BotHunter ®
  Live Internet Monitor Page
  Computer Science Laboratory
  SRI International


  Last Updated: Fri Apr 26 23:00:02 2013
www.BOTHUNTER.net


Victim IP   Max Score   Profiles   CCs   Events
192.168.1.138   1.3   VIEW   2
  • 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-2589
  • 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1027->707
  • 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1028->69
  • 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1028->69
  • 1:3001441 (2) {udp} Egg Download: TFTP GET .exe from external source; 1028->69
192.168.1.21   0.8   VIEW   1
  • 1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-1915
  • 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-5040
192.168.1.100   1.1   VIEW   5
  • 195.128.181.52 (Dsl), Net.Pl, Eurofux-Wojkowice-Pl, Warsaw, Mazowieckie, Poland, Malware Controller.
  • 198.51.132.160 (Dsl), Speakeasy.Net, -, United States.
  • 195.70.51.165 (Comp), Interware.Hu, Interware Inc, Budapest, Hungary, Malware Controller.
  • 64.46.38.31 (Comp), Vacationmedia.Net, Rackforce Hosting Inc, Kelowna, British Columbia, Canada, Malware Controller Mail Abuser.
  • 1:9930020 {udp} Bot Space Access: ET ShadowServer confirmed botnet control server on non-standard port
  • 1:2012801 {tcp} C&C Communication: ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/user_details_thanx?userid=o84KZeqgy0YGLmz5I9P-pg&thanx_start=3280]; 52270->80
  • 1:9920020 {udp} Bot Space Access: ET ShadowServer confirmed botnet control server on standard port
  • 1:3810008 {udp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 60532->53
192.168.1.36   0.9   VIEW   28
  • 208.95.172.130 (Dsl), Cognosnet.Com, Isohunt Web Technologies Inc, Vancouver, British Columbia, Canada, Malware Controller.
  • 69.43.161.167 (Dsl), 22a52.Com, Castle Access Inc, Coronado, California, United States, Mail Abuser Malware Controller.
  • 199.59.243.109 (-), -, -, -, Malware Controller.
  • 208.87.35.103 (Dsl), Adkix.Com, Secure Hosting Ltd, Nassau, New Providence, Bahamas, Malware Controller.
  • 199.59.243.107 (-), -, -, -, Malware Controller.
  • 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 64770->80
  • 1:9930020 {udp} Bot Space Access: ET ShadowServer confirmed botnet control server on non-standard port
  • 1:9930009 {tcp} Bot Space Access: ET ShadowServer confirmed botnet control server on non-standard port
  • 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 53362->80
  • 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 56043->80
192.168.1.229   3.0   VIEW   2
  • 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.
  • 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-46689
  • 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-46689
  • 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-46689
  • 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-669
192.168.1.14   1.0   VIEW   3
  • 93.63.195.11 (Comp), Ip29.Fastwebnet.It, Editcom.It Srl Public Subnet, Rome, Lazio, Italy.
  • 180.76.5.171 (Dsl), -, Beijing Baidu Netcom Science And Technology Co. Ltd, Beijing, China.
  • 1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->35524
  • 1:552123 (6) {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->35524
  • 1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->12651
  • 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->33367
  • 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->8344
192.168.1.119   0.8   VIEW   1
  • 1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-61423
  • 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-7776
192.168.1.54   0.8   VIEW   1
  • 1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-1964
  • 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-3748
192.168.1.134   0.8   VIEW   1
  • 1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-2261
  • 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-3748
192.168.1.98   1.1   VIEW   221
  • 777:7777008 (2) {icmp} Malware Scan: Detected intense malware port scanning of 83 IPs (82 /24s) (# pkts S/M/O/I=0/83/0/0): 445:83
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 85 IPs (84 /24s) (# pkts S/M/O/I=0/85/0/0): 445:85
  • 777:7777008 (2) {tcp} Malware Scan: Detected intense malware port scanning of 85 IPs (84 /24s) (# pkts S/M/O/I=0/85/0/0): 445:85
  • 777:7777008 {icmp} Malware Scan: Detected intense malware port scanning of 90 IPs (89 /24s) (# pkts S/M/O/I=0/90/0/0): 445:90
  • 777:7777008 (2) {icmp} Malware Scan: Detected intense malware port scanning of 90 IPs (89 /24s) (# pkts S/M/O/I=0/90/0/0): 445:90
  • 777:7777008 {icmp} Malware Scan: Detected intense malware port scanning of 95 IPs (94 /24s) (# pkts S/M/O/I=0/95/0/0): 445:95
  • 777:7777008 (3) {icmp} Malware Scan: Detected intense malware port scanning of 95 IPs (94 /24s) (# pkts S/M/O/I=0/95/0/0): 445:95
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 99 IPs (98 /24s) (# pkts S/M/O/I=0/99/0/0): 445:99
  • 777:7777008 (2) {tcp} Malware Scan: Detected intense malware port scanning of 99 IPs (98 /24s) (# pkts S/M/O/I=0/99/0/0): 445:99
