Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:24:01.484 PDT
Gen. Time: 07/17/2012 14:24:49.153 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 128.8.126.111 (14:24:01.484 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  53758->22 (14:24:01.484 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
 132.239.17.226 (14:24:49.153 PDT)
  event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  37554->22 (14:24:49.153 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342560241.484 1342560241.485 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:24:01.484 PDT
Gen. Time: 07/17/2012 14:28:59.157 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 165.230.49.119 (14:24:49.653 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  38296->22 (14:24:49.653 PDT)
 128.252.19.19 (14:25:01.834 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  55336->22 (14:25:01.834 PDT)
 128.8.126.111 (14:24:01.484 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  53758->22 (14:24:01.484 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
 132.239.17.226 (14:24:49.153 PDT)
  event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  37554->22 (14:24:49.153 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342560241.484 1342560241.485 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:46:14.668 PDT
Gen. Time: 07/17/2012 14:46:50.879 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 165.242.90.129 (14:46:39.636 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  35730->22 (14:46:39.636 PDT)
 133.15.59.1 (14:46:48.710 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  55295->22 (14:46:48.710 PDT)
 158.130.6.254 (14:46:14.668 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  57639->22 (14:46:14.668 PDT)
 129.97.74.12 (14:46:29.203 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  60354->22 (14:46:29.203 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
 130.104.72.201 (14:46:50.879 PDT)
  event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  60892->22 (14:46:50.879 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342561574.668 1342561574.669 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:46:14.668 PDT
Gen. Time: 07/17/2012 14:51:10.296 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 128.84.154.45 (14:46:59.075 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  49739->22 (14:46:59.075 PDT)
 165.242.90.129 (14:46:39.636 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  35730->22 (14:46:39.636 PDT)
 141.20.103.210 (14:47:11.697 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  36502->22 (14:47:11.697 PDT)
 133.15.59.1 (14:46:48.710 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  55295->22 (14:46:48.710 PDT)
 158.130.6.254 (14:46:14.668 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  57639->22 (14:46:14.668 PDT)
 129.97.74.12 (14:46:29.203 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  60354->22 (14:46:29.203 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
 130.104.72.201 (14:46:50.879 PDT)
  event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  60892->22 (14:46:50.879 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342561574.668 1342561574.669 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 15:39:22.528 PDT
Gen. Time: 07/17/2012 15:40:03.352 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 165.230.49.119 (15:39:46.032 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  38539->22 (15:39:46.032 PDT)
 155.245.47.225 (15:39:22.528 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  47005->22 (15:39:22.528 PDT)
 141.212.113.180 (15:39:56.508 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  45330->22 (15:39:56.508 PDT)
 133.9.81.165 (15:39:32.851 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  48785->22 (15:39:32.851 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
 130.104.72.201 (15:40:03.352 PDT)
  event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  32801->22 (15:40:03.352 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342564762.528 1342564762.529 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 15:39:22.528 PDT
Gen. Time: 07/17/2012 15:51:40.765 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 128.111.52.58 (15:43:34.314 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  51978->22 (15:43:34.314 PDT)
 133.1.74.162 (15:43:19.126 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  52056->22 (15:43:19.126 PDT)
 128.10.19.52 (15:44:59.541 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  58046->22 (15:44:59.541 PDT)
 165.91.55.10 (15:42:27.572 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  44995->22 (15:42:27.572 PDT)
 133.15.59.2 (15:40:07.373 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  43042->22 (15:40:07.373 PDT)
 165.230.49.119 (2) (15:39:46.032 PDT)
  event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  38539->22 (15:39:46.032 PDT)
  38811->22 (15:45:32.545 PDT)
 193.136.191.21 (15:40:32.448 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  46489->22 (15:40:32.448 PDT)
 133.9.81.165 (15:39:32.851 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  48785->22 (15:39:32.851 PDT)
 131.114.59.242 (15:40:18.726 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  32926->22 (15:40:18.726 PDT)
 141.212.113.180 (15:39:56.508 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  45330->22 (15:39:56.508 PDT)
 150.244.58.161 (15:43:08.747 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  43992->22 (15:43:08.747 PDT)
 202.249.37.67 (15:42:58.471 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  41086->22 (15:42:58.471 PDT)
 193.63.75.18 (2) (15:42:37.796 PDT)
  event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  44248->22 (15:42:37.796 PDT)
  44384->22 (15:45:28.321 PDT)
 203.178.133.3 (15:42:48.137 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  35143->22 (15:42:48.137 PDT)
 155.245.47.225 (15:39:22.528 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  47005->22 (15:39:22.528 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
