Educause Security Discussion mailing list archives

Re: Phatbot

From: Scott Weeks <sweeks () SANDIEGO EDU>
Date: Fri, 19 Mar 2004 08:49:32 -0800

Hello Everyone,

I see there're six IP addresses that the infected machines contact to do
their "speed test".  I suppose we could just monitor traffic to these
addresses to find infected machines?  Doing traceroutes to the URLs in the
article gives the following list:

       131.113.213.132
       140.114.72.8
       171.67.16.66
       207.155.248.63
       130.89.1.16
       212.227.147.70

Whatcha' think?

scott


:  Another good web site.
:  http://www.lurhq.com/phatbot.html


:  http://www.washingtonpost.com/wp-dyn/articles/A444-2004Mar17.html
:  follows:
:          Hackers Embrace P2P Concept
:          Experts Fear 'Phatbot' Trojan Could Lead to New Wave of Spam or
:  Denial-of-Service Attacks










=====

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

Current thread:

Phatbot Kathie Brinkman (Mar 18)
- <Possible follow-ups>
- Re: Phatbot James Moore (Mar 18)
- Re: Phatbot Jeff Birch (Mar 19)
- Re: Phatbot Scott Weeks (Mar 19)
- Re: Phatbot Marty Hoag (Mar 19)
- Re: Phatbot Daniel Medina (Mar 19)
- Re: Phatbot Doug Pearson (Mar 19)
- Re: Phatbot Gary Flynn (Mar 19)
- Re: Phatbot Dr. Tina Bird (Mar 19)
- Re: Phatbot Mike Iglesias (Mar 19)
- Re: Phatbot Brian Eckman (Mar 19)
- Re: Phatbot Mike Iglesias (Mar 19)
- Re: Phatbot Jeff Kell (Mar 19)