BotHunter Daily Analysis Index

BotHunter ®
Live Internet Monitor Page
Computer Science Laboratory
SRI International

Last Updated: Sat Oct 15 23:01:01 2011

www.BOTHUNTER.net

Victim IP	Max Score	Profiles	CCs	Events
192.168.1.100	2.4	VIEW 132	88.198.53.104 88.198.53.104 (Dsl), Your-Server.De, Hetzner-Rz-Nbg-Net, Gunzenhausen, Bayern, Germany, Malicious Site Malware Controller. 67.208.74.71 67.208.74.71 (Comp), Inforelay.Net, Inforelay Online Systems Inc, Sterling, Virginia, United States, Malware Controller. 96.9.185.117 96.9.185.117 (Dsl), Hostnoc.Net, Network Operations Center Inc, Scranton, Pennsylvania, United States, Mail Abuser Malware Controller. 200.147.1.41 200.147.1.41 (Dsl), Cslf.Org, Comite Gestor Da Internet No Brasil, Brazil, Mail Abuser Malware Controller. 192.168.1.230 192.168.1.230 (-), -, Private Ip Address Lan, -. 121.14.70.4 121.14.70.4 (Dsl), 163data.Com.Cn, Chinanet Guangdong Province Network, Guangzhou, Guangdong, China, Malware Controller. 200.147.33.21 200.147.33.21 (Dsl), Cslf.Org, Comite Gestor Da Internet No Brasil, Brazil, Mail Abuser Malware Controller. 213.136.106.214 213.136.106.214 (Dsl), Afnet.Net, Isp Cote D'Ivoire, Abidjan, Cote D'Ivoire, Malware Controller. 83.170.72.109 83.170.72.109 (Dsl), Uk2.Net, Uk2.Net, United Kingdom, Malware Controller. 192.168.1.20 192.168.1.20 (-), -, Private Ip Address Lan, -. 41.189.229.65 41.189.229.65 (Dsl), Access.Intnet.Dj, Djibouti Telecom, Djibouti, Malware Controller. 93.170.52.30 93.170.52.30 (Dial), Astra-Net.Ru, Astranet Ltd, Russian Federation, Malware Controller. 194.85.105.17 194.85.105.17 (Dsl), Ripn.Net, Network For Ru Services, Moscow, Moskva, Russian Federation, Malicious Site Mail Abuser Malware Controller. 194.186.88.58 194.186.88.58 (Dsl), Galaktika.Ru, Galaktika Pro, Petrozavodsk, Karelia, Russian Federation, Mail Abuser Malware Controller. 130.149.49.136 130.149.49.136 (Dsl), Tu-Berlin.De, Tu Berlin Campus Network, Berlin, Germany, Malware Controller. 200.72.1.94 200.72.1.94 (Dsl), Uno.Uno, Entel Chile S.A, Santiago, Region Metropolitana, Chile, Malware Controller. 91.209.163.202 91.209.163.202 (Dsl), -, Favorit Network Sl, Spain, Mail Abuser Malware Controller. 91.209.163.201 91.209.163.201 (Dsl), -, Favorit Network Sl, Spain, Mail Abuser Malware Controller. 87.242.73.96 87.242.73.96 (Dsl), Masterhost.Ru, Masterhost Is A Hosting And Technical Support Organization, Moscow, Moskva, Russian Federation, Malware Controller. 187.73.33.20 187.73.33.20 (Dsl), Veloxzone.Com.Br, Comite Gestor Da Internet No Brasil, Brazil, Malware Controller. 134.34.246.5 134.34.246.5 (Dsl), Uni-Konstanz.De, Universitaet Konstanz, Konstanz, Baden-WÜRttemberg, Germany, Malware Controller. 64.70.19.33 64.70.19.33 (Dsl), Website.Ws, Worldsite.Ws, Carlsbad, California, United States, Mail Abuser Malware Controller. 91.228.133.56 91.228.133.56 (Dsl), Mgn.Ru, Eu-Zz, United Kingdom, Malware Propagator Malware Controller. 176.28.0.239 176.28.0.239 (-), -, -, -, Mail Abuser Malware Controller. 79.96.166.153 79.96.166.153 (Dsl), Net.Pl, Home.Pl Webhosting Farm - Static Allocation, Szczecin, Zachodniopomorskie, Poland, Malware Controller Malicious Site. 93.158.135.4 93.158.135.4 (Dsl), Yandex.Net, Yandex Enterprise Network, Moscow, Moskva, Russian Federation, Mail Abuser Malware Controller. 95.173.163.8 95.173.163.8 (Dsl), Ni.Net.Tr, Netinternet Bilgisayar Ve Telekomunikasyon San. Ve Tic. Ltd. Sti, Turkey, Malware Propagator Malware Controller. 98.129.126.138 98.129.126.138 (Comp), -, Whypark, San Antonio, Texas, United States, Mail Abuser Malware Controller. 132.239.17.226 132.239.17.226 (Comp), Ucsd.Edu, University Of California San Diego, La Jolla, California, United States, Malware Controller. 69.10.37.189 69.10.37.189 (Dsl), Reserver.Ru, Interserver Inc, Secaucus, New Jersey, United States, Malicious Site Malware Controller. 129.93.229.138 129.93.229.138 (Comp), Unl.Edu, University Of Nebraska-Lincoln, Lincoln, Nebraska, United States, Malware Propagator Malware Controller. 212.44.109.181 212.44.109.181 (Dsl), Gunigugu.Si, Domenca Hosting Platform, Slovenia, Malware Controller. 78.31.65.216 78.31.65.216 (Dsl), Stephans-Server.De, De-Xantron-Net, Germany, Mail Abuser. 82.146.43.2 82.146.43.2 (Dsl), 24mfc.Ru, Ispsystem At Msm, Russian Federation, Malware Controller. 128.163.142.20 128.163.142.20 (Dsl), -, University Of Kentucky, Lexington, Kentucky, United States, Mail Abuser Malware Controller. 212.150.130.183 212.150.130.183 (Comp), -, Adperform, Israel, Malware Controller Malware Propagator Mail Abuser. 122.224.18.94 122.224.18.94 (Dsl), Yztradecn.Com, Shaoxing Telecom Bureau, China, Malware Controller. 211.234.100.137 211.234.100.137 (Dsl), Newswire.Co.Kr, Kidc-Gabia, Seoul, Kyonggi-Do, Korea Republic Of, Mail Abuser Malware Controller. 96.9.169.85 96.9.169.85 (Dsl), Wibhoo.Com, Network Operations Center Inc, Scranton, Pennsylvania, United States, Malware Controller. 31.170.163.50 31.170.163.50 (-), -, -, -, Malware Controller. 122.226.213.40 122.226.213.40 (Dsl), -, Jinhua Telecom Co. Ltd Idc Center, Beijing, China, Mail Abuser Malware Controller. 121.9.213.187 121.9.213.187 (Dsl), 163data.Com.Cn, Chinanet Guangdong Province Network, Guangzhou, Guangdong, China, Malicious Site Malware Controller. 89.184.73.93 89.184.73.93 (Dsl), Mirohost.Net, Internet Invest Ltd, Kiev, Kyyiv, Ukraine, Malware Controller Mail Abuser. 