BotHunter Daily Analysis Index

BotHunter ®
Live Internet Monitor Page
Computer Science Laboratory
SRI International

Last Updated: Tue Nov 29 23:02:06 2011

www.BOTHUNTER.net

Victim IP	Max Score	Profiles	CCs	Events
192.168.1.175	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-1337 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-1337 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-1337 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-1337 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->1492
192.168.1.5	1.1	VIEW 2	120.196.169.169 120.196.169.169 (Dsl), Sterlingstudents.Net, China Mobile Communications Corporation, Beijing, China, Malware Propagator.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->3517 1:22008705 {tcp} Inbound Attack: (experimental) ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15) MAC_Dst: 00:30:48:30:03:AF; 445<-3540 1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-3540
192.168.1.100	1.7	VIEW 305	132.239.17.226 132.239.17.226 (Comp), Ucsd.Edu, University Of California San Diego, La Jolla, California, United States, Malware Controller. 218.6.19.3 218.6.19.3 (Dsl), 163data.Com.Cn, Chinanet Fujian Province Network, Beijing, China, Malware Controller. 184.105.178.92 184.105.178.92 (-), -, -, -, Malware Controller. 194.85.105.17 194.85.105.17 (Dsl), Ripn.Net, Network For Ru Services, Moscow, Moskva, Russian Federation, Malicious Site Mail Abuser Malware Controller. 194.85.252.62 194.85.252.62 (Dsl), Nic.Ru, Network For Ru Services, Moscow, Moskva, Russian Federation, Malware Controller. 128.163.142.20 128.163.142.20 (Dsl), -, University Of Kentucky, Lexington, Kentucky, United States, Mail Abuser Malware Controller. 137.165.1.111 137.165.1.111 (Dsl), -, Williams College Campus, Williamstown, Massachusetts, United States, Malware Controller. 129.93.229.138 129.93.229.138 (Comp), Unl.Edu, University Of Nebraska-Lincoln, Lincoln, Nebraska, United States, Malware Controller. 206.207.248.34 206.207.248.34 (Comp), Arizona.Edu, University Of Arizona, Tucson, Arizona, United States, Mail Abuser Malware Controller. 130.104.72.201 130.104.72.201 (Dsl), Ucl.Ac.Be, Universite Catholique De Louvain, Brussels, Brussels Hoofdstedelijk Gewest, Belgium, Malware Controller. 195.37.16.125 195.37.16.125 (Comp), -, Extranet Der Universitaet Passau, Passau, Bayern, Germany, Malware Controller. 134.34.246.5 134.34.246.5 (Dsl), Uni-Konstanz.De, Universitaet Konstanz, Konstanz, Baden-WÜRttemberg, Germany, Malware Controller. 130.149.49.136 130.149.49.136 (Dsl), Tu-Berlin.De, Tu Berlin Campus Network, Berlin, Germany, Malware Controller. 138.238.250.155 138.238.250.155 (Dsl), -, Howard University, Washington, District Of Columbia, United States, Malware Controller. 8.5.1.45 8.5.1.45 (Dsl), Name-Services.Com, Enom Incorporated, Bellevue, Washington, United States, Malware Controller. 128.186.122.86 128.186.122.86 (Dsl), Fsu.Edu, Florida State University, Tallahassee, Florida, United States, Malware Controller. 143.89.49.74 143.89.49.74 (Dsl), Ustlnx43-N2.Ust.Hk, Hong Kong University Of Science And Technology, Hong Kong, Hong Kong (Sar), Hong Kong, Malware Controller.	1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 35044<-18230 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 35044<-18230 1:9910006 {udp} Bot Space Access: BotHunter REPO confirmed botnet control server; 49302->49302 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 53112<-29649 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 53112<-29649 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 37325->2126 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 45879<-11443 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 45879<-11443 1:9910020 {udp} Bot Space Access: ET ShadowServer confirmed botnet control server; 2121->2121 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 60424<-58809 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 60424<-58809 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 3124->35503 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 3124->34847 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 60199->2126 1:9910006 {udp} Bot Space Access: BotHunter REPO confirmed botnet control server; 5377->5377 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 3124->48095 1:9910006 {udp} Bot Space Access: BotHunter REPO confirmed botnet control server; 2121->2121 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 34508->2128 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 50997->2128 1:2009295 {tcp} Egg Download: ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/]; 39254->80
192.168.1.222	2.1	VIEW 2	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-1800 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-1800 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-1800 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-1800 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->2405
192.168.1.190	1.6	VIEW 2	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-2454 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-2454 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-2454 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-2454 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->1529
