Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 109.167.253.94, 75.9.102.246, 88.120.154.65, 13.7.64.22, 109.86.117.80
Resource List:
Observed Start: 02/07/2013 06:08:48.160 PST
Gen. Time: 02/07/2013 06:11:51.389 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  130.237.43.220 (06:11:18.098 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
    51267->6969 (06:11:18.098 PST)
  109.167.253.94 (06:09:48.833 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->38670 (06:09:48.833 PST)
  75.9.102.246 (06:11:51.202 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->17784 (06:11:51.202 PST)
  88.120.154.65 (06:08:48.160 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->51413 (06:08:48.160 PST)
  13.7.64.22 (06:11:33.298 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
    45107->6881 (06:11:33.298 PST)
  109.86.117.80 (06:10:48.787 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->60860 (06:10:48.787 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (06:11:51.389 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->61834 (06:11:51.389 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360246128.160 1360246128.161 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 92.81.255.253, 169.229.50.14, 41.131.81.123, 91.117.42.139
Resource List:
Observed Start: 02/07/2013 06:52:25.017 PST
Gen. Time: 02/07/2013 06:55:23.552 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  130.237.43.220 (06:54:25.233 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
    54263->6969 (06:54:25.233 PST)
  92.81.255.253 (06:53:25.017 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->53641 (06:53:25.017 PST)
  169.229.50.14 (06:55:16.893 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
    47415->6881 (06:55:16.893 PST)
  41.131.81.123 (06:52:25.017 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->27184 (06:52:25.017 PST)
  91.117.42.139 (06:55:15.309 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->6881 (06:55:15.309 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  8.5.1.45 (06:55:23.552 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49725->49302 (06:55:23.552 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360248745.017 1360248745.018 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220 (2), 92.81.255.253, 169.229.50.14, 117.26.150.20, 41.131.81.123, 91.117.42.139
Resource List:
Observed Start: 02/07/2013 06:52:25.017 PST
Gen. Time: 02/07/2013 06:56:26.396 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  130.237.43.220 (2) (06:54:25.233 PST)
    event=1:1100018 (2) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
    54263->6969 (06:54:25.233 PST)
    40922->6969 (06:55:41.753 PST)
  92.81.255.253 (06:53:25.017 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->53641 (06:53:25.017 PST)
  169.229.50.14 (06:55:16.893 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
    47415->6881 (06:55:16.893 PST)
  117.26.150.20 (06:56:15.274 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->38279 (06:56:15.274 PST)
  41.131.81.123 (06:52:25.017 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->27184 (06:52:25.017 PST)
  91.117.42.139 (06:55:15.309 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->6881 (06:55:15.309 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  8.5.1.45 (06:55:23.552 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49725->49302 (06:55:23.552 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360248745.017 1360248745.018 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/07/2013 07:53:49.599 PST
Gen. Time: 02/07/2013 07:53:49.599 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (07:53:49.599 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->61834 (07:53:49.599 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360252429.599 1360252429.600 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 187.10.30.243, 98.242.72.97, 13.7.64.22, 88.183.11.3, 178.46.13.194
Resource List:
Observed Start: 02/07/2013 07:53:49.599 PST
Gen. Time: 02/07/2013 07:57:54.053 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  130.237.43.220 (07:53:50.709 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
    54532->6969 (07:53:50.709 PST)
  187.10.30.243 (07:56:52.835 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->51638 (07:56:52.835 PST)
  98.242.72.97 (07:57:54.053 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->15448 (07:57:54.053 PST)
  13.7.64.22 (07:53:50.929 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
    52637->6881 (07:53:50.929 PST)
  88.183.11.3 (07:55:49.909 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->51413 (07:55:49.909 PST)
  178.46.13.194 (07:54:49.908 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->47865 (07:54:49.908 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (07:53:49.599 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->61834 (07:53:49.599 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360252429.599 1360252429.600 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 31.41.62.158, 95.167.66.156
Resource List:
Observed Start: 02/07/2013 10:14:05.020 PST
Gen. Time: 02/07/2013 10:15:34.739 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  31.41.62.158 (10:15:15.538 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->17018 (10:15:15.538 PST)
  95.167.66.156 (10:14:05.020 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->35653 (10:14:05.020 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  8.5.1.45 (10:15:34.739 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    36792->49302 (10:15:34.739 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360260845.020 1360260845.021 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 31.41.62.158, 169.229.50.12, 95.167.66.156, 92.81.134.73, 79.117.208.62