88.86.113.143 88.86.113.143 (Comp), Superhosting.Cz, Aya Cz Spol. S R.O, Czech Republic, Malware Controller. 62.42.230.17 62.42.230.17 (Dsl), Onobox.Com, Ono-Servicios-Isp, Madrid, Spain, Malware Controller. 200.147.33.19 200.147.33.19 (Dsl), Cslf.Org, Comite Gestor Da Internet No Brasil, Brazil, Mail Abuser Malware Controller. 216.8.179.25 216.8.179.25 (Dsl), Nextdimensioninc.Com, Next Dimension Inc, Windsor, Ontario, Canada, Malware Controller. 64.86.97.91 64.86.97.91 (Dsl), -, Arcphone Canada Inc, Richmond Hill, Ontario, Canada, Malicious Site Malware Controller. 184.22.115.56 184.22.115.56 (-), -, -, -, Malware Controller. 87.98.140.145 87.98.140.145 (Dsl), Mx2.Abaxe.Fr, Ovh Sas, France, Mail Abuser Malware Controller. 208.91.196.10 208.91.196.10 (Dsl), -, Extremeware Inc, Miami, Florida, United States, Malware Controller. 203.121.165.16 203.121.165.16 (Dsl), Thanachart.Co.Th, Micro Thai Plus Co Ltd, Bangkok, Krung Thep, Thailand, Mail Abuser Malware Controller. 67.19.244.4 67.19.244.4 (Comp), Linode.Com, Theplanet.Com Internet Services Inc, Dallas, Texas, United States, Mail Abuser Malware Controller. 87.252.1.21 87.252.1.21 (Dsl), Oxyd.Net, Oxyd-Network, Paris, Ile-De-France, France, Mail Abuser Malware Controller. 67.21.76.36 67.21.76.36 (Dsl), Hostplator.Com, Sharktech Internet Services, Missoula, Montana, United States, Mail Abuser Malware Controller. 86.109.114.31 86.109.114.31 (Dsl), Interausa.Com, Barcelona Datacenter, Barcelona, Catalonia, Spain, Malware Controller. 206.207.248.34 206.207.248.34 (Comp), Arizona.Edu, University Of Arizona, Tucson, Arizona, United States, Mail Abuser Malware Controller. 60.190.93.178 60.190.93.178 (Comp), -, Yueqing Telecom, Yueqing, Zhejiang, China, Malware Controller Mail Abuser. 62.149.140.20 62.149.140.20 (Dsl), Adsl-Pool5-Vi-1.Aruba.It, Aruba S.P.A. - Shared Hosting And Mail Services, Arezzo, Toscana, Italy, Malware Controller Mail Abuser. 128.227.11.13 128.227.11.13 (Comp), Ufl.Edu, University Of Florida, Gainesville, Florida, United States, Malware Controller. 195.226.246.3 195.226.246.3 (Dsl), -, Kuwait Foundation For The Advancement Of Science, Kuwait, Al Kuwayt, Kuwait, Mail Abuser Malware Controller. 216.240.140.201 216.240.140.201 (Dsl), Speedypuppy.Net, Atmlink Inc, Los Alamitos, California, United States, Malware Controller. 8.5.1.44 8.5.1.44 (Dsl), Name-Services.Com, Enom Incorporated, Bellevue, Washington, United States, Malware Propagator Malware Controller. 128.186.122.86 128.186.122.86 (Dsl), Fsu.Edu, Florida State University, Tallahassee, Florida, United States, Malware Controller. 64.191.90.213 64.191.90.213 (Dsl), Hostnoc.Net, Network Operations Center Inc, Scranton, Pennsylvania, United States, Malicious Site. 60.19.30.131 60.19.30.131 (Dsl), Dcb.Ln.Cn, China Unicom Liaoning Province Network, Shenyang, Liaoning, China, Mail Abuser Malware Controller. 194.85.61.78 194.85.61.78 (Dsl), -, Ru Ncc Network, Moscow, Moskva, Russian Federation, Malware Controller. 193.227.240.38 193.227.240.38 (Dsl), -, Naunet Sp, Moscow, Moskva, Russian Federation, Malware Controller. 161.58.175.23 161.58.175.23 (Dsl), Mastermine.Net, Ntt America Inc, Englewood, Colorado, United States, Malware Controller. 213.131.252.251 213.131.252.251 (Dsl), Inetbone.Net, Conversis Gmbh, Duisburg, Nordrhein-Westfalen, Germany, Malware Controller. 91.209.163.184 91.209.163.184 (Dsl), -, Favorit Network Sl, Spain, Malware Controller. 64.49.219.215 64.49.219.215 (Comp), Rackspace.Com, Rackspace.Com Ltd, San Antonio, Texas, United States, Malware Controller. 213.189.197.13 213.189.197.13 (Dsl), Zenon.Net, Zenon N.S.P, Moscow, Moskva, Russian Federation, Mail Abuser Malware Controller. 209.200.55.60 209.200.55.60 (Dsl), Webair.Com, Webair Internet Development Company Inc, Westbury, New York, United States. 91.189.81.71 91.189.81.71 (Dsl), Eserver-Ru.Com, Eserver.Ru - Hosting Operator, Russian Federation, Mail Abuser Malware Controller. 92.241.169.250 92.241.169.250 (Dsl), -, 2x4.Ru Network, Moscow, Moskva, Russian Federation, Malware Controller. 64.94.137.53 64.94.137.53 (Comp), 180solutions.Com, Pinball Corp, Bellevue, Washington, United States, Malware Controller. 61.4.82.131 61.4.82.131 (Dsl), -, Beijing Linktom Network Technology Co. Ltd, Beijing, China, Malware Controller Mail Abuser. 216.246.35.77 216.246.35.77 (Dsl), Hostforweb.Com, Hostforweb Inc, Chicago, Illinois, United States, Mail Abuser Malware Controller. 194.28.86.197 194.28.86.197 (Dsl), Ipaper.Com, Block For Pi Assignments, United Kingdom. 212.36.9.10 212.36.9.10 (Dial), Otel.Net, Otel.Net Network, Sofia, Sofiya, Bulgaria, Malware Controller. 88.80.7.152 88.80.7.152 (Dsl), Prq.Se, Prq-Net-Colo, Stockholm, Stockholms Lan, Sweden, Malicious Site Malware Propagator Malware Controller. 200.147.33.17 200.147.33.17 (Dsl), Cslf.Org, Comite Gestor Da Internet No Brasil, Brazil, Mail Abuser Malware Controller. 222.76.217.174 222.76.217.174 (Dsl), -, Xiamen-Telecom-Idc-Xiamen-Fj, Xiamen, Fujian, China, Malware Controller. 1.226.83.250 1.226.83.250 (-), -, -, -, Malware Controller. 88.81.249.200 88.81.249.200 (Comp), Controlstyle.Com.Ua, Customers: Hosting & Colo, Kiev, Kyyiv, Ukraine, Mail Abuser Malware Controller. 67.43.226.154 67.43.226.154 (Comp), Ela69.Info, Globotech Communications, Toronto, Ontario, Canada, Malware Controller. 200.221.11.98 200.221.11.98 (Dsl), Exwire.Com, Comite Gestor Da Internet No Brasil, Brazil, Malware Controller. 