BotHunter Daily Analysis Index

BotHunter ®
Live Internet Monitor Page
Computer Science Laboratory
SRI International

Last Updated: Thu Apr 18 23:00:03 2013

www.BOTHUNTER.net

Victim IP	Max Score	Profiles	CCs	Events
192.168.1.64	0.8	VIEW 1		1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-2828 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-4368
192.168.1.167	1.3	VIEW 2		1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-2532 1:2000047 {tcp} Egg Download: ET WORM Sasser Transfer _up.exe; 9996<-2562 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 9996->2562
192.168.1.21	0.8	VIEW 1		1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-3804 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-4055
192.168.1.175	3.0	VIEW 2	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-46370 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-46370 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-46370 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-2377
192.168.1.100	2.3	VIEW 2	208.88.226.10 208.88.226.10 (Comp), Webazilla.Com, Dac Division B.V, Netherlands, Malware Controller. 64.111.199.221 64.111.199.221 (Dsl), Isprime.Com, Isprime Inc, United States, Mail Abuser Malware Controller. 64.111.214.2 64.111.214.2 (Dsl), Isprime.Com, Isprime Inc, New York, United States, Malware Controller. 217.199.217.100 217.199.217.100 (Comp), Ucoz.Net, Ucoz, Russian Federation, Malware Controller. 218.30.115.254 218.30.115.254 (Dsl), Hichina.Com, Chinanet Idc Center, Beijing, China, Malware Controller. 84.45.63.21 84.45.63.21 (Dsl), -, Axill Europe, United Kingdom, Malware Controller. 199.59.243.109 199.59.243.109 (-), -, -, -, Malware Controller.	1:3810007 (2) {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 39559->80 1:3810007 (2) {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 32930->80 1:3810007 (2) {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 57926->80 1:3810007 (2) {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 35646->80 1:3810007 (8) {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 45909->80 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 34185->80 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 50614->80 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 44378->22
192.168.1.160	2.4	VIEW 2		1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-41239 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-1661 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/1/0): 445:10 1:2001569 {tcp} Outbound Attack: ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs); 1049->445
192.168.1.85	1.0	VIEW 2	66.249.74.230 66.249.74.230 (Dial), Google.Com, Google Inc, Cabot, Arkansas, United States.	1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->55016 1:552123 (2) {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->44321 1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->40246 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->54190
192.168.1.144	1.9	VIEW 3		1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-1779 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1032->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1032->69 1:3001441 (2) {udp} Egg Download: TFTP GET .exe from external source; 1032->69 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1031->707 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-2066 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-2066 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-2066
192.168.1.170	1.4	VIEW 2	195.22.26.231 195.22.26.231 (Dsl), Ca1por-E1.Esoterica.Pt, Via Net.Works Portugal - Tecnologias De Informa Cao Sa, Lisbon, Lisboa, Portugal, Malware Controller.	1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-2179 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-80 1:9920009 {tcp} Bot Space Access: ET ShadowServer confirmed botnet control server on standard port
192.168.1.41	1.6	VIEW 31		777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 11 IPs (7 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 48004->22 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 39786->22 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 48591->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 58530->22 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 35885->22 777:7777008 {icmp} Malware Scan: Detected intense malware port scanning of 44 IPs (28 /24s) (# pkts S/M/O/I=0/42/2/0): 22:42 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 10 IPs (7 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 57015->22 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 48674->22 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 45 IPs (28 /24s) (# pkts S/M/O/I=0/45/0/0): 22:45 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 44 IPs (27 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 18 IPs (14 /24s) (# pkts S/M/O/I=0/18/0/0): 22:18 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 34346->22 777:7777005 (2) {tcp} Outbound Scan: Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 45 IPs (28 /24s) (# pkts S/M/O/I=0/45/0/0): 22:44, 3306 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33
192.168.1.128	0.8	VIEW 1		1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-4578 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-4368