BotHunter Daily Analysis Index

BotHunter ®
Live Internet Monitor Page
Computer Science Laboratory
SRI International

Last Updated: Sun Jul 29 23:00:15 2012

www.BOTHUNTER.net

Victim IP	Max Score	Profiles	CCs	Events
192.168.1.117	1.6	VIEW 2	202.129.196.138 202.129.196.138 , , , .	1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-3437 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1028<-3032 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-3032 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 1028<-3032
192.168.1.6	0.8	VIEW 2		1:22003081 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-1170 1:22003082 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-1170 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 139<-1170 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-1265
192.168.1.175	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-3859 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-3859 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-3859 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->3932
192.168.1.100	1.4	VIEW 294	218.6.19.3 218.6.19.3 , , , . 128.2.211.114 128.2.211.114 , , , . 143.89.49.74 143.89.49.74 , , , . 132.239.17.226 132.239.17.226 , , , . 137.165.1.111 137.165.1.111 , , , . 128.227.150.11 128.227.150.11 , , , . 129.93.229.138 129.93.229.138 , , , . 195.37.16.125 195.37.16.125 , , , . 138.238.250.155 138.238.250.155 , , , . 130.149.49.136 130.149.49.136 , , , . 128.163.142.20 128.163.142.20 , , , . 66.28.209.5 66.28.209.5 , , , . 66.35.228.158 66.35.228.158 , , , . 66.28.20.170 66.28.20.170 , , , . 202.51.29.60 202.51.29.60 , , , . 208.101.207.9 208.101.207.9 , , , . 202.152.209.14 202.152.209.14 , , , . 208.10.145.9 208.10.145.9 , , , . 89.189.156.5 89.189.156.5 , , , . 194.95.202.198 194.95.202.198 , , , . 202.112.209.122 202.112.209.122 , , , . 200.124.247.205 200.124.247.205 , , , . 200.94.160.246 200.94.160.246 , , , . 64.8.76.10 64.8.76.10 , , , . 64.88.192.20 64.88.192.20 , , , . 208.82.176.131 208.82.176.131 , , , . 210.30.48.8 210.30.48.8 , , , . 208.83.220.215 208.83.220.215 , , , . 208.82.184.3 208.82.184.3 , , , . 210.26.0.10 210.26.0.10 , , , . 84.22.106.30 84.22.106.30 , , , . 80.82.0.50 80.82.0.50 , , , . 82.77.208.7 82.77.208.7 , , , . 82.207.71.2 82.207.71.2 , , , . 192.100.172.5 192.100.172.5 , , , . 130.104.72.201 130.104.72.201 , , , . 206.207.248.34 206.207.248.34 , , , . 134.34.246.5 134.34.246.5 , , , .	1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->55044 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->56310 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->50002 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->44868 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->39418 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->45179 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->56395 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->51568 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->46557 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->52283 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->53062 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->42777 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->58108 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->57920 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->44939 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->35131 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->58396 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->36964 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->58116 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 4815->38049
192.168.1.131	1.9	VIEW 2	213.155.14.161 213.155.14.161 , , , .	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-2400 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-2400 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-2400 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->3270
192.168.1.103	0.8	VIEW 2		1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-4180 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1028<-5496 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-5496 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 1028<-5496
192.168.1.46	1.1	VIEW 4	132.239.17.226 132.239.17.226 , , , . 138.108.7.20 138.108.7.20 , , , .	1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 60494->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 43909->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 53236->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 49484->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 34494->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 37010->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 44699->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 48847->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 39592->22
192.168.1.229	1.1	VIEW 3	213.155.14.161 213.155.14.161 , , , .	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-3136 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-3136 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-3136 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->4102 1:2003070 {tcp} C&C Communication: ET WORM Korgo.U Reporting, [/index.php?id=hzzvyrhnuhpnwvhw&scn=0&inf=0&ver=19&cnt=USA]; 1032->80
192.168.1.98	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-4481 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-4481 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-4481 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->6739
192.168.1.153	1.6	VIEW 4	202.129.196.138 202.129.196.138 , , , .	1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-1693 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1028<-3032 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-3032 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 1028<-3032 1:22003081 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-4176 1:22003082 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-4176 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 139<-4176
192.168.1.247	0.8	VIEW 2		1:22003081 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-3377 1:22003082 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-3377 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 139<-3377 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-3476
192.168.1.144	0.8	VIEW 4		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-50997 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-50997 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-50997 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->5984 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-3620 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-3620 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-3620
192.168.1.216	0.8	VIEW 1	130.193.136.90 130.193.136.90 , , , .