192.168.1.37	0.8	VIEW 4	74.125.224.83 74.125.224.83 (Dial), Google.Com, Google Inc, Mountain View, California, United States. 74.125.224.81 74.125.224.81 (Dial), Google.Com, Google Inc, Mountain View, California, United States. 74.125.224.82 74.125.224.82 (Dial), Google.Com, Google Inc, Mountain View, California, United States.	1:9910028 {tcp} Bot Space Access: BotHunter Version 1.X Test Rule, [/bothunter/testpage-1.X.html]; 49172->80 1:9910028 (2) {tcp} Bot Space Access: BotHunter Version 1.X Test Rule, [/bothunter/testpage-1.X.html]; 49172->80 1:9910028 {tcp} Bot Space Access: BotHunter Version 1.X Test Rule, [/bothunter/testpage-1.X.html]; 49223->80 1:9910028 {tcp} Bot Space Access: BotHunter Version 1.X Test Rule, [/bothunter/testpage-1.X.html]; 49427->80
192.168.1.138	1.6	VIEW 2	82.98.86.164 82.98.86.164 (Dsl), Fhe3rz.Net, Sedo Domain Parking, Berlin, Germany, Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-40799 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-40799 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-40799 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-40799 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->3246
192.168.1.15	0.8	VIEW 1		1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:01:64:FF:CE:EA; 36877<-80 1:2000419 (3) {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 36877<-80 1:2008576 (2) {tcp} Egg Download: ET TROJAN TinyPE Binary - Possibly Hostile; 36877<-80 1:3300007 (5) {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 36877<-80
192.168.1.206	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-31756 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-31756 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-31756 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-31756 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->6564
192.168.1.169	2.1	VIEW 4	72.45.61.112 72.45.61.112 (Dsl), Atlanticbb.Net, Atlantic Broadband, Middletown, Delaware, United States, Malware Propagator Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-3676 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-3676 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-3676 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->6940 1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 135->32759 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-32759 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-32759 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1032->69
192.168.1.125	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-37277 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-37277 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-37277 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-37277 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->1659
192.168.1.149	1.3	VIEW 4		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-2488 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-2488 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-2488 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-2488 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->2608 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-3873 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-3873 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-3873
192.168.1.62	0.8	VIEW 2	60.190.217.55 60.190.217.55 (Comp), -, Shanghai Zhongsheng Network Ltd, Shanghai, China, Malware Controller.	1:9910009 {tcp} Bot Space Access: ET ShadowServer confirmed botnet control server; 1039->3321 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 1039->3321
192.168.1.148	1.6	VIEW 2	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-4714 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-4714 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-4714 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-4714 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->7883
192.168.1.217	1.6	VIEW 2	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-8352 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-8352 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-8352 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-8352 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->2576
192.168.1.244	0.8	VIEW 1	82.98.86.164 82.98.86.164 (Dsl), Fhe3rz.Net, Sedo Domain Parking, Berlin, Germany, Malware Controller.	1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 1032->6667
192.168.1.3	0.8	VIEW 4	199.249.120.1 199.249.120.1 (Dsl), Afilias-Nst.Info, Afilias Canada Corp, Toronto, Ontario, Canada, Malware Controller. 128.8.10.90 128.8.10.90 (Comp), Umd.Edu, University Of Maryland, College Park, Maryland, United States, Malware Controller. 192.5.5.241 192.5.5.241 (Dsl), Isc.Org, Internet Systems Consortium Inc, Redwood City, California, United States, Malware Controller. 192.228.79.201 192.228.79.201 (Dsl), -, B.Root-Server-Ops, Marina Del Rey, California, United States, Malware Controller.	1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 53039->53 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 53159->53 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 46825->53 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 36971->53
