overall .. sorry list for putting out such a noise. -John
On Sat, Oct 18, 2008 at 1:52 PM, Beavis <[EMAIL PROTECTED]> wrote:
> I'm hosting the company's site and we're not running any type of
> promotions other than the ones that we have. This is a typical
> scenario for sites that host these type of content to get attacked.
>
> If only I can get through one of those IP's and get the program that's
> running on them (bot) that will give me a clue where it goes.
>
> Attacker IP's these guys are just persistent they are trying to hit
> port 80 on a dns box.
>
> On Sat, Oct 18, 2008 at 12:59 PM, Jay Coley <[EMAIL PROTECTED]> wrote:
>> Frank Bulk wrote:
>>> The website is "http://www.betmania.com/" and when I try to connect to it I
>>> get "Database Error: Unable to connect to the database:Could not connect to
>>> MySQL".
>>>
>>> It's not unusual for betting sites to be DDoSed for ransom.
>>
>> Also competition (rival companies) based attacks are extremely common in
>> the gambling/betting industry as well these days.
>>
>> Are you running any special promotions at the same time as your competition?
>>
>> --J
>>
>>>
>>> Frank
>>>
>>> -----Original Message-----
>>> From: Jay Hennigan [mailto:[EMAIL PROTECTED]
>>> Sent: Saturday, October 18, 2008 10:24 AM
>>> To: NANOG list
>>> Subject: Re: the attack continues..
>>>
>>> Beavis wrote:
>>>> Hello Lists,
>>>>
>>>> I'm still getting attacked and most of the IP's I got have been
>>>> reported. And just this morning it looks as if someone is testing my
>>>> network, and sending out short TCP_SESSION requests. Now I may be
>>>> paranoid but this past few days have been hell.. just want to know if
>>>> the folks from these IP's can help me out.
>>>>
>>>> Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start Time,Extra Info
>>>> 205.188.116.7,47198,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156
>>>> 205.188.117.134,45379,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>>>> 205.188.117.137,42257,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>>>> 75.105.128.38,4092,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>>>>
>>>> First 3 IP's come from AOL, I'll try to see if I can get their attention.
>>>>
>>>> Last IP is from a Wildblue Communications WBC-39.
>>>
>>> "Beavis", you're running a web server on 200.0.179.73, some sort of
>>> gambling site. Those who operate web servers generally expect traffic
>>> to TCP port 80. If you're not aware that you have a web server running,
>>> then it is most likely your machine that is infected with a bot.
>>>
>>> --
>>> Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
>>> Impulse Internet Service - http://www.impulse.net/
>>> Your local telephone and internet company - 805 884-6323 - WB6RDV