Educause Security Discussion mailing list archives
Re: Phatbot
From: Daniel Medina <medina () COLUMBIA EDU>
Date: Fri, 19 Mar 2004 12:04:43 -0500
The owners of the sites listed below are no doubt collecting traffic flows to those addresses or monitoring their weblogs to gather that data. I believe infected hosts only contact those addresses on initialization, so monitoring traffic won't give you the hosts already infected.

On Fri, Mar 19, 2004 at 08:49:32AM -0800, Scott Weeks wrote:
> I see there're six IP addresses that the infected machines contact to do their "speed test". I suppose we could just monitor traffic to these addresses to find infected machines? Doing traceroutes to the URLs in the article gives the following list:
>
> 131.113.213.132
> 140.114.72.8
> 171.67.16.66
> 207.155.248.63
> 130.89.1.16
> 212.227.147.70
>
> Whatcha' think?
--
Daniel Medina

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
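The flow-monitoring idea discussed in this message, as an added example that is not part of either post: it flags campus hosts that contact several of the six listed addresses within a short window, and by the reply's reasoning it can only see hosts that initialize while flows are being collected. The flow record format, the campus prefix (a documentation range used as a placeholder), the thresholds and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# The six addresses listed in the quoted message above.
SPEED_TEST_ADDRS = {
    "131.113.213.132", "140.114.72.8", "171.67.16.66",
    "207.155.248.63", "130.89.1.16", "212.227.147.70",
}
# Assumption: campus address space (documentation prefix as a placeholder).
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample flow records: "epoch_seconds src_ip dst_ip dst_port".
SAMPLE_FLOWS = """\
1079715600 192.0.2.10 131.113.213.132 80
1079715601 192.0.2.10 140.114.72.8 80
1079715602 192.0.2.10 171.67.16.66 80
1079715603 192.0.2.10 130.89.1.16 80
1079715700 192.0.2.22 171.67.16.66 80
1079715800 192.0.2.33 198.51.100.7 80
1079715900 203.0.113.5 212.227.147.70 80
malformed line
"""

def suspect_hosts(flow_text, min_distinct=3, window=60):
    """Return {src: (first_seen, n_distinct)} for campus hosts that contacted
    at least min_distinct listed addresses within `window` seconds."""
    hits = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        try:
            ts = int(parts[0])
            src = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        if src in CAMPUS_NET and parts[2] in SPEED_TEST_ADDRS:
            hits[str(src)].append((ts, parts[2]))
    suspects = {}
    for src, events in hits.items():
        events.sort()
        # Slide a window from each event; a single hit may be ordinary browsing.
        for i, (start, _) in enumerate(events):
            distinct = {d for t, d in events[i:] if t - start <= window}
            if len(distinct) >= min_distinct:
                suspects[src] = (start, len(distinct))
                break
    return suspects
```

Lowering `min_distinct` to 1 reports every campus host that touched any listed address, which also picks up ordinary visits to those sites.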