192.168.1.235	0.8	VIEW 3		1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-10813 1:2648 (2) {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-10813 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 9995->10898 1:22003081 {tcp} Inbound Attack: ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-27025 1:2537 {tcp} Inbound Attack: GPL NETBIOS SMB IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 139<-27025 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-27423 1:2537 {tcp} Inbound Attack: GPL NETBIOS SMB IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 139<-27025
192.168.1.136	1.6	VIEW 2	60.190.217.55 60.190.217.55 (Comp), -, Shanghai Zhongsheng Network Ltd, Shanghai, China, Malware Controller.	1:22465 {tcp} Inbound Attack: GPL NETBIOS SMB-DS IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 445<-54863 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port, [/rt.exe]; 1028->80 1:22465 {tcp} Inbound Attack: GPL NETBIOS SMB-DS IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 445<-54863 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 1028<-80 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1028<-80 1:2007671 {tcp} Egg Download: ET POLICY Binary Download Smaller than 1 MB Likely Hostile; 1028<-80
192.168.1.40	0.8	VIEW 1		1:22009201 {tcp} Inbound Attack: ET TROJAN Conficker.b Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-1113 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 445<-1113
192.168.1.11	1.6	VIEW 2	218.63.69.77 218.63.69.77 (Dial), 163data.Com.Cn, Chinanet Yunnan Province Network, Beijing, China, Mail Abuser Malicious Scanner Malware Propagator Malware Controller.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->3158 1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-3181 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1028<-7849 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-7849 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 1028<-7849 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 1028->7849
192.168.1.193	1.1	VIEW 2	71.37.192.83 71.37.192.83 (Dsl), Qwest.Net, Qwest Communications Company Llc, Prescott, Arizona, United States, Malware Propagator.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->2879 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-2905 1:22000046 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k) MAC_Dst: 00:30:48:30:03:AE; 445<-2905 1:22314 (6) {tcp} Inbound Attack: GPL SHELLCODE x86 0x90 NOOP unicode MAC_Dst: 00:30:48:30:03:AE; 445<-2913 1:22514 (3) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-2913 1:2653 (6) {tcp} Inbound Attack: GPL SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-2905
192.168.1.160	2.1	VIEW 3	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-56950 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-56950 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-56950 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-56950 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->7549 1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-1762 1:2648 (2) {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-1762 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 9995->1783
192.168.1.219	1.3	VIEW 2		1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-4933 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1027->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1028->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1028->69 1:3001441 (2) {udp} Egg Download: TFTP GET .exe from external source; 1028->69
192.168.1.249	1.6	VIEW 2	60.190.217.55 60.190.217.55 (Comp), -, Shanghai Zhongsheng Network Ltd, Shanghai, China, Malware Controller.	1:22465 {tcp} Inbound Attack: GPL NETBIOS SMB-DS IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 445<-10239 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port, [/rt.exe]; 1028->80 1:22465 {tcp} Inbound Attack: GPL NETBIOS SMB-DS IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 445<-10239 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1028<-80 1:2007671 {tcp} Egg Download: ET POLICY Binary Download Smaller than 1 MB Likely Hostile; 1028<-80
192.168.1.111	0.8	VIEW 2		1:22003081 {tcp} Inbound Attack: ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-4822 1:2537 {tcp} Inbound Attack: GPL NETBIOS SMB IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 139<-4822 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-1097 1:2537 {tcp} Inbound Attack: GPL NETBIOS SMB IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 139<-4822 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 9988<-1097
192.168.1.237	0.8	VIEW 2		1:22003081 {tcp} Inbound Attack: ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-50289 1:2537 {tcp} Inbound Attack: GPL NETBIOS SMB IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 139<-50289 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-51157 1:2537 {tcp} Inbound Attack: GPL NETBIOS SMB IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 139<-50289 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 9988<-51157
192.168.1.214	1.3	VIEW 4	173.22.110.29 173.22.110.29 (Comp), Mchsi.Com, Mediacom Communications Corp, Springfield, Missouri, United States, Malware Propagator Malware Controller.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 135->4772 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-4772 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-4772 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-1102 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1027->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1028->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1028->69
