[Dshield] Portscan pattern

Pete Cap peteoutside at yahoo.com
Sun Mar 14 22:51:29 GMT 2004


Greetings--

Could be the new "Phatbot," an Agobot variant which
hit the streets last week.
There was a link at DShield (copied here for your
convenience) with some packet captures you can
compare.

In short, Phatbot is a kind of Swiss Army knife which
spreads via multiple exploits (there's technical info
at DShield and various other sites).  It gives an
attacker backdoor access, can act as a proxy, etc. 
You can probably spot an infected host by the port
activity.

http://isc.sans.org/diary.html?date=2004-03-11

Regards,

Pete

--- Korhonen Juuso <juuso.korhonen at camline.fi> wrote:
> Hi
> 
> Can somebody tell me whether it is a scanning tool or a
> computer with a virus that has a
> scan pattern like this:
> 
> Scanned ports: 2745, 1025, 135, 445, 6129
> 
> I am having scans like this originating mainly from
> addresses starting with
> 61. and 68.
> 
> Best Regards
> 
> Juuso Korhonen
> IT Manager
> Camline corporation
> 


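Added example, not part of the original posts: one way to check firewall logs for the port activity described in this thread, flagging any source that touches most of the reported port set (2745, 1025, 135, 445, 6129) within a short time. The iptables-style log format, the function name `find_pattern_scanners`, the `min_ports` and `window` thresholds and the sample addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Port set reported in the thread above.
PATTERN_PORTS = frozenset({2745, 1025, 135, 445, 6129})
# Assumption: iptables-style LOG lines; the thread does not name a log format.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) "
                     r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def find_pattern_scanners(lines, min_ports=4, window=timedelta(minutes=5), year=2004):
    """Return {source: sorted ports} for sources that touched at least
    min_ports distinct PATTERN_PORTS inside one time window."""
    hits = defaultdict(list)  # source address -> [(timestamp, port)]
    for line in lines:
        m = LINE_RE.search(line)
        if m and int(m["dpt"]) in PATTERN_PORTS:
            # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["src"]].append((ts, int(m["dpt"])))
    flagged = {}
    for src, events in hits.items():
        best = set()
        for start, _ in events:  # try a window opening at each event
            seen = {p for t, p in events if timedelta(0) <= t - start <= window}
            best = max(best, seen, key=len)
        if len(best) >= min_ports:
            flagged[src] = sorted(best)
    return flagged

# Constructed sample records (documentation address ranges, simplified fields).
_FMT = "Mar 14 {} fw kernel: IN=eth0 OUT= SRC={} DST=192.0.2.10 PROTO={} SPT=3100 DPT={}"
SAMPLE_LOG = [_FMT.format(*rec) for rec in [
    ("22:40:01", "198.51.100.7", "TCP", 2745), ("22:40:01", "198.51.100.7", "TCP", 1025),
    ("22:40:02", "198.51.100.7", "TCP", 135), ("22:40:02", "198.51.100.7", "TCP", 445),
    ("22:40:03", "198.51.100.7", "TCP", 6129),   # full pattern within seconds
    ("22:41:10", "203.0.113.9", "TCP", 445), ("22:41:11", "203.0.113.9", "TCP", 135),
    ("22:42:00", "203.0.113.9", "UDP", 1025),    # only two TCP ports: below threshold
    ("01:00:00", "203.0.113.50", "TCP", 135), ("05:00:00", "203.0.113.50", "TCP", 445),
    ("09:00:00", "203.0.113.50", "TCP", 1025), ("13:00:00", "203.0.113.50", "TCP", 6129),
]]                                               # last source: four ports, hours apart

if __name__ == "__main__":
    for src, ports in find_pattern_scanners(SAMPLE_LOG).items():
        print(src, ports)
```

Keying on the source address means the same check works on inbound probes and on outbound traffic from an internal host that has started scanning.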