194.226.96.8 194.226.96.8 (Dsl), -, Ru Ncc Network, Kazan, Tatarstan, Russian Federation, Mail Abuser Malware Controller. 76.73.1.194 76.73.1.194 (Dsl), Fdcservers.Net, Fdcservers.Net, Woodstock, Illinois, United States, Mail Abuser Malware Controller. 213.133.101.29 213.133.101.29 (Dsl), Hetzner.De, Hetzner-Rz-Nbg-Net, Gunzenhausen, Bayern, Germany, Mail Abuser Malware Controller. 92.240.68.95 92.240.68.95 (Comp), Xlhost.Lv, Raina Blvd. 29. Riga, Riga, Latvia, Malware Controller. 76.163.253.1 76.163.253.1 (Dsl), 76.In-Addr.Arpa, Ecommerce Corporation, Columbus, Ohio, United States, Mail Abuser Malware Controller. 67.19.244.5 67.19.244.5 (Comp), Linode.Com, Theplanet.Com Internet Services Inc, Dallas, Texas, United States. 93.170.52.20 93.170.52.20 (Dial), Astra-Net.Ru, Astranet Ltd, Russian Federation, Malware Controller. 58.22.242.63 58.22.242.63 (Dsl), -, Longyan City Fujian Provincial Network Of Cncgroup, Beijing, China, Mail Abuser Malware Controller. 123.108.111.67 123.108.111.67 (Dsl), Pangnet.Net, Pang International Limited, Hong Kong, Malware Controller. 69.43.161.164 69.43.161.164 (Dsl), 22a52.Com, Castle Access Inc, Coronado, California, United States, Malware Controller. 143.89.49.74 143.89.49.74 (Dsl), Ustlnx43-N2.Ust.Hk, Hong Kong University Of Science And Technology, Hong Kong, Hong Kong (Sar), Hong Kong, Malware Controller. 217.16.28.65 217.16.28.65 (Dsl), Masterhost.Ru, Masterhost Is A Hosting And Technical Support Organization, Moscow, Moskva, Russian Federation, Malware Controller. 193.200.173.3 193.200.173.3 (Dsl), Freehost.Com.Ua, Freehost Ua Ltd, Ukraine, Mail Abuser Malware Controller. 91.207.220.74 91.207.220.74 (Dsl), 550mail.Com, Global Gold Network Ltd, United Kingdom, Mail Abuser Malware Controller.	1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful) MAC_Dst: 00:21:1C:EE:14:00; 60116->80 224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: didid.nl (zeusc&c) MAC_Dst: 00:21:1C:EE:14:00; 49884->53 1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: florianarray.ru (zeus) MAC_Dst: 00:21:1C:EE:14:00; 39246->80 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 36776->53 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 40987->80 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 40243->80 1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful) MAC_Dst: 00:21:1C:EE:14:00; 35634->53 224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful) MAC_Dst: 00:21:1C:EE:14:00; 35410->53 1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful) MAC_Dst: 00:21:1C:EE:14:00; 35634->53 224:1 (13) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec) MAC_Dst: 00:21:1C:EE:14:00; 37132->53 1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful) MAC_Dst: 00:21:1C:EE:14:00; 44624->53 224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful) MAC_Dst: 00:21:1C:EE:14:00; 40996->53 1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [S%00%00%00%11%00%00%00%00%00%00%8A/%00%00%00%00%00%011`%00%00%00%00%00%011i%00%00%00%00%00%011b%00%00%00%00%00%011k%00%00%00%00%00%011T%00%00%00%00%00%011m%00] MAC_Dst: 00:21:1C:EE:14:00; 42475->80 1:2009295 {tcp} Egg Download: ET USER_AGENTS Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0), [/]; 53187->80 224:1 (13) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus) MAC_Dst: 00:21:1C:EE:14:00; 57567->53 224:1 (4) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus) MAC_Dst: 00:21:1C:EE:14:00; 38841->53 224:1 (16) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit) MAC_Dst: 00:21:1C:EE:14:00; 50926->53 224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus) MAC_Dst: 00:21:1C:EE:14:00; 60768->53 224:1 (13) {udp} E2[dns] BHDNS SPYWARE-DNS: datacricketuf.ru (zeus) MAC_Dst: 00:21:1C:EE:14:00; 37795->53 224:1 (4) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware); 41947->53
192.168.1.166	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-21933 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-21933 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-21933 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-21933 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->7765
192.168.1.222	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-34515 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-34515 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-34515 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-34515 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->2640
192.168.1.190	1.6	VIEW 4	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-23977 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-23977 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-23977 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-23977 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->632 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-3106 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-3106 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-3106
192.168.1.176	2.1	VIEW 2	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-15695 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-15695 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-15695 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-15695 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->2049
