
SANS ISC InfoSec Handlers Diary Blog



New {Phat|Ago|Gao}bot Variant(s) ? - Followup on port 1981 increase

Published: 2004-04-18
Last Updated: 2004-04-19 04:15:52 UTC
by Scott Fendley (Version: 1)
New Phatbot/Agobot/Gaobot perhaps



We have had a few reports suggesting that a new version of Phatbot is running around the Internet today. Along with probes on TCP ports 2745, 1025, 3127, 6129, 5000, 80 and MS NetBIOS (RPC/DCOM attacks), we have now seen reports of port 1433 being included as well. This may point to a new variant that attempts to break into SQL Server as well as exploiting the vulnerabilities already targeted. If anyone has full packet captures or is able to grab the executable for analysis, please contact the ISC with the information you can provide.

There has also been conjecture that the port 1981 increase may be connected to another variant of Phatbot. We are actively attempting to capture packet traces and/or executables that will prove this or otherwise help determine whether the conjecture is correct.

---

Scott Fendley, Handler On Duty
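
As an added example (not part of the original diary entry or any ISC tooling), the sketch below groups dropped-connection log lines by source address and flags hosts whose probes match the port set listed above, noting whether 1433 or 1981 also appear. The log format, the sample lines, the `min_known` threshold, and the reading of "MS NetBIOS (RPC/DCOM)" as TCP 135/139/445 are assumptions.

```python
import re
from collections import defaultdict

# Ports named in the diary entry for the already-known probe pattern.
KNOWN_PORTS = {2745, 1025, 3127, 6129, 5000, 80}
# Assumption: "MS NetBIOS (RPC/DCOM)" is taken to mean TCP 135, 139 and 445.
MS_PORTS = {135, 139, 445}
# Ports the diary reports as newly seen (1433) or conjectured related (1981).
NEW_PORTS = {1433, 1981}

# Constructed sample lines in a simplified firewall-log format (not real traffic).
SAMPLE_LOG = """\
2004-04-18T10:00:01 DROP TCP 192.0.2.10 -> 198.51.100.5:2745
2004-04-18T10:00:02 DROP TCP 192.0.2.10 -> 198.51.100.5:1025
2004-04-18T10:00:03 DROP TCP 192.0.2.10 -> 198.51.100.5:3127
2004-04-18T10:00:04 DROP TCP 192.0.2.10 -> 198.51.100.5:6129
2004-04-18T10:00:05 DROP TCP 192.0.2.10 -> 198.51.100.5:1433
2004-04-18T10:01:00 DROP TCP 192.0.2.20 -> 198.51.100.5:2745
2004-04-18T10:01:01 DROP TCP 192.0.2.20 -> 198.51.100.5:3127
2004-04-18T10:01:02 DROP TCP 192.0.2.20 -> 198.51.100.5:135
2004-04-18T10:02:00 DROP TCP 192.0.2.30 -> 198.51.100.5:80
2004-04-18T10:03:00 DROP TCP 192.0.2.40 -> 198.51.100.5:1981
2004-04-18T10:03:01 DROP TCP 192.0.2.40 -> 198.51.100.5:1433
garbage line without the expected fields
"""

LINE_RE = re.compile(r"^(\S+) DROP TCP (\S+) -> (\S+):(\d+)$")

def ports_by_source(log_text):
    """Map each source IP to the set of destination ports it probed."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip lines that do not parse
            seen[m.group(2)].add(int(m.group(4)))
    return seen

def classify(log_text, min_known=3):
    """Return {source: sorted new ports} for sources matching the known pattern."""
    results = {}
    for src, ports in ports_by_source(log_text).items():
        known = ports & (KNOWN_PORTS | MS_PORTS)
        if len(known) >= min_known:  # a single hit on port 80 is not a match
            results[src] = sorted(ports & NEW_PORTS)
    return results

if __name__ == "__main__":
    for src, extra in classify(SAMPLE_LOG).items():
        print(src, f"known pattern plus {extra}" if extra else "known pattern only")
```

A source that hits only 1981 or 1433 is deliberately not flagged here, since the diary treats the link between those ports and Phatbot as unconfirmed.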