[unisog] Increased Activity
sbernard at gmu.edu
Tue Mar 23 16:20:53 GMT 2004
Lang, Michael wrote:
> Hey everyone,
> This is my first post to unisog and I just subscribed; I hope that this isn't repetitive...
> This morning I see a dramatic increase in hosts on our network that are scanning for
> tcp 2745
> tcp 1025
> tcp 3127
> tcp 6129
> tcp 80
> The attacked IP is chosen pretty randomly, with the first octet staying the same and the last three changing.
> Not only is there a dramatic increase of hosts on our network getting this, but I see a lot from the Internet pouring into our network.
> Anyone clue me into what this one is?
> - Mike
> University of Connecticut
If you are seeing individual hosts which are scanning on all of those
ports it is very likely that they are infected with something in the
Phatbot family. I had about 60 of these in the student residence halls
last week. There is a good write-up about this at LURHQ's web site,
including Snort signatures, and all of the AV vendors have information
Sr. Systems Engineer, NET
George Mason University
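
An added example, not part of the original thread: one way to pick out hosts matching the pattern discussed above (a single source probing all five listed ports across many destinations) from flow records. The `(src, dst, dport)` record layout, the function names, the `min_dests` threshold and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict

# Ports named in the thread as being scanned together.
WATCH_PORTS = frozenset({2745, 1025, 3127, 6129, 80})

def find_multiport_scanners(flows, min_dests=5, ports=WATCH_PORTS):
    """Return {src: distinct_dest_count} for sources that probed every port
    in `ports` and touched at least `min_dests` distinct destinations.

    `flows` is an iterable of (src_ip, dst_ip, dst_port) tuples, e.g. parsed
    from NetFlow or firewall logs (the record layout is an assumption).
    """
    seen_ports = defaultdict(set)
    seen_dests = defaultdict(set)
    for src, dst, dport in flows:
        if dport in ports:
            seen_ports[src].add(dport)
            seen_dests[src].add(dst)
    return {
        src: len(seen_dests[src])
        for src in seen_ports
        if ports <= seen_ports[src] and len(seen_dests[src]) >= min_dests
    }

def sample_flows():
    """Constructed sample data using documentation address ranges."""
    flows = []
    # Host A: sweeps all five ports across six destinations.
    for i in range(6):
        for p in sorted(WATCH_PORTS):
            flows.append(("192.0.2.10", f"198.51.{i}.{i + 7}", p))
    # Host B: ordinary web browsing, port 80 only, many destinations.
    for i in range(20):
        flows.append(("192.0.2.20", f"203.0.113.{i}", 80))
    # Host C: all five ports, but to a single server (not a sweep).
    for p in sorted(WATCH_PORTS):
        flows.append(("192.0.2.30", "198.51.100.5", p))
    return flows

if __name__ == "__main__":
    for src, n in find_multiport_scanners(sample_flows()).items():
        print(f"{src} probed all watched ports across {n} destinations")
```

Requiring the full port set rather than any single port keeps normal port 80 traffic from flagging a host, and the destination threshold separates a sweep from a client talking to one multi-service server.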