Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 213.110.89.66, 176.44.8.155, 121.14.98.151 Resource List: Observed Start: 02/07/2013 15:39:45.499 PST Gen. Time: 02/07/2013 15:41:40.820 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 213.110.89.66 (15:40:46.334 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12935 (15:40:46.334 PST) 176.44.8.155 (15:39:45.499 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24049 (15:39:45.499 PST) 121.14.98.151 (15:40:33.182 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54096->9090 (15:40:33.182 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:41:40.820 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (15:41:40.820 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1360280385.499 1360280385.500 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153, 213.110.89.66, 69.165.236.62, 86.19.255.51, 176.44.8.155, 79.45.13.107 (2), 208.83.20.164, 121.14.98.151 Resource List: Observed Start: 02/07/2013 15:39:45.499 PST Gen. 
Time: 02/07/2013 15:42:59.637 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (15:42:56.331 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56142->3310 (15:42:56.331 PST) 213.110.89.66 (15:40:46.334 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12935 (15:40:46.334 PST) 69.165.236.62 (15:41:49.499 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (15:41:49.499 PST) 86.19.255.51 (15:42:50.460 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->61681 (15:42:50.460 PST) 176.44.8.155 (15:39:45.499 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24049 (15:39:45.499 PST) 79.45.13.107 (2) (15:41:50.704 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55193->6881 (15:41:50.704 PST) 56221->6881 (15:42:55.709 PST) 208.83.20.164 (15:41:44.957 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/search?q= 74.220.215.241 spyware&go=&qs=n&form=QBLH&pq= 74.220.215.241 spyware&sc=0-0&sp=-1&sk=] MAC_Src: 00:01:64:FF:CE:EA 55053->80 (15:41:44.957 PST) 121.14.98.151 (15:40:33.182 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 54096->9090 (15:40:33.182 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:41:40.820 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (15:41:40.820 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1360280385.499 1360280385.500 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 
'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 81.136.150.113, 190.160.2.50, 50.19.95.119, 91.224.160.192, 79.45.13.107, 41.42.122.231 Resource List: Observed Start: 02/07/2013 15:43:00.026 PST Gen. Time: 02/07/2013 15:45:11.073 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 81.136.150.113 (15:43:51.648 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49906 (15:43:51.648 PST) 190.160.2.50 (15:43:56.368 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57538->16884 (15:43:56.368 PST) 50.19.95.119 (15:43:00.026 PST) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56249->80 (15:43:00.026 PST) 91.224.160.192 (15:43:00.026 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 56236->2710 (15:43:00.026 PST) 79.45.13.107 (15:45:01.724 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58375->6881 (15:45:01.724 PST) 41.42.122.231 (15:44:52.140 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->61387 (15:44:52.140 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:45:11.073 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58441->6099 (15:45:11.073 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1360280580.026 1360280580.027 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR 
================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 190.160.2.50, 145.99.175.89, 81.136.150.113, 91.224.160.192 (2), 50.19.95.119, 68.12.130.34, 41.42.122.231, 79.45.13.107, 24.99.130.75 Resource List: Observed Start: 02/07/2013 15:43:00.026 PST Gen. Time: 02/07/2013 15:47:05.140 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 190.160.2.50 (15:43:56.368 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57538->16884 (15:43:56.368 PST) 145.99.175.89 (15:46:11.893 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58790->51413 (15:46:11.893 PST) 81.136.150.113 (15:43:51.648 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49906 (15:43:51.648 PST) 91.224.160.192 (2) (15:43:00.026 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 56236->2710 (15:43:00.026 PST) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59368->2710 (15:46:51.266 PST) 50.19.95.119 (15:43:00.026 PST) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 56249->80 (15:43:00.026 PST) 68.12.130.34 (15:45:52.145 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53550 (15:45:52.145 PST) 41.42.122.231 (15:44:52.140 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->61387 (15:44:52.140 PST) 79.45.13.107 (15:45:01.724 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58375->6881 (15:45:01.724 PST) 24.99.130.75 (15:46:54.981 PST) 
event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50486 (15:46:54.981 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:45:11.073 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58441->6099 (15:45:11.073 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1360280580.026 1360280580.027 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 79.121.58.6, 81.96.55.152, 79.45.13.107 (2) Resource List: Observed Start: 02/07/2013 15:55:59.041 PST Gen. Time: 02/07/2013 15:57:30.884 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 79.121.58.6 (15:56:59.094 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20171 (15:56:59.094 PST) 81.96.55.152 (15:55:59.041 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42937 (15:55:59.041 PST) 79.45.13.107 (2) (15:56:11.789 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63713->6881 (15:56:11.789 PST) 64019->6881 (15:57:17.296 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:57:30.884 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64065->6099 (15:57:30.884 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1360281359.041 1360281359.042 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' 
============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 79.121.58.6, 94.204.139.225, 81.96.55.152, 91.218.38.132, 79.45.13.107 (2) Resource List: Observed Start: 02/07/2013 15:55:59.041 PST Gen. Time: 02/07/2013 15:58:40.105 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 79.121.58.6 (15:56:59.094 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20171 (15:56:59.094 PST) 94.204.139.225 (15:57:59.414 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->37141 (15:57:59.414 PST) 81.96.55.152 (15:55:59.041 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42937 (15:55:59.041 PST) 91.218.38.132 (15:58:40.105 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64392->2710 (15:58:40.105 PST) 79.45.13.107 (2) (15:56:11.789 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63713->6881 (15:56:11.789 PST) 64019->6881 (15:57:17.296 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:57:30.884 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 64065->6099 (15:57:30.884 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1360281359.041 1360281359.042 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. 
List: 37.6.148.175, 181.130.195.146, 121.14.98.151, 145.99.175.89 Resource List: Observed Start: 02/07/2013 16:11:07.334 PST Gen. Time: 02/07/2013 16:13:00.810 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 37.6.148.175 (16:11:07.334 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57922 (16:11:07.334 PST) 181.130.195.146 (16:12:08.765 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28752 (16:12:08.765 PST) 121.14.98.151 (16:11:51.731 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52181->9090 (16:11:51.731 PST) 145.99.175.89 (16:12:06.067 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52288->51413 (16:12:06.067 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:13:00.810 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:13:00.810 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1360282267.334 1360282267.335 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 121.14.98.151, 81.34.51.179, 85.30.34.60, 145.99.175.89, 91.224.160.192, 181.130.195.146, 50.19.95.119, 37.6.148.175, 81.57.226.154 Resource List: Observed Start: 02/07/2013 16:11:07.334 PST Gen. 
Time: 02/07/2013 16:14:09.404 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 121.14.98.151 (16:11:51.731 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52181->9090 (16:11:51.731 PST) 81.34.51.179 (16:13:09.234 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6881 (16:13:09.234 PST) 85.30.34.60 (16:13:01.374 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52504->2710 (16:13:01.374 PST) 145.99.175.89 (16:12:06.067 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52288->51413 (16:12:06.067 PST) 91.224.160.192 (16:13:01.452 PST) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 52508->2710 (16:13:01.452 PST) 181.130.195.146 (16:12:08.765 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28752 (16:12:08.765 PST) 50.19.95.119 (16:13:01.374 PST) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [/livecountping/31044820/996975861722?__=aj292wninbzt&routed=1] MAC_Src: 00:01:64:FF:CE:EA 52507->80 (16:13:01.374 PST) 37.6.148.175 (16:11:07.334 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57922 (16:11:07.334 PST) 81.57.226.154 (16:14:09.404 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->46249 (16:14:09.404 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:13:00.810 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (16:13:00.810 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 
tcpslice 1360282267.334 1360282267.335 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/07/2013 16:30:01.647 PST Gen. Time: 02/07/2013 16:30:01.647 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:30:01.647 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58601->6099 (16:30:01.647 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1360283401.647 1360283401.648 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 67.170.75.187, 96.49.232.241, 190.12.152.35, 95.211.162.90, 50.66.49.92, 145.99.175.89 (3) Resource List: Observed Start: 02/07/2013 16:30:01.647 PST Gen. 
Time: 02/07/2013 16:33:22.257 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 67.170.75.187 (16:32:21.900 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64792 (16:32:21.900 PST) 96.49.232.241 (16:30:19.910 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56313 (16:30:19.910 PST) 190.12.152.35 (16:33:22.257 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63315 (16:33:22.257 PST) 95.211.162.90 (16:32:41.842 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59372->2710 (16:32:41.842 PST) 50.66.49.92 (16:31:21.472 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14533 (16:31:21.472 PST) 145.99.175.89 (3) (16:30:01.710 PST) event=1:1100012 (3) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58597->51413 (16:30:01.710 PST) 58912->51413 (16:31:10.717 PST) 59366->51413 (16:32:34.728 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (16:30:01.647 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 58601->6099 (16:30:01.647 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1360283401.647 1360283401.648 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/07/2013 17:00:40.146 PST Gen. 
Time: 02/07/2013 17:00:40.146 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:00:40.146 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:00:40.146 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1360285240.146 1360285240.147 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 72.11.161.254, 151.226.254.15, 91.218.38.132, 91.224.160.192, 184.18.202.139, 99.0.36.64, 79.45.13.107 (2), 145.99.175.89 (2) Resource List: Observed Start: 02/07/2013 17:00:40.146 PST Gen. 
Time: 02/07/2013 17:05:00.632 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 72.11.161.254 (17:03:12.777 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33462 (17:03:12.777 PST) 151.226.254.15 (17:04:15.598 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60670 (17:04:15.598 PST) 91.218.38.132 (17:04:29.281 PST) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53268->2710 (17:04:29.281 PST) 91.224.160.192 (17:05:00.632 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53408->2710 (17:05:00.632 PST) 184.18.202.139 (17:01:09.442 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->15494 (17:01:09.442 PST) 99.0.36.64 (17:02:12.027 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->39092 (17:02:12.027 PST) 79.45.13.107 (2) (17:02:08.779 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52560->6881 (17:02:08.779 PST) 53252->6881 (17:04:20.295 PST) 145.99.175.89 (2) (17:01:03.943 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 52191->51413 (17:01:03.943 PST) 52871->51413 (17:03:14.958 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:00:40.146 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (17:00:40.146 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1360285240.146 1360285240.147 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== 
SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 99.230.104.255, 145.99.175.89 Resource List: Observed Start: 02/07/2013 17:31:13.172 PST Gen. Time: 02/07/2013 17:32:41.023 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 99.230.104.255 (17:31:52.794 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53512 (17:31:52.794 PST) 145.99.175.89 (17:31:13.172 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63360->51413 (17:31:13.172 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:32:41.023 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63739->6099 (17:32:41.023 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1360287073.172 1360287073.173 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 180.191.2.105, 99.230.104.255, 82.240.201.198, 95.211.162.90, 79.45.13.107, 145.99.175.89 Resource List: Observed Start: 02/07/2013 17:31:13.172 PST Gen. 
Time: 02/07/2013 17:34:27.939 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 180.191.2.105 (17:32:52.106 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->21139 (17:32:52.106 PST) 99.230.104.255 (17:31:52.794 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53512 (17:31:52.794 PST) 82.240.201.198 (17:33:53.219 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->17299 (17:33:53.219 PST) 95.211.162.90 (17:33:30.412 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 64035->2710 (17:33:30.412 PST) 79.45.13.107 (17:33:10.014 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63966->6881 (17:33:10.014 PST) 145.99.175.89 (17:31:13.172 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 63360->51413 (17:31:13.172 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:32:41.023 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 63739->6099 (17:32:41.023 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1360287073.172 1360287073.173 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 175.143.197.162, 82.3.137.27, 121.1.46.110, 41.237.244.44, 177.96.84.148, 79.45.13.107, 145.99.175.89 Resource List: Observed Start: 02/07/2013 18:29:58.224 PST Gen. 
Time: 02/07/2013 18:33:03.574 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 175.143.197.162 (18:31:58.922 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64875 (18:31:58.922 PST) 82.3.137.27 (18:30:04.431 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49647->51413 (18:30:04.431 PST) 121.1.46.110 (18:29:58.224 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16795 (18:29:58.224 PST) 41.237.244.44 (18:30:58.903 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28068 (18:30:58.903 PST) 177.96.84.148 (18:32:58.436 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50344 (18:32:58.436 PST) 79.45.13.107 (18:31:57.440 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50242->6881 (18:31:57.440 PST) 145.99.175.89 (18:33:00.611 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50620->51413 (18:33:00.611 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:33:03.574 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (18:33:03.574 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1360290598.224 1360290598.225 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. 
List: 175.143.197.162, 82.3.137.27, 121.1.46.110, 190.100.159.223, 41.237.244.44, 177.96.84.148, 79.45.13.107, 145.99.175.89 Resource List: Observed Start: 02/07/2013 18:29:58.224 PST Gen. Time: 02/07/2013 18:33:58.058 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 175.143.197.162 (18:31:58.922 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64875 (18:31:58.922 PST) 82.3.137.27 (18:30:04.431 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 49647->51413 (18:30:04.431 PST) 121.1.46.110 (18:29:58.224 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16795 (18:29:58.224 PST) 190.100.159.223 (18:33:58.058 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51460 (18:33:58.058 PST) 41.237.244.44 (18:30:58.903 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28068 (18:30:58.903 PST) 177.96.84.148 (18:32:58.436 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->50344 (18:32:58.436 PST) 79.45.13.107 (18:31:57.440 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50242->6881 (18:31:57.440 PST) 145.99.175.89 (18:33:00.611 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50620->51413 (18:33:00.611 PST) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (18:33:03.574 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (18:33:03.574 PST) DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1360290598.224 1360290598.225 inputFile.tcpd | 
tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 117.254.245.12, 145.99.175.89
Resource List:
Observed Start: 02/07/2013 19:34:03.077 PST
Gen. Time: 02/07/2013 19:34:21.684 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION
  Info
   117.254.245.12 (19:34:03.077 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13997 (19:34:03.077 PST)
   145.99.175.89 (19:34:08.033 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55039->51413 (19:34:08.033 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (19:34:21.684 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55089->6099 (19:34:21.684 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360294443.077 1360294443.078 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 93.50.57.31, 208.83.20.164, 145.99.175.89 (2), 209.240.118.167, 95.211.162.90, 92.6.146.233, 117.254.245.12, 24.212.146.17, 79.45.13.107 (2)
Resource List:
Observed Start: 02/07/2013 19:34:03.077 PST
Gen. Time: 02/07/2013 19:38:06.717 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION
  Info
   93.50.57.31 (19:36:05.441 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->22580 (19:36:05.441 PST)
   208.83.20.164 (19:36:01.162 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/v3.0/collection/31209390/1360283727949139/] MAC_Src: 00:01:64:FF:CE:EA 55551->80 (19:36:01.162 PST)
   145.99.175.89 (2) (19:34:08.033 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55039->51413 (19:34:08.033 PST)
     55330->51413 (19:35:09.036 PST)
   209.240.118.167 (19:38:06.717 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13911 (19:38:06.717 PST)
   95.211.162.90 (19:34:21.848 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 55088->2710 (19:34:21.848 PST)
   92.6.146.233 (19:37:05.441 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14500 (19:37:05.441 PST)
   117.254.245.12 (19:34:03.077 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13997 (19:34:03.077 PST)
   24.212.146.17 (19:35:05.098 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->33665 (19:35:05.098 PST)
   79.45.13.107 (2) (19:36:51.887 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55757->6881 (19:36:51.887 PST)
     56075->6881 (19:38:01.393 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (19:34:21.684 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55089->6099 (19:34:21.684 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360294443.077 1360294443.078 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 121.54.34.55, 95.211.162.90
Resource List:
Observed Start: 02/07/2013 21:34:15.820 PST
Gen. Time: 02/07/2013 21:35:10.579 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION
  Info
   121.54.34.55 (21:34:15.820 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43350 (21:34:15.820 PST)
   95.211.162.90 (21:34:31.091 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49967->2710 (21:34:31.091 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (21:35:10.579 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (21:35:10.579 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360301655.820 1360301655.821 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 2.80.232.213, 121.54.34.55, 190.44.2.186, 208.83.20.164, 95.211.162.90, 83.228.113.129, 145.99.175.89 (2)
Resource List:
Observed Start: 02/07/2013 21:34:15.820 PST
Gen. Time: 02/07/2013 21:37:24.231 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 C and C TRAFFIC
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND SCAN
 ATTACK PREP
 PEER COORDINATION
  Info
   2.80.232.213 (21:37:24.231 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->18607 (21:37:24.231 PST)
   121.54.34.55 (21:34:15.820 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43350 (21:34:15.820 PST)
   190.44.2.186 (21:35:23.308 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->44530 (21:35:23.308 PST)
   208.83.20.164 (21:36:21.338 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50348->80 (21:36:21.338 PST)
   95.211.162.90 (21:34:31.091 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49967->2710 (21:34:31.091 PST)
   83.228.113.129 (21:36:24.847 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60042 (21:36:24.847 PST)
   145.99.175.89 (2) (21:35:20.721 PST) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 50154->51413 (21:35:20.721 PST)
     50533->51413 (21:37:06.732 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
   69.43.161.167 (21:35:10.579 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (21:35:10.579 PST)
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1360301655.820 1360301655.821 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
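Every profile above reaches the 0.8 threshold on the same evidence pattern: the E7 peer-coordination hits are all BitTorrent signatures (DHT pings from UDP 51413, BitTorrent handshakes, tracker scrape requests), and the single E8 hit is the ET ShadowServer IP-reputation rule firing on 69.43.161.167:6099, in two of the profiles sent from the same UDP port 51413 the DHT pings use. The tcpslice line the report prints covers only the first millisecond at Observed Start, so it extracts just the triggering packet. The Python below is an added triage helper written for this page; it is not BotHunter's code or output. It parses two of the page's profiles (embedded as constructed sample text with the one-field-per-line layout restored), recomputes the tcpslice window from Observed Start assuming the report's PST stamps are UTC-8, optionally widens the window to Gen. Time, and flags profiles whose only E8 evidence is a reputation hit sourced from a port the P2P client was already using. The field and event grammar is inferred from the report text, and the e8_from_p2p_port heuristic is the editor's, not a BotHunter rule.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: two of the page's BotHunter profiles, layout restored.
# Addresses, ports and times are the page's own; unused empty fields are omitted.
SAMPLE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Peer Coord. List: 117.254.245.12, 145.99.175.89
Observed Start: 02/07/2013 19:34:03.077 PST
Gen. Time: 02/07/2013 19:34:21.684 PST
 117.254.245.12 (19:34:03.077 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->13997 (19:34:03.077 PST)
 145.99.175.89 (19:34:08.033 PST) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55039->51413 (19:34:08.033 PST)
 69.43.161.167 (19:34:21.684 PST) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55089->6099 (19:34:21.684 PST)
tcpslice 1360294443.077 1360294443.078 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Peer Coord. List: 121.54.34.55, 95.211.162.90
Observed Start: 02/07/2013 21:34:15.820 PST
Gen. Time: 02/07/2013 21:35:10.579 PST
 121.54.34.55 (21:34:15.820 PST) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43350 (21:34:15.820 PST)
 95.211.162.90 (21:34:31.091 PST) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 49967->2710 (21:34:31.091 PST)
 69.43.161.167 (21:35:10.579 PST) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (21:35:10.579 PST)
tcpslice 1360301655.820 1360301655.821 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
"""

PST = timezone(timedelta(hours=-8))   # assumption: the report's "PST" stamps are UTC-8
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Grammar inferred from the report text (not a published BotHunter format spec).
FIELD_RE = re.compile(r"^(Score|Infected Target|Peer Coord\. List|Observed Start|Gen\. Time):\s*(.*)$")
EVENT_RE = re.compile(
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3})(?: \(\d+\))? \([\d:.]+ PST\) "
    r"event=(?P<sid>\d+:\d+)(?: \(\d+\))? \{(?P<proto>tcp|udp)\} "
    r"(?P<stage>E\d)\[\w+\] (?P<msg>.+?), \[(?P<uri>[^\]]*)\] "
    r"MAC_Src: (?P<mac>[0-9A-Fa-f:]{17}) (?P<sport>\d+)->(?P<dport>\d+)"
)
TCPSLICE_RE = re.compile(r"^tcpslice (\S+) (\S+) ")


def parse_profiles(text):
    """Split a report on its SEPARATOR lines; return one dict per profile with the
    header fields, the event lines (first port pair only for '(2)' events) and the
    tcpslice start/end the report printed."""
    profiles = []
    for chunk in re.split(r"^=+ SEPARATOR =+$", text, flags=re.M):
        if not chunk.strip():
            continue
        prof = {"fields": {}, "events": [], "tcpslice": None}
        for line in chunk.splitlines():
            line = line.strip()
            if (m := FIELD_RE.match(line)):
                prof["fields"][m.group(1)] = m.group(2).strip()
            elif (m := EVENT_RE.search(line)):
                prof["events"].append(m.groupdict())
            elif (m := TCPSLICE_RE.match(line)):
                prof["tcpslice"] = (m.group(1), m.group(2))
        profiles.append(prof)
    return profiles


def report_time_to_epoch_ms(stamp):
    """'02/07/2013 19:34:03.077 PST' -> integer ms since the Unix epoch.
    Integer arithmetic keeps the millisecond exact (no float rounding)."""
    dt = datetime.strptime(stamp.replace(" PST", ""), "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PST)
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 1000 + d.microseconds // 1000


def fmt_ms(ms):
    return f"{ms // 1000}.{ms % 1000:03d}"


def tcpslice_window(fields, through_gen_time=False):
    """Recompute the 1 ms tcpslice window at Observed Start, or, with
    through_gen_time=True, the whole span up to Gen. Time."""
    start = report_time_to_epoch_ms(fields["Observed Start"])
    end = report_time_to_epoch_ms(fields["Gen. Time"]) if through_gen_time else start + 1
    return fmt_ms(start), fmt_ms(end)


def triage(prof):
    """Summarise what the DECLARE BOT verdict rests on for one profile."""
    ev = prof["events"]
    e7 = [e for e in ev if e["stage"] == "E7"]
    e7_p2p = [e for e in e7 if e["msg"].startswith("P2P")]
    e8 = [e for e in ev if e["stage"] == "E8"]
    p2p_ports = {e["sport"] for e in e7_p2p}
    return {
        "target": prof["fields"]["Infected Target"],
        "score": prof["fields"]["Score"].split()[0],
        "e7_all_p2p": len(e7_p2p) == len(e7),
        "e8": [f"{e['proto']} {e['sport']}->{e['peer']}:{e['dport']} ({e['msg']})" for e in e8],
        # Editor's heuristic: every E8 hit was sent from a source port the P2P
        # client was already using, so review before treating the host as a bot.
        "e8_from_p2p_port": bool(e8) and all(e["sport"] in p2p_ports for e in e8),
        "tcpslice_matches": tcpslice_window(prof["fields"]) == prof["tcpslice"],
    }


if __name__ == "__main__":
    for prof in parse_profiles(SAMPLE):
        print(triage(prof))
        print("full window:", tcpslice_window(prof["fields"], through_gen_time=True))
```

Feed the recomputed full window to the same tcpslice | tcpdump pipeline the report prints when you want every packet between Observed Start and Gen. Time rather than the first millisecond.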
