« April 2008 · October 2008 · April 2014 »

June 2008
MonTueWedThuFriSatSun
      01
02030405060708
09101112131415
16171819202122
23242526272829
30      
July 2008
MonTueWedThuFriSatSun
 010203040506
07080910111213
14151617181920
21222324252627
28293031   
August 2008
MonTueWedThuFriSatSun
    010203
04050607080910
11121314151617
18192021222324
25262728293031

Calendar:

  • 13.08.2008: Georgian Attacks: Remember Estonia?
  • 12.08.2008: Georgian Websites Under Attack - Don't Believe the Hype
  • 11.08.2008: Georgian Websites Under Attack - DDoS and Defacement
  • 20.07.2008: See below.
  • 18.07.2008: SQL Injection List Format Update
  • 05.07.2008: SQL Injection, Redirects and Drive-By Downloads, Oh My...
  • 26.06.2008: FIRST Conference - Vancouver, Canada
  • 24.06.2008: FIRST Conference - Vancouver, Canada
  • 04.06.2008: AbuseSec08 Conference - Karlsruhe, Germany
Newest first Oldest first

Sunday, 20 July 2008

The Website for the President of Georgia Under Attack - Politically Motivated?


For over 24 hours the website of President Mikhail Saakashvili of Georgia (www.president.gov.ge) has been rendered unavailable due to a multi-pronged distributed denial of service (DDoS) attack. The site began coming under attack very early Saturday morning (Georgian time). Shadowserver has observed at least one web-based command and control (C&C) server taking aim at the website hitting it with a variety of simultaneous attacks. The C&C server has instructed its bots to attack the website with TCP, ICMP, and HTTP floods.

Commands seen so far are:

	flood http www.president.gov.ge/ 
	flood tcp www.president.gov.ge
	flood icmp www.president.gov.ge 

The server [62.168.168.9] which houses the website has been largely offline since the attack started. Passive DNS records show the system houses several other websites which are mostly unrelated to the Georgian government. However, the server does also host the Social Assistance and Employment State Agency website (www.saesa.gov.ge). This website along with the others on the host have been rendered inaccessible.

Is the attack political or perhaps nationalistic in nature? Your guess is as good as ours but it doesn't take much to come to this possible conclusion. Recent DDoS attacks against various other neighbors of Russia to include Estonia have been quite popular in the last few years. We do not have any solid proof that the people behind this C&C server are Russian. However, the HTTP-based botnet C&C server is a MachBot controller, which is a tool that is frequently used by Russian bot herders. On top of that the domain involved with this C&C server has seemingly bogus registration information but does tie back to Russia.

Who else have these guys been attacking with this MachBot C&C server? The answer is no one. This server recently came online in the past few weeks and has not issued any other attacks that we have observed until recently. All attacks we have observed have been directed right at www.president.gov.ge.

The C&C server involved in these attacks is on the IP address 207.10.234.244, which is subsequently located in the United States. Beaconing traffic from your network to this host may indicate that you have infected machines on your network and are most likely participating in this DDoS attack. We would recommend blocking and/or monitoring for traffic to this address.

Update (7/20/2008: 1:36 PM EST): It appears the host site for 207.10.234.244 has taken action against this system and appears to now be blocking access to it. However, the server being targeted by the C&C is still unreachable.

Update (8/10/2008: 10:34 AM EDT): With the recent events in Georgia, we are now seeing new attacks against .ge sites. www.parliament.ge & president.gov.ge are currently being hit with http floods. In this case, the C&C server involved is at IP address 79.135.167.22 which is located in Turkey. We are also observing this C&C as directing attacks against www.skandaly.ru. Traffic from your network to this IP or domain name of googlecomaolcomyahoocomaboutcom.net may indicate compromise and participation in these attacks. [SemperSecurus]

=>Posted July 19, 2008, at 09:57 PM by Steven Adair