Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 71.174.62.26, 85.17.143.16, 208.83.20.164
Resource List:
Observed Start: 02/08/2013 01:36:38.928 PST
Gen. Time: 02/08/2013 01:37:21.620 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
71.174.62.26 (01:37:20.642 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->55086 (01:37:20.642 PST)
85.17.143.16 (01:36:38.928 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  50127->6969 (01:36:38.928 PST)
208.83.20.164 (01:37:10.797 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  50326->80 (01:37:10.797 PST)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
69.43.161.167 (01:37:21.620 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (01:37:21.620 PST)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360316198.928 1360316198.929 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 71.174.62.26, 109.201.148.249, 110.175.169.247, 85.17.143.16, 79.52.97.167, 92.236.180.51, 211.31.40.227, 208.83.20.164
Resource List:
Observed Start: 02/08/2013 01:36:38.928 PST
Gen. Time: 02/08/2013 01:40:22.853 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
71.174.62.26 (01:37:20.642 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->55086 (01:37:20.642 PST)
109.201.148.249 (01:39:21.409 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  50823->2710 (01:39:21.409 PST)
110.175.169.247 (01:39:22.688 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->17475 (01:39:22.688 PST)
85.17.143.16 (01:36:38.928 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  50127->6969 (01:36:38.928 PST)
79.52.97.167 (01:39:06.443 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  50668->6881 (01:39:06.443 PST)
92.236.180.51 (01:40:22.853 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->23104 (01:40:22.853 PST)
211.31.40.227 (01:38:20.255 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->21740 (01:38:20.255 PST)
208.83.20.164 (01:37:10.797 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  50326->80 (01:37:10.797 PST)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
69.43.161.167 (01:37:21.620 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (01:37:21.620 PST)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360316198.928 1360316198.929 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 03:39:11.416 PST
Gen. Time: 02/08/2013 03:39:11.416 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
69.43.161.167 (03:39:11.416 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  54682->6099 (03:39:11.416 PST)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360323551.416 1360323551.417 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 62.30.123.123, 208.83.20.164, 91.218.38.132, 190.100.159.223, 94.202.51.54, 78.134.71.51 (2), 70.64.176.136, 188.190.98.38, 79.52.97.167
Resource List:
Observed Start: 02/08/2013 03:39:11.416 PST
Gen. Time: 02/08/2013 03:43:04.843 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
62.30.123.123 (03:41:04.033 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->11340 (03:41:04.033 PST)
208.83.20.164 (03:40:21.513 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [e%B3%ED%F1%F5%CC%DF%D8=%C9%A2%979%19*K%AA%AD%01Q%14%E1lF"%A2%A07U8%93%B2%E9%DD%11%86%96s%AE#!x%8D] MAC_Src: 00:01:64:FF:CE:EA
  55171->80 (03:40:21.513 PST)
91.218.38.132 (03:41:21.613 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  55512->2710 (03:41:21.613 PST)
190.100.159.223 (03:40:04.168 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->51460 (03:40:04.168 PST)
94.202.51.54 (03:42:04.038 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6882 (03:42:04.038 PST)
78.134.71.51 (2) (03:39:19.078 PST)
  event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  54770->17942 (03:39:19.078 PST)
  55496->17942 (03:41:20.092 PST)
70.64.176.136 (03:43:04.843 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->62415 (03:43:04.843 PST)
188.190.98.38 (03:40:19.588 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  55148->2810 (03:40:19.588 PST)
79.52.97.167 (03:42:30.100 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  55861->6881 (03:42:30.100 PST)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
69.43.161.167 (03:39:11.416 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  54682->6099 (03:39:11.416 PST)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360323551.416 1360323551.417 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 05:39:50.104 PST
Gen. Time: 02/08/2013 05:39:50.104 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
69.43.161.167 (05:39:50.104 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (05:39:50.104 PST)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360330790.104 1360330790.105 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 78.155.35.100, 219.78.35.115, 85.23.239.104, 79.52.97.167, 81.203.168.223, 208.83.20.164, 80.29.33.63, 145.99.175.89 (2)
Resource List:
Observed Start: 02/08/2013 05:39:50.104 PST
Gen. Time: 02/08/2013 05:44:09.417 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
78.155.35.100 (05:40:09.477 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->49173 (05:40:09.477 PST)
219.78.35.115 (05:43:09.707 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->18535 (05:43:09.707 PST)
85.23.239.104 (05:42:09.248 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->56383 (05:42:09.248 PST)
79.52.97.167 (05:40:05.356 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  51755->6881 (05:40:05.356 PST)
81.203.168.223 (05:41:09.689 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->23514 (05:41:09.689 PST)
208.83.20.164 (05:41:01.164 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  52038->80 (05:41:01.164 PST)
80.29.33.63 (05:44:09.417 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->13465 (05:44:09.417 PST)
145.99.175.89 (2) (05:41:12.049 PST)
  event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  52203->51413 (05:41:12.049 PST)
  52837->51413 (05:43:02.548 PST)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
69.43.161.167 (05:39:50.104 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (05:39:50.104 PST)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360330790.104 1360330790.105 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 89.227.51.76, 79.14.23.43, 84.110.167.131, 119.224.64.52 (2), 110.74.40.159, 208.83.20.164
Resource List:
Observed Start: 02/08/2013 07:38:29.718 PST
Gen. Time: 02/08/2013 07:41:31.544 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
89.227.51.76 (07:38:29.718 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  57154->6346 (07:38:29.718 PST)
79.14.23.43 (07:40:13.022 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->54604 (07:40:13.022 PST)
84.110.167.131 (07:41:13.984 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->19761 (07:41:13.984 PST)
119.224.64.52 (2) (07:39:34.724 PST)
  event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  57749->9001 (07:39:34.724 PST)
  58618->9001 (07:41:20.241 PST)
110.74.40.159 (07:39:13.093 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->53684 (07:39:13.093 PST)
208.83.20.164 (07:39:53.864 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  57779->80 (07:39:53.864 PST)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
69.43.161.167 (07:41:31.544 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  58728->6099 (07:41:31.544 PST)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360337909.718 1360337909.719 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 89.227.51.76, 79.14.23.43, 84.110.167.131, 119.224.64.52 (2), 78.134.71.51, 110.74.40.159, 91.132.60.189, 208.83.20.164 (2)
Resource List:
Observed Start: 02/08/2013 07:38:29.718 PST
Gen. Time: 02/08/2013 07:42:30.413 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
89.227.51.76 (07:38:29.718 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  57154->6346 (07:38:29.718 PST)
79.14.23.43 (07:40:13.022 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->54604 (07:40:13.022 PST)
84.110.167.131 (07:41:13.984 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->19761 (07:41:13.984 PST)
119.224.64.52 (2) (07:39:34.724 PST)
  event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  57749->9001 (07:39:34.724 PST)
  58618->9001 (07:41:20.241 PST)
78.134.71.51 (07:42:27.249 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  59273->17942 (07:42:27.249 PST)
110.74.40.159 (07:39:13.093 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->53684 (07:39:13.093 PST)
91.132.60.189 (07:42:14.237 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->62338 (07:42:14.237 PST)
208.83.20.164 (2) (07:39:53.864 PST)
  event=1:1100016 (2) {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  57779->80 (07:39:53.864 PST)
  58805->80 (07:41:41.717 PST)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
69.43.161.167 (07:41:31.544 PST)
  event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  58728->6099 (07:41:31.544 PST)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360337909.718 1360337909.719 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 79.52.97.167
Resource List:
Observed Start: 02/08/2013 09:41:36.728 PST
Gen. Time: 02/08/2013 09:42:00.812 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
79.52.97.167 (09:41:36.728 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  52174->6881 (09:41:36.728 PST)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
69.43.161.167 (09:42:00.812 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (09:42:00.812 PST)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360345296.728 1360345296.729 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 219.78.35.115, 208.83.20.164, 145.99.175.89, 109.242.232.219, 176.194.4.175, 78.134.71.51, 212.59.28.49, 79.52.97.167, 41.233.121.103
Resource List:
Observed Start: 02/08/2013 09:41:36.728 PST
Gen. Time: 02/08/2013 09:45:34.590 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info
219.78.35.115 (09:45:34.590 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->18535 (09:45:34.590 PST)
208.83.20.164 (09:42:21.192 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  52701->80 (09:42:21.192 PST)
145.99.175.89 (09:43:18.908 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  53196->51413 (09:43:18.908 PST)
109.242.232.219 (09:42:31.137 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->57922 (09:42:31.137 PST)
176.194.4.175 (09:44:34.634 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->35892 (09:44:34.634 PST)
78.134.71.51 (09:44:27.251 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  53761->17942 (09:44:27.251 PST)
212.59.28.49 (09:44:01.318 PST)
  event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  53485->2710 (09:44:01.318 PST)
79.52.97.167 (09:41:36.728 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  52174->6881 (09:41:36.728 PST)
41.233.121.103 (09:43:33.270 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->29733 (09:43:33.270 PST)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port
69.43.161.167 (09:42:00.812 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (09:42:00.812 PST)

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360345296.728 1360345296.729 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'

============================== SEPARATOR ================================
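Every profile above reaches its 0.8 score on one E8 event (the ET ShadowServer signature firing on traffic from 192.168.1.36 to 69.43.161.167 port 6099, sid 1:9930020 over udp or 1:9930009 over tcp) surrounded by E7 BitTorrent peer-coordination events. The Python below is an added triage helper, written for this page and not part of BotHunter or of the original report: it parses a profile in the layout shown, separates the E8 DECLARE BOT evidence from the E7 P2P noise, and converts Observed Start and Gen. Time to the epoch form tcpslice takes so that the whole profile window can be carved rather than the single millisecond the profile prints. The embedded sample is the page's first profile with its empty dialog sections omitted; the fixed UTC-8 offset for PST (correct for February 2013) and all function and field names are my assumptions.

```python
"""Triage a BotHunter infection profile: split E8 DECLARE BOT evidence from
E7 peer-coordination noise and rebuild a full-window tcpslice command."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the page's first profile with line breaks restored and the
# empty dialog sections (INBOUND SCAN ... ATTACK PREP) omitted.
SAMPLE_PROFILE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.36
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 71.174.62.26, 85.17.143.16, 208.83.20.164
Resource List:
Observed Start: 02/08/2013 01:36:38.928 PST
Gen. Time: 02/08/2013 01:37:21.620 PST

PEER COORDINATION Info
71.174.62.26 (01:37:20.642 PST)
  event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->55086 (01:37:20.642 PST)
85.17.143.16 (01:36:38.928 PST)
  event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA
  50127->6969 (01:36:38.928 PST)
208.83.20.164 (01:37:10.797 PST)
  event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA
  50326->80 (01:37:10.797 PST)

DECLARE BOT Non-standard Port
69.43.161.167 (01:37:21.620 PST)
  event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
  51413->6099 (01:37:21.620 PST)

tcpslice 1360316198.928 1360316198.929 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36'
"""

HEADER_RE = re.compile(
    r"^(Score|Infected Target|Infector List|Egg Source List|C & C List|"
    r"Peer Coord\. List|Resource List|Observed Start|Gen\. Time):[ \t]*(.*)$",
    re.MULTILINE)
# One evidence record: "<peer> [(n)] (<time> PST)", the event= line, then one
# port line per occurrence ("(n)" records carry n port lines).
EVENT_RE = re.compile(
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3})(?: \(\d+\))? \([\d:.]+ PST\)\s+"
    r"event=(?P<sid>\d+:\d+)(?: \(\d+\))? \{(?P<proto>tcp|udp)\} "
    r"(?P<phase>E\d)\[(?P<tag>\w+)\] (?P<msg>.*?), \[(?P<payload>[^\]]*)\] "
    r"MAC_Src: (?P<mac>[0-9A-Fa-f:]{17})"
    r"(?P<ports>(?:\s+\d+->\d+ \([\d:.]+ PST\))+)", re.DOTALL)
PORT_RE = re.compile(r"(\d+)->(\d+) \(([\d:.]+) PST\)")
TCPSLICE_RE = re.compile(r"^tcpslice (\S+) (\S+) ", re.MULTILINE)
PST = timezone(timedelta(hours=-8))  # assumption: fixed UTC-8 (no DST in February)


def parse_header(text):
    return {key: val.strip() for key, val in HEADER_RE.findall(text)}


def parse_events(text):
    """Flatten every record into one dict per (peer, sport, dport, time)."""
    events = []
    for m in EVENT_RE.finditer(text):
        for sport, dport, when in PORT_RE.findall(m.group("ports")):
            events.append({"peer": m.group("peer"), "sid": m.group("sid"),
                           "proto": m.group("proto"), "phase": m.group("phase"),
                           "msg": m.group("msg"), "sport": int(sport),
                           "dport": int(dport), "time": when})
    return events


def to_epoch(stamp):
    """'02/08/2013 01:36:38.928 PST' -> '1360316198.928' (the tcpslice form)."""
    local = datetime.strptime(stamp.replace(" PST", ""), "%m/%d/%Y %H:%M:%S.%f")
    return f"{local.replace(tzinfo=PST).timestamp():.3f}"


def printed_window(text):
    """The (start, end) pair the profile's own tcpslice line carries."""
    m = TCPSLICE_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


def triage(text):
    hdr, evs = parse_header(text), parse_events(text)
    e8 = [e for e in evs if e["phase"] == "E8"]
    p2p = [e for e in evs if e["phase"] == "E7" and e["msg"].startswith("P2P")]
    start, end = to_epoch(hdr["Observed Start"]), to_epoch(hdr["Gen. Time"])
    return {
        "target": hdr["Infected Target"],
        "score": float(hdr["Score"].split()[0]),
        # the servers that actually carried the DECLARE BOT verdict
        "declare_bot": sorted({(e["peer"], e["dport"], e["sid"]) for e in e8}),
        "p2p_events": len(p2p),
        "other_events": len(evs) - len(p2p) - len(e8),
        "printed_window": printed_window(text),   # what the profile itself emits
        "window": (start, end),                   # Observed Start .. Gen. Time
        "tcpslice": (f"tcpslice {start} {end} inputFile.tcpd | tcpdump -r - -w "
                     f"outputFile.tcpd 'host {hdr['Infected Target']}'"),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_PROFILE).items():
        print(f"{key}: {val}")
```

The `window` the helper computes starts at the same epoch the profile's own tcpslice line prints (1360316198.928 for the first profile), which confirms the UTC-8 assumption against the page's own numbers. The printed window, however, is one millisecond long, so in every profile above whose Gen. Time differs from Observed Start it cannot contain the DECLARE BOT packet; carving Observed Start through Gen. Time is what lets an analyst look at the 69.43.161.167:6099 traffic itself before accepting the verdict.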