
Re: Declining traffic

I came across this info, which may or may not be related to the possible
botnets. There is a new P2P botnet forming. The Trojan it uses is
'Heloag'.

This is the URL that gives info about it:


This is the short URL:   http://threatpost.com/en_us/OTQ


On Fri, Apr 23, 2010 at 10:14 AM, Scott Bennett <bennett@xxxxxxxxxx> wrote:
>     On Fri, 23 Apr 2010 15:51:59 +0200 Sebastian Hahn <mail@xxxxxxxxxxxxxxxxx>
> wrote:
>>On Apr 23, 2010, at 3:21 PM, Timo Schoeler wrote:
>>> thus Brian Mearns spake:
>>>> Any chance your ISP is throttling you?
>>> 100% *not*.
>>Another possibility would be that your relay is heavily
>>overloaded. See the big thread on tor-relays about
>>the problems and potential solutions [0].
>     Sebastian, there was something that looked very much like a botnet
> attack running for two or three hours this a.m.  It seems to have stopped
> now.  I had shut down my machine to install operating system updates.
> When all that was finished and I finally brought the system back up, for
> some unknown reason, pf did not start.  (As if there were not going to be
> enough confusion as things already were.  Sigh.)  As soon as I noticed pf
> wasn't running, I started it manually and loaded a block list.  But pftop
> continued to pour forth log entries of illicit connection attempts from
> untold numbers of IP addresses and to scads of different TCP port numbers.
> I kept stopping and starting the logging, so that I could see the log
> entries long enough to add the addresses to that block list.  I eventually
> got crosseyed from adding somewhere between 200 and 300 IP addresses to
> the list. :-(  When I then let the logging continue, it had stopped
> getting any new stuff to log.
>     It was very intense while it lasted, but in the larger scheme of
> things, it was of very short duration for a coordinated attack.  I doubt
> that my system was the only tor relay being attacked.  In fact, I think
> the attack began a short time after my node appeared in the consensus,
> although at this point I can't prove it.
>     What I would like to know is how many systems were attacked this
> a.m. in that manner,  were only systems running tor relays attacked,
> who shut it off, etc.  If anyone else on this list noticed anything between
> 5:00 a.m. CDT and 8:00 a.m. CDT, please post the details here.  Thanks!
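What Scott describes, reading pftop/pflog output and hand-adding two or three
hundred addresses to a block list, is worth scripting the next time it
happens. Below is an added example (mine, not code from anyone in this
thread): it reads pflog lines in the shape `tcpdump -n -r /var/log/pflog`
prints for a `block in log` rule, counts how many distinct TCP ports each
source hit, and writes the sources above a threshold to a pf table file
for `pfctl -T replace`. The interface name em0, the table name <botnet>,
the threshold and the log lines themselves are constructed for the example,
not taken from the attack.

```shell
#!/bin/sh
# Added example, not from any poster in this thread. Triage pflog output for
# the pattern described above (many sources, each probing many TCP ports) and
# load the result into a pf table instead of hand-editing a block list.
#
# Assumptions: log lines look like the output of `tcpdump -n -r /var/log/pflog`
# for a `block in log` rule on em0; the table is named <botnet>; the threshold
# and file paths are arbitrary.

# Constructed sample, not a real capture. Two scanners over the threshold, one
# source that only retried port 22, and one outbound block that must be ignored.
SAMPLE_LOG='00:00:01.000000 rule 0/(match) block in on em0: 198.51.100.7.40211 > 192.0.2.10.22: S 1:1(0) win 65535
00:00:01.100000 rule 0/(match) block in on em0: 198.51.100.7.40212 > 192.0.2.10.23: S 1:1(0) win 65535
00:00:01.200000 rule 0/(match) block in on em0: 198.51.100.7.40213 > 192.0.2.10.445: S 1:1(0) win 65535
00:00:01.300000 rule 0/(match) block in on em0: 198.51.100.7.40214 > 192.0.2.10.3389: S 1:1(0) win 65535
00:00:01.400000 rule 0/(match) block in on em0: 198.51.100.7.40215 > 192.0.2.10.22: S 1:1(0) win 65535
00:00:02.000000 rule 0/(match) block in on em0: 203.0.113.9.51000 > 192.0.2.10.21: S 1:1(0) win 8192
00:00:02.100000 rule 0/(match) block in on em0: 203.0.113.9.51001 > 192.0.2.10.80: S 1:1(0) win 8192
00:00:02.200000 rule 0/(match) block in on em0: 203.0.113.9.51002 > 192.0.2.10.8080: S 1:1(0) win 8192
00:00:03.000000 rule 0/(match) block in on em0: 192.0.2.99.33000 > 192.0.2.10.22: S 1:1(0) win 5840
00:00:03.500000 rule 0/(match) block in on em0: 192.0.2.99.33001 > 192.0.2.10.22: S 1:1(0) win 5840
00:00:04.000000 rule 3/(match) block out on em0: 192.0.2.10.9050 > 203.0.113.9.443: S 1:1(0) win 65535'

# scan_sources THRESHOLD: read pflog text on stdin, print "srcip nports" for
# every source whose *inbound blocked* SYNs touched at least THRESHOLD
# distinct destination ports. Only "block in" lines count, so traffic pf
# already passes (e.g. real clients reaching the ORPort) is never considered.
scan_sources() {
    threshold="${1:-3}"
    awk -v thr="$threshold" '
        /block in/ {
            # tokens look like: ... on em0: SRC.SPORT > DST.DPORT: S ...
            for (i = 1; i <= NF; i++) if ($i == ">") break
            if (i > NF) next
            src = $(i - 1); dst = $(i + 1)
            sub(/:$/, "", dst)
            split(src, s, ".")
            sip = s[1] "." s[2] "." s[3] "." s[4]   # strip the source port
            m = split(dst, d, ".")
            dport = d[m]                            # last component is the port
            if (!((sip, dport) in seen)) { seen[sip, dport] = 1; cnt[sip]++ }
        }
        END { for (ip in cnt) if (cnt[ip] >= thr) print ip, cnt[ip] }
    ' | sort
}

# write_block_table FILE: take scan_sources output on stdin, write one address
# per line to FILE (the format pfctl -T expects) and print the load command.
# The table name botnet is an assumption; it must exist in pf.conf, e.g.
#   table <botnet> persist file "/etc/pf.botnet"
#   block in quick log from <botnet>
write_block_table() {
    table_file="$1"
    awk '{ print $1 }' > "$table_file"
    printf 'pfctl -t botnet -T replace -f %s\n' "$table_file"
}

# Stand-alone demo on the constructed sample: flag sources that hit 3+ ports.
printf '%s\n' "$SAMPLE_LOG" | scan_sources 3
```

In use the input would be `tcpdump -n -e -ttt -r /var/log/pflog` (or pflog piped live), and the pfctl line it prints replaces the table contents in one shot rather than one `-T add` per address; with `persist file` in pf.conf the list also survives a ruleset reload. The threshold is a guess to tune: a single source retrying one port, as 192.0.2.99 does in the sample, stays off the list. Separately from the script, the reboot problem Scott hit is worth a check before trusting any of this: `pfctl -s info` should report Status: Enabled, and on FreeBSD that depends on pf_enable="YES" in /etc/rc.conf, so a relay that was up for hours with pf silently off would show it there.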
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/