[108703] in North American Network Operators' Group
RE: the attack continues..
daemon@ATHENA.MIT.EDU (Frank Bulk)
Sat Oct 18 12:17:12 2008
From: "Frank Bulk" <frnkblk@iname.com>
To: "NANOG list" <nanog@nanog.org>
In-Reply-To: <48F9FFA9.8070906@west.net>
Date: Sat, 18 Oct 2008 11:16:46 -0500
Errors-To: nanog-bounces@nanog.org

The website is "http://www.betmania.com/" and when I try to connect to it I
get "Database Error: Unable to connect to the database:Could not connect to
MySQL".

It's not unusual for betting sites to be DDoSed for ransom.

Frank

-----Original Message-----
From: Jay Hennigan [mailto:jay@west.net]
Sent: Saturday, October 18, 2008 10:24 AM
To: NANOG list
Subject: Re: the attack continues..
Beavis wrote:
> Hello Lists,
>
> I'm still getting attacked and most of the IPs I got have been
> reported. And just this morning it looks as if someone is testing my
> network and sending out short TCP_SESSION requests. Now I may be
> paranoid but these past few days have been hell. Just want to know if
> the folks from these IPs can help me out.
>
> Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start
> Time,Extra Info
> 205.188.116.7,47198,200.0.179.73,80,TCP_SESSION,2008-10-18
> 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156
> 205.188.117.134,45379,200.0.179.73,80,TCP_SESSION,2008-10-18
> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
> 205.188.117.137,42257,200.0.179.73,80,TCP_SESSION,2008-10-18
> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
> 75.105.128.38,4092,200.0.179.73,80,TCP_SESSION,2008-10-18
> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>
> First 3 IPs come from AOL, I'll try to see if I can get their attention.
>
> Last IP is from a Wildblue Communications WBC-39.
"Beavis", you're running a web server on 200.0.179.73, some sort of
gambling site. Those who operate web servers generally expect traffic
to TCP port 80. If you're not aware that you have a web server running,
then it is most likely your machine that is infected with a bot.
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
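
An added example, not part of any message in this thread: a triage script for a mitigation log in the column layout quoted above. It rejoins records that the mail client wrapped, then counts per source how many sessions went to a port the host is meant to serve versus any other port, which is the distinction the reply draws. The served-port set, the function names and the sample rows are assumptions made for the illustration.

```python
import csv
import re
from collections import defaultdict

# Constructed sample in the column layout quoted above; the addresses are
# RFC 5737 documentation ranges, not the ones from the thread.
SAMPLE = """\
> Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start
> Time,Extra Info
> 192.0.2.7,47198,198.51.100.73,80,TCP_SESSION,2008-10-18
> 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156
> 192.0.2.7,47201,198.51.100.73,80,TCP_SESSION,2008-10-18
> 14:20:49,Filtered IP: Dropped packets: 0 Dropped bytes: 0
> 203.0.113.38,4092,198.51.100.73,23,TCP_SESSION,2008-10-18
> 14:20:50,Filtered IP: Dropped packets: 2 Dropped bytes: 104
"""

SERVED_PORTS = {80}  # assumption: the ports this host intentionally serves
FIELDS = 7           # columns in the header quoted above
DROPPED = re.compile(r"Dropped packets: (\d+) Dropped bytes: (\d+)")


def unwrap(text):
    """Strip '> ' quoting and rejoin records split across wrapped lines."""
    records, buf = [], ""
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if not line:
            continue
        buf = f"{buf} {line}" if buf else line
        if buf.count(",") >= FIELDS - 1:  # record complete: 7 fields
            records.append(buf)
            buf = ""
    return records


def triage(text):
    """Per source IP: sessions to served vs. unserved ports, packets dropped."""
    summary = defaultdict(lambda: {"served": 0, "unserved": 0, "dropped_packets": 0})
    for row in csv.DictReader(unwrap(text)):
        entry = summary[row["Attacker IP"]]
        bucket = "served" if int(row["Victim Port"]) in SERVED_PORTS else "unserved"
        entry[bucket] += 1
        match = DROPPED.search(row["Extra Info"])
        if match:
            entry["dropped_packets"] += int(match.group(1))
    return dict(summary)

print(triage(SAMPLE))
```

Sources that appear only in the "served" bucket with few or no dropped packets look like ordinary client traffic to a published service; the "unserved" bucket is where to look first.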