Infected Target: 192.168.71.2
Score: 2.0 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List: 192.168.71.158 (2)
Observed Start: 07/06/2008 08:42:14.880 PDT
Gen. Time: 07/06/2008 08:47:32.213 PDT

INBOUND SCAN
192.168.71.158 (3) (08:40:27.812 PDT)
event=777:7777001 (3) {udp} E1[bh] Detected moderate malware scan by 192.168.71.158 (# pkts S/M/O/I=28/409/10/28) of 5 IPs: 192.168.71.254.67 192.168.71.2.{137,53} 192.168.71.255.{137,138}
0<-0 (08:40:27.812 PDT)
0<-0 (08:43:29.979 PDT)
0<-0 (08:45:45.747 PDT)

EXPLOIT

EXPLOIT (slade)

EGG DOWNLOAD

C and C TRAFFIC

PEER COORDINATION

OUTBOUND SCAN
192.168.71.158 (08:42:14.880 PDT)
event=777:7777005 {udp} E5[bh] Detected moderate malware port scanning of 20 IPs (13 /24s) (# pkts S/M/O/I=140/418/14/16): 137u:392, 138u:26
0<-0 (08:42:14.880 PDT)

ATTACK PREP
192.168.71.158 (2) (08:43:29.979 PDT)
event=1:2600144 {udp} E6[rb] SPYWARE-DNS DNS lookup 6 chars (.com)
53<-3029 (08:43:29.979 PDT)
-------------------------
event=1:2600332 {udp} E6[rb] SPYWARE-DNS DNS lookup 7 chars (.net)
53<-3029 (08:43:30.518 PDT)

DECLARE BOT
192.168.71.158 (3) (08:43:31.422 PDT)
event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=158/420/14/16): 137u:394, 138u:26
0<-0 (08:43:31.422 PDT)
0<-0 (08:45:45.747 PDT)
0<-0 (08:47:32.213 PDT)

tcpslice 1215358934.880 1215358934.881 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.71.2'