
SANS ISC: New {Phat|Ago|Gao}bot Variant(s) ? - Followup on port 1981 increase SANS ISC InfoSec Forums

New Phatbot/Agobot/Gaobot perhaps

We have had a few reports that make it appear that a new version of Phatbot is circulating on the Internet today. Along with probes on tcp ports 2745, 1025, 3127, 6129, 5000, 80 and MS netbios (rpc/dcom attacks), we have now seen reports of port 1433 being included as well. This may point to a new variant that attempts to attack SQL Server ports in addition to the vulnerabilities already exploited. If anyone has full packet captures or is able to grab the executable for analysis, please contact the ISC with the information you can provide.

There has also been conjecture that the port 1981 increase is potentially also connected to another variant of Phatbot. We are actively attempting to capture packet traces and/or executables that will prove this or otherwise help determine whether the conjecture is correct.

Scott Fendley, Handler On Duty

Apr 19th 2004
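The probe pattern described in the diary can be checked against local connection logs. The Python below is an added example, not ISC code or part of the original diary: it flags sources that hit several of the listed ports and also touch 1433 or 1981 within a short window. The log format, sample lines, thresholds and the mapping of "MS netbios (rpc/dcom)" to ports 135/139/445 are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the diary. 135/139/445 for "MS netbios (rpc/dcom)" is an
# assumption; the diary gives no port numbers for that item.
KNOWN_PORTS = {2745, 1025, 3127, 6129, 5000, 80, 135, 139, 445}
NEW_PORTS = {1433, 1981}  # 1433 newly reported; 1981 link is conjecture

# Constructed sample log: ISO timestamp, source IP, destination TCP port.
SAMPLE_LOG = """\
2004-04-19T10:00:01 192.0.2.10 2745
2004-04-19T10:00:02 192.0.2.10 1025
2004-04-19T10:00:04 192.0.2.10 3127
2004-04-19T10:00:07 192.0.2.10 1433
2004-04-19T10:01:00 198.51.100.7 1433
2004-04-19T10:02:00 203.0.113.5 2745
2004-04-19T10:02:05 203.0.113.5 6129
2004-04-19T10:02:09 203.0.113.5 80
2004-04-19T11:30:00 203.0.113.5 1433
2004-04-19T10:03:00 192.0.2.44 135
2004-04-19T10:03:01 192.0.2.44 445
2004-04-19T10:03:03 192.0.2.44 5000
2004-04-19T10:03:06 192.0.2.44 1981
2004-04-19T10:05:00 192.0.2.99 n/a
"""

def parse(log):
    """Yield (time, src, port); malformed lines are skipped."""
    for line in log.splitlines():
        try:
            ts, src, port = line.split()
            yield datetime.fromisoformat(ts), src, int(port)
        except ValueError:
            continue

def find_sweeps(log, min_known=3, window=timedelta(minutes=5)):
    """Map each flagged source to the new ports it probed."""
    by_src = defaultdict(list)
    for ts, src, port in parse(log):
        if port in KNOWN_PORTS | NEW_PORTS:
            by_src[src].append((ts, port))
    hits = {}
    for src, events in by_src.items():
        for start, _ in events:  # window opening at each event
            seen = {p for t, p in events if timedelta(0) <= t - start <= window}
            if len(seen & KNOWN_PORTS) >= min_known and seen & NEW_PORTS:
                hits[src] = sorted(seen & NEW_PORTS)
                break
    return hits
```

A source that only probes 1433, or that touches it long after sweeping the other ports, is not flagged; those are more likely unrelated SQL scanning than the multi-port behaviour reported here.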
