Untitled

a guest
Oct 1st, 2014
Please review the following abuse complaint and provide us with a resolution:

******************************
An IP address (198.199.98.103) under your control appears to have attacked one of our customers as part of a coordinated DDoS botnet. We manually reviewed the captures from this attack and do not believe that your IP address was spoofed, based on the limited number of distinct hosts attacking us, the identicality of many attacking IP addresses to ones we've seen in the past, and the non-random distribution of IP addresses.

It is likely that this host is one of the following, from the responses that others have sent us:

- A compromised DVR, such as a "Hikvision" brand device (ref: http://www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities)
- A compromised IPMI device, such as one made by Supermicro (possibly because it uses the default U/P of ADMIN/ADMIN or because its password was found through an exploit described at http://arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/)
- A compromised router, such as one made by China Telecom which still allows a default admin username and password; one by Netis, with its built-in internet-accessible backdoor; or one running an old AirOS version with its exposed administrative interface
- A compromised Xerox-branded device
- Some other compromised standalone device
- A compromised webhost, such as one running a vulnerable version of WordPress or phpMyAdmin
- A compromised client, such as one running a vulnerable web browser susceptible to a Java exploit

The actual attack consisted of packets with specific distinguishing characteristics. This is example traffic from the IP address, as put out by the "tcpdump" utility and captured by our router during the attack.

Timestamps (at the very left) are PDT (UTC-7), and the date is 2014-10-01.

19:52:58.438168 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto UDP (17), length 628)
198.199.98.103.49970 > 192.223.26.x.64813: UDP, length 600
0x0000: 4500 0274 0000 4000 3a11 3a19 c6c7 6267 E..t..@.:.:...bg
0x0010: c0df 1a52 c332 fd2d 0260 826c 4d57 5744 ...R.2.-.`.lMWWD
0x0020: 4746 434d 534d 4643 4859 4955 4956 595a GFCMSMFCHYIUIVYZ
0x0030: 5545 5343 5a55 4453 434f 4542 4154 5159 UESCZUDSCOEBATQY
0x0040: 4b55 4441 564d 5549 5954 574a 5151 594f KUDAVMUIYTWJQQYO
0x0050: 5853 XS
19:52:58.438222 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto UDP (17), length 628)
198.199.98.103.49970 > 192.223.26.x.64813: UDP, length 600
0x0000: 4500 0274 0000 4000 3a11 3a19 c6c7 6267 E..t..@.:.:...bg
0x0010: c0df 1a52 c332 fd2d 0260 826c 4d57 5744 ...R.2.-.`.lMWWD
0x0020: 4746 434d 534d 4643 4859 4955 4956 595a GFCMSMFCHYIUIVYZ
0x0030: 5545 5343 5a55 4453 434f 4542 4154 5159 UESCZUDSCOEBATQY
0x0040: 4b55 4441 564d 5549 5954 574a 5151 594f KUDAVMUIYTWJQQYO
0x0050: 5853 XS
19:52:58.438236 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto UDP (17), length 628)
198.199.98.103.49970 > 192.223.26.x.64813: UDP, length 600
0x0000: 4500 0274 0000 4000 3a11 3a19 c6c7 6267 E..t..@.:.:...bg
0x0010: c0df 1a52 c332 fd2d 0260 826c 4d57 5744 ...R.2.-.`.lMWWD
0x0020: 4746 434d 534d 4643 4859 4955 4956 595a GFCMSMFCHYIUIVYZ
0x0030: 5545 5343 5a55 4453 434f 4542 4154 5159 UESCZUDSCOEBATQY
0x0040: 4b55 4441 564d 5549 5954 574a 5151 594f KUDAVMUIYTWJQQYO
0x0050: 5853 XS

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "82".)

-John
President
Nuclearfallout, Enterprises, Inc. (NFOservers.com)

(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)
******************************

Please note that generating multiple abuse complaints in a short period of time may lead to your account being suspended.
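The three packets quoted in the notice carry identical bytes, and the hex dump alone lets the recipient confirm what the notice asserts (source address and port, IP ID 0, DF set, 628-byte datagrams, a payload made of capital letters) before touching the host. The script below is an added example for the responder handling such a complaint; it is not part of the notice and is not NFOservers' tooling. Its only input is the hex dump copied from the notice above; the function names and the field names in the returned dictionary are this example's own choices.

```python
"""Decode the tcpdump -x packets quoted in the notice above (added example; not
part of the notice and not NFOservers' tooling). Input is the hex dump copied
from the notice; function and field names are this example's own."""
import re
import struct
from collections import Counter
from ipaddress import IPv4Address

# One packet's hex dump, copied verbatim from the notice; all three quoted
# packets carry identical bytes, so this text stands in for each of them.
QUOTED_DUMP = """\
0x0000: 4500 0274 0000 4000 3a11 3a19 c6c7 6267 E..t..@.:.:...bg
0x0010: c0df 1a52 c332 fd2d 0260 826c 4d57 5744 ...R.2.-.`.lMWWD
0x0020: 4746 434d 534d 4643 4859 4955 4956 595a GFCMSMFCHYIUIVYZ
0x0030: 5545 5343 5a55 4453 434f 4542 4154 5159 UESCZUDSCOEBATQY
0x0040: 4b55 4441 564d 5549 5954 574a 5151 594f KUDAVMUIYTWJQQYO
0x0050: 5853 XS"""

OFFSET_LINE = re.compile(r"^\s*0x([0-9a-f]+):\s*(.*)$")
HEX_WORD = re.compile(r"^(?:[0-9a-f]{4}|[0-9a-f]{2})$")


def parse_hexdump(text):
    """Rebuild the captured bytes from tcpdump -x lines: take the lowercase hex
    words after the offset (at most 16 bytes per line), skip the ASCII column,
    and require each offset to continue the previous line so a mangled or
    reordered dump is reported instead of silently accepted."""
    data = bytearray()
    for line in text.splitlines():
        m = OFFSET_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(data):
            raise ValueError(f"offset 0x{offset:04x} does not follow 0x{len(data):04x}")
        for tok in m.group(2).split():
            if len(data) - offset >= 16 or not HEX_WORD.match(tok):
                break  # reached the ASCII column
            data += bytes.fromhex(tok)
    return bytes(data)


def ipv4_header_checksum(header):
    """RFC 791 one's-complement sum over a header with its checksum bytes zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_packet(raw):
    """Decode IPv4 and UDP headers into the fields the notice points at. The
    dump may be shorter than the IP total length (82 of 628 bytes above), so
    the payload is reported as truncated rather than assumed complete."""
    if len(raw) < 20:
        raise ValueError("not enough bytes for an IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, stored_csum = \
        struct.unpack("!BBHHHBBH", raw[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    header = bytearray(raw[:ihl])
    header[10:12] = b"\x00\x00"
    info = {
        "src": str(IPv4Address(raw[12:16])), "dst": str(IPv4Address(raw[16:20])),
        "total_length": total_len, "identification": ident,
        "df": bool(flags_frag & 0x4000), "ttl": ttl, "protocol": proto,
        "header_checksum_ok": ipv4_header_checksum(bytes(header)) == stored_csum,
        "captured_bytes": len(raw),
    }
    if proto == 17 and len(raw) >= ihl + 8:
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
        payload = raw[ihl + 8:]
        info.update({
            "sport": sport, "dport": dport, "udp_length": ulen,
            "payload_seen": len(payload),
            "payload_truncated": len(payload) < ulen - 8,
            # Nothing but capital letters: a marker of generated filler, not
            # of any real application protocol.
            "payload_all_caps": payload.isalpha() and payload.isupper(),
        })
    return info


def fingerprint(info):
    """The fields that, held constant across packets, make a flood recognisable."""
    return (info["src"], info.get("sport"), info.get("dport"), info["identification"],
            info["df"], info["total_length"], info.get("udp_length"))


def summarize(dumps):
    """Decode several dumps and count how many distinct fingerprints they show."""
    infos = [decode_packet(parse_hexdump(d)) for d in dumps]
    return infos, Counter(fingerprint(i) for i in infos)


if __name__ == "__main__":
    infos, counts = summarize([QUOTED_DUMP] * 3)
    for key, value in sorted(infos[0].items()):
        print(f"{key:>20}: {value}")
    print("distinct fingerprints across the three packets:", len(counts))
```

Run as a script it prints the decoded fields and reports a single fingerprint shared by all three packets. Two details matter in practice: the dump holds 82 of the 628 bytes, so the parser marks the payload as truncated instead of treating the 54 visible letters as the whole datagram, and the destination address is present in full in the hex (the words c0df 1a52 decode to 192.223.26.82), which agrees with the octet the notice gives separately and serves as a cross-check when a dump and a masked address disagree.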