Educause Security Discussion mailing list archives
Re: Phatbot
From: Mike Iglesias <iglesias () DRACO ACS UCI EDU>
Date: Fri, 19 Mar 2004 14:09:20 -0800
I haven't had one on my network (crossing fingers), but looking at those knocking on the door has helped a bunch. Phatbot (now called Polybot by most AV companies) tries to spread itself via an RPC-related vulnerability via port 1025/tcp on remote hosts (among other methods). It either favors or exclusively tries to spread within the /8 network the infected host is on. Therefore, a rule looking for outbound SYN (no other flags set) packets to destination port 1025/tcp on addresses in the same /8 is a good start. An infected host will send quite a few of these packets in a minute. If you see a host sending one or two of them over a several minute span, it's not Polybot.
The infected systems on our network probed the /8 about 50-60% of the time. The rest of the probes appear to be destined for AOL's 172.128.0.0/10 network.

Mike Iglesias                          Email: iglesias () draco acs uci edu
University of California, Irvine       phone: 949-824-6926
Network & Academic Computing Services  FAX:   949-824-2069

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
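As an added example that is not part of Mike's post, the rule he describes (outbound SYN-only packets to 1025/tcp aimed inside the sender's own /8, many per minute versus one or two over several minutes) applied to constructed flow records. The record format, the 20-per-minute cutoff, the timestamps and all addresses are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

SCAN_PORT = 1025          # the RPC-related port singled out in the post
WINDOW_SECONDS = 60
THRESHOLD = 20            # assumed cutoff for "quite a few" SYNs per minute
BASE = 1079740800         # constructed epoch time (19 Mar 2004)

def build_sample():
    """Constructed records: 'epoch src dst dport flags' (tcpdump-style flags)."""
    recs = []
    # host A: 30 SYN-only probes to 1025/tcp spread over its own /8 in 30 s
    recs += [f"{BASE+i} 128.200.1.10 128.200.{i%250+1}.{(i*11)%250+1} 1025 S"
             for i in range(30)]
    # host B: two such probes five minutes apart -- the post calls this benign
    recs += [f"{BASE+5} 128.200.2.20 128.200.3.3 1025 S",
             f"{BASE+305} 128.200.2.20 128.200.3.4 1025 S"]
    # host C: 25 SYNs to 1025/tcp in a minute, but to a different /8
    recs += [f"{BASE+i} 128.200.4.40 172.128.{i%250+1}.7 1025 S" for i in range(25)]
    # host D: 25 SYN/ACK replies ("S.") on 1025/tcp -- not SYN-only, ignored
    recs += [f"{BASE+i} 128.200.5.50 128.200.6.{i%250+1} 1025 S." for i in range(25)]
    return recs

def parse_record(line):
    ts, src, dst, dport, flags = line.split()
    return int(ts), src, dst, int(dport), flags

def same_slash8(a, b):
    # compare only the first octet of each IPv4 address
    return ipaddress.ip_address(a).packed[0] == ipaddress.ip_address(b).packed[0]

def is_candidate(ts, src, dst, dport, flags):
    # outbound SYN with no other flags, to 1025/tcp, inside the sender's /8
    return dport == SCAN_PORT and flags == "S" and same_slash8(src, dst)

def find_scanners(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: peak number of candidate SYNs within any `window` seconds}
    for every source whose peak reaches `threshold`."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if is_candidate(*rec):
            by_src[rec[1]].append(rec[0])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):          # sliding window over timestamps
            while t - times[lo] >= window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(find_scanners(build_sample()))   # {'128.200.1.10': 30}
```

Only host A is reported; the two-probe host, the probes leaving the /8, and the SYN/ACK replies all fall outside the rule as written.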
Current thread:
- Re: Phatbot, (continued)
- Re: Phatbot James Moore (Mar 18)
- Re: Phatbot Jeff Birch (Mar 19)
- Re: Phatbot Scott Weeks (Mar 19)
- Re: Phatbot Marty Hoag (Mar 19)
- Re: Phatbot Daniel Medina (Mar 19)
- Re: Phatbot Doug Pearson (Mar 19)
- Re: Phatbot Gary Flynn (Mar 19)
- Re: Phatbot Dr. Tina Bird (Mar 19)
- Re: Phatbot Mike Iglesias (Mar 19)
- Re: Phatbot Brian Eckman (Mar 19)
- Re: Phatbot Mike Iglesias (Mar 19)
- Re: Phatbot Jeff Kell (Mar 19)