192.168.1.190	1.1	VIEW 3	213.155.14.161 213.155.14.161 , , , . 178.151.147.98 178.151.147.98 , , , .	1:2003070 {tcp} C&C Communication: ET WORM Korgo.U Reporting, [/index.php?id=mbehnozqsstcyuwsi&scn=0&inf=0&ver=19&cnt=USA]; 1032->80 1:2003070 {tcp} C&C Communication: ET WORM Korgo.U Reporting, [/index.php?id=juwqinvjpmaxezraip&scn=0&inf=0&ver=19&cnt=USA]; 1032->80
192.168.1.128	0.8	VIEW 1		1:22003081 (2) {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-4483 1:22003082 (2) {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-4483 1:2299913 (3) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 139<-4544 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-4657
192.168.1.71	1.4	VIEW 17	67.215.242.138 67.215.242.138 , , , . 67.215.242.139 67.215.242.139 , , , . 213.155.14.161 213.155.14.161 , , , .	1:2009295 (3) {tcp} Egg Download: ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/pdfm7/check_purchase_permission?product=os.win8rp]; 52327->80 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-1336 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-1336 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-1336 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->2555
192.168.1.30	1.1	VIEW 2	115.115.97.139 115.115.97.139 , , , .	1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-3436
192.168.1.138	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-4923 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-4923 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-4923 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->475
192.168.1.149	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-3968 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-3968 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-3968 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->2109
192.168.1.14	1.0	VIEW 1	208.115.113.85 208.115.113.85 , , , .	1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->51127 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->51127
192.168.1.148	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-1945 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-1945 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-1945 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->6739
192.168.1.159	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-62970 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-62970 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-62970 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->1911
192.168.1.82	0.8	VIEW 2		1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-3840 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1028<-9763 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-9763 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 1028<-9763
192.168.1.221	0.8	VIEW 2		1:22003081 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-50377 1:22003082 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-50377 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 139<-50377 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-50527
192.168.1.85	1.0	VIEW 24	180.76.6.222 180.76.6.222 , , , . 66.249.67.11 66.249.67.11 , , , . 180.76.5.137 180.76.5.137 , , , . 66.249.68.48 66.249.68.48 , , , . 180.76.5.60 180.76.5.60 , , , . 180.76.5.149 180.76.5.149 , , , . 180.76.5.57 180.76.5.57 , , , . 180.76.5.65 180.76.5.65 , , , . 180.76.5.88 180.76.5.88 , , , .	1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->19198 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->56543 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->64863 1:552123 (2) {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->56543 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->44376 1:552123 (4) {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->62553 1:2001220 (2) {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->44376 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->45320 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->43712 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->44819 1:2001220 (2) {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->43712 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->49144 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->40633 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->26490 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->49359 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->51153 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->62717 1:2001220 (3) {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->53439 1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->35505 1:2001220 {tcp} C&C Communication: BLEEDING-EDGE WORM RXBOT / rbOT Exploit Report; 80->52865
192.168.1.164	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-3652 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-3652 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-3652 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->6739
192.168.1.245	1.1	VIEW 4	201.173.95.187 201.173.95.187 , , , .	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-1374 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-1374 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-1374 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->4735 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-33856 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-33856 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-33856