192.168.1.169	2.1	VIEW 4	46.214.113.96 46.214.113.96 (Dsl), Greatreadings.Com, Ripe Ncc, United Kingdom, Malware Propagator Malware Controller. 76.190.216.105 76.190.216.105 (Comp), Rr.Com, Road Runner Holdco Llc, Beachwood, Ohio, United States, Malware Propagator Malware Controller.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->1786 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-1786 1:22000046 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k) MAC_Dst: 00:30:48:30:03:AE; 445<-1786 1:22314 (5) {tcp} Inbound Attack: GPL SHELLCODE x86 0x90 NOOP unicode MAC_Dst: 00:30:48:30:03:AE; 445<-1786 1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-1786 1:2653 (5) {tcp} Inbound Attack: GPL SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-1786 1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 135->1810 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-1810 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1032->69
192.168.1.206	2.1	VIEW 2	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-6319 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-6319 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-6319 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-6319 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->5472
192.168.1.43	1.1	VIEW 2	200.107.121.30 200.107.121.30 (Dsl), -, Sercom De Honduras, Tegucigalpa, Francisco Morazan, Honduras, Malware Propagator.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->3916 1:22009201 {tcp} Inbound Attack: ET TROJAN Conficker.b Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-4152
192.168.1.32	0.8	VIEW 1	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:9910003 {tcp} Bot Space Access: BotHunter MTC confirmed botnet control server; 1040->80
192.168.1.201	1.6	VIEW 2	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-27752 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-27752 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-27752 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-27752 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->1186
192.168.1.116	0.8	VIEW 2		1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-2198 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1028<-5887 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-5887 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 1028<-5887
192.168.1.210	1.3	VIEW 3		1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-4322 1:2648 (2) {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-4322 1:2000047 {tcp} Egg Download: ET WORM Sasser Transfer _up.exe; 9996<-4410 1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-3679 1:2648 (2) {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-3679 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1022->3890
192.168.1.192	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-3100 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-3100 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-3100 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-3100 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->6834
192.168.1.131	2.1	VIEW 2	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-29548 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-29548 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-29548 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-29548 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->4392
192.168.1.160	2.1	VIEW 2	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-14794 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-14794 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-14794 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-14794 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->1336
192.168.1.211	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-32952 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-32952 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-32952 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-32952 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->3967
192.168.1.39	0.8	VIEW 2		1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-3258 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1028<-5758 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-5758 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 1028<-5758
192.168.1.12	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-26707 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-26707 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-26707 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-26707 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->2625
192.168.1.111	0.8	VIEW 2		1:22003081 {tcp} Inbound Attack: ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-1051 1:2537 {tcp} Inbound Attack: GPL NETBIOS SMB IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 139<-1051 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-1271 1:2537 {tcp} Inbound Attack: GPL NETBIOS SMB IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 139<-1051 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 9988<-1271
192.168.1.151	0.8	VIEW 1		1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-3234 1:2648 (2) {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-3234 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 9995->3289
