Educause Security Discussion mailing list archives

Re: Phatbot


From: Daniel Medina <medina () COLUMBIA EDU>
Date: Fri, 19 Mar 2004 12:04:43 -0500

 The owners of the sites listed below are no doubt collecting traffic
flows to those addresses or monitoring their weblogs to gather that
data.

 I believe infected hosts only contact those addresses on
initialization, so monitoring traffic won't give you the hosts already
infected.

On Fri, Mar 19, 2004 at 08:49:32AM -0800, Scott Weeks wrote:
I see there're six IP addresses that the infected machines contact to do
their "speed test".  I suppose we could just monitor traffic to these
addresses to find infected machines?  Doing traceroutes to the URLs in the
article gives the following list:

       131.113.213.132
       140.114.72.8
       171.67.16.66
       207.155.248.63
       130.89.1.16
       212.227.147.70

Whatcha' think?

--
Daniel Medina
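
An added example, not part of the original messages: one way to run the check discussed in this thread over stored flow records rather than live traffic, so that hits reflect contacts made at any point within the retention window. The CSV layout, the sample records, the internal source addresses and the `min_distinct` threshold are assumptions made for illustration; only the six destination addresses come from the thread.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# The six "speed test" destinations listed in the thread.
SPEEDTEST_DSTS = {ipaddress.ip_address(a) for a in (
    "131.113.213.132", "140.114.72.8", "171.67.16.66",
    "207.155.248.63", "130.89.1.16", "212.227.147.70",
)}

# Constructed sample records (hypothetical layout: ts,src,dst,dport,bytes).
SAMPLE_FLOWS = """\
2004-03-19T09:00:01,10.1.4.22,171.67.16.66,80,4096
2004-03-19T09:00:02,10.1.4.22,130.89.1.16,80,4100
2004-03-19T09:00:03,10.1.4.22,140.114.72.8,80,4090
2004-03-19T09:05:10,10.1.7.9,171.67.16.66,80,512
2004-03-19T09:06:00,10.1.9.40,192.0.2.10,80,900
bad,10.1.4.300,171.67.16.66,80,1
"""

def find_candidates(flow_csv, min_distinct=1):
    """Map each source to the listed addresses it contacted, with first and
    last timestamps, keeping sources with >= min_distinct distinct hits."""
    hits = defaultdict(lambda: {"dsts": set(), "first": None, "last": None})
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5:
            continue
        ts, src, dst = row[0], row[1], row[2]
        try:
            ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip malformed records instead of aborting the scan
        if dst_ip not in SPEEDTEST_DSTS:
            continue
        h = hits[src]
        h["dsts"].add(dst)
        # ISO 8601 timestamps in one timezone sort correctly as strings.
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return {s: h for s, h in hits.items() if len(h["dsts"]) >= min_distinct}

if __name__ == "__main__":
    for src, h in sorted(find_candidates(SAMPLE_FLOWS, min_distinct=2).items()):
        print(src, sorted(h["dsts"]), h["first"], h["last"])
```

Because the listed addresses belong to ordinary public sites, a single contact is weak evidence; raising `min_distinct` keeps only sources that reached several of them.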
