Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 132.227.62.122, 129.10.120.193, 141.213.4.202, 146.57.249.98, 72.36.112.71, 147.83.30.166, 130.237.43.75 (2), 192.33.90.68, 128.31.1.14, 202.116.81.195, 193.63.75.18, 66.140.111.5, 130.206.158.138, 128.208.4.199 (2), 128.252.19.18
Resource List:
Observed Start: 03/19/2013 05:27:02.338 PDT
Gen. Time: 03/19/2013 05:29:45.899 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
       132.227.62.122 (05:27:11.671 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         37619->6881 (05:27:11.671 PDT)
       129.10.120.193 (05:27:11.577 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         36408->6881 (05:27:11.577 PDT)
       141.213.4.202 (05:27:11.562 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         52177->6881 (05:27:11.562 PDT)
       146.57.249.98 (05:27:11.559 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         34499->6881 (05:27:11.559 PDT)
       72.36.112.71 (05:27:05.496 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->59934 (05:27:05.496 PDT)
       147.83.30.166 (05:27:11.687 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         37476->6881 (05:27:11.687 PDT)
       130.237.43.75 (2) (05:27:11.312 PDT)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         58333->6969 (05:27:11.312 PDT)
         -------------------------
         event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
         58333->6969 (05:27:11.312 PDT)
       192.33.90.68 (05:27:11.661 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         49028->6881 (05:27:11.661 PDT)
       128.31.1.14 (05:27:11.579 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         34228->6881 (05:27:11.579 PDT)
       202.116.81.195 (05:27:04.340 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
         39369->6881 (05:27:04.340 PDT)
       193.63.75.18 (05:27:11.652 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         46552->6881 (05:27:11.652 PDT)
       66.140.111.5 (05:27:05.047 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->54814 (05:27:05.047 PDT)
       130.206.158.138 (05:27:02.338 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->39077 (05:27:02.338 PDT)
       128.208.4.199 (2) (05:27:11.525 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
         43883->6881 (05:27:11.525 PDT)
         -------------------------
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         43883->6881 (05:27:11.525 PDT)
       128.252.19.18 (05:27:11.557 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         55728->6881 (05:27:11.557 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
       94.23.32.56 (05:29:45.899 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->15707 (05:29:45.899 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363696022.338 1363696022.339 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 90.34.101.172, 128.10.19.52, 141.22.213.35 (2), 212.235.189.114 (4), 128.220.251.50, 130.237.43.75 (4), 198.133.224.149, 129.82.12.187 (2), 198.82.160.220
Resource List:
Observed Start: 03/19/2013 06:06:35.588 PDT
Gen. Time: 03/19/2013 06:08:49.218 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
       90.34.101.172 (06:08:03.133 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->61123 (06:08:03.133 PDT)
       128.10.19.52 (06:08:04.069 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         50180->6881 (06:08:04.069 PDT)
       141.22.213.35 (2) (06:06:40.027 PDT-06:06:53.520 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         2: 6881->35563 (06:06:40.027 PDT-06:06:53.520 PDT)
       212.235.189.114 (4) (06:06:35.588 PDT-06:07:11.514 PDT)
         event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         4: 6881->40223 (06:06:35.588 PDT-06:07:11.514 PDT)
       128.220.251.50 (06:08:04.084 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         54003->6881 (06:08:04.084 PDT)
       130.237.43.75 (4) (06:07:13.821 PDT)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         44310->6969 (06:07:13.821 PDT)
         -------------------------
         event=1:2000369 (2) {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
         44310->6969 (06:07:13.821 PDT)
         44320->6969 (06:08:03.821 PDT)
         -------------------------
         event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C
         44320->6969 (06:08:03.821 PDT)
       198.133.224.149 (06:08:04.072 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         48790->6881 (06:08:04.072 PDT)
       129.82.12.187 (2) (06:08:04.062 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
         37081->6881 (06:08:04.062 PDT)
         -------------------------
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         37081->6881 (06:08:04.062 PDT)
       198.82.160.220 (06:07:04.732 PDT)
         event=1:2000357 {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->57434 (06:07:04.732 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