 130.104.72.201 (15:40:03.352 PDT)
  event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  32801->22 (15:40:03.352 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342564762.528 1342564762.529 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 16:28:24.773 PDT
Gen. Time: 07/17/2012 16:28:24.830 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 204.85.191.10 (16:28:24.830 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  51194->22 (16:28:24.830 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
 132.239.17.226 (16:28:24.773 PDT)
  event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  38777->22 (16:28:24.773 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342567704.773 1342567704.774 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 16:28:24.773 PDT
Gen. Time: 07/17/2012 16:33:13.506 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 128.220.231.4 (16:29:38.713 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  59904->22 (16:29:38.713 PDT)
 204.85.191.10 (16:28:24.830 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  51194->22 (16:28:24.830 PDT)
 128.42.142.45 (16:30:05.228 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  36047->22 (16:30:05.228 PDT)
 128.84.154.45 (16:29:22.885 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  50915->22 (16:29:22.885 PDT)
 165.91.55.8 (16:28:47.749 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  58295->22 (16:28:47.749 PDT)
 141.212.113.180 (16:28:25.020 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  46326->22 (16:28:25.020 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
 132.239.17.226 (16:28:24.773 PDT)
  event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  38777->22 (16:28:24.773 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342567704.773 1342567704.774 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:13:03.320 PDT
Gen. Time: 07/17/2012 18:13:28.819 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 134.88.5.251 (18:13:03.320 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  48899->22 (18:13:03.320 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
 132.239.17.226 (18:13:28.819 PDT)
  event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  41470->22 (18:13:28.819 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342573983.320 1342573983.321 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:13:03.320 PDT
Gen. Time: 07/17/2012 18:16:12.341 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 134.88.5.251 (18:13:03.320 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  48899->22 (18:13:03.320 PDT)
 128.8.126.111 (18:13:55.442 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  57707->22 (18:13:55.442 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
 132.239.17.226 (18:13:28.819 PDT)
  event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  41470->22 (18:13:28.819 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342573983.320 1342573983.321 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:29:48.229 PDT
Gen. Time: 07/17/2012 18:31:01.481 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 128.111.52.58 (18:29:48.229 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  55853->22 (18:29:48.229 PDT)
 169.229.50.15 (18:30:40.674 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  41225->22 (18:30:40.674 PDT)
 128.208.4.197 (18:30:14.340 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  38888->22 (18:30:14.340 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
 132.239.17.226 (18:31:01.481 PDT)
  event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  41962->22 (18:31:01.481 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342574988.229 1342574988.230 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:29:48.229 PDT
Gen. Time: 07/17/2012 18:33:53.443 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 128.252.19.18 (18:31:34.867 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  34956->22 (18:31:34.867 PDT)
 128.111.52.58 (18:29:48.229 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  55853->22 (18:29:48.229 PDT)
 169.229.50.15 (18:30:40.674 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  41225->22 (18:30:40.674 PDT)
 128.208.4.197 (18:30:14.340 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  38888->22 (18:30:14.340 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
 132.239.17.226 (18:31:01.481 PDT)
  event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  41962->22 (18:31:01.481 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342574988.229 1342574988.230 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:47:46.256 PDT
Gen. Time: 07/17/2012 18:48:12.115 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 165.91.55.8 (18:47:46.256 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  33383->22 (18:47:46.256 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
 132.239.17.226 (18:48:12.115 PDT)
  event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  42176->22 (18:48:12.115 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342576066.256 1342576066.257 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.46
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:47:46.256 PDT
Gen. Time: 07/17/2012 18:52:24.431 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 128.84.154.45 (18:48:41.402 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  54227->22 (18:48:41.402 PDT)
 165.91.55.8 (18:47:46.256 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  33383->22 (18:47:46.256 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
 132.239.17.226 (18:48:12.115 PDT)
  event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  42176->22 (18:48:12.115 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342576066.256 1342576066.257 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46'

============================== SEPARATOR ================================