Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:12:49.924 PDT
Gen. Time: 07/16/2012 18:13:17.845 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      134.88.5.251 (18:12:49.924 PDT)
         event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
         43759->22 (18:12:49.924 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
      132.239.17.226 (18:13:17.845 PDT)
         event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         36320->22 (18:13:17.845 PDT)
   DECLARE BOT Non-standard Port
   DECLARE BOT

tcpslice 1342487569.924 1342487569.925 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:12:49.924 PDT
Gen. Time: 07/16/2012 18:16:26.006 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      134.88.5.251 (18:12:49.924 PDT)
         event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
         43759->22 (18:12:49.924 PDT)
      128.8.126.111 (18:13:41.564 PDT)
         event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
         52547->22 (18:13:41.564 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
      132.239.17.226 (18:13:17.845 PDT)
         event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         36320->22 (18:13:17.845 PDT)
   DECLARE BOT Non-standard Port
   DECLARE BOT

tcpslice 1342487569.924 1342487569.925 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:29:45.598 PDT
Gen. Time: 07/16/2012 18:30:58.821 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      128.111.52.58 (18:29:45.598 PDT)
         event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
         50356->22 (18:29:45.598 PDT)
      169.229.50.15 (18:30:38.667 PDT)
         event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
         35707->22 (18:30:38.667 PDT)
      128.208.4.197 (18:30:11.047 PDT)
         event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
         33381->22 (18:30:11.047 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
      132.239.17.226 (18:30:58.821 PDT)
         event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         36434->22 (18:30:58.821 PDT)
   DECLARE BOT Non-standard Port
   DECLARE BOT

tcpslice 1342488585.598 1342488585.599 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:29:45.598 PDT
Gen. Time: 07/16/2012 18:34:26.814 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      128.252.19.18 (18:31:29.192 PDT)
         event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
         57641->22 (18:31:29.192 PDT)
      128.111.52.58 (18:29:45.598 PDT)
         event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
         50356->22 (18:29:45.598 PDT)
      169.229.50.15 (18:30:38.667 PDT)
         event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
         35707->22 (18:30:38.667 PDT)
      128.208.4.197 (18:30:11.047 PDT)
         event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
         33381->22 (18:30:11.047 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
      132.239.17.226 (18:30:58.821 PDT)
         event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         36434->22 (18:30:58.821 PDT)
   DECLARE BOT Non-standard Port
   DECLARE BOT

tcpslice 1342488585.598 1342488585.599 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:47:44.586 PDT
Gen. Time: 07/16/2012 18:48:04.075 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      165.91.55.8 (18:48:04.075 PDT)
         event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
         55968->22 (18:48:04.075 PDT)
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
      216.223.0.211 (18:47:44.586 PDT)
         event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
         40273->80 (18:47:44.586 PDT)
   DECLARE BOT Non-standard Port
   DECLARE BOT

tcpslice 1342489664.586 1342489664.587 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================