       195.128.181.52 (06:08:49.218 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->61086 (06:08:49.218 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363698395.588 1363698431.515 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 169.229.50.7 (4), 130.216.1.22 (2), 131.193.34.38 (3)
Resource List:
Observed Start: 03/19/2013 06:23:11.694 PDT
Gen. Time: 03/19/2013 06:23:56.638 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
       169.229.50.7 (4) (06:23:13.142 PDT-06:23:49.915 PDT)
         event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         4: 6881->32893 (06:23:13.142 PDT-06:23:49.915 PDT)
       130.216.1.22 (2) (06:23:11.694 PDT-06:23:22.543 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         2: 6881->53270 (06:23:11.694 PDT-06:23:22.543 PDT)
       131.193.34.38 (3) (06:23:24.287 PDT-06:23:50.364 PDT)
         event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         3: 6881->39108 (06:23:24.287 PDT-06:23:50.364 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
       195.128.181.52 (06:23:56.638 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->61086 (06:23:56.638 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363699391.694 1363699430.365 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 203.178.133.2 (3), 141.212.113.178 (6), 142.103.2.1, 137.165.1.113 (2), 160.80.221.37, 204.123.28.55 (3), 195.130.124.2
Resource List:
Observed Start: 03/19/2013 06:42:45.319 PDT
Gen. Time: 03/19/2013 06:46:28.036 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
       203.178.133.2 (3) (06:43:02.873 PDT-06:43:26.304 PDT)
         event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         3: 43831->6881 (06:43:02.873 PDT-06:43:26.304 PDT)
       141.212.113.178 (6) (06:42:51.204 PDT-06:43:49.645 PDT)
         event=1:2000357 (6) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         6: 34764->6881 (06:42:51.204 PDT-06:43:49.645 PDT)
       142.103.2.1 (06:42:57.251 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
         33597->6881 (06:42:57.251 PDT)
       137.165.1.113 (2) (06:42:45.319 PDT-06:42:56.188 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         2: 33701->6881 (06:42:45.319 PDT-06:42:56.188 PDT)
       160.80.221.37 (06:42:47.125 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
         42659->6881 (06:42:47.125 PDT)
       204.123.28.55 (3) (06:43:32.593 PDT-06:43:56.430 PDT)
         event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         3: 37741->6881 (06:43:32.593 PDT-06:43:56.430 PDT)
       195.130.124.2 (06:43:43.476 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
         42585->6881 (06:43:43.476 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
       195.128.181.52 (06:46:28.036 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->61086 (06:46:28.036 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363700565.319 1363700636.431 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 145.99.179.147 (2), 142.103.2.1, 131.247.2.248, 131.179.150.70 (4), 132.72.23.11 (2), 217.118.79.17, 130.37.193.141, 130.127.39.153 (3), 72.36.112.74 (2)
Resource List:
Observed Start: 03/19/2013 06:58:57.430 PDT
Gen. Time: 03/19/2013 07:01:05.398 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
       145.99.179.147 (2) (06:59:33.318 PDT-06:59:48.600 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         2: 6881->49525 (06:59:33.318 PDT-06:59:48.600 PDT)
       142.103.2.1 (06:58:57.430 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
         33597->6881 (06:58:57.430 PDT)
       131.247.2.248 (06:59:24.317 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->41626 (06:59:24.317 PDT)
       131.179.150.70 (4) (06:59:02.818 PDT-06:59:22.946 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->50602 (06:59:40.343 PDT)
         -------------------------
         event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         3: 6881->50602 (06:59:02.818 PDT-06:59:22.946 PDT)
       132.72.23.11 (2) (06:59:17.198 PDT-06:59:27.927 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         2: 6881->51896 (06:59:17.198 PDT-06:59:27.927 PDT)
       217.118.79.17 (06:59:23.846 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->45353 (06:59:23.846 PDT)
       130.37.193.141 (06:59:31.937 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->59366 (06:59:31.937 PDT)
       130.127.39.153 (3) (06:58:59.134 PDT-06:59:44.545 PDT)
         event=1:2000334 {tcp} E7[info] ET P2P BitTorrent peer sync, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->45706 (06:59:27.391 PDT)
         -------------------------
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         2: 6881->45706 (06:58:59.134 PDT-06:59:44.545 PDT)
       72.36.112.74 (2) (06:58:57.749 PDT-06:59:32.868 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         2: 6881->33179 (06:58:57.749 PDT-06:59:32.868 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
