Educause Security Discussion mailing list archives
Re: Phatbot
From: Mike Iglesias <iglesias () DRACO ACS UCI EDU>
Date: Fri, 19 Mar 2004 13:54:11 -0800
I thought I saw something about port 1025 requests but I can't find it now.
We've seen it probe systems on the following ports:

135/139/445
1025
2745 (bagle/beagle backdoor)
3127 (mydoom backdoor)
6129 (Dameware vuln)
80 (WebDAV vuln attacks)

We're pretty certain that at least one system was infected via the bagle backdoor.

We also found several of the infected systems talking to an IRC server on 206.222.29.51. We had also heard that they may try to contact the IRC server on 209.25.161.103, but we have not seen that.

Mike Iglesias                          Email: iglesias () draco acs uci edu
University of California, Irvine       phone: 949-824-6926
Network & Academic Computing Services  FAX: 949-824-2069

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
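A triage sketch for the indicators in the message above, as an added example that is not part of the original post: it reads flow records and reports internal hosts that either probe several of the listed ports across several targets or contact one of the two named IRC servers. The record format, the sample flows, the thresholds and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Ports the post lists as probed: 2745 bagle/beagle backdoor, 3127 mydoom
# backdoor, 6129 Dameware vuln, 80 WebDAV vuln attacks.
PROBE_PORTS = {135, 139, 445, 1025, 2745, 3127, 6129, 80}
# IRC servers named in the post: one seen in traffic, one only heard about.
IRC_SERVERS = {"206.222.29.51": "observed", "209.25.161.103": "reported"}
# Assumed thresholds: a single listed port (e.g. 80) is normal traffic.
MIN_PORTS, MIN_TARGETS = 3, 3

# Constructed sample flows ("src dst dport"); the IRC port is made up.
SAMPLE_FLOWS = """\
10.1.1.5 10.1.2.10 135
10.1.1.5 10.1.2.11 445
10.1.1.5 10.1.2.12 2745
10.1.1.5 10.1.2.13 3127
10.1.1.5 206.222.29.51 6667
10.1.1.9 10.1.3.1 80
10.1.1.9 10.1.3.2 80
10.1.1.9 10.1.3.3 80
10.1.1.7 209.25.161.103 6667
truncated-record
"""

def parse_flows(text):
    """Yield (src, dst, dport) and skip blank or malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            yield parts[0], parts[1], int(parts[2])

def triage(text):
    """Map each suspect source to its probe ports and IRC contacts."""
    ports, targets, irc = defaultdict(set), defaultdict(set), defaultdict(set)
    for src, dst, dport in parse_flows(text):
        if dst in IRC_SERVERS:
            irc[src].add(dst)  # match on address; the post gives no port
        elif dport in PROBE_PORTS:
            ports[src].add(dport)
            targets[src].add(dst)
    findings = {}
    for src in set(ports) | set(irc):
        scanning = len(ports[src]) >= MIN_PORTS and len(targets[src]) >= MIN_TARGETS
        if scanning or irc[src]:
            findings[src] = {"scanning": scanning, "ports": sorted(ports[src]),
                             "irc": {ip: IRC_SERVERS[ip] for ip in sorted(irc[src])}}
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS))
```

In the sample, 10.1.1.9 reaches three targets but only on port 80, so it is not reported; requiring several distinct listed ports keeps ordinary web traffic out of the findings.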