192.168.1.106	0.9	VIEW 2	209.190.113.190 209.190.113.190 (Comp), Xlhost.Com, Mohd. Arif Hossain Khan, Bangladesh, Malware Controller Mail Abuser.	1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 58802<-80 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 58702->80 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 58802<-80
192.168.1.186	1.0	VIEW 2	188.247.135.32 188.247.135.32 (Dsl), Ripe.Net, European Regional Registry, United Kingdom, Malware Controller.	1:2000427 {tcp} Egg Download: ET POLICY PE EXE Install Windows file download; 1303<-80 1:2007671 {tcp} Egg Download: ET POLICY Binary Download Smaller than 1 MB Likely Hostile; 1303<-80 1:2013519 {tcp} C&C Communication: (experimental) ET TROJAN Driveby Loader Request sn.php, [/sn.php?c=213F6185B9299540C8D58CA2176D24E25EC1422AD38099034C74D2A1528BCFE2CEB71B0D447AC8FAB2D845D9878DFCE45CA4B00549D4F1A10E3D2]; 1304->80 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1313<-80 1:2007671 (2) {tcp} Egg Download: ET POLICY Binary Download Smaller than 1 MB Likely Hostile; 1303<-80 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 1313<-80
192.168.1.144	1.3	VIEW 2		1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-3080 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1027->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1028->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1028->69 1:3001441 (2) {udp} Egg Download: TFTP GET .exe from external source; 1028->69
192.168.1.216	1.3	VIEW 2		1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-2141 1:2648 (2) {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-2141 1:2000047 {tcp} Egg Download: ET WORM Sasser Transfer _up.exe; 9996<-2175 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 9996->2175
192.168.1.250	3.0	VIEW 2	1.251.61.249 1.251.61.249 (-), -, -, -, Malware Propagator. 83.133.119.197 83.133.119.197 (Dsl), Greatnet.De, Lncde-Greatnet-Newmedia, Germany, Malicious Site Mail Abuser Malware Controller. 188.247.135.32 188.247.135.32 (Dsl), Ripe.Net, European Regional Registry, United Kingdom, Malware Controller.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 135->2706 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-2706 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1036<-80 1:2002190 {tcp} Egg Download: BLEEDING-EDGE WORM Possible UPnP Infection - gc.exe download, [/gc.exe]; 1036->80 1:2007671 {tcp} Egg Download: ET POLICY Binary Download Smaller than 1 MB Likely Hostile; 1036<-80 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1036->80
192.168.1.128	1.6	VIEW 7	82.98.86.164 82.98.86.164 (Dsl), Fhe3rz.Net, Sedo Domain Parking, Berlin, Germany, Malware Controller. 218.63.69.77 218.63.69.77 (Dial), 163data.Com.Cn, Chinanet Yunnan Province Network, Beijing, China, Mail Abuser Malicious Scanner Malware Propagator Malware Controller. 64.56.64.18 64.56.64.18 (Dsl), Bartonkiegersite.Net, Vrtservers Inc, Los Angeles, California, United States, Malware Propagator Malware Controller Malicious Scanner.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-29186 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-29186 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-29186 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-29186 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->5689 1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->2357 1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-2377 1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->2889 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 1028->8119 1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-2893 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1029<-8119
192.168.1.18	1.1	VIEW 2	81.218.35.109 81.218.35.109 (Dsl), Bezeqint.Net, Bezeq-International, Tel Aviv, Israel, Malware Propagator Malicious Scanner.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->2458 1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-2490
192.168.1.167	0.8	VIEW 1		1:22003081 (2) {tcp} Inbound Attack: ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-60181 1:2537 {tcp} Inbound Attack: GPL NETBIOS SMB IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 139<-60181 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-61242
192.168.1.171	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-1498 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-1498 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-1498 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-1498 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->8031
192.168.1.146	1.3	VIEW 2		1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-2227 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1031->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1032->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1032->69 1:3001441 (2) {udp} Egg Download: TFTP GET .exe from external source; 1032->69
