the attack continues..

Hello Lists,

    I'm still getting attacked and most of the IPs I got have been
reported. And just this morning it looks as if someone is testing my
network and sending out short TCP_SESSION requests. Now I may be
paranoid, but these past few days have been hell. I just want to know if
the folks from these IPs can help me out.

Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start Time,Extra Info
205.188.116.7,47198,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156
205.188.117.134,45379,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
205.188.117.137,42257,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
75.105.128.38,4092,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0

First 3 IPs come from AOL; I'll try to see if I can get their attention.

Last IP is from a Wildblue Communications WBC-39.

I wanted to see if it's possible to get a sample of the "bots" that
they're using against me. I know... it's a long shot, but any help will
be greatly appreciated.

thanks,
John Lopez

Beavis wrote:

[...]

"Beavis", you're running a web server on 200.0.179.73, some sort of gambling site. Those who operate web servers generally expect traffic to TCP port 80. If you're not aware that you have a web server running, then it is most likely your machine that is infected with a bot.

The website is "http://www.betmania.com/" and when I try to connect to it I
get "Database Error: Unable to connect to the database:Could not connect to
MySQL".

It's not unusual for betting sites to be DDoSed for ransom.

Frank

GW10.MIA4.ALTER.NET (152.63.81.53) 54.482 ms 54.665 ms
8 (63.65.190.126) 54.949 ms 54.774 ms 55.035 ms
9 s-1-0-0-nmi-core01.nwnnetwork.net (63.245.5.65) 58.575 ms 56.288 ms 58.745 ms
10 ge-2-0-nmi-edge03.nwnnetwork.net (63.245.5.21)

I would also venture to guess that vbz/uunet would be willing to help
if the site's provider (nwnnetwork.net) would call and ask for
support...

Frank Bulk wrote:

[...]

Also, competition-based attacks (rival companies) are extremely common in
the gambling/betting industry these days.

Are you running any special promotions at the same time as your competition?

- --J

I'm hosting the company's site and we're not running any type of
promotions other than the ones that we have. This is a typical
scenario: sites that host this type of content get attacked.

If only I could get through to one of those IPs and get the program that's
running on them (the bot); that would give me a clue where it goes.

Attacker IPs: these guys are just persistent; they are trying to hit
port 80 on a DNS box.

92.124.174.10
89.252.28.60
91.124.110.98
98.25.64.170
92.112.229.94
75.186.69.225
89.113.48.227
87.103.174.101
84.47.161.244
89.169.111.90
92.112.145.158
85.141.238.233
91.202.109.72
89.222.217.116
193.109.241.45
212.192.251.11
213.252.64.74
91.200.8.6
92.113.10.101
200.11.153.142
80.55.213.118
200.43.3.153

Overall... sorry, list, for putting out such noise.

-John

Well, good luck with all that -- it would appear that all of the hosts
attacking you are botnet'ed residential broadband machines:

92.124.174.10 -PTR-> host-92-124-174-10.pppoe.omsknet.ru
89.252.28.60 -PTR-> NXDOMAIN
91.124.110.98 -PTR-> 98-110-124-91.pool.ukrtel.net
98.25.64.170 -PTR-> cpe-098-025-064-170.sc.res.rr.com
92.112.229.94 -PTR-> 94-229-112-92.pool.ukrtel.net
75.186.69.225 -PTR-> cpe-75-186-69-225.cinci.res.rr.com
89.113.48.227 -PTR-> 89-113-48-227.nat.dsl.orel.ru
87.103.174.101 -PTR-> 87-103-174-101.pppoe.irtel.ru
84.47.161.244 -PTR-> 84-47-161-244.apmt.ru

[...]

- - ferg
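A small triage script of the kind ferg's PTR lookups suggest, added here as an example and not part of anyone's post in the thread. It embeds the PTR answers quoted above as constructed offline sample data (resolve_ptr does a live lookup if you want one), flags residential-looking naming using an assumed token list (pppoe, pool, cpe, res, dsl, nat and similar are a heuristic, not a standard), detects PTRs that merely spell out the address, and groups results by the PTR's last two labels as a naive stand-in for the abuse-contact domain.

```python
import re
import socket
from collections import defaultdict

# Constructed sample: the attacker IPs John posted, paired with the PTR
# answers ferg quoted for the first nine. Embedded so the script runs
# offline; None stands for NXDOMAIN.
SAMPLE_PTRS = {
    "92.124.174.10": "host-92-124-174-10.pppoe.omsknet.ru",
    "89.252.28.60": None,
    "91.124.110.98": "98-110-124-91.pool.ukrtel.net",
    "98.25.64.170": "cpe-098-025-064-170.sc.res.rr.com",
    "92.112.229.94": "94-229-112-92.pool.ukrtel.net",
    "75.186.69.225": "cpe-75-186-69-225.cinci.res.rr.com",
    "89.113.48.227": "89-113-48-227.nat.dsl.orel.ru",
    "87.103.174.101": "87-103-174-101.pppoe.irtel.ru",
    "84.47.161.244": "84-47-161-244.apmt.ru",
}

# Assumed heuristic: label fragments access ISPs commonly put in PTR
# records for customer lines. Not a standard, just what the thread shows.
RESIDENTIAL_TOKENS = {"pppoe", "pool", "cpe", "res", "dsl", "adsl", "nat",
                      "dyn", "dynamic", "dhcp", "cable", "dialup"}


def resolve_ptr(ip):
    """Live reverse lookup; returns None on NXDOMAIN or no answer."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def residential_tokens(name):
    """RESIDENTIAL_TOKENS that occur as a whole label or a '-'-separated part."""
    parts = set()
    for label in name.lower().split("."):
        parts.update(label.split("-"))
    return sorted(parts & RESIDENTIAL_TOKENS)


def ip_embedded_in_name(ip, name):
    """True if every octet appears in the PTR (any order, zero-padding
    tolerated): a sign of auto-generated per-address records."""
    numbers = {n.lstrip("0") or "0" for n in re.findall(r"\d+", name)}
    return all(octet in numbers for octet in ip.split("."))


def classify(ip, name):
    """Coarse bucket for one source: no-ptr, residential, addressed-host, other."""
    if name is None:
        return "no-ptr"
    if residential_tokens(name):
        return "residential"
    if ip_embedded_in_name(ip, name):
        return "addressed-host"
    return "other"


def abuse_domain(name):
    """Naive grouping key: last two labels. Fine for the .ru/.net/.com
    names here; use a public-suffix list for anything broader."""
    return ".".join(name.lower().split(".")[-2:])


def triage(ptr_map):
    """Count classifications per ISP domain, for batching abuse reports."""
    by_domain = defaultdict(lambda: defaultdict(int))
    for ip, name in ptr_map.items():
        key = abuse_domain(name) if name else "(no PTR)"
        by_domain[key][classify(ip, name)] += 1
    return {d: dict(c) for d, c in by_domain.items()}


if __name__ == "__main__":
    for ip, name in SAMPLE_PTRS.items():
        print(f"{ip:16} {classify(ip, name):15} {name or 'NXDOMAIN'}")
    for domain, counts in sorted(triage(SAMPLE_PTRS).items()):
        print(domain, counts)
```

To run it against the remaining addresses John listed, build the map with `{ip: resolve_ptr(ip) for ip in ips}`; the grouping then tells you which ISPs' abuse desks are worth a single consolidated report rather than one mail per host.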