[Dshield] PhatBot

John Sage jsage at finchhaven.com
Fri Mar 19 02:33:00 GMT 2004


Well.

On Thu, Mar 18, 2004 at 04:19:52PM -0500, Paul Marsh wrote:
> Date: Thu, 18 Mar 2004 16:19:52 -0500
> From: "Paul Marsh" <pmarsh at nmefdn.org>
> To: "General DShield Discussion List" <list at dshield.org>
> Subject: [Dshield] PhatBot
> 
> Well this is a happy picture the Washington Post painted.
> 
> "Phatbot Trojan Spreading To More Systems Than Code Red A veritable
> Swiss Army Knife of attack tools is disabling antivirus tools,
> stealing passwords, connecting systems to peer-to-peer networks and
> setting the victim systems up to send spam and DDoS traffic."
> 
> What's the word on the inside about this nasty thing?  LURHQ's write
> up is good http://www.lurhq.com/phatbot.html but it doesn't really
> give any pointers as to what we should be on the look out for.


I can tell you that I have seen a major increase in traffic to
TCP:65506, which may be PhatBot related:

[root at greatwall snort]# grep -c xxx:65506 ../messages
1329 <- this for about *8* hours today..

[root at greatwall snort]# grep -c xxx:65506 ../messages.1
456 <- this, and all below cover *24* hours

[root at greatwall snort]# grep -c xxx:65506 ../messages.2
39
[root at greatwall snort]# grep -c xxx:65506 ../messages.3
68
[root at greatwall snort]# grep -c xxx:65506 ../messages.4
151
[root at greatwall snort]# grep -c xxx:65506 ../messages.5
4
[root at greatwall snort]# grep -c xxx:65506 ../messages.6
2
[root at greatwall snort]# grep -c xxx:65506 ../messages.7
0
[root at greatwall snort]# grep -c xxx:65506 ../messages.8
0
[root at greatwall snort]# grep -c xxx:65506 ../messages.9
0
[root at greatwall snort]# grep -c xxx:65506 ../messages.10
0


These recent ones are of the form:

input: snort.log.1079626835
filter: ip and ( dst port 65506 )
match: CONNECT
###
T 2004/03/18 08:20:48.194911 207.36.209.104:1184 -> 24.19.14y.xxx:65506 [AP]
  43 4f 4e 4e 45 43 54 20    32 31 32 2e 31 35 35 2e    CONNECT 212.155.
  32 30 37 2e 31 3a 32 35    20 48 54 54 50 2f 31 2e    207.1:25 HTTP/1.
  30 0d 0a 0d 0a                                        0....
######
T 2004/03/18 08:21:07.953162 207.36.209.104:2588 -> 24.19.14y.xxx:65506 [AP]
  43 4f 4e 4e 45 43 54 20    32 34 2e 31 31 36 2e 31    CONNECT 24.116.1
  31 34 2e 34 3a 32 35 20    48 54 54 50 2f 31 2e 30    14.4:25 HTTP/1.0
  0d 0a 0d 0a                                           ....
#####
T 2004/03/18 08:24:41.878823 207.36.209.104:1534 -> 24.19.14y.xxx:65506 [AP]
  43 4f 4e 4e 45 43 54 20    31 39 39 2e 39 36 2e 33    CONNECT 199.96.3
  2e 35 3a 32 35 20 48 54    54 50 2f 31 2e 30 0d 0a    .5:25 HTTP/1.0..
  0d 0a                                                 ..
#####
T 2004/03/18 08:24:51.624856 207.36.209.104:2038 -> 24.19.14y.xxx:65506 [AP]
  43 4f 4e 4e 45 43 54 20    32 31 36 2e 31 35 37 2e    CONNECT 216.157.
  31 36 2e 31 35 3a 32 35    20 48 54 54 50 2f 31 2e    16.15:25 HTTP/1.
  30 0d 0a 0d 0a                                        0....
####
T 2004/03/18 08:25:22.471225 207.36.209.104:1034 -> 24.19.14y.xxx:65506 [AP]
  43 4f 4e 4e 45 43 54 20    31 39 38 2e 31 37 32 2e    CONNECT 198.172.
  32 33 31 2e 36 3a 32 35    20 48 54 54 50 2f 31 2e    231.6:25 HTTP/1.
  30 0d 0a 0d 0a                                        0....


Over and over and over and over...


- John
-- 
"Mad cow? You'd be mad too, if someone was trying to eat you."
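Added example, not part of the post: a small Python checker that rebuilds payloads from an ngrep -x style dump like the one above and reports, per source address, every HTTP CONNECT aimed at port 25, i.e. the open-proxy-to-SMTP relay pattern John is seeing on TCP/65506. The sample dump is constructed here in that layout; the first record is copied from the post, the second is a CONNECT to port 443 added as a negative case.

```python
"""Flag HTTP CONNECT requests to port 25 (SMTP relaying via an open proxy)
in an ngrep -x style dump, keyed by source address."""
import re

# Constructed sample in the layout of the captures above. The first record is
# the post's own; the second is a CONNECT to port 443 added as a negative case.
SAMPLE = """\
T 2004/03/18 08:20:48.194911 207.36.209.104:1184 -> 24.19.14y.xxx:65506 [AP]
  43 4f 4e 4e 45 43 54 20    32 31 32 2e 31 35 35 2e    CONNECT 212.155.
  32 30 37 2e 31 3a 32 35    20 48 54 54 50 2f 31 2e    207.1:25 HTTP/1.
  30 0d 0a 0d 0a                                        0....
######
T 2004/03/18 08:30:00.000000 10.0.0.5:3000 -> 24.19.14y.xxx:65506 [AP]
  43 4f 4e 4e 45 43 54 20    65 78 61 6d 70 6c 65 2e    CONNECT example.
  6f 72 67 3a 34 34 33 20    48 54 54 50 2f 31 2e 31    org:443 HTTP/1.1
  0d 0a 0d 0a                                           ....
"""

HEADER = re.compile(r"^T \S+ \S+ (\S+) -> (\S+) \[")
HEX_GROUP = re.compile(r"^(?:[0-9a-f]{2} )*[0-9a-f]{2}$")
# A proxy CONNECT whose target port is 25: the relay-for-spam signature.
CONNECT_SMTP = re.compile(rb"^CONNECT\s+(\S+):25\s+HTTP/1\.[01]\r\n")

def parse_ngrep(text):
    """Yield (src, dst, payload) per record, rebuilding the payload from the
    hex columns; the first non-hex column on each line is ngrep's ASCII view."""
    src = dst = None
    payload = bytearray()
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if src is not None:
                yield src, dst, bytes(payload)
            src, dst, payload = m.group(1), m.group(2), bytearray()
        elif src is not None and line.startswith("  "):
            for part in re.split(r" {4,}", line.strip()):
                if not HEX_GROUP.match(part):
                    break
                payload.extend(bytes.fromhex(part))
    if src is not None:
        yield src, dst, bytes(payload)

def smtp_relay_attempts(text):
    """Return {source_ip: [target, ...]} for every CONNECT-to-:25 payload."""
    hits = {}
    for src, _dst, payload in parse_ngrep(text):
        m = CONNECT_SMTP.match(payload)
        if m:
            hits.setdefault(src.rsplit(":", 1)[0], []).append(m.group(1).decode())
    return hits
```

Run it over a real `ngrep -x 'CONNECT' 'dst port 65506'` dump and a steady stream of distinct :25 targets from one source is the relay probing the post describes; a CONNECT to other ports is not flagged.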