Infected Target: 192.168.71.193
Score: 1.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 192.168.191.145, 192.168.228.144, 192.168.87.218, 192.168.252.129
Peer Coord. List:
Resource List:
Observed Start: 07/20/2008 19:46:04.423 PDT
Gen. Time: 07/20/2008 19:50:10.354 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (slade)
EGG DOWNLOAD
C and C TRAFFIC
192.168.191.145 (19:50:10.354 PDT) event=1:2001581 {tcp} E4[rb] ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection 3498->135 (19:50:10.354 PDT)
192.168.228.144 (19:48:48.438 PDT) event=1:2001581 {tcp} E4[rb] ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection 3348->135 (19:48:48.438 PDT)
192.168.87.218 (19:46:04.423 PDT) event=1:2001581 {tcp} E4[rb] ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection 3027->135 (19:46:04.423 PDT)
192.168.252.129 (19:47:26.455 PDT) event=1:2001581 {tcp} E4[rb] ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection 3189->135 (19:47:26.455 PDT)
PEER COORDINATION
OUTBOUND SCAN
192.168.228.144 (19:49:08.963 PDT) event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection 3389->445 (19:49:08.963 PDT)
192.168.87.218 (19:46:24.923 PDT) event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection 3068->445 (19:46:24.923 PDT)
192.168.71.2 (19:46:24.923 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (6 /24s) (# pkts S/M/O/I=3/81/104/15): 137u:12, 445:69 0->0 (19:46:24.923 PDT)
192.168.252.129 (19:47:47.076 PDT) event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection 3227->445 (19:47:47.076 PDT)
ATTACK PREP
DECLARE BOT
192.168.71.2 (2) (19:47:58.854 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (13 /24s) (# pkts S/M/O/I=7/302/305/41): 137u:27, 445:275 0->0 (19:47:58.854 PDT) 0->0 (19:49:28.781 PDT)

tcpslice 1216608364.423 1216608364.424 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.71.193'