,22.214.171.124,80,TCP_SESSION,2008-10-18 >> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0 >> 126.96.36.199,4092,188.8.131.52,80,TCP_SESSION,2008-10-18 >> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0 >> >> First 3 IP's come from AOL, I'll try to see if I can get their attention. >> >> Last IP is from a Wildblue Communications WBC-39. > > "Beavis", you're running a web server on 184.108.40.206, some sort of > gambling site. Those who operate web servers generally expect traffic > to TCP port 80. If you're not aware that you have a web server running, > then it is most likely your machine that is infected with a bot. > > -- > Jay Hennigan - CCIE #7880 - Network Engineering - [email protected] > Impulse Internet Service - http://www.impulse.net/ > Your local telephone and internet company - 805 884-6323 - WB6RDV > > > >