192.168.1.144	0.8	VIEW 3		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-26472 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-26472 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-26472 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-26472 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->6420 1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-61715 1:2648 (2) {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-61715 1:2000047 {tcp} Egg Download: ET WORM Sasser Transfer _up.exe; 9996<-61728
192.168.1.181	2.1	VIEW 2	188.173.222.221 188.173.222.221 (Dsl), Netergy.Ro, Sc Nextgen Communications Srl, Bucharest, Bucuresti, Romania, Malware Propagator Malware Controller. 213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->1180 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-1180 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-1180 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-1180 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-1180 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1031<-2300
192.168.1.128	0.8	VIEW 1		1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-50052 1:2648 (2) {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-50052 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 9995->50105
192.168.1.71	2.1	VIEW 4	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-4237 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1028<-5887 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-5887 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 1028<-5887 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-39026 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-39026 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-39026
192.168.1.18	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-50036 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-50036 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-50036 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-50036 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->1186
192.168.1.171	0.8	VIEW 1		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-25600 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-25600 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-25600 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-25600 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1031<-2255 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->2255
192.168.1.14	1.1	VIEW 5	188.173.222.221 188.173.222.221 (Dsl), Netergy.Ro, Sc Nextgen Communications Srl, Bucharest, Bucuresti, Romania, Malware Propagator Malware Controller. 66.249.67.182 66.249.67.182 (Comp), Google.Com, Google Inc, Mountain View, California, United States. 88.131.106.8 88.131.106.8 (Comp), Entireweb.Com, Worldlightcom-Net, Stockholm, Stockholms Lan, Sweden.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->4895 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-4895 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-4895 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-4895 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-4895 1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->64474 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->57057 1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->42255 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->54992 1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->21996 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->33865
192.168.1.85	1.0	VIEW 36	67.195.113.243 67.195.113.243 (Dsl), Yahoo.Com, Yahoo! Inc, Sunnyvale, California, United States. 66.249.68.77 66.249.68.77 (Comp), Google.Com, Google Inc, Cabot, Arkansas, United States. 180.76.5.148 180.76.5.148 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 77.88.27.26 77.88.27.26 (Dsl), Yandex.Net, Yandex Enterprise Network, Russian Federation. 180.76.5.178 180.76.5.178 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 180.76.5.62 180.76.5.62 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 180.76.5.99 180.76.5.99 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 180.76.5.192 180.76.5.192 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 180.76.5.67 180.76.5.67 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 180.76.5.12 180.76.5.12 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 66.249.67.34 66.249.67.34 (Comp), Google.Com, Google Inc, Mountain View, California, United States.	1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->51783 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->49724 1:552123 (2) {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->49724 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->54187 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->15586 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->39060 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->15271 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->39163 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->45893 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->45004 1:5648 {tcp} Outbound Attack: GPL SHELLCODE x86 NOOP; 80->45004 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->54487 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->61406 1:2001220 (2) {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->53137 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->34179 1:2001220 (2) {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->49502 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->50026 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->46895 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->17600 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->57400
