North American Network Operators Group
Re: the attack continues..
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Bulk wrote:
> The website is "http://www.betmania.com/" and when I try to connect to it I
> get "Database Error: Unable to connect to the database:Could not connect to
> MySQL".
>
> It's not unusual for betting sites to be DDoSed for ransom.

Also competition (rival companies) based attacks are extremely common in
the gambling/betting industry as well these days.

Are you running any special promotions at the same time as your competition?

- --J

>
> Frank
>
> -----Original Message-----
> From: Jay Hennigan [mailto:[email protected]]
> Sent: Saturday, October 18, 2008 10:24 AM
> To: NANOG list
> Subject: Re: the attack continues..
>
> Beavis wrote:
>> Hello Lists,
>>
>> I'm still getting attacked and most of the IPs I got have been
>> reported. And just this morning it looks as if someone is testing my
>> network and sending out short TCP_SESSION requests. Now I may be
>> paranoid but these past few days have been hell.. just want to know if
>> the folks from these IPs can help me out.
>>
>> Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start Time,Extra Info
>> 18.104.22.168,47198,22.214.171.124,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156
>> 126.96.36.199,45379,188.8.131.52,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>> 184.108.40.206,42257,220.127.116.11,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>> 18.104.22.168,4092,22.214.171.124,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>>
>> First 3 IPs come from AOL, I'll try to see if I can get their attention.
>>
>> Last IP is from a Wildblue Communications WBC-39.
>
> "Beavis", you're running a web server on 126.96.36.199, some sort of
> gambling site. Those who operate web servers generally expect traffic
> to TCP port 80. If you're not aware that you have a web server running,
> then it is most likely your machine that is infected with a bot.
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - [email protected]
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkj6MisACgkQETh+0NgvOtFHnwCfRYCU4VwNmQRXABtgem4wmWhX
gD8AnRSxyfM67NJKGiYVn1MNYNQ5eaSO
=J0JL
-----END PGP SIGNATURE-----
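A triage pass over an export in the column layout quoted in this thread, as an added example that is not part of the original messages. It separates single sessions to a port the host publishes (the point made about TCP port 80) from sources that touch unpublished ports or exceed a per-minute session count. The sample rows, the documentation-range addresses, `PUBLISHED_PORTS` and the threshold are constructed assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the thread's column layout; addresses are
# RFC 5737 documentation ranges, not values taken from the post.
SAMPLE = """\
Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start Time,Extra Info
198.51.100.7,47198,203.0.113.10,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156
198.51.100.8,45379,203.0.113.10,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
198.51.100.9,42257,203.0.113.10,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
198.51.100.7,4092,203.0.113.10,22,TCP_SESSION,2008-10-18 14:20:49,Filtered IP: Dropped packets: 5 Dropped bytes: 300
"""

PUBLISHED_PORTS = {80}        # assumption: services this host offers on purpose
MAX_SESSIONS_PER_MINUTE = 20  # assumption: tune to the site's normal traffic
DROPPED = re.compile(r"Dropped packets:\s*(\d+)\s+Dropped bytes:\s*(\d+)")


def triage(text, published=PUBLISHED_PORTS, limit=MAX_SESSIONS_PER_MINUTE):
    """Return ({source: [reasons]}, {source: dropped_packets}).

    An empty reason list means the source only opened a few sessions to a
    published port, which is ordinary traffic for a public web server.
    """
    per_minute = defaultdict(int)   # (source, "YYYY-MM-DD HH:MM") -> sessions
    dropped = defaultdict(int)      # source -> packets the filter dropped
    findings = defaultdict(set)     # source -> reasons to look closer
    for row in csv.DictReader(io.StringIO(text)):
        src, port = row["Attacker IP"], int(row["Victim Port"])
        per_minute[(src, row["Start Time"][:16])] += 1
        m = DROPPED.search(row["Extra Info"] or "")
        dropped[src] += int(m.group(1)) if m else 0
        if port not in published:
            findings[src].add(f"unpublished port {port}")
    for (src, minute), n in per_minute.items():
        if n > limit:
            findings[src].add(f"{n} sessions in minute {minute}")
    sources = sorted({src for src, _ in per_minute})
    return {s: sorted(findings[s]) for s in sources}, dict(dropped)


if __name__ == "__main__":
    reasons, drops = triage(SAMPLE)
    for src, why in reasons.items():
        print(src, drops[src], why or "expected service traffic")
```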