BotHunter Daily Analysis Index

BotHunter ®
Live Internet Monitor Page
Computer Science Laboratory
SRI International

Last Updated: Sun Mar 24 23:00:03 2013

www.BOTHUNTER.net

Victim IP	Max Score	Profiles	CCs	Events
192.168.1.85	1.0	VIEW 1	66.249.74.230 66.249.74.230 (Dial), Google.Com, Google Inc, Cabot, Arkansas, United States.	1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->42258 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->61026
192.168.1.100	1.2	VIEW 2	199.255.189.160 199.255.189.160 (-), -, -, -. 213.249.68.98 213.249.68.98 (Dsl), -, Networking4all, Amsterdam, Noord-Holland, Netherlands, Malware Controller. 207.58.145.102 207.58.145.102 (Dsl), Servint.Net, Smv, Mclean, Virginia, United States, Malware Controller Mail Abuser.	1:2012801 {tcp} C&C Communication: ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/biz/j-and-j-drug-austin?start=0&sort_by=date_desc&rpp=40]; 36666->80 1:9920020 {udp} Bot Space Access: ET ShadowServer confirmed botnet control server on standard port 1:2012801 (2) {tcp} C&C Communication: ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/biz/j-and-j-drug-austin?start=0&sort_by=date_desc&rpp=40]; 36666->80 1:3810008 {udp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 43720->53
192.168.1.41	1.6	VIEW 171		777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 45567->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 41136->22 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 41136->22 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 39693->22 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 55480->22 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 43 IPs (28 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 45793->22 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 39919->22 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 46018->22 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 46694->22 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 44 IPs (29 /24s) (# pkts S/M/O/I=0/43/1/0): 22:43 777:7777008 {icmp} Malware Scan: Detected intense malware port scanning of 44 IPs (29 /24s) (# pkts S/M/O/I=0/43/2/0): 22:43 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 44 IPs (29 /24s) (# pkts S/M/O/I=0/43/2/0): 22:43 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 48053->22 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 10 IPs (8 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 48728->22 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 48955->22 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 19 IPs (15 /24s) (# pkts S/M/O/I=0/19/0/0): 22:19
192.168.1.14	1.0	VIEW 3	188.165.248.204 188.165.248.204 (Dsl), Elginux.Com, Ovh, France. 173.199.117.243 173.199.117.243 (-), -, -, -.	1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->52282 1:552123 (4) {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->40223 1:2002033 (9) {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->52282 1:552123 (5) {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->40223 1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->35348 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->35348
192.168.1.36	0.8	VIEW 22	69.43.161.167 69.43.161.167 (Dsl), 22a52.Com, Castle Access Inc, Coronado, California, United States, Mail Abuser Malware Controller.	1:9930009 {tcp} Bot Space Access: ET ShadowServer confirmed botnet control server on non-standard port 1:9930020 {udp} Bot Space Access: ET ShadowServer confirmed botnet control server on non-standard port