192.168.1.191	1.6	VIEW 6	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller. 82.98.86.164 82.98.86.164 (Dsl), Fhe3rz.Net, Sedo Domain Parking, Berlin, Germany, Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-20708 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-20708 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-20708 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-20708 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->1645 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-20120 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-20120 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-20120 1:22000032 (3) {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-2367 1:22000033 (2) {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-2367
192.168.1.164	1.3	VIEW 3	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:9910003 {tcp} Bot Space Access: BotHunter MTC confirmed botnet control server; 1037->80 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-4876 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1031->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1032->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1032->69 1:3001441 (2) {udp} Egg Download: TFTP GET .exe from external source; 1032->69
192.168.1.129	0.8	VIEW 2		1:22465 {tcp} Inbound Attack: GPL NETBIOS SMB-DS IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 445<-51990 1:2007671 {tcp} Egg Download: ET POLICY Binary Download Smaller than 1 MB Likely Hostile; 1028<-80 1:22465 {tcp} Inbound Attack: GPL NETBIOS SMB-DS IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 445<-51990 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1028<-80 1:2008576 (2) {tcp} Egg Download: ET TROJAN TinyPE Binary - Possibly Hostile; 1028<-80
192.168.1.248	1.3	VIEW 2		1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-4411 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1031->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1032->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1032->69 1:3001441 (2) {udp} Egg Download: TFTP GET .exe from external source; 1032->69
192.168.1.245	1.1	VIEW 4	213.109.225.38 213.109.225.38 (Dsl), Tvnet.If.Ua, Discovery Ltd, Ukraine, Malware Propagator Malware Controller. 213.144.213.39 213.144.213.39 (Comp), 39-213-144-213.Altitudetelecom.Fr, Infrastructure, France, Malware Propagator.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->4126 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-4126 1:22000046 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k) MAC_Dst: 00:30:48:30:03:AE; 445<-4126 1:22314 (5) {tcp} Inbound Attack: GPL SHELLCODE x86 0x90 NOOP unicode MAC_Dst: 00:30:48:30:03:AE; 445<-4126 1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-4126 1:2653 (5) {tcp} Inbound Attack: GPL SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-4126 1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->50539 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-48388 1:22000046 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k) MAC_Dst: 00:30:48:30:03:AE; 445<-48388
192.168.1.102	2.4	VIEW 123	200.147.1.41 200.147.1.41 (Dsl), Cslf.Org, Comite Gestor Da Internet No Brasil, Brazil, Mail Abuser Malware Controller. 64.70.19.33 64.70.19.33 (Dsl), Website.Ws, Worldsite.Ws, Carlsbad, California, United States, Mail Abuser Malware Controller. 64.94.137.53 64.94.137.53 (Comp), 180solutions.Com, Pinball Corp, Bellevue, Washington, United States, Malware Controller. 194.186.88.58 194.186.88.58 (Dsl), Galaktika.Ru, Galaktika Pro, Petrozavodsk, Karelia, Russian Federation, Mail Abuser Malware Controller. 83.170.72.109 83.170.72.109 (Dsl), Uk2.Net, Uk2.Net, United Kingdom, Malware Controller. 88.198.53.104 88.198.53.104 (Dsl), Your-Server.De, Hetzner-Rz-Nbg-Net, Gunzenhausen, Bayern, Germany, Malicious Site Malware Controller. 91.209.163.202 91.209.163.202 (Dsl), -, Favorit Network Sl, Spain, Mail Abuser Malware Controller. 67.208.74.71 67.208.74.71 (Comp), Inforelay.Net, Inforelay Online Systems Inc, Sterling, Virginia, United States, Malware Controller. 91.209.163.184 91.209.163.184 (Dsl), -, Favorit Network Sl, Spain, Malware Controller. 192.168.1.230 192.168.1.230 (-), -, Private Ip Address Lan, -. 176.28.0.239 176.28.0.239 (-), -, -, -, Mail Abuser Malware Controller. 88.80.7.152 88.80.7.152 (Dsl), Prq.Se, Prq-Net-Colo, Stockholm, Stockholms Lan, Sweden, Malicious Site Malware Propagator Malware Controller. 213.136.106.214 213.136.106.214 (Dsl), Afnet.Net, Isp Cote D'Ivoire, Abidjan, Cote D'Ivoire, Malware Controller. 192.168.1.20 192.168.1.20 (-), -, Private Ip Address Lan, -. 195.226.246.3 195.226.246.3 (Dsl), -, Kuwait Foundation For The Advancement Of Science, Kuwait, Al Kuwayt, Kuwait, Mail Abuser Malware Controller. 194.85.105.17 194.85.105.17 (Dsl), Ripn.Net, Network For Ru Services, Moscow, Moskva, Russian Federation, Malicious Site Mail Abuser Malware Controller. 31.170.163.50 31.170.163.50 (-), -, -, -, Malware Controller. 200.147.33.19 200.147.33.19 (Dsl), Cslf.Org, Comite Gestor Da Internet No Brasil, Brazil, Mail Abuser Malware Controller. 118.220.175.24 118.220.175.24 (Dsl), -, Hanaro Telecom, Seoul, Kyonggi-Do, Korea Republic Of, Mail Abuser. 