[Dshield] PhatBot - Time limited?

Micheal Patterson micheal at tsgincorporated.com
Fri Mar 19 22:14:13 GMT 2004



----- Original Message ----- 
From: "John Sage" <jsage at finchhaven.com>
To: "General DShield Discussion List" <list at dshield.org>
Cc: <micheal at tsgincorporated.com>
Sent: Friday, March 19, 2004 10:33 AM
Subject: Re: [Dshield] PhatBot - Time limited?


> Curiouser and curiouser...
>
> On Fri, Mar 19, 2004 at 09:23:19AM -0600, Micheal Patterson wrote:
> > From: "Micheal Patterson" <micheal at tsgincorporated.com>
> > To: "General DShield Discussion List" <list at dshield.org>
> > Subject: Re: [Dshield] PhatBot
> > Date: Fri, 19 Mar 2004 09:23:19 -0600
> >
> > ----- Original Message ----- 
> > From: "John Sage" <jsage at finchhaven.com>
> > To: "General DShield Discussion List" <list at dshield.org>
> > Sent: Thursday, March 18, 2004 8:33 PM
> > Subject: Re: [Dshield] PhatBot
> >
> > > Well.
> > >
> > > On Thu, Mar 18, 2004 at 04:19:52PM -0500, Paul Marsh wrote:
> > > > Date: Thu, 18 Mar 2004 16:19:52 -0500
> > > > From: "Paul Marsh" <pmarsh at nmefdn.org>
> > > > To: "General DShield Discussion List" <list at dshield.org>
> > > > Subject: [Dshield] PhatBot
>
> /* snip */
>
> > I've had just at 63000 hits on that port since Mar 5th on my border
> > fw from the following systems across the world:
>
> /* snip */
>
>
> Suddenly now they've stopped completely.
>
> These are the last I've seen, seven hours ago:
>
>
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> Mar 19 01:47:45 greatwall snort: [1:0:0] TCP inbound to 65506 proxy
> scan {TCP} 207.36.209.104:2779 -> 24.19.147.225:65506
> Mar 19 01:47:45 greatwall snort: [1:0:0] TCP inbound to 65506 proxy
> scan {TCP} 207.36.209.104:2779 -> 24.19.147.225:65506
> Mar 19 01:47:45 greatwall snort: [1:0:0] TCP inbound to 65506 proxy
> scan {TCP} 207.36.209.104:2779 -> 24.19.147.225:65506
>
>
> Maybe someone was actually paying attention, and figured out that I
> was just honeypotting 'em :-/
>
>
> - John
> -- 
> "Mad cow? You'd be mad too, if someone was trying to eat you."

That's odd as hell. I went and checked my current log and the last one that I
saw was at 08:04am this morning central. I'm with you in wondering if this
is time limited or not. I'm also wondering that if the rumors are true, and
this thing is spreading as fast as Code Red was, if ISPs aren't starting to
filter the port.

--

Micheal Patterson
TSG Network Administration
405-917-0600