       195.128.181.52 (07:01:05.398 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->61086 (07:01:05.398 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363701537.430 1363701588.601 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 198.133.224.149, 138.246.99.250 (3), 130.237.43.75 (2), 129.93.229.138 (4), 131.179.150.70 (4), 128.111.52.59 (2)
Resource List:
Observed Start: 03/19/2013 07:14:48.180 PDT
Gen. Time: 03/19/2013 07:16:22.966 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
       198.133.224.149 (07:15:30.678 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->6881 (07:15:30.678 PDT)
       138.246.99.250 (3) (07:14:54.953 PDT-07:15:16.481 PDT)
         event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         3: 6881->53682 (07:14:54.953 PDT-07:15:16.481 PDT)
       130.237.43.75 (2) (07:16:08.614 PDT)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         51513->6969 (07:16:08.614 PDT)
         -------------------------
         event=1:2000369 {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
         51513->6969 (07:16:08.614 PDT)
       129.93.229.138 (4) (07:14:48.180 PDT-07:15:19.573 PDT)
         event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         4: 6881->39040 (07:14:48.180 PDT-07:15:19.573 PDT)
       131.179.150.70 (4) (07:15:23.268 PDT-07:15:59.130 PDT)
         event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         4: 6881->50602 (07:15:23.268 PDT-07:15:59.130 PDT)
       128.111.52.59 (2) (07:15:52.456 PDT-07:16:03.207 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         2: 6881->54083 (07:15:52.456 PDT-07:16:03.207 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
       195.128.181.52 (07:16:22.966 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->61086 (07:16:22.966 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363702488.180 1363702563.208 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List: 141.213.4.202, 155.98.35.7, 131.179.150.70 (4), 129.93.229.138 (4), 169.229.50.7 (2), 208.77.77.197, 128.114.63.63, 130.237.43.75 (4), 198.133.224.149, 140.192.249.204, 128.111.52.59 (2), 138.246.99.250 (3), 129.130.252.140
Resource List:
Observed Start: 03/19/2013 07:14:48.180 PDT
Gen. Time: 03/19/2013 07:18:49.136 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
       141.213.4.202 (07:16:24.462 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         37173->6881 (07:16:24.462 PDT)
       155.98.35.7 (07:16:24.462 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         41449->6881 (07:16:24.462 PDT)
       131.179.150.70 (4) (07:15:23.268 PDT-07:15:59.130 PDT)
         event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         4: 6881->50602 (07:15:23.268 PDT-07:15:59.130 PDT)
       129.93.229.138 (4) (07:14:48.180 PDT-07:15:19.573 PDT)
         event=1:2000357 (4) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         4: 6881->39040 (07:14:48.180 PDT-07:15:19.573 PDT)
       169.229.50.7 (2) (07:16:24.432 PDT)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
         40931->6881 (07:16:24.432 PDT)
         -------------------------
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         40931->6881 (07:16:24.432 PDT)
       208.77.77.197 (07:16:24.462 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         34864->6881 (07:16:24.462 PDT)
       128.114.63.63 (07:16:24.432 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         41112->6881 (07:16:24.432 PDT)
       130.237.43.75 (4) (07:16:08.614 PDT)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         51513->6969 (07:16:08.614 PDT)
         -------------------------
         event=1:2000369 (2) {tcp} E7[info] ET P2P BitTorrent Announce, [] MAC_Src: 00:21:5A:08:BB:0C
         51513->6969 (07:16:08.614 PDT)
         51521->6969 (07:16:23.924 PDT)
         -------------------------
         event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:21:5A:08:BB:0C
         51521->6969 (07:16:23.924 PDT)
       198.133.224.149 (07:15:30.678 PDT)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->6881 (07:15:30.678 PDT)
       140.192.249.204 (07:16:24.501 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         53715->6881 (07:16:24.501 PDT)
       128.111.52.59 (2) (07:15:52.456 PDT-07:16:03.207 PDT)
         event=1:2000357 (2) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         2: 6881->54083 (07:15:52.456 PDT-07:16:03.207 PDT)
       138.246.99.250 (3) (07:14:54.953 PDT-07:15:16.481 PDT)
         event=1:2000357 (3) {tcp} E7[info] ET P2P BitTorrent Traffic, [] MAC_Src: 00:21:5A:08:BB:0C
         3: 6881->53682 (07:14:54.953 PDT-07:15:16.481 PDT)
       129.130.252.140 (07:16:24.462 PDT)
         event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:21:5A:08:BB:0C
         34851->6881 (07:16:24.462 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
       195.128.181.52 (07:16:22.966 PDT)
         event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->61086 (07:16:22.966 PDT)
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1363702488.180 1363702563.208 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================