  • 777:7777008 {icmp} Malware Scan: Detected intense malware port scanning of 105 IPs (104 /24s) (# pkts S/M/O/I=0/105/0/0): 445:105
  • 777:7777008 (2) {icmp} Malware Scan: Detected intense malware port scanning of 105 IPs (104 /24s) (# pkts S/M/O/I=0/105/0/0): 445:105
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 109 IPs (108 /24s) (# pkts S/M/O/I=0/109/0/0): 445:109
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 114 IPs (113 /24s) (# pkts S/M/O/I=0/114/0/0): 445:114
  • 777:7777008 (2) {tcp} Malware Scan: Detected intense malware port scanning of 114 IPs (113 /24s) (# pkts S/M/O/I=0/114/0/0): 445:114
  • 777:7777008 {icmp} Malware Scan: Detected intense malware port scanning of 122 IPs (121 /24s) (# pkts S/M/O/I=0/122/0/0): 445:122
  • 777:7777008 (2) {icmp} Malware Scan: Detected intense malware port scanning of 122 IPs (121 /24s) (# pkts S/M/O/I=0/122/0/0): 445:122
  • 777:7777008 {icmp} Malware Scan: Detected intense malware port scanning of 125 IPs (124 /24s) (# pkts S/M/O/I=0/125/0/0): 445:125
  • 777:7777008 (2) {icmp} Malware Scan: Detected intense malware port scanning of 125 IPs (124 /24s) (# pkts S/M/O/I=0/125/0/0): 445:125
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 129 IPs (127 /24s) (# pkts S/M/O/I=0/129/0/0): 445:129
  • 777:7777008 (2) {tcp} Malware Scan: Detected intense malware port scanning of 129 IPs (127 /24s) (# pkts S/M/O/I=0/129/0/0): 445:129
192.168.1.51   1.9   VIEW   2
  • 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-3782
  • 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-3782
  • 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-3782
  • 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-915
192.168.1.234   1.3   VIEW   4
  • 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 25341->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 25341->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 25341->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 25341->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 25341->22
  • 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 25341->22
  • 1:2001219 (2) {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 2991->22
  • 1:2001569 {tcp} Outbound Attack: ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs); 20->139
  • 1:2001219 (2) {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 3680->22
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 132 IPs (4 /24s) (# pkts S/M/O/I=384/2563/2529/0): 22:128, 136:128, 137:128, 138:128, 139:128, 445:128, 559:128, 1025:128, 1433:128, 2067:128, 2100:128, 3127:128, 3306:128, 4445:128, 5000:128, 5554:128, 6129:128, 9996:128, 10000:128, 27374:128, 4350, 6101, 11768
192.168.1.141   0.8   VIEW   1
  • 1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-20596
  • 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-7776
192.168.1.245   1.9   VIEW   2
  • 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-3539
  • 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-3539
  • 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-3539
  • 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-915
192.168.1.41   1.6   VIEW   34
  • 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 10 IPs (6 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 54583->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 33090->22
  • 1:2003068 (2) {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 38894->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 45166->22
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 36 IPs (22 /24s) (# pkts S/M/O/I=1/34/1/0): 22:34
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 51976->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 54883->22
  • 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10
  • 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 36732->22
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41
  • 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 10 IPs (8 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10
  • 777:7777005 (2) {tcp} Outbound Scan: Detected moderate malware port scanning of 10 IPs (8 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10
  • 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 37590->22
  • 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 38234->22
  • 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 38449->22
  • 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10
192.168.1.102   0.8   VIEW   2
  • 195.128.181.52 (Dsl), Net.Pl, Eurofux-Wojkowice-Pl, Warsaw, Mazowieckie, Poland, Malware Controller.
  • 193.138.229.18 (Dsl), As34305.Net, Euroaccess, Eindhoven, Noord-Brabant, Netherlands, Malware Controller Mail Abuser.
  • 1:9930020 {udp} Bot Space Access: ET ShadowServer confirmed botnet control server on non-standard port
192.168.1.128   0.8   VIEW   1
  • 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-61729
  • 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 4444->61758