It could be this attack, or maybe just developing the threat that is going to use your server for that kind of attack?

http://www.grc.com/dos/drdos.htm

Tamas

On 07/11/06, James Newton, Host wrote:

> Here is a bit more: Thinking that it must be bots waiting for instructions,
> I looked through my comment logs to see if I could find any changes on that
> page. I didn't find any on that page but...
>
> Some days ago, on a related but different page... the matching page, if you
> will (? Again, I don't want to say the page, but if the page taking hits was
> "come in" the page that was commented on would be "go out"), someone calling
> themselves "littleb@email.com" made a number of very strange comments:
>
> On 07/14 @ 14:14 from 212.243.13.48 = ip-plus.net
> 690515136 276083374
> http://www.464965820.com
>
> On 07/14 @ 14:15 from 216.126.141.44 = starnetusa.net
> 690515136 [url=http://www.330987548.com]330987548[/url]
> http://www.464965820.com
>
> On 09/07 @ 18:39 from 218.16.122.88 = gddc.com.cn
> 960998535 858578491
> http://www.619433593.com
>
> On 09/07 @ 18:41 from 168.210.90.181 = is.co.za
> 960998535 [url=http://www.269244384.com]269244384[/url]
> http://www.619433593.com
>
> Now, IP addresses can be represented as decimal numbers. E.g.
>
> 276083374 = 16.116.178.174
>
> because 174 + (178 * 256) + (116 * 65536) + (16 * 16777216) = 276083374
>
> Reverse DNS on 16.116.178.174 shows it is owned by HP.COM
>
> 330987548 = 19.186.120.28 = ford.com
>
> 858578491 = 51.44.222.59 = Department of Social Security of the UK
>
> 269244384 = 16.12.87.224 = HP.com
>
> If the leading numbers are also decimal IPs...
>
> 690515136 = 41.40.108.192 = afrinic.net
>
> 960998535 = 57.71.172.135 = equant.com
>
> And the following URLs:
>
> 464965820 = 27.182.208.188 = ??? Invalid ???
>
> 619433593 = 36.235.206.121 = ??? Invalid ???
>
> If those were more sequential in nature, I would have guessed that they were
> date/time stamps. Perhaps of when to start the attack.
>
> Now, there were no such strange hits on this other page around 09/07 but
> there were some on 07/14. Those came from only a few different IPs:
> 212.243.13.48, 216.126.141.44 mostly with one each from
> 219.131.196.122, 82.119.225.22, and 202.103.67.47 and all of those had the
> user agent string:
>
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
>
> So, the questions:
>
> - Was that a test? The bot net zombie program being developed?
>
> - Were the target IP addresses at HP, Ford and the UK DSS hit with a DoS or
> some other sort of attack?
>
> The thing is, piclist.com isn't like most wiki, blog systems. If you make a
> comment, it really does instantly go onto the HTML page, yes, but NO it is
> not shown to everyone who views that page. Yes, it IS shown to the person
> who posted the comment, but ONLY to their IP address. For example, if
> 1.2.3.4 posts "hello" on a page, that text is saved in the .htm file. And if
> 1.2.3.4 then views the page, the text is displayed to him. But if 4.3.2.1
> views that same page, the text is removed prior to being displayed. Of
> course, I was sent an email when the comment was posted, and if I approve
> it, then everyone can see it; but not until then.
>
> So it would be easy for some wannabe bot net master to think that
> piclist.com would be just the place to quickly post instructions to his bots
> without any danger that the comment would be removed. But it wouldn't work,
> because the bots could never see it.
>
> I'm going to also post this on the security news group at grc.com and cc the
> respective abuse addresses and whois record holders.
>
> Wow... I think I have access to a bot net... I just have no idea what they
> do...
>
> > -----Original Message-----
> > From: piclist-bounces@mit.edu [mailto:piclist-bounces@mit.edu] On Behalf Of James Newton, Host
> > Sent: 2006 Nov 07, Tue 11:46
> > To: 'Microcontroller discussion list - Public.'
> > Subject: [OT] A botnet is watching a page at piclist.com
> > Importance: High
> >
> > This is just weird:
> >
> > A few days ago I noticed that a page containing information that is not
> > interesting and is commonly available elsewhere was becoming very popular
> > on the site. It is now the most popular single page with 4352 hits in the
> > last 6 days. I'm not going to post the page URL here because I don't want
> > to upset what is going on with you all visiting the page. Suffice it to
> > say that the page is just about stupid and almost empty.
> >
> > Today I started looking at my server logs to see who was linking to that
> > page (expecting to find a referred-from URL in at least some of the hits)
> > and I was somewhat shocked to find that all the hits not only do not
> > specify the referrer, they are also from exactly the same user agent:
> >
> > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
> >
> > No variation at all. So I thought that some idiot had probably got his
> > site ripping engine stuck on one page. But no, the accesses are coming
> > from different IP addresses. No single IP address has ever requested the
> > page more than once. In fact, none of them have requested ANY page on my
> > server anytime in the last 7 days OTHER than this one.
> >
> > So then I thought it must be a DoS attack, but no, the volume is still
> > quite low. In fact: There has not been more than 1 access from each IP
> > address. And each IP address only hits that one page... One time...
> >
> > So think about this: Thousands of different IP addresses from all over
> > the world (mostly outside the USA) are making one request of my server
> > for a nothing page and then going away.
> >
> > These must be zombies. They are running some software that is causing
> > them to make this request on first install or once every so many days but
> > greater than the 7 days I've checked.
> >
> > Questions:
> >
> > - Is the author of the zombie planning to use my page to post updated
> > instructions to his program? Piclist.com is a wiki... I've locked the
> > page so it cannot be modified just in case, but I am still allowing it to
> > be viewed.
> >
> > - Is there some outfit that investigates things like this who would be
> > interested to know what I'm seeing?
> >
> > - If this is a zombie program is its reference to my server going to
> > implicate me? In other words, could someone who is tracking the zombie
> > and looking for the author think that it is me since the program is
> > looking here?
> >
> > - What would you do if you were me?
> >
> > ---
> > James Newton: PICList webmaster/Admin
> > mailto:jamesnewton@piclist.com 1-619-652-0593 phone
> > http://www.piclist.com/member/JMN-EFP-786
> > PIC/PICList FAQ: http://www.piclist.com
> >
> > --
> > http://www.piclist.com PIC/SX FAQ & list archive
> > View/change your membership options at
> > http://mailman.mit.edu/mailman/listinfo/piclist

--
unPIC -- The PIC Disassembler
http://unpic.sourceforge.net
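The decimal-to-dotted-quad decoding James applies in the quoted message (174 + 178*256 + 116*65536 + 16*16777216 = 276083374), as an added example that is not part of the thread: it pulls every long digit run out of the quoted comment spam, converts each one to an IPv4 address the same way, and cross-checks the result against Python's ipaddress module. The comment text is constructed from the lines quoted above; the function names are mine.

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed sample: the comment-spam body lines quoted in the thread above.
SAMPLE_COMMENTS = """\
690515136 276083374
http://www.464965820.com
690515136 [url=http://www.330987548.com]330987548[/url]
http://www.464965820.com
960998535 858578491
http://www.619433593.com
960998535 [url=http://www.269244384.com]269244384[/url]
http://www.619433593.com
"""

def decimal_to_dotted(n: int) -> str:
    """Integer -> dotted quad; same arithmetic as the thread, done with shifts."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"{n} does not fit in 32 bits")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def dotted_to_decimal(addr: str) -> int:
    """Dotted quad -> integer: d + c*256 + b*65536 + a*16777216."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"{addr!r} is not a dotted quad")
    a, b, c, d = octets
    return d + c * 256 + b * 65536 + a * 16777216

def decode_comments(text: str) -> Dict[int, Optional[str]]:
    """Map each distinct 7-10 digit run in the text to its dotted quad."""
    # Shorter runs (dates, times, octets in log headers) are skipped;
    # values above 2^32-1 cannot be IPv4 addresses and map to None.
    decoded = {}
    for token in re.findall(r"\d{7,10}", text):
        n = int(token)
        if n not in decoded:
            decoded[n] = decimal_to_dotted(n) if n <= 0xFFFFFFFF else None
    return decoded

def matches_stdlib(n: int) -> bool:
    """Cross-check the hand conversion against ipaddress.IPv4Address."""
    return decimal_to_dotted(n) == str(ipaddress.IPv4Address(n))

if __name__ == "__main__":
    for n, dotted in decode_comments(SAMPLE_COMMENTS).items():
        print(f"{n} = {dotted}  stdlib agrees: {matches_stdlib(n)}")
```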