Re: the attack continues..

• From: Jay Coley
• Date: Sat Oct 18 15:00:10 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Bulk wrote:
> The website is "http://www.betmania.com/"; and when I try to connect to it I
> get "Database Error: Unable to connect to the database:Could not connect to
> MySQL".
> 
> It's not unusual for betting sites to be DDoSed for ransom.

Also competition (rival companies) based attacks are extremely common in
the gambling/betting industry as well these days.

Are you running any special promotions at the same time as your competition?

- --J


> 
> Frank
> 
> -----Original Message-----
> From: Jay Hennigan [mailto:[email protected]] 
> Sent: Saturday, October 18, 2008 10:24 AM
> To: NANOG list
> Subject: Re: the attack continues..
> 
> Beavis wrote:
>> Hello Lists,
>>
>>     I'm still getting attacked and most of the IP's i got have been
>> reported. and just this morning it looks as if someone is testing my
>> network. and sending out short TCP_SESSION requests. now i may be
>> paranoid but this past few days have been hell.. just want to know if
>> the folks from these ip's can help me out.
>>
>> Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start
>> Time,Extra Info
>> 205.188.116.7,47198,200.0.179.73,80,TCP_SESSION,2008-10-18
>> 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156
>> 205.188.117.134,45379,200.0.179.73,80,TCP_SESSION,2008-10-18
>> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>> 205.188.117.137,42257,200.0.179.73,80,TCP_SESSION,2008-10-18
>> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>> 75.105.128.38,4092,200.0.179.73,80,TCP_SESSION,2008-10-18
>> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>>
>> First 3 IP's come from AOL, I'll try to see if I can get their attention.
>>
>> Last IP is from a Wildblue Communications WBC-39.
> 
> "Beavis", you're running a web server on 200.0.179.73, some sort of
> gambling site.  Those who operate web servers generally expect traffic
> to TCP port 80.  If you're not aware that you have a web server running,
> then it is most likely your machine that is infected with a bot.
> 
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - [email protected]
> Impulse Internet Service  -  http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
> 
> 
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkj6MisACgkQETh+0NgvOtFHnwCfRYCU4VwNmQRXABtgem4wmWhX
gD8AnRSxyfM67NJKGiYVn1MNYNQ5eaSO
=J0JL
-----END PGP SIGNATURE-----

• Follow-Ups:
  • Re: the attack continues.. Beavis

• References:
  • the attack continues.. Beavis
  • Re: the attack continues.. Jay Hennigan
  • RE: the attack continues.. Frank Bulk

• Prev by Date: Re: the attack continues..
• Next by Date: Re: the attack continues..
• Date Index
• Thread Index
• Author Index
• Historical