BotHunter Daily Analysis Index

BotHunter ®
Live Internet Monitor Page
Computer Science Laboratory
SRI International

Last Updated: Mon Jul 16 23:00:02 2012

www.BOTHUNTER.net

Victim IP	Max Score	Profiles	CCs	Events
192.168.1.40	1.1	VIEW 2	122.169.240.178 122.169.240.178 , , , .	1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-4753
192.168.1.238	0.8	VIEW 1		1:2299913 (4) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-4467 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1022->4502
192.168.1.175	1.9	VIEW 2	213.155.14.161 213.155.14.161 , , , .	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-1645 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-1645 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-1645 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->5226
192.168.1.100	1.6	VIEW 52	130.104.72.201 130.104.72.201 , , , . 128.2.211.114 128.2.211.114 , , , . 129.93.229.138 129.93.229.138 , , , . 137.165.1.111 137.165.1.111 , , , . 138.238.250.155 138.238.250.155 , , , .	1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2001<-2026 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2011<-2022 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2013<-2003 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2024<-2014 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2011<-2002 1:52012087 {udp} Outbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode; 2011->2007 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2017<-2014 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2018<-2026 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2025<-2020 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2024<-2002 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2017<-2029 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2010<-2006 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2002<-2002 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2018<-2020 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2015<-2012 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2010<-2021 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2011<-2012 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2009<-2016 1:52012087 {udp} Outbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode; 2003->2006 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2019<-2012
192.168.1.46	1.1	VIEW 5	132.239.17.226 132.239.17.226 , , , . 216.223.0.211 216.223.0.211 , , , .	1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 43759->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 52547->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 50356->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 35707->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 33381->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 57641->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 55968->22
192.168.1.202	0.8	VIEW 1	74.193.212.133 74.193.212.133 , , , .
192.168.1.12	0.8	VIEW 1	122.169.240.178 122.169.240.178 , , , .
192.168.1.201	0.8	VIEW 1		1:22003081 (2) {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-2139 1:22003082 (2) {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-2139 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-3097
192.168.1.85	1.0	VIEW 1	71.236.253.160 71.236.253.160 , , , .	1:2001220 (2) {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->4517 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->38793
192.168.1.102	1.7	VIEW 56	195.37.16.125 195.37.16.125 , , , . 128.2.211.114 128.2.211.114 , , , . 188.93.19.162 188.93.19.162 , , , . 132.239.17.226 132.239.17.226 , , , . 143.89.49.74 143.89.49.74 , , , . 128.186.122.86 128.186.122.86 , , , . 128.163.142.20 128.163.142.20 , , , . 129.93.229.138 129.93.229.138 , , , . 206.207.248.34 206.207.248.34 , , , . 130.149.49.136 130.149.49.136 , , , . 199.255.189.60 199.255.189.60 , , , . 134.34.246.5 134.34.246.5 , , , . 138.238.250.155 138.238.250.155 , , , .	1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2004<-2029 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2009<-2026 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2028<-2026 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2024<-2004 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->53562 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2008<-2022 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2020<-2018 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2006<-2026 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2023<-2007 1:52012087 {udp} Outbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode; 2017->2002 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2007<-2011 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2002<-2025 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2011<-2019 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2013<-2003 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2011<-2001 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2025<-2006 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2024<-2007 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2019<-2022 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2019<-2028 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2005<-2015