[Dshield] PhatBot - Time limited?

John Sage jsage at finchhaven.com
Fri Mar 19 16:33:21 GMT 2004


Curiouser and curiouser...

On Fri, Mar 19, 2004 at 09:23:19AM -0600, Micheal Patterson wrote:
> From: "Micheal Patterson" <micheal at tsgincorporated.com>
> To: "General DShield Discussion List" <list at dshield.org>
> Subject: Re: [Dshield] PhatBot
> Date: Fri, 19 Mar 2004 09:23:19 -0600
> 
> ----- Original Message ----- 
> From: "John Sage" <jsage at finchhaven.com>
> To: "General DShield Discussion List" <list at dshield.org>
> Sent: Thursday, March 18, 2004 8:33 PM
> Subject: Re: [Dshield] PhatBot
> 
> > Well.
> >
> > On Thu, Mar 18, 2004 at 04:19:52PM -0500, Paul Marsh wrote:
> > > Date: Thu, 18 Mar 2004 16:19:52 -0500
> > > From: "Paul Marsh" <pmarsh at nmefdn.org>
> > > To: "General DShield Discussion List" <list at dshield.org>
> > > Subject: [Dshield] PhatBot

/* snip */

> I've had just at 63000 hits on that port since Mar 5th on my border
> fw from the following systems across the world:

/* snip */


Suddenly now they've stopped completely.

These are the last I've seen, seven hours ago:


Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mar 19 01:47:45 greatwall snort: [1:0:0] TCP inbound to 65506 proxy scan {TCP} 207.36.209.104:2779 -> 24.19.147.225:65506
Mar 19 01:47:45 greatwall snort: [1:0:0] TCP inbound to 65506 proxy scan {TCP} 207.36.209.104:2779 -> 24.19.147.225:65506
Mar 19 01:47:45 greatwall snort: [1:0:0] TCP inbound to 65506 proxy scan {TCP} 207.36.209.104:2779 -> 24.19.147.225:65506


Maybe someone was actually paying attention, and figured out that I
was just honeypotting 'em :-/


- John
-- 
"Mad cow? You'd be mad too, if someone was trying to eat you."