67.55.67.250 67.55.67.250 (Dsl), Webair.Com, Webair Internet Development Company Inc, Westbury, New York, United States, Malware Controller Malware Propagator. 87.252.1.21 87.252.1.21 (Dsl), Oxyd.Net, Oxyd-Network, Paris, Ile-De-France, France, Mail Abuser Malware Controller. 132.239.17.226 132.239.17.226 (Comp), Ucsd.Edu, University Of California San Diego, La Jolla, California, United States, Malware Controller. 87.98.140.145 87.98.140.145 (Dsl), Mx2.Abaxe.Fr, Ovh Sas, France, Mail Abuser Malware Controller. 93.170.52.20 93.170.52.20 (Dial), Astra-Net.Ru, Astranet Ltd, Russian Federation, Malware Controller. 208.87.35.100 208.87.35.100 (Dsl), Adkix.Com, Secure Hosting Ltd, Nassau, New Providence, Bahamas, Malware Controller. 60.19.30.131 60.19.30.131 (Dsl), Dcb.Ln.Cn, China Unicom Liaoning Province Network, Shenyang, Liaoning, China, Mail Abuser Malware Controller. 130.104.72.201 130.104.72.201 (Dsl), Ucl.Ac.Be, Universite Catholique De Louvain, Brussels, Brussels Hoofdstedelijk Gewest, Belgium, Malware Controller. 86.109.114.31 86.109.114.31 (Dsl), Interausa.Com, Barcelona Datacenter, Barcelona, Catalonia, Spain, Malware Controller. 91.228.133.56 91.228.133.56 (Dsl), Mgn.Ru, Eu-Zz, United Kingdom, Malware Propagator Malware Controller. 138.238.250.155 138.238.250.155 (Dsl), -, Howard University, Washington, District Of Columbia, United States, Malware Controller. 91.209.163.182 91.209.163.182 (Dsl), -, Favorit Network Sl, Spain, Malware Controller. 134.34.246.5 134.34.246.5 (Dsl), Uni-Konstanz.De, Universitaet Konstanz, Konstanz, Baden-WÜRttemberg, Germany, Malware Controller. 58.22.242.63 58.22.242.63 (Dsl), -, Longyan City Fujian Provincial Network Of Cncgroup, Beijing, China, Mail Abuser Malware Controller. 123.108.111.67 123.108.111.67 (Dsl), Pangnet.Net, Pang International Limited, Hong Kong, Malware Controller. 212.44.109.181 212.44.109.181 (Dsl), Gunigugu.Si, Domenca Hosting Platform, Slovenia, Malware Controller. 222.236.44.135 222.236.44.135 (Dsl), Hananet.Net, Hanaro Telecom Inc, Seoul, Kyonggi-Do, Korea Republic Of, Malware Controller Malicious Site. 128.163.142.20 128.163.142.20 (Dsl), -, University Of Kentucky, Lexington, Kentucky, United States, Mail Abuser Malware Controller. 88.86.113.143 88.86.113.143 (Comp), Superhosting.Cz, Aya Cz Spol. S R.O, Czech Republic, Malware Controller. 88.81.249.200 88.81.249.200 (Comp), Controlstyle.Com.Ua, Customers: Hosting & Colo, Kiev, Kyyiv, Ukraine, Mail Abuser Malware Controller. 98.129.126.138 98.129.126.138 (Comp), -, Whypark, San Antonio, Texas, United States, Mail Abuser Malware Controller. 61.139.126.15 61.139.126.15 (Comp), -, Sc-My-Xiweishuma-Lyd, Chengdu, Sichuan, China, Mail Abuser Malware Controller. 62.42.230.17 62.42.230.17 (Dsl), Onobox.Com, Ono-Servicios-Isp, Madrid, Spain, Malware Controller. 130.149.49.136 130.149.49.136 (Dsl), Tu-Berlin.De, Tu Berlin Campus Network, Berlin, Germany, Malware Controller. 92.38.209.184 92.38.209.184 (Dsl), Di-Net.Ru, Hosting And Colocation Services, Russian Federation, Mail Abuser Malware Controller. 128.227.11.13 128.227.11.13 (Comp), Ufl.Edu, University Of Florida, Gainesville, Florida, United States, Malware Controller. 194.226.96.8 194.226.96.8 (Dsl), -, Ru Ncc Network, Kazan, Tatarstan, Russian Federation, Mail Abuser Malware Controller. 93.170.52.30 93.170.52.30 (Dial), Astra-Net.Ru, Astranet Ltd, Russian Federation, Malware Controller. 41.189.229.65 41.189.229.65 (Dsl), Access.Intnet.Dj, Djibouti Telecom, Djibouti, Malware Controller. 206.207.248.34 206.207.248.34 (Comp), Arizona.Edu, University Of Arizona, Tucson, Arizona, United States, Mail Abuser Malware Controller. 78.31.65.216 78.31.65.216 (Dsl), Stephans-Server.De, De-Xantron-Net, Germany, Mail Abuser. 87.242.73.96 87.242.73.96 (Dsl), Masterhost.Ru, Masterhost Is A Hosting And Technical Support Organization, Moscow, Moskva, Russian Federation, Malware Controller. 67.43.226.154 67.43.226.154 (Comp), Ela69.Info, Globotech Communications, Toronto, Ontario, Canada, Malware Controller. 64.86.97.91 64.86.97.91 (Dsl), -, Arcphone Canada Inc, Richmond Hill, Ontario, Canada, Malicious Site Malware Controller. 203.121.165.16 203.121.165.16 (Dsl), Thanachart.Co.Th, Micro Thai Plus Co Ltd, Bangkok, Krung Thep, Thailand, Mail Abuser Malware Controller. 64.191.90.213 64.191.90.213 (Dsl), Hostnoc.Net, Network Operations Center Inc, Scranton, Pennsylvania, United States, Malicious Site. 92.241.169.250 92.241.169.250 (Dsl), -, 2x4.Ru Network, Moscow, Moskva, Russian Federation, Malware Controller. 60.190.93.178 60.190.93.178 (Comp), -, Yueqing Telecom, Yueqing, Zhejiang, China, Malware Controller Mail Abuser. 96.9.185.117 96.9.185.117 (Dsl), Hostnoc.Net, Network Operations Center Inc, Scranton, Pennsylvania, United States, Mail Abuser Malware Controller. 8.5.1.44 8.5.1.44 (Dsl), Name-Services.Com, Enom Incorporated, Bellevue, Washington, United States, Malware Propagator Malware Controller. 92.240.68.95 92.240.68.95 (Comp), Xlhost.Lv, Raina Blvd. 29. Riga, Riga, Latvia, Malware Controller. 80.172.236.66 80.172.236.66 (Dsl), -, Amen Portugal, Portugal, Mail Abuser Malware Controller. 31.170.163.70 31.170.163.70 (-), -, -, -, Mail Abuser Malware Controller. 69.43.161.164 69.43.161.164 (Dsl), 22a52.Com, Castle Access Inc, Coronado, California, United States, Malware Controller. 128.2.211.114 128.2.211.114 (Comp), Incommsolutions.Com, Carnegie Mellon University, Pittsburgh, Pennsylvania, United States, Malware Controller. 