[unisog] Increased Activity

Stephen Bernard sbernard at gmu.edu
Tue Mar 23 16:20:53 GMT 2004

Lang, Michael wrote:
> Hey everyone,
> This is my first post to unisog and I just subscribed; I hope that this isn't repetitive...
> This morning I see a dramatic increase in hosts on our network that are scanning for 
> tcp 2745
> tcp 1025
> tcp 3127
> tcp 6129
> tcp   80
> The attacked IP is chosen pretty randomly, with the first octet staying the same and the last three changing.
> Not only is there a dramatic increase of hosts on our network getting this, but I see a lot from the Internet pouring into our network.
> Anyone clue me in to what this one is?
> thanks,
> - Mike
> University of Connecticut

If you are seeing individual hosts which are scanning on all of those 
ports it is very likely that they are infected with something in the 
Phatbot family. I had about 60 of these in the student residence halls 
last week. There is a good write-up about this at LURHQ's web site, 
including Snort signatures, and all of the AV vendors have information 
as well.


Steve Bernard
Sr. Systems Engineer, NET
George Mason University
Fairfax, Virginia
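
The heuristic from the reply above (a single host probing every one of the listed ports across many targets), sketched as an added example that is not part of the original thread. The "src dst port" record format, the `min_targets` threshold and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Ports listed in the original post; a host probing all of them is the signal.
WATCH_PORTS = {2745, 1025, 3127, 6129, 80}

# Constructed sample flow records, one "src_ip dst_ip dst_port" per line.
SAMPLE = [
    # One host sweeping ten different targets, covering every watched port.
    f"10.1.2.3 10.{i}.{i * 7 % 256}.{i * 13 % 256} {p}"
    for i, p in zip(range(1, 11), sorted(WATCH_PORTS) * 2)
] + [
    "10.1.2.9 192.0.2.10 80",    # ordinary web traffic, port 80 only
    "10.1.2.9 192.0.2.11 80",
    "10.1.5.5 10.1.5.1 1025",    # a single watched port, not the full set
    "malformed record",          # skipped by the parser
]


def find_suspects(lines, min_targets=5):
    """Return sources that touched every watched port on >= min_targets hosts."""
    ports = defaultdict(set)
    targets = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # ignore records that do not match the assumed format
        src, dst, port = parts[0], parts[1], int(parts[2])
        if port in WATCH_PORTS:
            ports[src].add(port)
            targets[src].add(dst)

    suspects = {}
    for src, seen in ports.items():
        if seen == WATCH_PORTS and len(targets[src]) >= min_targets:
            # The original post notes the targets keep one first octet.
            first_octets = {d.split(".")[0] for d in targets[src]}
            suspects[src] = {
                "targets": len(targets[src]),
                "same_first_octet": len(first_octets) == 1,
            }
    return suspects


if __name__ == "__main__":
    for host, info in find_suspects(SAMPLE).items():
        print(host, info)
```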
