BotHunter Daily Analysis Index

BotHunter ®
Live Internet Monitor Page
Computer Science Laboratory
SRI International

Last Updated: Tue Jul 17 23:00:05 2012

www.BOTHUNTER.net

Victim IP	Max Score	Profiles	CCs	Events
192.168.1.180	1.9	VIEW 2	204.13.162.123 204.13.162.123 , , , .	1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-1421 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-1421 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1031->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1032->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1032->69
192.168.1.100	2.1	VIEW 249	130.104.72.201 130.104.72.201 , , , . 129.93.229.138 129.93.229.138 , , , . 206.207.248.34 206.207.248.34 , , , . 128.2.211.114 128.2.211.114 , , , . 128.163.142.20 128.163.142.20 , , , . 143.89.49.74 143.89.49.74 , , , . 199.255.189.160 199.255.189.160 , , , . 132.239.17.226 132.239.17.226 , , , . 199.255.189.60 199.255.189.60 , , , . 130.149.49.136 130.149.49.136 , , , . 195.37.16.125 195.37.16.125 , , , . 137.165.1.111 137.165.1.111 , , , . 134.34.246.5 134.34.246.5 , , , . 138.238.250.155 138.238.250.155 , , , . 80.82.144.94 80.82.144.94 , , , . 84.22.106.30 84.22.106.30 , , , . 81.19.66.51 81.19.66.51 , , , . 82.209.213.60 82.209.213.60 , , , . 80.82.150.2 80.82.150.2 , , , . 81.28.128.34 81.28.128.34 , , , . 84.247.193.3 84.247.193.3 , , , . 81.21.34.35 81.21.34.35 , , , . 216.104.128.37 216.104.128.37 , , , . 216.224.224.10 216.224.224.10 , , , . 216.7.225.7 216.7.225.7 , , , . 66.28.209.5 66.28.209.5 , , , . 66.35.228.158 66.35.228.158 , , , . 72.2.10.4 72.2.10.4 , , , . 80.244.244.244 80.244.244.244 , , , .	1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2029<-2013 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2023<-2025 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2009<-2001 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2002<-2020 1:52012087 {udp} Outbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode; 2022->2003 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2008<-2014 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2007<-2023 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2001<-2022 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2009<-2018 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2006<-2030 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2007<-2025 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2015<-2029 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2003<-2024 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2003<-2003 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2006<-2031 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2006<-2007 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2016<-2019 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2006<-2004 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2007<-2008 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:BB:0C; 2001<-2006
192.168.1.229	1.6	VIEW 4	82.98.86.164 82.98.86.164 , , , .	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-13452 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-13452 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-13452 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->4538 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-32726 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-32726 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-32726
192.168.1.190	2.1	VIEW 2	118.87.28.118 118.87.28.118 , , , .	1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-34668 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-34668 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1028->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1028->69 1:3001441 (2) {udp} Egg Download: TFTP GET .exe from external source; 1028->69 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1027->707
192.168.1.48	0.8	VIEW 1	67.215.242.139 67.215.242.139 , , , .
192.168.1.49	1.1	VIEW 2	200.31.173.58 200.31.173.58 , , , .	1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-1584
192.168.1.169	2.1	VIEW 2	94.95.61.161 94.95.61.161 , , , .	1:2299913 (4) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-3693 1:2000047 {tcp} Egg Download: ET WORM Sasser Transfer _up.exe; 9996<-3736 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 9996->3736
192.168.1.206	1.9	VIEW 2	213.155.14.161 213.155.14.161 , , , .	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-3115 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-3115 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-3115 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->3945
192.168.1.183	1.3	VIEW 2		1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-50523 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-50523 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1027->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1028->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1028->69
192.168.1.149	2.4	VIEW 2	213.155.14.161 213.155.14.161 , , , .	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-2293 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-2293 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-2293 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->2665
192.168.1.113	1.4	VIEW 2	213.155.14.161 213.155.14.161 , , , .	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-17429 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-17429 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-17429 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->4459
192.168.1.148	1.1	VIEW 2	67.77.15.38 67.77.15.38 , , , .	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-4348 1:22000046 (2) {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k) MAC_Dst: 00:30:48:30:03:AE; 445<-4348
192.168.1.3	1.1	VIEW 1	74.113.233.61 74.113.233.61 , , , .	1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 42388<-80 1:2007671 {tcp} Egg Download: ET POLICY Binary Download Smaller than 1 MB Likely Hostile; 42388<-80
192.168.1.40	0.8	VIEW 1	140.211.167.98 140.211.167.98 , , , .
192.168.1.131	1.3	VIEW 4		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-44440 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-44440 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-44440 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->3514 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-10674 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-10674 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-10674
192.168.1.46	1.1	VIEW 14	132.239.17.226 132.239.17.226 , , , . 130.104.72.201 130.104.72.201 , , , .	1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 53758->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 38296->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 55336->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 35730->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 55295->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 57639->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 60354->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 49739->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 38539->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 47005->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 51978->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 51194->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 59904->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 48899->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 55853->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 34956->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 33383->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 54227->22
192.168.1.142	2.1	VIEW 4	64.16.46.185 64.16.46.185 , , , .	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-14921 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-14921 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-14921 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->7127 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-54740 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-54740 1:1444 (6) {udp} Egg Download: TFTP GET from external source; 1032->69
