Infected list

Here is a list of the compromised machines used in this new botnet we found in California. These are all web servers connected to good bandwidth and they are attacking us, so as a nice little holiday gift to me, please clean your network up if these are on your network. :slight_smile:

Hi, NANOGers.

Here is Barrett's list, including and sorted by ASN.

Thanks,
Rob.

And even that won't be sufficient for many networks to take action.

A lot of people provide lists of the IPs that spam/attack/etc them,
but do not provide the actual time. Since many "consumer" networks
are running DHCP, they will have no way to know which of their many
customers using the claimed IP on the day in question was actually
an attacker, and so they will almost certainly ignore such a report.

To get action, lists of compromised (etc) systems NEED to include:
Date/Time (preferably UTC), exact IP (as hostnames can have multiple
A-records) and AS number.

] To get action, lists of compromised (etc) systems NEED to include:
] Date/Time (preferably UTC), exact IP (as hostnames can have multiple
] A-records) and AS number.

Agreed! We presumed it in this case, as the attack was "on-going."
I really should have included the immediate timestamp, now that I
think about it. Doh!

Not to mention that many IP's may be set to one device, yet there are
multiple things NAT'd behind it.

Perhaps they're even non-related folks. Do we go after the ISP, the smaller
ISP, the Starbucks WiFi hotspot (example), or the user with the compromised
laptop that plugged in at whatever time that was???

Scott

* Barrett G. Lyon:

Here is a list of the compromised machines used in this new botnet we
found in California. These are all web servers connected to good
bandwidth and they are attacking us, so as a nice little holiday gift
to me, please clean your network up if these are on your network. :slight_smile:

It's usually better not to run DNS resolution on the IP addresses you
have because DNS is so volatile[1]. Mapping host names to IP address
is rather expensive, too, and the casual bot-hunter may not have the
necessary tools. (And I doubt that many bot hunters work at
web-hosting companies...)

Timestamps are usually required to pin-point an attack, but if the
compromised hosts are mostly largish web servers, they should have
static IP addresses and some kind of accounting where you can see that
something went terribly wrong.

[1] I assume you have verified those host names using a forward
    lookup. Relying on PTR records alone is not a good idea.

* Scott Morris:

Not to mention that many IP's may be set to one device, yet there are
multiple things NAT'd behind it.

Are there any devices which perform non-static NAT and can forward
significant DoS traffic? :sunglasses: Perhaps if it's just a single flow, but
this kind of DoS traffic would be rather unusual.
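The two points raised in the thread, that an actionable report needs a UTC date/time, the exact IP and the AS number, and that PTR names should be verified with a forward lookup before anyone relies on them, as an added example that is not code from anyone in the thread. The DNS and ASN lookups are injectable hooks so the check can run offline; the defaults use the socket module, and the ASN source is left to the caller since the thread names none.

```python
from __future__ import annotations

import ipaddress
import socket
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

# Default DNS hooks use the real resolver; tests and offline runs inject stubs.
def default_forward(name: str) -> set[str]:
    """All IPv4 A records for a name (a host can legitimately have several)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def default_reverse(ip: str) -> Optional[str]:
    """PTR name for an address, or None when there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def fcrdns(ip: str, forward=default_forward, reverse=default_reverse):
    """Forward-confirmed reverse DNS: keep a PTR name only if it resolves back to ip."""
    name = reverse(ip)
    return name, (name is not None and ip in forward(name))

@dataclass(frozen=True)
class Report:
    when_utc: str          # ISO 8601 in UTC, so DHCP/NAT operators can match leases
    ip: str                # the exact address observed, never just a hostname
    asn: str               # "AS64496"-style value from the caller's lookup, or "unknown"
    ptr: Optional[str]     # PTR name, reported only when forward-confirmed
    ptr_confirmed: bool

def build_report(when: datetime, ip: str, asn_of: Callable[[str], Optional[str]],
                 forward=default_forward, reverse=default_reverse) -> Report:
    if when.tzinfo is None:
        raise ValueError("observation time must be timezone-aware")
    addr = str(ipaddress.ip_address(ip))            # rejects hostnames and garbage
    when_utc = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    name, ok = fcrdns(addr, forward, reverse)
    return Report(when_utc, addr, asn_of(addr) or "unknown", name if ok else None, ok)

def format_report(reports: list[Report]) -> list[str]:
    """One line per host, sorted by ASN then IP, as the thread asks for."""
    rows = sorted(reports, key=lambda r: (r.asn, int(ipaddress.ip_address(r.ip))))
    return [f"{r.when_utc} {r.ip} {r.asn} {r.ptr or '-'}" for r in rows]
```

A PTR name whose forward lookup does not contain the observed address is dropped from the report rather than passed on, so the receiving network only sees names that actually point at the host in question.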

Irregardless of that, I always thought the whole point of a DDoS attack was
quantity of hosts, not relying on quality of connection.

I thought we were theorizing anyway. :wink: