[Dshield] PhatBot - Time limited?

John Sage jsage at finchhaven.com
Sat Mar 20 03:23:25 GMT 2004


Here's what's in /var/log/messages for the last 10 days:

On Fri, Mar 19, 2004 at 04:14:13PM -0600, Micheal Patterson wrote:
> From: "Micheal Patterson" <micheal at tsgincorporated.com>
> To: "General DShield Discussion List" <list at dshield.org>
> Subject: Re: [Dshield] PhatBot - Time limited?
> Date: Fri, 19 Mar 2004 16:14:13 -0600

/* various snippages */

> > Suddenly now they've stopped completely.
> >
> > These are the last I've seen, seven hours ago:
> >
> > Active System Attack Alerts
> > =-=-=-=-=-=-=-=-=-=-=-=-=-=
> > Mar 19 01:47:45 greatwall snort: [1:0:0] TCP inbound to 65506 proxy
> > scan {TCP} 207.36.209.104:2779 -> 24.19.147.225:65506
> > Mar 19 01:47:45 greatwall snort: [1:0:0] TCP inbound to 65506 proxy
> > scan {TCP} 207.36.209.104:2779 -> 24.19.147.225:65506
> > Mar 19 01:47:45 greatwall snort: [1:0:0] TCP inbound to 65506 proxy
> > scan {TCP} 207.36.209.104:2779 -> 24.19.147.225:65506
> 
> That's odd as hell. I went and checked my current log and the last one
> that I saw was at 08:04am this morning central. I'm with you in
> wondering if this is time limited or not. I'm also wondering that if
> the rumors are true, and this thing is spreading as fast as Code Red
> was, if ISPs aren't starting to filter the port.


/var/log/messages rotates every morning about 4:00am; it's now Fri Mar
19 19:22:21 PST 2004...


[root at greatwall snort]# grep -c xxx:65506 ../messages
9
[root at greatwall snort]# grep -c xxx:65506 ../messages.1
2314
[root at greatwall snort]# grep -c xxx:65506 ../messages.2
456
[root at greatwall snort]# grep -c xxx:65506 ../messages.3
39
[root at greatwall snort]# grep -c xxx:65506 ../messages.4
68
[root at greatwall snort]# grep -c xxx:65506 ../messages.5
151
[root at greatwall snort]# grep -c xxx:65506 ../messages.6
4
[root at greatwall snort]# grep -c xxx:65506 ../messages.7
2
[root at greatwall snort]# grep -c xxx:65506 ../messages.8
0
[root at greatwall snort]# grep -c xxx:65506 ../messages.9
0
[root at greatwall snort]# grep -c xxx:65506 ../messages.10
0

- John
-- 
"Mad cow? You'd be mad too, if someone was trying to eat you."
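The grep -c run above answers "is the scanning tailing off?" one rotated file at a time. As an added example (not from John's post or anything on the DShield list), here is a small POSIX shell script that does the same count across any number of rotated syslog files, reads gzip-rotated ones through zcat, only counts a line when the port appears as the *destination* after the snort "->" arrow (so a source-port collision is not mistaken for an inbound hit), and gives a per-day breakdown. The file names, the RFC 5737 addresses and the log lines in the demo are constructed for the example; the function names count_port_hits and hits_per_day are my own.

```shell
#!/bin/sh
# Added example: per-file and per-day counts of inbound hits to one TCP port
# in syslog-format snort alert lines. Not from the original post.

# count_port_hits PORT FILE...
# Prints "FILE COUNT" for each readable file; *.gz files are read with zcat.
# Matches only "-> a.b.c.d:PORT" so an attacker's *source* port does not count.
count_port_hits() {
    port=$1; shift
    pat="-> [0-9.]+:${port}([^0-9]|\$)"
    for f in "$@"; do
        [ -r "$f" ] || continue
        case "$f" in
            *.gz) n=$(zcat "$f" | grep -Ec -- "$pat" || true) ;;
            *)    n=$(grep -Ec -- "$pat" "$f" || true) ;;
        esac
        printf '%s %s\n' "$f" "$n"
    done
}

# hits_per_day PORT FILE...
# Concatenates the files and prints "Mon DD COUNT" per calendar day, in order
# of first appearance (newest first if you list messages before messages.1).
hits_per_day() {
    port=$1; shift
    pat="-> [0-9.]+:${port}([^0-9]|\$)"
    for f in "$@"; do
        [ -r "$f" ] || continue
        case "$f" in *.gz) zcat "$f" ;; *) cat "$f" ;; esac
    done | grep -E -- "$pat" \
         | awk '{ key = $1 " " $2
                  if (!(key in seen)) { seen[key] = 1; order[++n] = key }
                  c[key]++ }
                END { for (i = 1; i <= n; i++) printf "%s %d\n", order[i], c[order[i]] }'
}

# --- constructed demo data standing in for /var/log/messages and messages.1 ---
# Real use: count_port_hits 65506 /var/log/messages /var/log/messages.[0-9]*
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Third line has 65506 as the SOURCE port and must not be counted.
cat > "$demo_dir/messages" <<'EOF'
Mar 19 01:47:45 greatwall snort: [1:0:0] TCP inbound to 65506 proxy scan {TCP} 198.51.100.23:2779 -> 192.0.2.9:65506
Mar 19 01:47:46 greatwall snort: [1:0:0] TCP inbound to 65506 proxy scan {TCP} 198.51.100.23:2780 -> 192.0.2.9:65506
Mar 19 08:04:02 greatwall snort: [1:0:0] TCP inbound to 80 {TCP} 198.51.100.40:65506 -> 192.0.2.9:80
EOF

cat > "$demo_dir/messages.1" <<'EOF'
Mar 18 02:10:11 greatwall snort: [1:0:0] TCP inbound to 65506 proxy scan {TCP} 198.51.100.7:3311 -> 192.0.2.9:65506
Mar 18 14:30:00 greatwall snort: [1:0:0] TCP inbound to 65506 proxy scan {TCP} 198.51.100.8:1024 -> 192.0.2.9:65506
Mar 17 23:59:58 greatwall snort: [1:0:0] TCP inbound to 65506 proxy scan {TCP} 198.51.100.8:1025 -> 192.0.2.9:65506
EOF

echo "hits per rotated file:"
count_port_hits 65506 "$demo_dir/messages" "$demo_dir/messages.1" "$demo_dir/messages.2.gz"
echo "hits per day:"
hits_per_day 65506 "$demo_dir/messages" "$demo_dir/messages.1"
```

Run it as-is to see the demo; on a real box replace the demo paths with /var/log/messages and its rotations. The per-day view is the one that actually answers the thread's question: a count per rotated file shifts with the 4:00am rotation time, while a count keyed on the syslog date does not.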