Infected Target: 192.168.71.146
Score: 2.3 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 61.135.158.241 (2)
Peer Coord. List:
Resource List: 192.168.71.2
Observed Start: 06/30/2008 23:09:20.623 PDT
Gen. Time: 06/30/2008 23:13:37.549 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (slade)

EGG DOWNLOAD

C and C TRAFFIC
61.135.158.241 (2) (23:09:59.459 PDT)
event=1:2002400 (2) {tcp} E4[rb] ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)
3013->80 (23:09:59.459 PDT)
3054->80 (23:12:08.051 PDT)

PEER COORDINATION

OUTBOUND SCAN
89.208.66.7 (23:13:37.549 PDT)
event=777:7777005 {udp} E5[bh] Detected intense non-malware port scanning of 30 IPs (28 /24s) (# pkts S/M/O/I=143/96/208/6): 61703u:1, 443:2, 17606u:3, 53u:22, 13557u:1, 19786u:1, 80:19, 3333u:4, 1111u:1, 123u:1, 10489u:1, 2418u:1
0->0 (23:13:37.549 PDT)
192.168.71.2 (2) (23:09:20.623 PDT)
event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 9 IPs (6 /24s) (# pkts S/M/O/I=9/86/4/6): 137u:71, 138u:15
0->0 (23:09:20.623 PDT)
0->0 (23:10:56.143 PDT)
87.118.110.126 (23:12:01.937 PDT)
event=777:7777005 {udp} E5[bh] Detected intense non-malware port scanning of 30 IPs (28 /24s) (# pkts S/M/O/I=29/92/94/6): 61703u:1, 53u:9, 13557u:1, 19786u:1, 123u:1, 10489u:1, 2418u:1, 54576u:1, 1900u:3, 40568u:1, 80:14, 3571u:1
0->0 (23:12:01.937 PDT)

ATTACK PREP
192.168.71.2 (23:12:03.243 PDT)
event=1:2600129 {udp} E6[rb] SPYWARE-DNS DNS lookup 3 chars (.com)
3031->53 (23:12:03.243 PDT)

DECLARE BOT
192.168.71.2 (23:11:22.070 PDT)
event=777:7777008 {udp} E8[bh] Detected intense malware port scanning of 21 IPs (18 /24s) (# pkts S/M/O/I=28/89/15/6): 137u:74, 138u:15
0->0 (23:11:22.070 PDT)

tcpslice 1214892560.623 1214892560.624 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.71.146'