North American Network Operators Group
Re: the attack continues..
overall .. sorry list for putting out such a noise.

-John

On Sat, Oct 18, 2008 at 1:52 PM, Beavis <[email protected]> wrote:
> I'm hosting the company's site and we're not running any type of
> promotions other than the ones that we have. This is a typical
> scenario for sites that host this type of content to get attacked.
>
> If only I can get through one of those IPs and get the program that's
> running on them (bot), that will give me a clue where it goes.
>
> Attacker IPs: these guys are just persistent, they are trying to hit
> port 80 on a DNS box.
>
> On Sat, Oct 18, 2008 at 12:59 PM, Jay Coley <[email protected]> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Frank Bulk wrote:
>>> The website is "http://www.betmania.com/" and when I try to connect to it I
>>> get "Database Error: Unable to connect to the database:Could not connect to
>>> MySQL".
>>>
>>> It's not unusual for betting sites to be DDoSed for ransom.
>>
>> Also competition (rival companies) based attacks are extremely common in
>> the gambling/betting industry as well these days.
>>
>> Are you running any special promotions at the same time as your competition?
>>
>> - --J
>>
>>>
>>> Frank
>>>
>>> -----Original Message-----
>>> From: Jay Hennigan [mailto:[email protected]]
>>> Sent: Saturday, October 18, 2008 10:24 AM
>>> To: NANOG list
>>> Subject: Re: the attack continues..
>>>
>>> Beavis wrote:
>>>> Hello Lists,
>>>>
>>>> I'm still getting attacked and most of the IPs I got have been
>>>> reported, and just this morning it looks as if someone is testing my
>>>> network and sending out short TCP_SESSION requests. Now I may be
>>>> paranoid, but these past few days have been hell.. just want to know if
>>>> the folks from these IPs can help me out.
>>>>
>>>> Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start
>>>> Time,Extra Info
>>>> 184.108.40.206,47198,220.127.116.11,80,TCP_SESSION,2008-10-18
>>>> 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156
>>>> 18.104.22.168,45379,22.214.171.124,80,TCP_SESSION,2008-10-18
>>>> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>>>> 126.96.36.199,42257,188.8.131.52,80,TCP_SESSION,2008-10-18
>>>> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>>>> 184.108.40.206,4092,220.127.116.11,80,TCP_SESSION,2008-10-18
>>>> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>>>>
>>>> First 3 IPs come from AOL, I'll try to see if I can get their attention.
>>>>
>>>> Last IP is from a Wildblue Communications WBC-39.
>>>
>>> "Beavis", you're running a web server on 18.104.22.168, some sort of
>>> gambling site. Those who operate web servers generally expect traffic
>>> to TCP port 80. If you're not aware that you have a web server running,
>>> then it is most likely your machine that is infected with a bot.
>>>
>>> --
>>> Jay Hennigan - CCIE #7880 - Network Engineering - [email protected]
>>> Impulse Internet Service - http://www.impulse.net/
>>> Your local telephone and internet company - 805 884-6323 - WB6RDV
>>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.8 (Darwin)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iEYEARECAAYFAkj6MisACgkQETh+0NgvOtFHnwCfRYCU4VwNmQRXABtgem4wmWhX
>> gD8AnRSxyfM67NJKGiYVn1MNYNQ5eaSO
>> =J0JL
>> -----END PGP SIGNATURE-----
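Added example, not part of any poster's message: a triage pass over an export in the column layout quoted in the thread, separating sessions aimed at a port the victim host actually serves (the web server case) from sessions aimed at a port it does not serve (port 80 on a DNS box). The sample rows use constructed RFC 5737 addresses, and the `SERVICES` map and the `report_worthy` rule are assumptions made for illustration.

```python
import csv
import re
from collections import defaultdict

# Constructed sample in the column layout quoted in the thread; addresses are
# from the RFC 5737 documentation ranges, not the ones posted to the list.
SAMPLE = """\
Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start Time,Extra Info
192.0.2.10,47198,203.0.113.5,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156
192.0.2.11,45379,203.0.113.5,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
192.0.2.10,42257,203.0.113.5,80,TCP_SESSION,2008-10-18 14:20:49,Filtered IP: Dropped packets: 2 Dropped bytes: 104
198.51.100.7,4092,203.0.113.9,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
"""

# Assumption: which TCP ports each protected host is meant to serve.
SERVICES = {"203.0.113.5": {80}, "203.0.113.9": {53}}  # web server, DNS box

DROPPED = re.compile(r"Dropped packets: (\d+) Dropped bytes: (\d+)")

def summarize(text, services):
    """Aggregate events per source and count those whose destination
    port is not a service the victim host offers."""
    stats = defaultdict(lambda: {"events": 0, "packets": 0, "bytes": 0,
                                 "unexpected": 0})
    for row in csv.DictReader(text.splitlines()):
        s = stats[row["Attacker IP"]]
        s["events"] += 1
        m = DROPPED.search(row["Extra Info"])
        if m:
            s["packets"] += int(m.group(1))
            s["bytes"] += int(m.group(2))
        if int(row["Victim Port"]) not in services.get(row["Victim IP"], set()):
            s["unexpected"] += 1
    return dict(stats)

def report_worthy(stats):
    """Hypothetical rule: report sources that hit a port the host does not
    serve, or from which the filter actually dropped packets."""
    return sorted(ip for ip, s in stats.items()
                  if s["unexpected"] or s["packets"])

if __name__ == "__main__":
    result = summarize(SAMPLE, SERVICES)
    for ip in report_worthy(result):
        print(ip, result[ip])
```

A single zero-drop session to a served port, like the `192.0.2.11` row, is left out of the report list because it is indistinguishable from an ordinary visitor.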