91.207.61.48 91.207.61.48 (Dsl), Nn.Zp.Ua, Isp Nova-Net, Ukraine, Malware Controller. 96.9.169.85 96.9.169.85 (Dsl), Wibhoo.Com, Network Operations Center Inc, Scranton, Pennsylvania, United States, Malware Controller. 212.36.9.10 212.36.9.10 (Dial), Otel.Net, Otel.Net Network, Sofia, Sofiya, Bulgaria, Malware Controller. 212.150.22.126 212.150.22.126 (Comp), Sharatim.Net, Solel, Haifa, Hefa, Israel. 91.220.0.78 91.220.0.78 (Dsl), Mgn.Ru, Eu-Zz, United Kingdom. 80.150.6.138 80.150.6.138 (Dsl), T-Online.De, T-Online International Ag, Berlin, Germany, Malware Controller. 200.147.33.17 200.147.33.17 (Dsl), Cslf.Org, Comite Gestor Da Internet No Brasil, Brazil, Mail Abuser Malware Controller. 67.19.244.5 67.19.244.5 (Comp), Linode.Com, Theplanet.Com Internet Services Inc, Dallas, Texas, United States. 208.91.196.10 208.91.196.10 (Dsl), -, Extremeware Inc, Miami, Florida, United States, Malware Controller. 118.175.21.9 118.175.21.9 (Comp), Totbb.Net, Vocational Education Commission Offices Bangkok, Bangkok, Krung Thep, Thailand, Mail Abuser. 216.8.179.25 216.8.179.25 (Dsl), Nextdimensioninc.Com, Next Dimension Inc, Windsor, Ontario, Canada, Malware Controller. 86.35.15.212 86.35.15.212 (Dsl), -, Service Servers, Bucharest, Bucuresti, Romania, Mail Abuser. 76.73.1.194 76.73.1.194 (Dsl), Fdcservers.Net, Fdcservers.Net, Woodstock, Illinois, United States, Mail Abuser Malware Controller. 193.232.130.14 193.232.130.14 (Dsl), Rbnet.Ru, Center, Russian Federation, Mail Abuser Malware Controller. 200.147.33.21 200.147.33.21 (Dsl), Cslf.Org, Comite Gestor Da Internet No Brasil, Brazil, Mail Abuser Malware Controller. 61.4.82.131 61.4.82.131 (Dsl), -, Beijing Linktom Network Technology Co. Ltd, Beijing, China, Malware Controller Mail Abuser. 194.85.61.78 194.85.61.78 (Dsl), -, Ru Ncc Network, Moscow, Moskva, Russian Federation, Malware Controller. 64.62.181.43 64.62.181.43 (Comp), He.Net, Ripside Interactive Inc, Omaha, Nebraska, United States, Malware Controller. 67.21.76.36 67.21.76.36 (Dsl), Hostplator.Com, Sharktech Internet Services, Missoula, Montana, United States, Mail Abuser Malware Controller. 193.200.173.3 193.200.173.3 (Dsl), Freehost.Com.Ua, Freehost Ua Ltd, Ukraine, Mail Abuser Malware Controller. 64.74.223.2 64.74.223.2 (Dsl), Name-Services.Com, Enom, Bellevue, Washington, United States, Malware Controller. 128.186.122.86 128.186.122.86 (Dsl), Fsu.Edu, Florida State University, Tallahassee, Florida, United States, Malware Controller. 188.65.113.241 188.65.113.241 (Dsl), Footholds.Net, Uk-Ukwebhosting, United Kingdom, Malware Controller Malicious Site. 72.29.87.105 72.29.87.105 (Dsl), Dimenoc.Com, Hostdime.Com Inc, Orlando, Florida, United States. 109.234.161.10 109.234.161.10 (Dsl), Mgn.Ru, Eu-Zz, United Kingdom, Malware Controller Mail Abuser. 75.126.150.82 75.126.150.82 (Comp), Softlayer.Com, Softlayer Technologies Inc, Dallas, Texas, United States, Malware Controller. 80.239.246.69 80.239.246.69 (Dsl), Teliacarrier.Com, Eu-Telianet, United Kingdom, Malicious Site Malware Controller. 194.85.61.20 194.85.61.20 (Dsl), -, Ru Ncc Network, Moscow, Moskva, Russian Federation, Malware Controller. 205.209.143.94 205.209.143.94 (Dsl), Sjcolo.Com, Managed Solutions Group Inc, Fremont, California, United States, Mail Abuser Malware Controller. 196.40.97.219 196.40.97.219 (Dsl), Your-Server.Co.Za, Afrinic, South Africa, Malware Controller. 82.146.55.155 82.146.55.155 (Dsl), Exelance.Ru, Ispsystem At Nac, Crystal River, Florida, United States, Malware Controller. 91.209.163.201 91.209.163.201 (Dsl), -, Favorit Network Sl, Spain, Mail Abuser Malware Controller.	1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful) MAC_Dst: 00:21:1C:EE:14:00; 41638->80 224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit) MAC_Dst: 00:21:1C:EE:14:00; 36658->53 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 49945->80 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 60328->53 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 41807->53 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain, [/robots.txt]; 36952->80 224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus) MAC_Dst: 00:21:1C:EE:14:00; 45762->53 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 54703->53 1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful) MAC_Dst: 00:21:1C:EE:14:00; 43023->80 224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus) MAC_Dst: 00:21:1C:EE:14:00; 41879->53 1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus) MAC_Dst: 00:21:1C:EE:14:00; 54480->80 1:3810008 {udp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 54892->53 224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful) MAC_Dst: 00:21:1C:EE:14:00; 56523->53 1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful) MAC_Dst: 00:21:1C:EE:14:00; 54392->80 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 51604->80 1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful) MAC_Dst: 00:21:1C:EE:14:00; 33978->80 224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: activationcode.ru (harmful) MAC_Dst: 00:21:1C:EE:14:00; 49404->53 1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus) MAC_Dst: 00:21:1C:EE:14:00; 38047->53 224:1 (8) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit) MAC_Dst: 00:21:1C:EE:14:00; 50027->53 224:1 (12) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit) MAC_Dst: 00:21:1C:EE:14:00; 50027->53