192.168.1.159	2.1	VIEW 2	220.130.253.73 220.130.253.73 (Dsl), Hinet.Net, Chunghwa Telecom Data Communication Business Group, Taipei, T'Ai-Pei, Taiwan, Malware Propagator Mail Abuser Malware Controller.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 135->3041 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-3041 1:1444 (6) {udp} Egg Download: TFTP GET from external source; 1032->69 1:2008120 (6) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1032->69 1:3001441 (5) {udp} Egg Download: TFTP GET .exe from external source; 1032->69 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1031->707
192.168.1.73	0.8	VIEW 1		1:22003081 (2) {tcp} Inbound Attack: ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-13658 1:22492 {tcp} Inbound Attack: GPL NETBIOS SMB DCERPC ISystemActivator bind attempt MAC_Dst: 00:30:48:30:03:AE; 139<-12508 1:2537 (3) {tcp} Inbound Attack: GPL NETBIOS SMB IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 139<-12508 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 139<-13877 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-13159
192.168.1.26	1.6	VIEW 2	60.190.217.55 60.190.217.55 (Comp), -, Shanghai Zhongsheng Network Ltd, Shanghai, China, Malware Controller.	1:22465 {tcp} Inbound Attack: GPL NETBIOS SMB-DS IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 445<-26029 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port, [/rt.exe]; 1028->80 1:22465 {tcp} Inbound Attack: GPL NETBIOS SMB-DS IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 445<-26029 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1028<-80 1:2007671 {tcp} Egg Download: ET POLICY Binary Download Smaller than 1 MB Likely Hostile; 1028<-80
192.168.1.185	1.6	VIEW 2	60.190.217.55 60.190.217.55 (Comp), -, Shanghai Zhongsheng Network Ltd, Shanghai, China, Malware Controller.	1:22465 {tcp} Inbound Attack: GPL NETBIOS SMB-DS IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 445<-7666 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port, [/rt.exe]; 1028->80 1:22465 {tcp} Inbound Attack: GPL NETBIOS SMB-DS IPC$ share access MAC_Dst: 00:30:48:30:03:AE; 445<-7666 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 1028<-80 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1028<-80 1:2007671 {tcp} Egg Download: ET POLICY Binary Download Smaller than 1 MB Likely Hostile; 1028<-80
192.168.1.85	1.6	VIEW 27	180.76.5.170 180.76.5.170 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 180.76.5.51 180.76.5.51 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 180.76.5.63 180.76.5.63 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 180.76.5.56 180.76.5.56 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 180.76.5.195 180.76.5.195 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 180.76.5.143 180.76.5.143 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 180.76.5.94 180.76.5.94 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 180.76.5.67 180.76.5.67 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 180.76.5.185 180.76.5.185 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 212.113.37.105 212.113.37.105 (Dsl), Utel.Net.Ua, Utel Internet Services, Lviv, L'Vivs'Ka Oblast', Ukraine, Mail Abuser. 180.76.6.37 180.76.6.37 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 180.76.5.192 180.76.5.192 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 64.56.64.18 64.56.64.18 (Dsl), Bartonkiegersite.Net, Vrtservers Inc, Los Angeles, California, United States, Malware Propagator Malware Controller Malicious Scanner. 180.76.5.138 180.76.5.138 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 180.76.5.53 180.76.5.53 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China. 180.76.5.95 180.76.5.95 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China.	1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->44954 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->43454 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->52073 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->52293 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->55721 1:552123 (4) {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->38905 1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->55273 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->53142 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->3685 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->44257 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->3104 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->6995 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->11786 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->14456 1:2001220 (2) {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->14456 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->8117 1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->47616 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->17944 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->37493 1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->3665
192.168.1.191	2.1	VIEW 2	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-17029 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-17029 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-17029 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-17029 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->1445
