Educause Security Discussion mailing list archives
Re: Phatbot
From: Jeff Kell <jeff-kell () UTC EDU>
Date: Fri, 19 Mar 2004 23:22:21 -0500
Gary Flynn wrote:
> Doug Pearson wrote:
> > Has anyone seen hard information on characteristics of the traffic that would be a good marker distinguishing it from other valid traffic in netflow data, e.g. byte counts, etc. I thought I saw something about port 1025 requests but I can't find it now.
> 1025 has been implicated but you have to be stateful and careful about it. It is such a low-numbered ephemeral port (for Windows anyway) that is somewhat of a problem for incoming SYNs (could be an FTP data port for example). You certainly can't make any assumptions about outgoing SYNs on 1025 identifying an infected machine.
> At a higher layer, the site below has some snort signatures that I've had active a couple days with no hits.
Likewise.
> That port 4387 traffic and/or a unique gnutella client header may also be markers.
I've blocked 4387 both ways (some exceptions for it being an ephemeral port to a well-known service) but I don't know the details of the 4387 traffic and the Gnutella connection. Do you look for 4387->6346? Or is contact with Gnutella cache servers unrelated to 4387? Is there something unique about the connection that might translate to a Snort (or other IDS) signature?

Jeff Kell, System/Network Security
University of Tennessee at Chattanooga
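The flow-level markers debated in this message, sketched as a stateful triage pass over constructed netflow-style records (an added example, not from the list or its authors; the well-known-port cutoff, the active-FTP explanation for inbound 1025 SYNs and treating a 4387->6346 pairing as suspect are assumptions):

```python
from dataclasses import dataclass

WELL_KNOWN_MAX = 1023   # assumption: dports <= 1023 are services
MARKER_PORT = 4387      # marker port under discussion (seen paired with Gnutella 6346)
LOW_EPHEMERAL = 1025    # lowest Windows ephemeral port, a false-positive source
FTP_CONTROL = 21

@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # a SYN with no established state behind it

def classify(flow: Flow, ftp_sessions: set) -> str:
    """Label one flow 'suspect', 'exception' or 'normal'; ftp_sessions holds
    (client, server) pairs with an open port-21 channel (stateful context)."""
    if flow.dport == MARKER_PORT:
        return "suspect"
    # 4387 as source is excused only as the ephemeral side of a well-known service
    if flow.sport == MARKER_PORT:
        return "exception" if flow.dport <= WELL_KNOWN_MAX else "suspect"
    # inbound SYN to 1025 may be active-mode FTP data; outbound SYN from 1025 proves nothing
    if flow.syn_only and flow.dport == LOW_EPHEMERAL:
        return "exception" if (flow.dst, flow.src) in ftp_sessions else "suspect"
    return "normal"

def triage(flows: list) -> list:
    """Walk records in order, learning FTP control state before classifying."""
    ftp_sessions, out = set(), []
    for f in flows:
        if f.dport == FTP_CONTROL:
            ftp_sessions.add((f.src, f.dst))
        out.append((f, classify(f, ftp_sessions)))
    return out

def suspect_hosts(flows: list) -> set:
    """Local hosts worth a closer look (initiator, or the target of a 1025 SYN)."""
    return {f.dst if f.dport == LOW_EPHEMERAL else f.src
            for f, label in triage(flows) if label == "suspect"}

# Constructed sample records, not captured traffic
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 1044, "203.0.113.9", 4387),                # suspect
    Flow("10.0.0.5", 4387, "203.0.113.9", 80),                  # exception
    Flow("10.0.0.6", 4387, "203.0.113.9", 6346),                # suspect
    Flow("10.0.0.7", 1031, "198.51.100.7", 21),                 # normal (FTP control)
    Flow("198.51.100.7", 20, "10.0.0.7", 1025, syn_only=True),  # exception (FTP data)
    Flow("192.0.2.44", 3333, "10.0.0.8", 1025, syn_only=True),  # suspect
]
```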