Untitled
a guest
Aug 22nd, 2019
An IP address (109.254.170.19) under your control appears to have attacked one of our customers as part of a coordinated DDoS botnet. We manually reviewed the captures from this attack and do not believe that your IP address was spoofed, based on the limited number of distinct hosts attacking us, the identicality of many attacking IP addresses to ones we've seen in the past, and the non-random distribution of IP addresses.

It is possible that this host is one of the following, from the responses that others have sent us about previous attacks:

- A compromised router, such as a D-Link that is running with WAN access enabled; a China Telecom which still allows a default admin username and password; a Netis, with a built-in internet-accessible backdoor (http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/); or one running an old AirOS version with a vulnerable and exposed administrative interface
- An IPTV device that is vulnerable to compromise (such as HTV), either directly through the default firmware or through a trojan downloaded app
- A compromised webhost, such as one running a vulnerable version of Drupal (for instance, using the vulnerability discussed at https://groups.drupal.org/security/faq-2018-002), WordPress, phpMyAdmin, or zPanel
- A compromised DVR, such as a "Hikvision" brand device (ref: http://www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities)
- A compromised IPMI device, such as one made by Supermicro (possibly because it uses the default U/P of ADMIN/ADMIN or because its password was found through an exploit described at http://arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/)
- A compromised Xerox-branded device
- Some other compromised standalone device
- A server with an insecure password that was brute-forced, such as through SSH or RDP
- A server running an improperly secured Hadoop installation

From your side, you would be able to observe this attack as a burst of traffic that likely saturated the network adapter of the source device for approximately one to five minutes.

This is example traffic from the IP address, as interpreted by the "tcpdump" utility and captured by our router during the attack. Source and destination IP addresses, protocols, and ports are included.

Date/timestamps (at the very left) are UTC.

2019-08-22 06:15:51.950992 IP (tos 0x0, ttl 50, id 19369, offset 0, flags [DF], proto UDP (17), length 1428)
109.254.170.19.26509 > 66.85.15.x.65500: UDP, length 1400
0x0000: 4500 0594 4ba9 4000 3211 8e48 6dfe aa13 E...K.@.2..Hm...
0x0010: 4255 0f01 678d ffdc 0580 f194 6830 6c61 BU..g.......h0la
0x0020: 6334 6e63 6235 3275 3075 6e67 366a 6d75 c4ncb52u0ung6jmu
0x0030: 6272 3563 6264 6e63 6934 306e 636b 3432 br5cbdnci40nck42
0x0040: 7362 7461 6b72 646c 7361 7437 3032 3871 sbtakrdlsat7028q
0x0050: 6533 e3
2019-08-22 06:15:52.027503 IP (tos 0x0, ttl 50, id 19433, offset 0, flags [DF], proto UDP (17), length 1428)
109.254.170.19.26509 > 66.85.15.x.65500: UDP, length 1400
0x0000: 4500 0594 4be9 4000 3211 8e08 6dfe aa13 E...K.@.2...m...
0x0010: 4255 0f01 678d ffdc 0580 f194 6830 6c61 BU..g.......h0la
0x0020: 6334 6e63 6235 3275 3075 6e67 366a 6d75 c4ncb52u0ung6jmu
0x0030: 6272 3563 6264 6e63 6934 306e 636b 3432 br5cbdnci40nck42
0x0040: 7362 7461 6b72 646c 7361 7437 3032 3871 sbtakrdlsat7028q
0x0050: 6533 e3
2019-08-22 06:15:52.050382 IP (tos 0x0, ttl 50, id 19452, offset 0, flags [DF], proto UDP (17), length 1428)
109.254.170.19.26509 > 66.85.15.x.65500: UDP, length 1400
0x0000: 4500 0594 4bfc 4000 3211 8df5 6dfe aa13 E...K.@.2...m...
0x0010: 4255 0f01 678d ffdc 0580 f194 6830 6c61 BU..g.......h0la
0x0020: 6334 6e63 6235 3275 3075 6e67 366a 6d75 c4ncb52u0ung6jmu
0x0030: 6272 3563 6264 6e63 6934 306e 636b 3432 br5cbdnci40nck42
0x0040: 7362 7461 6b72 646c 7361 7437 3032 3871 sbtakrdlsat7028q
0x0050: 6533 e3
2019-08-22 06:15:52.098077 IP (tos 0x0, ttl 50, id 19491, offset 0, flags [DF], proto UDP (17), length 1428)
109.254.170.19.26509 > 66.85.15.x.65500: UDP, length 1400
0x0000: 4500 0594 4c23 4000 3211 8dce 6dfe aa13 E...L#@.2...m...
0x0010: 4255 0f01 678d ffdc 0580 f194 6830 6c61 BU..g.......h0la
0x0020: 6334 6e63 6235 3275 3075 6e67 366a 6d75 c4ncb52u0ung6jmu
0x0030: 6272 3563 6264 6e63 6934 306e 636b 3432 br5cbdnci40nck42
0x0040: 7362 7461 6b72 646c 7361 7437 3032 3871 sbtakrdlsat7028q
0x0050: 6533 e3
2019-08-22 06:15:52.108401 IP (tos 0x0, ttl 50, id 19500, offset 0, flags [DF], proto UDP (17), length 1428)
109.254.170.19.26509 > 66.85.15.x.65500: UDP, length 1400
0x0000: 4500 0594 4c2c 4000 3211 8dc5 6dfe aa13 E...L,@.2...m...
0x0010: 4255 0f01 678d ffdc 0580 f194 6830 6c61 BU..g.......h0la
0x0020: 6334 6e63 6235 3275 3075 6e67 366a 6d75 c4ncb52u0ung6jmu
0x0030: 6272 3563 6264 6e63 6934 306e 636b 3432 br5cbdnci40nck42
0x0040: 7362 7461 6b72 646c 7361 7437 3032 3871 sbtakrdlsat7028q
0x0050: 6533 e3

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "1".)

Based on the size, number of samples, and timestamps of received packets from your host in our capture, we estimate that your host was sending at least 34.3 Mbps of attack traffic at the peak of this coordinated attack. The peak of the attack may have lasted only a few seconds.

-John
President
NFOservers.com
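The following is an added example, not code from the report's author: a small parser for the "tcpdump -vX" samples quoted above that decodes each packet from its hex dump, verifies the IPv4 header checksum, cross-checks the decoded fields (total length, IP ID, TTL, protocol, ports, UDP length) against tcpdump's own summary line, and derives a send rate from the sampled packets alone. It also runs the checks a recipient would make before accepting the "not spoofed" conclusion (one source address and port, one TTL, IP IDs that only climb across the samples). It assumes the whitespace-collapsed layout of the paste (offset, 4-hex-digit words, then the ASCII column); the three embedded packets are copied verbatim from the report, and the unmasked destination octet "1" is taken from the report's own note. The UDP checksum cannot be verified because the capture kept only 82 bytes of each packet.

```python
"""Parse the tcpdump -vX samples quoted in the abuse report, verify each IP/UDP
header byte by byte, and compute a lower-bound send rate from the samples.
Added example, not the report author's code. Assumes tcpdump's "-X" layout
(offset, 4-hex-digit words, ASCII column) with whitespace collapsed as pasted."""
import re
from datetime import datetime

# Constructed input: three of the report's five packets, copied verbatim. The
# capture kept only 82 bytes of each packet, so the payload is a prefix.
SAMPLE = """\
2019-08-22 06:15:51.950992 IP (tos 0x0, ttl 50, id 19369, offset 0, flags [DF], proto UDP (17), length 1428)
109.254.170.19.26509 > 66.85.15.x.65500: UDP, length 1400
0x0000: 4500 0594 4ba9 4000 3211 8e48 6dfe aa13 E...K.@.2..Hm...
0x0010: 4255 0f01 678d ffdc 0580 f194 6830 6c61 BU..g.......h0la
0x0020: 6334 6e63 6235 3275 3075 6e67 366a 6d75 c4ncb52u0ung6jmu
0x0030: 6272 3563 6264 6e63 6934 306e 636b 3432 br5cbdnci40nck42
0x0040: 7362 7461 6b72 646c 7361 7437 3032 3871 sbtakrdlsat7028q
0x0050: 6533 e3
2019-08-22 06:15:52.027503 IP (tos 0x0, ttl 50, id 19433, offset 0, flags [DF], proto UDP (17), length 1428)
109.254.170.19.26509 > 66.85.15.x.65500: UDP, length 1400
0x0000: 4500 0594 4be9 4000 3211 8e08 6dfe aa13 E...K.@.2...m...
0x0010: 4255 0f01 678d ffdc 0580 f194 6830 6c61 BU..g.......h0la
0x0020: 6334 6e63 6235 3275 3075 6e67 366a 6d75 c4ncb52u0ung6jmu
0x0030: 6272 3563 6264 6e63 6934 306e 636b 3432 br5cbdnci40nck42
0x0040: 7362 7461 6b72 646c 7361 7437 3032 3871 sbtakrdlsat7028q
0x0050: 6533 e3
2019-08-22 06:15:52.108401 IP (tos 0x0, ttl 50, id 19500, offset 0, flags [DF], proto UDP (17), length 1428)
109.254.170.19.26509 > 66.85.15.x.65500: UDP, length 1400
0x0000: 4500 0594 4c2c 4000 3211 8dc5 6dfe aa13 E...L,@.2...m...
0x0010: 4255 0f01 678d ffdc 0580 f194 6830 6c61 BU..g.......h0la
0x0020: 6334 6e63 6235 3275 3075 6e67 366a 6d75 c4ncb52u0ung6jmu
0x0030: 6272 3563 6264 6e63 6934 306e 636b 3432 br5cbdnci40nck42
0x0040: 7362 7461 6b72 646c 7361 7437 3032 3871 sbtakrdlsat7028q
0x0050: 6533 e3
"""

HDR = re.compile(r"^(\S+ \S+) IP \(tos \S+ ttl (\d+), id (\d+),.* length (\d+)\)$")
DUMP = re.compile(r"^0x([0-9a-f]{4}):\s*(.*)$")


def ascii_col(b):
    """tcpdump's ASCII column: printable bytes as-is, everything else '.'."""
    return "".join(chr(x) if 0x20 <= x < 0x7F else "." for x in b)


def ip_checksum(hdr):
    """RFC 1071 one's-complement sum; over a valid header (checksum included) it is 0."""
    s = sum(int.from_bytes(hdr[i:i + 2], "big") for i in range(0, len(hdr), 2))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def parse_samples(text):
    """One dict per packet: the summary-line fields plus the raw captured bytes."""
    packets, cur = [], None
    for line in map(str.strip, text.splitlines()):
        h, d = HDR.match(line), DUMP.match(line)
        if h:
            cur = {"ts": datetime.strptime(h[1], "%Y-%m-%d %H:%M:%S.%f"), "ttl": int(h[2]),
                   "id": int(h[3]), "len": int(h[4]), "raw": b""}
            packets.append(cur)
        elif d and cur is not None:  # the "src.port > dst.port" line is skipped
            words, hexw = d[2].split(), []
            while words and re.fullmatch(r"[0-9a-f]{4}", words[0]):
                hexw.append(words.pop(0))
            chunk = bytes.fromhex("".join(hexw))
            # With whitespace collapsed, a trailing odd byte and a two-character ASCII
            # column ("e3") look alike; requiring the column to reproduce the bytes settles it.
            if int(d[1], 16) != len(cur["raw"]) or "".join(words) != ascii_col(chunk):
                raise ValueError("offset or ASCII column mismatch: " + line)
            cur["raw"] += chunk
    return packets


def decode(pkt):
    """Decode IPv4 + UDP headers and cross-check them against tcpdump's summary line."""
    raw = pkt["raw"]
    ihl = (raw[0] & 0x0F) * 4
    if raw[0] >> 4 != 4 or ihl < 20 or ip_checksum(raw[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    total_len, ident, ttl, proto = int.from_bytes(raw[2:4], "big"), int.from_bytes(raw[4:6], "big"), raw[8], raw[9]
    if (total_len, ident, ttl, proto) != (pkt["len"], pkt["id"], pkt["ttl"], 17):
        raise ValueError("header bytes disagree with tcpdump's summary line")
    sport, dport, ulen = (int.from_bytes(raw[i:i + 2], "big") for i in (ihl, ihl + 2, ihl + 4))
    if ulen != total_len - ihl:
        raise ValueError("UDP length does not fill the IP datagram")
    # The UDP checksum is not verifiable here: the capture truncates the payload.
    return {"src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20])),
            "sport": sport, "dport": dport, "df": bool(raw[6] & 0x40), "id": ident, "ttl": ttl,
            "payload_len": ulen - 8, "payload_prefix": raw[ihl + 8:].decode("ascii", "replace")}


def single_sender_consistent(decoded):
    """Pre-check before accepting "not spoofed": one src:port, one TTL, IP IDs only climbing."""
    ids = [d["id"] for d in decoded]
    return (len({(d["src"], d["sport"], d["ttl"]) for d in decoded}) == 1
            and all(a < b for a, b in zip(ids, ids[1:])))


def sample_rate_bps(pkts):
    """Lower bound from the sampled IP bytes over the sampled span only; the report's
    34.3 Mbps figure rests on its full capture, not on the few packets it quotes."""
    span = (pkts[-1]["ts"] - pkts[0]["ts"]).total_seconds()
    return sum(p["len"] for p in pkts) * 8 / span
```

Running decode() over the three embedded packets reproduces the fields tcpdump printed (109.254.170.19:26509 to 66.85.15.1:65500, 1400-byte UDP payloads, DF set, TTL 50) with valid header checksums, and the payload prefix starts "h0lac4ncb52u0ung6jmu". The rate from these three samples is only about 0.2 Mbps, which is why the function is documented as a lower bound: the report's estimate uses every packet in its capture.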