Infected Target: 192.168.71.136
Score: 2.3 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 65.98.34.74
Peer Coord. List:
Resource List: 192.168.71.2 (2)
Observed Start: 06/28/2008 00:35:32.345 PDT
Gen. Time: 06/28/2008 00:42:48.999 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (slade)
EGG DOWNLOAD
C and C TRAFFIC
65.98.34.74 (00:35:36.040 PDT)
  event=1:2003427 {tcp} E4[rb] ET WORM Bagle Worm User-Agent (DEBUT.TMP) 3011->80 (00:35:36.040 PDT)
PEER COORDINATION
OUTBOUND SCAN
192.168.71.2 (2) (00:35:34.450 PDT)
  event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 9 IPs (6 /24s) (# pkts S/M/O/I=9/16/4/6): 137u:16 0->0 (00:35:34.450 PDT) 0->0 (00:42:48.999 PDT)
ATTACK PREP
192.168.71.2 (2) (00:35:34.334 PDT)
  event=1:2600040 {udp} E6[rb] SPYWARE-DNS DNS lookup 3 chars (.by) 1027->53 (00:35:34.697 PDT)
  -------------------------
  event=1:2600129 {udp} E6[rb] SPYWARE-DNS DNS lookup 3 chars (.com) 1027->53 (00:35:34.334 PDT)
DECLARE BOT
81.95.149.235 (3) (00:35:32.345 PDT)
  event=1:2406000 {tcp} E8[rb] ET RBN Known Russian Business Network Traffic - Hosting Nets 3009->80 (00:35:32.345 PDT)
  -------------------------
  event=1:2406030 {tcp} E8[rb] ET RBN Known Russian Business Network Monitored Domains (26) 3009->80 (00:35:32.345 PDT)
  -------------------------
  event=1:2500000 {tcp} E8[rb] ET COMPROMISED Known Compromised or Hostile Host Traffic (1) 3009->80 (00:35:32.345 PDT)

tcpslice 1214638532.345 1214638532.346 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.71.136'
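The profile above is easier to triage once its events are pulled out and sorted by time rather than by the phase they are printed under, and the epoch values in the tcpslice command should be checked against the report's wall-clock times before the carve is trusted. The following parser is an added example, not BotHunter's own code or output. It assumes the profile is laid out one field or event per line (the sample below is a copy of the report above in that layout), that the timestamps are PDT (UTC-7), and that the input and output file names are the placeholders the page's own command uses.

```python
"""Parse a BotHunter infection profile and rebuild its tcpslice carve window.

Added example, not BotHunter code. Sample input is the profile above,
one field or event per line. Timestamps are taken as PDT (UTC-7).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the infection profile above, one item per line.
PROFILE = """\
Infected Target: 192.168.71.136
Score: 2.3 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 65.98.34.74
Peer Coord. List:
Resource List: 192.168.71.2 (2)
Observed Start: 06/28/2008 00:35:32.345 PDT
Gen. Time: 06/28/2008 00:42:48.999 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (slade)
EGG DOWNLOAD
C and C TRAFFIC
65.98.34.74 (00:35:36.040 PDT)
  event=1:2003427 {tcp} E4[rb] ET WORM Bagle Worm User-Agent (DEBUT.TMP) 3011->80 (00:35:36.040 PDT)
PEER COORDINATION
OUTBOUND SCAN
192.168.71.2 (2) (00:35:34.450 PDT)
  event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 9 IPs (6 /24s) (# pkts S/M/O/I=9/16/4/6): 137u:16 0->0 (00:35:34.450 PDT) 0->0 (00:42:48.999 PDT)
ATTACK PREP
192.168.71.2 (2) (00:35:34.334 PDT)
  event=1:2600040 {udp} E6[rb] SPYWARE-DNS DNS lookup 3 chars (.by) 1027->53 (00:35:34.697 PDT)
  -------------------------
  event=1:2600129 {udp} E6[rb] SPYWARE-DNS DNS lookup 3 chars (.com) 1027->53 (00:35:34.334 PDT)
DECLARE BOT
81.95.149.235 (3) (00:35:32.345 PDT)
  event=1:2406000 {tcp} E8[rb] ET RBN Known Russian Business Network Traffic - Hosting Nets 3009->80 (00:35:32.345 PDT)
  -------------------------
  event=1:2406030 {tcp} E8[rb] ET RBN Known Russian Business Network Monitored Domains (26) 3009->80 (00:35:32.345 PDT)
  -------------------------
  event=1:2500000 {tcp} E8[rb] ET COMPROMISED Known Compromised or Hostile Host Traffic (1) 3009->80 (00:35:32.345 PDT)
"""

# Dialog phases exactly as the report prints them.
PHASES = {"INBOUND SCAN", "EXPLOIT", "EXPLOIT (slade)", "EGG DOWNLOAD",
          "C and C TRAFFIC", "PEER COORDINATION", "OUTBOUND SCAN",
          "ATTACK PREP", "DECLARE BOT"}
PEER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?: \((\d+)\))? \((\d\d:\d\d:\d\d\.\d+) PDT\)$")
EVENT_RE = re.compile(r"event=(\d+):(\d+)(?: \((\d+)\))? \{(tcp|udp)\} (E\d\[\w+\]) (.*?) "
                      r"(\d+)->(\d+) \((\d\d:\d\d:\d\d\.\d+) PDT\)")
PDT = timezone(timedelta(hours=-7))  # assumption: report clock is PDT


def parse_profile(text):
    """Return (header fields, event records) from a profile in the layout above."""
    header, events, phase, peer = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----"):
            continue
        if line in PHASES:                      # phase heading, resets the peer
            phase, peer = line, None
            continue
        m = PEER_RE.match(line)
        if m and phase:                         # "ip (n) (time)" line under a phase
            peer = m.group(1)
            continue
        m = EVENT_RE.search(line)
        if m:                                   # one Snort-style event under a peer
            gid, sid, count, proto, code, msg, sport, dport, when = m.groups()
            events.append({"phase": phase, "peer": peer, "gid": int(gid),
                           "sid": int(sid), "count": int(count) if count else 1,
                           "proto": proto, "code": code, "msg": msg,
                           "sport": int(sport), "dport": int(dport), "time": when})
            continue
        if phase is None and ":" in line:       # "Key: value" header field
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
    return header, events


def parse_stamp(stamp):
    """'06/28/2008 00:35:32.345 PDT' -> timezone-aware datetime."""
    naive = datetime.strptime(stamp.replace(" PDT", ""), "%m/%d/%Y %H:%M:%S.%f")
    return naive.replace(tzinfo=PDT)


def tcpslice_stamp(dt):
    """Epoch seconds with a millisecond fraction, the form tcpslice accepts."""
    return f"{int(dt.replace(microsecond=0).timestamp())}.{dt.microsecond // 1000:03d}"


def carve_command(header, infile="inputFile.tcpd", outfile="outputFile.tcpd", through_gen_time=False):
    """Rebuild the tcpslice | tcpdump pipeline. The page's command uses a 1 ms window,
    which only carves the first DECLARE BOT flow; through_gen_time=True slices up to Gen. Time."""
    start = parse_stamp(header["Observed Start"])
    end = parse_stamp(header["Gen. Time"]) if through_gen_time else start + timedelta(milliseconds=1)
    return (f"tcpslice {tcpslice_stamp(start)} {tcpslice_stamp(end)} {infile} "
            f"| tcpdump -r - -w {outfile} 'host {header['Infected Target']}'")


def timeline(events):
    """Events in the order they happened (same-day HH:MM:SS.mmm sorts as text)."""
    return sorted(events, key=lambda e: e["time"])
```

Sorting the events shows that the RBN hosting-net contact (DECLARE BOT) is the earliest thing in the dialog, followed by the two short-TLD DNS lookups, the UDP/137 scan and only then the Bagle user-agent hit; the phase order in the printed profile does not reflect that. The carve as written on the page covers 1 ms, so it captures only the first 81.95.149.235 flow; widening it to Gen. Time pulls the whole dialog for the host.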