Resource List:
Observed Start: 02/07/2013 10:14:05.020 PST
Gen. Time: 02/07/2013 10:17:42.568 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  130.237.43.220 (10:16:42.647 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
    56316->6969 (10:16:42.647 PST)
  31.41.62.158 (10:15:15.538 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->17018 (10:15:15.538 PST)
  169.229.50.12 (10:16:42.873 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
    42742->6881 (10:16:42.873 PST)
  95.167.66.156 (10:14:05.020 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->35653 (10:14:05.020 PST)
  92.81.134.73 (10:16:35.361 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->19748 (10:16:35.361 PST)
  79.117.208.62 (10:17:35.666 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->10741 (10:17:35.666 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  8.5.1.45 (10:15:34.739 PST)
    event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    36792->49302 (10:15:34.739 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360260845.020 1360260845.021 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 188.124.98.155, 128.114.63.15, 90.216.201.148
Resource List:
Observed Start: 02/07/2013 11:22:36.047 PST
Gen. Time: 02/07/2013 11:24:43.411 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  130.237.43.220 (11:24:03.271 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
    34892->6969 (11:24:03.271 PST)
  188.124.98.155 (11:22:36.047 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->6881 (11:22:36.047 PST)
  128.114.63.15 (11:24:03.664 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
    32783->6881 (11:24:03.664 PST)
  90.216.201.148 (11:23:54.454 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->63024 (11:23:54.454 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (11:24:43.411 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->61834 (11:24:43.411 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360264956.047 1360264956.048 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 188.124.98.155, 128.114.63.15, 90.216.201.148, 84.99.226.114, 206.12.16.155
Resource List:
Observed Start: 02/07/2013 11:22:36.047 PST
Gen. Time: 02/07/2013 11:26:45.767 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  130.237.43.220 (11:24:03.271 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
    34892->6969 (11:24:03.271 PST)
  188.124.98.155 (11:22:36.047 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->6881 (11:22:36.047 PST)
  128.114.63.15 (11:24:03.664 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
    32783->6881 (11:24:03.664 PST)
  90.216.201.148 (11:23:54.454 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->63024 (11:23:54.454 PST)
  84.99.226.114 (11:24:55.595 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->11698 (11:24:55.595 PST)
  206.12.16.155 (11:26:00.517 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->6881 (11:26:00.517 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (11:24:43.411 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->61834 (11:24:43.411 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360264956.047 1360264956.048 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 83.149.35.171, 139.78.141.245, 188.25.56.17, 134.121.64.7
Resource List:
Observed Start: 02/07/2013 12:14:33.419 PST
Gen. Time: 02/07/2013 12:17:02.009 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  130.237.43.220 (12:15:54.891 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
    53987->6969 (12:15:54.891 PST)
  83.149.35.171 (12:14:33.419 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->24754 (12:14:33.419 PST)
  139.78.141.245 (12:15:55.141 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
    51439->6881 (12:15:55.141 PST)
  188.25.56.17 (12:16:33.172 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->27289 (12:16:33.172 PST)
  134.121.64.7 (12:15:33.244 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->6881 (12:15:33.244 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (12:17:02.009 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->61834 (12:17:02.009 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360268073.419 1360268073.420 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 130.237.43.220, 83.149.35.171, 139.78.141.245, 93.96.48.79, 188.25.56.17, 134.121.64.7, 82.117.229.237
Resource List:
Observed Start: 02/07/2013 12:14:33.419 PST
Gen. Time: 02/07/2013 12:18:34.778 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
  130.237.43.220 (12:15:54.891 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
    53987->6969 (12:15:54.891 PST)
  83.149.35.171 (12:14:33.419 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->24754 (12:14:33.419 PST)
  139.78.141.245 (12:15:55.141 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
    51439->6881 (12:15:55.141 PST)
  93.96.48.79 (12:17:34.756 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->11468 (12:17:34.756 PST)
  188.25.56.17 (12:16:33.172 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->27289 (12:16:33.172 PST)
  134.121.64.7 (12:15:33.244 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6882->6881 (12:15:33.244 PST)
  82.117.229.237 (12:18:34.778 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->48257 (12:18:34.778 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.128.181.52 (12:17:02.009 PST)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    6881->61834 (12:17:02.009 PST)
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360268073.419 1360268073.420 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================