"Compromised host from IP"?

Status
Not open for further replies.

Chadi (Explorer; joined Aug 24, 2012; 74 messages)
I got this email from nfoservers.com. Baffled?

An IP address (xx.xx.xx.107) under your control appears to have attacked one of our customers as part of a coordinated DDoS botnet. We manually reviewed the captures from this attack and do not believe that your IP address was spoofed, based on the limited number of distinct hosts attacking us, the identicality of many attacking IP addresses to ones we've seen in the past, and the non-random distribution of IP addresses.

It is likely that this host is one of the following, from the responses that others have sent us:

- A compromised DVR, such as a "Hikvision" brand device (ref: http://www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities)
- A compromised IPMI device, such as one made by Supermicro (possibly because it uses the default U/P of ADMIN/ADMIN or because its password was found through an exploit described at http://arstechnica.com/security/201...-admin-passwords-in-the-clear-advisory-warns/)
- A compromised router, such as one made by China Telecom which still allows a default admin username and password; one by Netis, with its built-in internet-accessible backdoor; or one running an old AirOS version with its exposed administrative interface
- A compromised Xerox-branded device
- Some other compromised standalone device
- A compromised webhost, such as one running a vulnerable version of WordPress, phpMyAdmin, or zPanel
- A compromised client, such as one running a vulnerable web browser susceptible to a Java exploit
- A server with an insecure password that was brute-forced, such as through SSH or RDP

The actual attack consisted of packets with specific distinguishing characteristics. This is example traffic from the IP address, as put out by the "tcpdump" utility and captured by our router during the attack.

Date/timestamps (at the very left) are UTC.

2016-01-14 07:25:36.144169 IP (tos 0x48, ttl 49, id 0, offset 0, flags [DF], proto UDP (17), length 628)
    xx.xx.xx.107.2323 > 95.172.92.x.25200: UDP, length 600
        0x0000:  4548 0274 0000 4000 3111 ea1e 4040 606b  EH.t..@.1...@@`k
        0x0010:  5fac 5cbb 0913 6270 0260 1e83 474e 5948  _.\...bp.`..GNYH
        0x0020:  5a4d 4946 5a55 5842 574d 5056 4156 5259  ZMIFZUXBWMPVAVRY
        0x0030:  434e 4659 4e56 4949 5644 4952 5853 594e  CNFYNVIIVDIRXSYN
        0x0040:  4c45 485a 4359 5848 4f4a 5041 4f52 524d  LEHZCYXHOJPAORRM
        0x0050:  4254                                     BT
2016-01-14 07:25:36.144297 IP (tos 0x48, ttl 49, id 0, offset 0, flags [DF], proto UDP (17), length 628)
    xx.xx.xx.107.2323 > 95.172.92.x.25200: UDP, length 600
        0x0000:  4548 0274 0000 4000 3111 ea1e 4040 606b  EH.t..@.1...@@`k
        0x0010:  5fac 5cbb 0913 6270 0260 1e83 474e 5948  _.\...bp.`..GNYH
        0x0020:  5a4d 4946 5a55 5842 574d 5056 4156 5259  ZMIFZUXBWMPVAVRY
        0x0030:  434e 4659 4e56 4949 5644 4952 5853 594e  CNFYNVIIVDIRXSYN
        0x0040:  4c45 485a 4359 5848 4f4a 5041 4f52 524d  LEHZCYXHOJPAORRM
        0x0050:  4254                                     BT
2016-01-14 07:25:36.144378 IP (tos 0x48, ttl 49, id 0, offset 0, flags [DF], proto UDP (17), length 628)
    xx.xx.xx.107.2323 > 95.172.92.x.25200: UDP, length 600
        0x0000:  4548 0274 0000 4000 3111 ea1e 4040 606b  EH.t..@.1...@@`k
        0x0010:  5fac 5cbb 0913 6270 0260 1e83 474e 5948  _.\...bp.`..GNYH
        0x0020:  5a4d 4946 5a55 5842 574d 5056 4156 5259  ZMIFZUXBWMPVAVRY
        0x0030:  434e 4659 4e56 4949 5644 4952 5853 594e  CNFYNVIIVDIRXSYN
        0x0040:  4c45 485a 4359 5848 4f4a 5041 4f52 524d  LEHZCYXHOJPAORRM
        0x0050:  4254                                     BT

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "187".)
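
The three excerpts in the report are identical apart from the timestamp (three 628-byte datagrams inside about 200 microseconds), so decoding one is enough. What follows is an added example of mine, not part of the thread or of the abuse report: it turns the tcpdump -x hex dump back into bytes, decodes the IPv4 and UDP headers, recomputes the IP header checksum, and tests the packet against the characteristics the report names (UDP 2323 to 25200, 600 bytes of payload made of uppercase letters, DF set, IP ID 0, TTL 49). The hex lines are copied from the first packet above; only the first 82 bytes of each packet were captured, so the payload test can only run over the 54 bytes present.

```python
"""Decode a tcpdump -x hex dump and check it against the flood signature
described in the abuse report.  Added example, not from the thread."""
import ipaddress
import re
import struct

# Hex dump of the first packet, copied from the abuse report (capture
# truncated at 82 bytes, i.e. 54 of the 600 payload bytes).
TCPDUMP_HEX = r"""
0x0000: 4548 0274 0000 4000 3111 ea1e 4040 606b EH.t..@.1...@@`k
0x0010: 5fac 5cbb 0913 6270 0260 1e83 474e 5948 _.\...bp.`..GNYH
0x0020: 5a4d 4946 5a55 5842 574d 5056 4156 5259 ZMIFZUXBWMPVAVRY
0x0030: 434e 4659 4e56 4949 5644 4952 5853 594e CNFYNVIIVDIRXSYN
0x0040: 4c45 485a 4359 5848 4f4a 5041 4f52 524d LEHZCYXHOJPAORRM
0x0050: 4254 BT
"""

HEX_LINE = re.compile(r"\s*0x([0-9a-f]{4}):\s*(.*)$")
HEX_GROUP = re.compile(r"[0-9a-f]{2}(?:[0-9a-f]{2})?")  # 16-bit group, or a lone trailing byte


def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump -x/-X output.  Each line is an
    offset, up to eight hex groups, then an ASCII column that is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"non-contiguous dump at offset {m.group(1)}")
        for tok in m.group(2).split()[:8]:
            if not HEX_GROUP.fullmatch(tok):
                break  # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum; over a header with a valid checksum it yields 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_ipv4_udp(pkt: bytes) -> dict:
    """Decode the IPv4 header and, for protocol 17, the UDP header."""
    ver_ihl, tos, total_len, ip_id, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    info = {
        "tos": tos, "total_len": total_len, "ip_id": ip_id,
        "df": bool(flags_frag & 0x4000), "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "proto": proto,
        "header_checksum_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }
    if proto == 17:
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
        info.update({"sport": sport, "dport": dport,
                     "udp_payload_len": ulen - 8,       # length claimed by the header
                     "payload_captured": pkt[ihl + 8:]})  # what the snaplen kept
    return info


def matches_report(info: dict) -> dict:
    """One boolean per characteristic the report calls out, so a partial
    match (e.g. same ports but a different payload) stays visible."""
    payload = info.get("payload_captured", b"")
    return {
        "udp": info["proto"] == 17,
        "ports_2323_to_25200": info.get("sport") == 2323 and info.get("dport") == 25200,
        "payload_600_bytes": info.get("udp_payload_len") == 600,
        "payload_uppercase_letters": bool(payload) and all(0x41 <= b <= 0x5A for b in payload),
        "df_set_id_zero": info["df"] and info["ip_id"] == 0,
        "ttl_49": info["ttl"] == 49,
        "header_checksum_ok": info["header_checksum_ok"],
    }


PACKET = parse_tcpdump_hex(TCPDUMP_HEX)
INFO = decode_ipv4_udp(PACKET)
CHECKS = matches_report(INFO)

if __name__ == "__main__":
    for key, value in INFO.items():
        if key != "payload_captured":
            print(f"{key:20} {value}")
    print("captured payload:   ", INFO["payload_captured"].decode("ascii"))
    print("matches report:     ", all(CHECKS.values()), CHECKS)
```

The header checksum passing only shows that the excerpt reached the forum intact; it says nothing about spoofing, which the report argues from the population of sources rather than from any single packet. The same decoder can be pointed at your own `tcpdump -nn -x udp and port 25200` output on the suspect host to confirm whether the traffic is still leaving it.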
 

tvsjr (Guru; joined Aug 29, 2015; 959 messages)
Do you own the IP mentioned? If so, something behind that IP is compromised... now it's on you to figure out what that is.
 

Chadi (Explorer; joined Aug 24, 2012; 74 messages)
Yes, I own it, and it belongs to the IPMI interface on the NAS server (Supermicro IPMI).
 

tvsjr (Guru; joined Aug 29, 2015; 959 messages)
IPMI is a horribly insecure protocol that has no business being accessible from the public Internet. If that's the only thing behind this IP, then you should consider that box 0wned.

IPMI needs to live on an internal/management network. If you want to access it remotely, do so via a VPN.
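
Once the BMC has been moved behind a VPN, the cheapest way to confirm from outside that it is really gone is to send it the same RMCP/ASF Presence Ping that ipmitool and Internet-wide scanners use on UDP/623: a BMC that answers is still exposed. The following is an added example of mine, not code from the thread; the packet layout is the ASF presence ping/pong defined in the IPMI 2.0 specification, and the pong used for the offline test is constructed here, not captured from any device.

```python
"""Build an RMCP/ASF Presence Ping for UDP/623 and parse the Pong a BMC
returns.  Added example, not from the thread."""
import socket
import struct
import sys

RMCP_PORT = 623
ASF_IANA = 0x000011BE           # IANA enterprise number used by ASF messages
ASF_PING, ASF_PONG = 0x80, 0x40  # ASF message types


def build_presence_ping(tag: int = 0x2A) -> bytes:
    # RMCP header: version 6, reserved, sequence 0xFF (no RMCP ACK wanted), class 6 = ASF
    rmcp = struct.pack("!BBBB", 0x06, 0x00, 0xFF, 0x06)
    # ASF header: IANA, message type, message tag, reserved, data length (0 for a ping)
    asf = struct.pack("!IBBBB", ASF_IANA, ASF_PING, tag & 0xFF, 0x00, 0x00)
    return rmcp + asf


def parse_presence_pong(data: bytes, expected_tag: int) -> dict:
    """Validate a pong and return what the BMC claims to support."""
    if len(data) < 28:
        raise ValueError(f"short pong: {len(data)} bytes")
    ver, _res, _seq, cls = struct.unpack("!BBBB", data[:4])
    if ver != 0x06 or cls & 0x1F != 0x06:
        raise ValueError("not an RMCP/ASF message")
    iana, mtype, tag, _res2, dlen = struct.unpack("!IBBBB", data[4:12])
    if iana != ASF_IANA or mtype != ASF_PONG:
        raise ValueError("not an ASF presence pong")
    if tag != expected_tag & 0xFF:
        raise ValueError("tag mismatch: reply to someone else's ping")
    if dlen != 16:
        raise ValueError(f"unexpected pong data length {dlen}")
    vendor_iana, oem, entities, interactions = struct.unpack("!IIBB", data[12:22])
    return {
        "vendor_iana": vendor_iana,
        "oem_defined": oem,
        "ipmi_supported": bool(entities & 0x80),        # bit 7: IPMI over LAN available
        "asf_version": entities & 0x0F,                  # low nibble: ASF version (1 = 1.0)
        "rmcp_security_extensions": bool(interactions & 0x80),
        "dmtf_dash": bool(interactions & 0x40),
    }


def build_sample_pong(tag: int = 0x2A, entities: int = 0x81, interactions: int = 0x00) -> bytes:
    """Constructed pong for offline testing (not a capture from any BMC)."""
    rmcp = struct.pack("!BBBB", 0x06, 0x00, 0xFF, 0x06)
    asf = struct.pack("!IBBBB", ASF_IANA, ASF_PONG, tag, 0x00, 16)
    data = struct.pack("!IIBB6x", ASF_IANA, 0, entities, interactions)  # 16 data bytes
    return rmcp + asf + data


SAMPLE_PONG = build_sample_pong()


def probe_bmc(host: str, timeout: float = 2.0, tag: int = 0x2A):
    """Send one ping; return the parsed pong, or None if nothing answered.
    Run from outside your network, None is the result you want."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_presence_ping(tag), (host, RMCP_PORT))
        try:
            data, _peer = s.recvfrom(1024)
        except socket.timeout:
            return None
    return parse_presence_pong(data, tag)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <bmc-address>")
    result = probe_bmc(sys.argv[1])
    print("no answer on udp/623" if result is None else f"BMC reachable: {result}")
```

A silent result can also mean a firewall dropping UDP rather than an absent service, so test from a vantage point that can reach the address otherwise. A quiet 623/udp is necessary but not sufficient: the Supermicro disclosure linked in the report concerned a different listener on the BMC, so the whole management address should be unreachable from the Internet, not just one port.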
 

SweetAndLow (Sweet'NASty; joined Nov 6, 2013; 6,421 messages)
tvsjr said:
    IPMI is a horribly insecure protocol that has no business being accessible from the public Internet. If that's the only thing behind this IP, then you should consider that box 0wned.

    IPMI needs to live on an internal/management network. If you want to access it remotely, do so via a VPN.

Agreed, IPMI is not something you just leave accessible from the internet. I hear all these crazy stories about random things just being on the internet, and I can't believe people still do this stuff on purpose.
 

tvsjr (Guru; joined Aug 29, 2015; 959 messages)
SweetAndLow said:
    Agreed, IPMI is not something you just leave accessible from the internet. I hear all these crazy stories about random things just being on the internet, and I can't believe people still do this stuff on purpose.

Hey, you're a developer; it's your kind that typically causes 90% of these problems :D

It is pretty amazing what's out there... and what otherwise-smart people will do sometimes. My full-time job is in the cybersecurity space, so I deal with this stuff all day. :(
 