192.168.1.164	0.8	VIEW 4	188.247.135.32 188.247.135.32 (Dsl), Ripe.Net, European Regional Registry, United Kingdom, Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-12431 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-12431 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-12431 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-12431 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->1992 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-35922 1:2013519 {tcp} C&C Communication: (experimental) ET TROJAN Driveby Loader Request sn.php, [/sn.php?c=F1EF15F1019120F54C54A1F8C885D43B59C73F0BD9C4198F5F6BECA8D47D644E125B5F48241FBEE163598CE779466A819C6A6CD479E7C8E8ABCE0]; 1413->80 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-35922 1:22000046 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k) MAC_Dst: 00:30:48:30:03:AE; 445<-35922
192.168.1.245	1.1	VIEW 2	119.15.231.127 119.15.231.127 (Dsl), Tcol.Com.Tw, E-Max Network Corp, Taipei, T'Ai-Pei, Taiwan, Malware Propagator.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->3229 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-3229 1:22000046 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k) MAC_Dst: 00:30:48:30:03:AE; 445<-3229 1:22314 (5) {tcp} Inbound Attack: GPL SHELLCODE x86 0x90 NOOP unicode MAC_Dst: 00:30:48:30:03:AE; 445<-3229 1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-3229 1:2653 (5) {tcp} Inbound Attack: GPL SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-3229
192.168.1.102	1.3	VIEW 321	137.165.1.111 137.165.1.111 (Dsl), -, Williams College Campus, Williamstown, Massachusetts, United States, Malware Controller. 206.207.248.34 206.207.248.34 (Comp), Arizona.Edu, University Of Arizona, Tucson, Arizona, United States, Mail Abuser Malware Controller. 194.85.105.17 194.85.105.17 (Dsl), Ripn.Net, Network For Ru Services, Moscow, Moskva, Russian Federation, Malicious Site Mail Abuser Malware Controller. 184.105.178.92 184.105.178.92 (-), -, -, -, Malware Controller. 128.163.142.20 128.163.142.20 (Dsl), -, University Of Kentucky, Lexington, Kentucky, United States, Mail Abuser Malware Controller. 128.227.11.13 128.227.11.13 (Comp), Ufl.Edu, University Of Florida, Gainesville, Florida, United States, Malware Controller. 132.239.17.226 132.239.17.226 (Comp), Ucsd.Edu, University Of California San Diego, La Jolla, California, United States, Malware Controller. 130.149.49.136 130.149.49.136 (Dsl), Tu-Berlin.De, Tu Berlin Campus Network, Berlin, Germany, Malware Controller. 195.37.16.125 195.37.16.125 (Comp), -, Extranet Der Universitaet Passau, Passau, Bayern, Germany, Malware Controller. 129.93.229.138 129.93.229.138 (Comp), Unl.Edu, University Of Nebraska-Lincoln, Lincoln, Nebraska, United States, Malware Controller. 130.104.72.201 130.104.72.201 (Dsl), Ucl.Ac.Be, Universite Catholique De Louvain, Brussels, Brussels Hoofdstedelijk Gewest, Belgium, Malware Controller. 134.34.246.5 134.34.246.5 (Dsl), Uni-Konstanz.De, Universitaet Konstanz, Konstanz, Baden-WÜRttemberg, Germany, Malware Controller. 128.2.211.114 128.2.211.114 (Comp), Incommsolutions.Com, Carnegie Mellon University, Pittsburgh, Pennsylvania, United States, Malware Controller. 128.186.122.86 128.186.122.86 (Dsl), Fsu.Edu, Florida State University, Tallahassee, Florida, United States, Malware Controller. 143.89.49.74 143.89.49.74 (Dsl), Ustlnx43-N2.Ust.Hk, Hong Kong University Of Science And Technology, Hong Kong, Hong Kong (Sar), Hong Kong, Malware Controller. 138.238.250.155 138.238.250.155 (Dsl), -, Howard University, Washington, District Of Columbia, United States, Malware Controller. 199.255.189.60 199.255.189.60 (-), -, -, -, Malware Controller.	1:9910006 {udp} Bot Space Access: BotHunter REPO confirmed botnet control server; 54593->54593 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 49866->2128 1:3810008 {udp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 45936->33435 1:9910006 {udp} Bot Space Access: BotHunter REPO confirmed botnet control server; 45936->33435 1:9910020 {udp} Bot Space Access: ET ShadowServer confirmed botnet control server; 2121->2121 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 56215->2126 1:9910006 {udp} Bot Space Access: BotHunter REPO confirmed botnet control server; 49302->65535 1:9910006 {udp} Bot Space Access: BotHunter REPO confirmed botnet control server; 2122->2122 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 55931->2126 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 37751->2128 1:9910006 {udp} Bot Space Access: BotHunter REPO confirmed botnet control server; 5377->5377 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 59684->2128 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 43510->2128 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 48882->2128 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 34064->2126 1:9910006 {udp} Bot Space Access: BotHunter REPO confirmed botnet control server; 2121->2121 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 45167->2126 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 48479->2128 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 42849->2128 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 47445->2128
192.168.1.78	1.6	VIEW 2	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-38983 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-38983 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-38983 1:2648 {tcp} Inbound Attack: GPL SHELLCODE x86 NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-38983 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->1992