192.168.1.69	1.1	VIEW 2	173.20.83.42 173.20.83.42 , , , .	1:22009201 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.b Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-4176
192.168.1.102	1.4	VIEW 332	216.103.101.8 216.103.101.8 , , , . 130.104.72.201 130.104.72.201 , , , . 216.104.128.37 216.104.128.37 , , , . 194.95.202.198 194.95.202.198 , , , . 128.2.211.114 128.2.211.114 , , , . 200.46.127.100 200.46.127.100 , , , . 200.3.212.27 200.3.212.27 , , , . 202.152.209.14 202.152.209.14 , , , . 128.227.150.11 128.227.150.11 , , , . 208.38.65.37 208.38.65.37 , , , . 128.163.142.20 128.163.142.20 , , , . 208.66.0.95 208.66.0.95 , , , . 202.57.160.129 202.57.160.129 , , , . 195.37.16.125 195.37.16.125 , , , . 66.35.228.158 66.35.228.158 , , , . 66.28.20.170 66.28.20.170 , , , . 138.238.250.155 138.238.250.155 , , , . 132.239.17.226 132.239.17.226 , , , . 208.83.220.215 208.83.220.215 , , , . 137.165.1.111 137.165.1.111 , , , . 64.88.192.20 64.88.192.20 , , , . 66.162.25.200 66.162.25.200 , , , . 66.185.36.19 66.185.36.19 , , , . 84.22.106.30 84.22.106.30 , , , . 81.24.224.2 81.24.224.2 , , , . 82.209.213.51 82.209.213.51 , , , . 80.82.150.2 80.82.150.2 , , , . 82.149.230.247 82.149.230.247 , , , . 129.93.229.138 129.93.229.138 , , , . 81.29.32.14 81.29.32.14 , , , . 66.158.224.2 66.158.224.2 , , , . 64.88.0.41 64.88.0.41 , , , . 200.59.224.1 200.59.224.1 , , , . 200.54.0.10 200.54.0.10 , , , . 143.89.49.74 143.89.49.74 , , , . 134.34.246.5 134.34.246.5 , , , . 206.207.248.34 206.207.248.34 , , , . 173.194.35.144 173.194.35.144 , , , . 173.194.73.105 173.194.73.105 , , , . 217.73.194.98 217.73.194.98 , , , . 84.247.50.60 84.247.50.60 , , , . 82.195.225.5 82.195.225.5 , , , . 12.191.148.2 12.191.148.2 , , , . 168.95.192.142 168.95.192.142 , , , . 168.95.192.101 168.95.192.101 , , , . 192.100.172.5 192.100.172.5 , , , . 194.177.67.36 194.177.67.36 , , , . 193.33.236.17 193.33.236.17 , , , . 64.136.173.5 64.136.173.5 , , , . 64.58.254.2 64.58.254.2 , , , . 64.25.208.8 64.25.208.8 , , , . 168.126.63.15 168.126.63.15 , , , . 164.2.255.241 164.2.255.241 , , , . 168.126.63.122 168.126.63.122 , , , . 66.218.245.10 66.218.245.10 , , , . 65.68.49.50 65.68.49.50 , , , . 210.21.230.58 210.21.230.58 , , , . 208.83.207.242 208.83.207.242 , , , . 193.28.100.200 193.28.100.200 , , , . 193.194.140.3 193.194.140.3 , , , . 202.44.100.1 202.44.100.1 , , , . 202.70.150.10 202.70.150.10 , , , . 208.124.124.2 208.124.124.2 , , , . 200.2.126.70 200.2.126.70 , , , . 200.57.7.61 200.57.7.61 , , , . 202.102.7.90 202.102.7.90 , , , . 200.37.28.12 200.37.28.12 , , , . 202.103.19.34 202.103.19.34 , , , . 68.64.126.240 68.64.126.240 , , , . 188.93.19.162 188.93.19.162 , , , . 200.32.249.225 200.32.249.225 , , , . 202.102.227.82 202.102.227.82 , , , . 202.102.214.9 202.102.214.9 , , , . 200.76.182.2 200.76.182.2 , , , . 64.33.128.200 64.33.128.200 , , , . 82.207.79.199 82.207.79.199 , , , . 82.135.26.30 82.135.26.30 , , , . 202.96.119.202 202.96.119.202 , , , . 202.80.255.150 202.80.255.150 , , , . 208.110.128.2 208.110.128.2 , , , . 66.18.3.142 66.18.3.142 , , , . 66.160.179.77 66.160.179.77 , , , .	1:9910001 {udp} Bot Space Access: ET POLICY Spambot Host DNS MX Query High Count; 52720->53 1:2003330 {udp} Attack Prep: ET POLICY Possible Spambot Host DNS MX Query High Count; 51820->53 1:2003330 {udp} Attack Prep: ET POLICY Possible Spambot Host DNS MX Query High Count; 60614->53 1:2003330 {udp} Attack Prep: ET POLICY Possible Spambot Host DNS MX Query High Count; 44521->53 1:2003330 {udp} Attack Prep: ET POLICY Possible Spambot Host DNS MX Query High Count; 46599->53 1:2003330 {udp} Attack Prep: ET POLICY Possible Spambot Host DNS MX Query High Count; 55850->53 1:9910001 {udp} Bot Space Access: ET POLICY Spambot Host DNS MX Query High Count; 43690->53 1:2003330 {udp} Attack Prep: ET POLICY Possible Spambot Host DNS MX Query High Count; 56529->53 1:2003330 {udp} Attack Prep: ET POLICY Possible Spambot Host DNS MX Query High Count; 36346->53 1:9910001 {udp} Bot Space Access: ET POLICY Spambot Host DNS MX Query High Count; 34483->53 1:2003330 {udp} Attack Prep: ET POLICY Possible Spambot Host DNS MX Query High Count; 48306->53 1:2003330 {udp} Attack Prep: ET POLICY Possible Spambot Host DNS MX Query High Count; 51924->53 1:2003330 {udp} Attack Prep: ET POLICY Possible Spambot Host DNS MX Query High Count; 59780->53 1:2003330 {udp} Attack Prep: ET POLICY Possible Spambot Host DNS MX Query High Count; 60693->53 1:2003330 {udp} Attack Prep: ET POLICY Possible Spambot Host DNS MX Query High Count; 53584->53 1:9910001 {udp} Bot Space Access: ET POLICY Spambot Host DNS MX Query High Count; 53140->53 1:2003330 {udp} Attack Prep: ET POLICY Possible Spambot Host DNS MX Query High Count; 51674->53 1:9910001 {udp} Bot Space Access: ET POLICY Spambot Host DNS MX Query High Count; 56422->53 1:2003330 {udp} Attack Prep: ET POLICY Possible Spambot Host DNS MX Query High Count; 40315->53 1:2003330 {udp} Attack Prep: ET POLICY Possible Spambot Host DNS MX Query High Count; 48920->53
192.168.1.60	1.1	VIEW 2	201.173.95.187 201.173.95.187 , , , .	1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-49410 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-49410