192.168.1.237	1.3	VIEW 2		1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-20579 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-20579 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1031->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1032->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1032->69
192.168.1.195	0.8	VIEW 1		1:22003081 (2) {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-1078 1:22003082 (2) {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-1078 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-1222
192.168.1.86	0.8	VIEW 2		1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-12827 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1028<-6000 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-6000 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 1028<-6000
192.168.1.153	1.3	VIEW 2		1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-38396 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-38396 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1031->707 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:30:48:30:03:AE; 1032<-69 1:1444 {udp} Egg Download: TFTP GET from external source; 1032->69
192.168.1.144	1.6	VIEW 4	213.155.14.161 213.155.14.161 , , , . 89.145.131.32 89.145.131.32 , , , .	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-1271 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-1271 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-1271 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->2009 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-1525 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-1525 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-1525
192.168.1.91	1.9	VIEW 2	213.155.14.161 213.155.14.161 , , , .	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-1110 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-1110 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-1110 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->7914
192.168.1.135	0.8	VIEW 2		1:22003081 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-3492 1:22003082 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-3492 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 139<-3492 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-3577
192.168.1.128	1.1	VIEW 2	207.191.244.184 207.191.244.184 , , , .	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-6147 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-6147 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-6147
192.168.1.71	1.3	VIEW 17	67.215.242.139 67.215.242.139 , , , .	1:2009295 (3) {tcp} Egg Download: ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/pdfm7/check_purchase_permission?product=os.win]; 50236->80
192.168.1.140	1.3	VIEW 2		1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-1529 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-1529 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1031->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1032->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1032->69
192.168.1.220	0.8	VIEW 1		1:2299913 (4) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-50446 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1022->50475
192.168.1.85	1.0	VIEW 8	180.76.5.169 180.76.5.169 , , , . 66.249.67.11 66.249.67.11 , , , . 66.249.68.48 66.249.68.48 , , , . 180.76.5.157 180.76.5.157 , , , .	1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->63878 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->36109 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->48295 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->63977 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->60877 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->62354 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->41208 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->61228 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->57782 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->53107 1:552123 (2) {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->52905 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->50673 1:2001220 (2) {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->50673
192.168.1.164	1.3	VIEW 2		1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-1169 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-1169 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1031->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1032->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1032->69
192.168.1.191	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-2974 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-2974 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-2974 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->4385
192.168.1.187	1.1	VIEW 2	216.223.0.211 216.223.0.211 , , , .	1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 49979<-80 1:2007671 {tcp} Egg Download: ET POLICY Binary Download Smaller than 1 MB Likely Hostile; 49979<-80 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 49979<-80 1:2008576 {tcp} Egg Download: ET TROJAN TinyPE Binary - Possibly Hostile; 49980<-80 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 49980<-80
192.168.1.245	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-52670 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-52670 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-52670 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->7149
192.168.1.209	2.1	VIEW 2	70.60.191.151 70.60.191.151 , , , .	1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-1387 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-1387 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1032->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1032->69 1:3001441 (2) {udp} Egg Download: TFTP GET .exe from external source; 1032->69 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1031->707
192.168.1.102	1.7	VIEW 213	138.238.250.155 138.238.250.155 , , , . 206.207.248.34 206.207.248.34 , , , . 132.239.17.226 132.239.17.226 , , , . 143.89.49.74 143.89.49.74 , , , . 130.104.72.201 130.104.72.201 , , , . 128.2.211.114 128.2.211.114 , , , . 188.93.19.162 188.93.19.162 , , , . 128.163.142.20 128.163.142.20 , , , . 195.37.16.125 195.37.16.125 , , , . 129.93.229.138 129.93.229.138 , , , . 130.149.49.136 130.149.49.136 , , , . 218.6.19.3 218.6.19.3 , , , . 137.165.1.111 137.165.1.111 , , , . 134.34.246.5 134.34.246.5 , , , . 8.5.1.45 8.5.1.45 , , , .	1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2007<-2004 1:22012087 (2) {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2027<-2001 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2014<-2003 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2022<-2006 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2011<-2006 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2022<-2016 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2008<-2001 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2028<-2008 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2026<-2009 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2007<-2022 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2003<-2029 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2025<-2020 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2008<-2009 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->51461 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2029<-2015 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2003<-2012 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2019<-2003 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2029<-2002 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2027<-2026 1:22012087 {udp} Inbound Attack: (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode MAC_Dst: 00:21:5A:08:EC:40; 2003<-2006
192.168.1.87	1.1	VIEW 1	74.125.224.52 74.125.224.52 , , , . 138.108.7.20 138.108.7.20 , , , .	1:2009024 {tcp} C&C Communication: ET TROJAN Downadup/Conficker A or B Worm reporting, [/search?q=538]; 60435->80