37.221.175.41 Gets Creative (DoS Attempt)

RaT

I haven't been posting DoS logs lately as it's just been more of the same. 37.221.175.41 tried to get creative, but unfortunately we have pretty good DDoS protections in place.

37.221.175.41 - - [04/Aug/2013:17:45:26 -0400] "GET /?IDXMR=ROGCXB HTTP/1.1" 403 2620 "http://www.usatoday.com/search/results?q=ZBJKHY" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729)"
37.221.175.41 - - [04/Aug/2013:17:45:11 -0400] "GET / HTTP/1.1" 403 424 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
37.221.175.41 - - [04/Aug/2013:17:45:26 -0400] "GET /?SVQREUE=EFA HTTP/1.1" 403 2620 "http://www.usatoday.com/search/results?q=IIRJNM" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
37.221.175.41 - - [04/Aug/2013:17:45:23 -0400] "HEAD / HTTP/1.1" 403 452 "-" "-"
37.221.175.41 - - [04/Aug/2013:17:45:26 -0400] "GET /?LRHBXPQF=QEMPMAC HTTP/1.1" 403 2620 "http://www.usatoday.com/search/results?q=HEBNWLAOKB" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)"
37.221.175.41 - - [04/Aug/2013:17:45:26 -0400] "GET /?GDLDXGMGH=JSSI HTTP/1.1" 403 2620 "http://engadget.search.aol.com/search?q=LODAHDC" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
37.221.175.41 - - [04/Aug/2013:17:45:22 -0400] "HEAD / HTTP/1.1" 403 452 "-" "-"
37.221.175.41 - - [04/Aug/2013:17:45:26 -0400] "GET /?GESOUSIXYA=KWABG HTTP/1.1" 403 2620 "http://engadget.search.aol.com/search?q=YAPIOVUV" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3"
37.221.175.41 - - [04/Aug/2013:17:45:26 -0400] "GET /?SEBD=MJLBDQ HTTP/1.1" 403 2620 "http://www.soldierx.com/BPFYHT" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
37.221.175.41 - - [04/Aug/2013:17:45:26 -0400] "GET /?SGEBHO=BIA HTTP/1.1" 403 2620 "http://www.soldierx.com/OYBVZ" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0)"
37.221.175.41 - - [04/Aug/2013:17:45:26 -0400] "GET /?FVMFY=CJZKTHASDP HTTP/1.1" 403 2620 "http://engadget.search.aol.com/search?q=BOKWKLAO" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1"
37.221.175.41 - - [04/Aug/2013:17:45:26 -0400] "GET /?BYCDY=NKZMCIPOT HTTP/1.1" 403 2620 "http://www.soldierx.com/JHVWKSYTLE" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729)"
37.221.175.41 - - [04/Aug/2013:17:45:26 -0400] "GET /?FVCDJHNWJ=IFTTDIGFH HTTP/1.1" 403 2620 "http://www.soldierx.com/SXAAVMCVWP" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)"
37.221.175.41 - - [04/Aug/2013:17:45:26 -0400] "GET /?JBBREPF=LYBFBSIGE HTTP/1.1" 403 2620 "http://engadget.search.aol.com/search?q=WQFSG" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729)"
37.221.175.41 - - [04/Aug/2013:17:45:26 -0400] "GET /?TEVDIC=EVJ HTTP/1.1" 403 2620 "http://www.usatoday.com/search/results?q=VUMXNKABEG" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)"
37.221.175.41 - - [04/Aug/2013:17:45:26 -0400] "GET /?QIOPNQTUR=RLOVFD HTTP/1.1" 403 2620 "http://www.soldierx.com/YOYSVFC" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
37.221.175.41 - - [04/Aug/2013:17:45:26 -0400] "GET /?RUDJH=QZRBGQKPX HTTP/1.1" 403 2620 "http://www.usatoday.com/search/results?q=JQYOZ" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)"
37.221.175.41 - - [04/Aug/2013:17:45:12 -0400] "GET / HTTP/1.1" 403 424 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
37.221.175.41 - - [04/Aug/2013:17:45:27 -0400] "GET /?JNIWFROP=YPIWSJ HTTP/1.1" 403 2620 "http://www.soldierx.com/KCJKORFP" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1"

My assumption is that the lamers thought that if they hit us with something new while we were at Defcon, they would be able to hold down the site. As all of you already know, they were wrong. Equally interesting is that it looks like they hit us with this after viewing https://www.soldierx.com/hdb/0x0ptim0us. So maybe the rumor that 0x0ptim0us is involved with Operation Ababil is correct. If anybody on this site is involved in fighting against Op Ababil, I would be interested in knowing if this DDoS traffic is similar to what you've been seeing. If so, then 0x0ptim0us is probably your man :P

The original post that all the cyber jihadists came from was http://www.turk-bh.ir/cc/showthread.php?threadid=353?

All I have to say is... http://www.youtube.com/watch?v=Hl0DD_MYqZU
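The log above shows the three tells of this flood: a burst of hits from one client within the same second, a random upper-case key=value query string on each GET (so every request misses any cache and reaches the origin), and a user-agent and referer rotated per request to look like organic search traffic. The detector below is an added example, not RaT's code or SoldierX's actual DDoS protection; it parses Apache "combined" log lines and scores each client IP on those three signals. The sample lines and the thresholds (5 hits in a second, 3 distinct user-agents) are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Cache-busting query like "/?IDXMR=ROGCXB": one random upper-case key=value and nothing else
RANDOM_QS_RE = re.compile(r'^/\?[A-Z]{3,12}=[A-Z]{3,12}$')

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["req"].split()                     # "GET /?X=Y HTTP/1.1"
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    rec["second"] = rec["ts"].split()[0]           # "04/Aug/2013:17:45:26" (timezone dropped)
    return rec

def score_sources(lines, burst=5, min_uas=3):
    """Per client IP: peak hits in any one second, number of random-query hits and distinct
    user-agents; 'flood' is True only when all three pass the (assumed) thresholds."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    verdicts = {}
    for ip, recs in by_ip.items():
        per_second = defaultdict(int)
        for r in recs:
            per_second[r["second"]] += 1
        peak = max(per_second.values())
        random_qs = sum(1 for r in recs if RANDOM_QS_RE.match(r["path"]))
        uas = len({r["ua"] for r in recs})
        verdicts[ip] = {"peak_per_second": peak, "random_queries": random_qs, "distinct_uas": uas,
                        "flood": peak >= burst and random_qs >= burst and uas >= min_uas}
    return verdicts

SAMPLE_LOG = [  # constructed lines patterned on the post's log; TEST-NET addresses, not the real client
    '192.0.2.10 - - [04/Aug/2013:17:45:26 -0400] "GET /?ABCDE=FGHIJ HTTP/1.1" 403 2620 "http://www.example.com/search?q=KLMNO" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"',
    '192.0.2.10 - - [04/Aug/2013:17:45:26 -0400] "GET /?PQRST=UVWXY HTTP/1.1" 403 2620 "http://www.example.com/search?q=ZABCD" "Mozilla/5.0 (Windows NT 6.1; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3"',
    '192.0.2.10 - - [04/Aug/2013:17:45:26 -0400] "GET /?EFGHI=JKLMN HTTP/1.1" 403 2620 "http://www.example.com/OPQRS" "Mozilla/5.0 (X11; Linux x86_64; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3"',
    '192.0.2.10 - - [04/Aug/2013:17:45:26 -0400] "GET /?TUVWX=YZABC HTTP/1.1" 403 2620 "http://www.example.com/DEFGH" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64)"',
    '192.0.2.10 - - [04/Aug/2013:17:45:26 -0400] "GET /?IJKLM=NOPQR HTTP/1.1" 403 2620 "http://www.example.com/search?q=STUVW" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/532.1 Chrome/4.0.219.6 Safari/532.1"',
    '192.0.2.10 - - [04/Aug/2013:17:45:23 -0400] "HEAD / HTTP/1.1" 403 452 "-" "-"',
    '198.51.100.7 - - [04/Aug/2013:17:45:20 -0400] "GET /hdb/0x0ptim0us HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/22.0"',
]
```

Run `score_sources(SAMPLE_LOG)` and only 192.0.2.10 comes back with `flood` set; a single reader of the HDB page does not trip any threshold.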