Educause Security Discussion mailing list archives

Re: Phatbot


From: Mike Iglesias <iglesias () DRACO ACS UCI EDU>
Date: Fri, 19 Mar 2004 13:54:11 -0800

I thought I saw something about port 1025 requests but
I can't find it now.

We've seen it probe systems on the following ports:

  135/139/445
  1025
  2745  (bagle/beagle backdoor)
  3127  (mydoom backdoor)
  6129  (Dameware vuln)
  80    (WebDAV vuln attacks)

We're pretty certain that at least one system was infected via the
bagle backdoor.

We also found several of the infected systems talking to an IRC server
on 206.222.29.51.  We had also heard that they may try to contact the
IRC server on 209.25.161.103, but we have not seen that.


Mike Iglesias                          Email:       iglesias () draco acs uci edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069
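
Added example (not part of the original post or written by its author): a small triage script that applies the indicators reported above to flow records, flagging internal hosts that probe several of the listed ports across multiple targets or that contact either IRC server address. The "src dst dport" record format, the sample records, the IRC port in them, and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Ports listed in the post above.
PROBE_PORTS = {135, 139, 445, 1025, 2745, 3127, 6129, 80}
# IRC servers named in the post. The post gives no port, so match on address only.
IRC_SERVERS = {"206.222.29.51", "209.25.161.103"}

# Constructed sample flow records, "src dst dport" (not real traffic).
SAMPLE_FLOWS = """\
10.1.1.20 10.1.2.5 135
10.1.1.20 10.1.2.6 445
10.1.1.20 10.1.2.7 2745
10.1.1.20 10.1.2.8 3127
10.1.1.20 10.1.2.9 6129
10.1.1.20 206.222.29.51 6667
10.1.1.30 192.0.2.10 80
10.1.1.30 192.0.2.11 80
10.1.1.30 192.0.2.12 80
10.1.1.40 206.222.29.51 6667
10.1.1.50 10.1.2.5 445
10.1.1.50 10.1.2.5 139
malformed line here now
"""

def triage(flow_text, min_ports=4, min_targets=3):
    """Return {src: findings} for hosts matching the reported behaviour.

    min_ports / min_targets are assumed thresholds: ports such as 80 and 445
    carry normal traffic, so one port or one target alone is not flagged.
    """
    ports, targets, irc = defaultdict(set), defaultdict(set), defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[2].isdigit():
            continue  # skip malformed records
        src, dst, dport = fields[0], fields[1], int(fields[2])
        if dst in IRC_SERVERS:
            irc[src].add(dst)
        if dport in PROBE_PORTS:
            ports[src].add(dport)
            targets[src].add(dst)
    report = {}
    for src in set(ports) | set(irc):
        scanning = len(ports[src]) >= min_ports and len(targets[src]) >= min_targets
        if scanning or irc[src]:
            report[src] = {"scanning": scanning,
                           "ports": sorted(ports[src]),
                           "irc": sorted(irc[src])}
    return report
```

On the sample data, the web-browsing host (port 80 only) and the file-share client (two ports, one target) are not reported, while the multi-port prober and the host that only contacts the IRC address are.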
