Infected Target: 192.168.71.2
Score: 1.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List: 192.168.71.176
Observed Start: 07/14/2008 02:01:20.116 PDT
Gen. Time: 07/14/2008 02:05:41.419 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (slade)
EGG DOWNLOAD
C and C TRAFFIC
PEER COORDINATION
OUTBOUND SCAN
        192.168.71.177 (2) (02:01:20.116 PDT)
            event=777:7777005 (2) {udp} E5[bh] Detected intense non-malware port scanning of 30 IPs (25 /24s) (# pkts S/M/O/I=64838/56273/65380/37937): 139:36239, 443:29130, 80:50145, 53u:65535, 67u:10, 123u:1 0<-0 (02:01:20.116 PDT) (02:05:41.419 PDT)
ATTACK PREP
        192.168.71.176 (02:05:10.468 PDT)
            event=1:2600269 {udp} E6[rb] SPYWARE-DNS DNS lookup 7 chars (.info) 53<-1026 (02:05:10.468 PDT)
DECLARE BOT
        192.168.71.177 (3) (02:01:31.890 PDT)
            event=777:7777008 (3) {udp} E8[bh] Detected intense malware port scanning of 30 IPs (25 /24s) (# pkts S/M/O/I=0/56406/65380/37937): 445:36212, 137u:20182, 138u:12 0<-0 (02:01:31.890 PDT) 0<-0 (02:03:01.089 PDT) 0<-0 (02:04:31.377 PDT)

tcpslice 1216026080.116 1216026080.117 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.71.2'
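The profile above is easier to triage once it is structured: which dialog stages actually carry evidence, which hosts and Snort gid:sid pairs produced each line, and what epoch window the pcap carve should cover. The parser below is an added example, not BotHunter's own code. It takes the profile text from this page as its sample input and assumes three things not stated on the page: the field layout as printed here (headers, stage headings, indented host and event lines), that the bare HH:MM:SS.mmm clocks on event lines share the date of "Observed Start", and a small zone table for the abbreviation BotHunter prints (PDT = UTC-7). The stage of each event is taken from the heading it sits under rather than from a hard-coded E-number map. Note that the tcpslice line on the page covers a single millisecond at the observed start; the helper derives the window from Observed Start to Gen. Time so the whole dialog is carved, which is what the epoch value on the page corresponds to.

```python
"""Parse a BotHunter infection profile into structured evidence records.
Added example, not BotHunter's own code; see the lead-in for assumptions."""
import re
from datetime import datetime, timedelta, timezone

TZ_OFFSETS = {"PST": -8, "PDT": -7, "UTC": 0}  # assumed zone table, hours from UTC
STAGES = ("INBOUND SCAN", "EXPLOIT", "EXPLOIT (slade)", "EGG DOWNLOAD",
          "C and C TRAFFIC", "PEER COORDINATION", "OUTBOUND SCAN",
          "ATTACK PREP", "DECLARE BOT")  # dialog stages in print order

# Sample input: the profile from this page, copied verbatim (tcpslice line omitted).
PROFILE = """\
Infected Target: 192.168.71.2
Score: 1.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List: 192.168.71.176
Observed Start: 07/14/2008 02:01:20.116 PDT
Gen. Time: 07/14/2008 02:05:41.419 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT (slade)
EGG DOWNLOAD
C and C TRAFFIC
PEER COORDINATION
OUTBOUND SCAN
    192.168.71.177 (2) (02:01:20.116 PDT)
        event=777:7777005 (2) {udp} E5[bh] Detected intense non-malware port scanning of 30 IPs (25 /24s) (# pkts S/M/O/I=64838/56273/65380/37937): 139:36239, 443:29130, 80:50145, 53u:65535, 67u:10, 123u:1 0<-0 (02:01:20.116 PDT) (02:05:41.419 PDT)
ATTACK PREP
    192.168.71.176 (02:05:10.468 PDT)
        event=1:2600269 {udp} E6[rb] SPYWARE-DNS DNS lookup 7 chars (.info) 53<-1026 (02:05:10.468 PDT)
DECLARE BOT
    192.168.71.177 (3) (02:01:31.890 PDT)
        event=777:7777008 (3) {udp} E8[bh] Detected intense malware port scanning of 30 IPs (25 /24s) (# pkts S/M/O/I=0/56406/65380/37937): 445:36212, 137u:20182, 138u:12 0<-0 (02:01:31.890 PDT) 0<-0 (02:03:01.089 PDT) 0<-0 (02:04:31.377 PDT)
"""

HEADER_RE = re.compile(r"^([A-Za-z&. ]+?):\s*(.*)$")                 # "Key: value" header lines
HOST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\s+\(\d+\))?\s+\(\d\d:\d\d:\d\d\.\d{3} [A-Z]{3}\)$")
EVENT_RE = re.compile(r"^event=(?P<gid>\d+):(?P<sid>\d+)(?:\s+\((?P<count>\d+)\))?\s+"
                      r"\{(?P<proto>\w+)\}\s+(?P<level>E\d)\[(?P<sensor>\w+)\]\s+(?P<rest>.*)$")
OBS_RE = re.compile(r"(\d+)<-(\d+)\s+\((\d\d:\d\d:\d\d\.\d{3}) ([A-Z]{3})\)")  # dstport<-srcport (clock zone)
TIME_RE = re.compile(r"\((\d\d:\d\d:\d\d\.\d{3}) ([A-Z]{3})\)")

def parse_stamp(text):
    """'07/14/2008 02:01:20.116 PDT' -> timezone-aware datetime."""
    date_part, clock, zone = text.split()
    naive = datetime.strptime(f"{date_part} {clock}", "%m/%d/%Y %H:%M:%S.%f")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))

def event_time(clock, zone, base):
    """Give a bare event clock the date of Observed Start; roll past midnight if needed."""
    tz = timezone(timedelta(hours=TZ_OFFSETS[zone]))
    dt = datetime.combine(base.date(), datetime.strptime(clock, "%H:%M:%S.%f").time(), tz)
    return dt + timedelta(days=1) if dt < base else dt

def parse_profile(text):
    headers, events, stage, host = {}, [], None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("tcpslice"):
            continue
        if line in STAGES:            # stage heading; its evidence lines follow
            stage, host = line, None
        elif m := EVENT_RE.match(line):
            base = parse_stamp(headers["Observed Start"])
            rest = m.group("rest")
            first = OBS_RE.search(rest)   # message text runs up to the first port-pair observation
            events.append({
                "stage": stage, "host": host,
                "gid": int(m.group("gid")), "sid": int(m.group("sid")),
                "count": int(m.group("count") or 1), "proto": m.group("proto"),
                "level": m.group("level"), "sensor": m.group("sensor"),
                "message": (rest[: first.start()] if first else rest).strip(),
                "observations": [(int(d), int(s), event_time(c, z, base))
                                 for d, s, c, z in OBS_RE.findall(rest)],
                "times": [event_time(c, z, base) for c, z in TIME_RE.findall(rest)],
            })
        elif m := HOST_RE.match(line):   # "a.b.c.d (n) (clock zone)" under a stage
            host = m.group(1)
        elif m := HEADER_RE.match(line):
            headers[m.group(1)] = m.group(2).strip()
    return {"headers": headers, "events": events}

def stages_with_evidence(profile):
    """Stage headings that actually carry evidence, in profile order."""
    return list(dict.fromkeys(ev["stage"] for ev in profile["events"]))

def tcpslice_window(profile):
    """Epoch seconds with 3 decimals (tcpslice's format) from Observed Start to Gen. Time."""
    start = parse_stamp(profile["headers"]["Observed Start"])
    end = parse_stamp(profile["headers"]["Gen. Time"])
    return f"{start.timestamp():.3f}", f"{end.timestamp():.3f}"

def tcpslice_command(profile, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """Carve the whole dialog for the infected target, in the form BotHunter prints."""
    start, end = tcpslice_window(profile)
    return (f"tcpslice {start} {end} {infile} | tcpdump -r - -w {outfile} "
            f"'host {profile['headers']['Infected Target']}'")
```

Running `parse_profile(PROFILE)` yields three evidence records, under OUTBOUND SCAN, ATTACK PREP and DECLARE BOT; the six other stage headings are present but empty, which is why the Infector, Egg Source and C & C lists are blank while the score still clears the 0.8 threshold. `tcpslice_window` returns 1216026080.116 for Observed Start, matching the first argument of the page's tcpslice line, and 1216026341.419 for Gen. Time.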