BotHunter ®
  Live Internet Monitor Page
  Computer Science Laboratory
  SRI International


  Last Updated: Thu May 2 23:00:03 2013
www.BOTHUNTER.net


Victim IP  |  Max Score  |  Profiles  |  CCs  |  Events
192.168.1.138  |  2.5  |  VIEW  |  4
  • 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.
  • 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-8255
  • 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-6225
  • 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/1/0): 445:10
  • 1:9920003 {tcp} Bot Space Access: BotHunter MTC confirmed botnet control server on standard port
  • 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-47610
  • 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-2232
192.168.1.204  |  0.8  |  VIEW  |  1
  • 1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-3689
  • 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1022->3715
192.168.1.200  |  1.3  |  VIEW  |  2
  • 1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-4270
  • 1:2000047 {tcp} Egg Download: ET WORM Sasser Transfer _up.exe; 9996<-4507
  • 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 9996->4507
192.168.1.43  |  1.9  |  VIEW  |  2
  • 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-30396
  • 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-6225
  • 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/1/0): 445:10
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20
192.168.1.160  |  0.8  |  VIEW  |  1
  • 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-2493
  • 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-2493
  • 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-2493
  • 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-3354
192.168.1.113  |  2.5  |  VIEW  |  3
  • 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.
  • 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-24598
  • 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-24598
  • 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-24598
  • 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-6381
  • 1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-4943
  • 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-9413
192.168.1.36  |  0.8  |  VIEW  |  43
  • 69.43.161.167 (Dsl), 22a52.Com, Castle Access Inc, Coronado, California, United States, Mail Abuser Malware Controller.
  • 199.59.243.107 (-), -, -, -, Malware Controller.
  • 1:9930009 {tcp} Bot Space Access: ET ShadowServer confirmed botnet control server on non-standard port
  • 1:9930020 {udp} Bot Space Access: ET ShadowServer confirmed botnet control server on non-standard port
192.168.1.142  |  2.5  |  VIEW  |  2
  • 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.
  • 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-3223
  • 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-2001
  • 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/1/0): 445:10
  • 1:9920003 {tcp} Bot Space Access: BotHunter MTC confirmed botnet control server on standard port
192.168.1.98  |  1.1  |  VIEW  |  40
  • 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/20/0/0): 445:20
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/26/0/0): 445:26
  • 777:7777005 {icmp} Outbound Scan: Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/20/0/0): 445:20
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 27 IPs (27 /24s) (# pkts S/M/O/I=0/27/0/0): 445:27
  • 777:7777008 (2) {tcp} Malware Scan: Detected intense malware port scanning of 27 IPs (27 /24s) (# pkts S/M/O/I=0/27/0/0): 445:27
  • 777:7777008 {icmp} Malware Scan: Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/31/0/0): 445:31
  • 777:7777008 (2) {icmp} Malware Scan: Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/31/0/0): 445:31
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 35 IPs (35 /24s) (# pkts S/M/O/I=0/35/0/0): 445:35
  • 777:7777008 {icmp} Malware Scan: Detected intense malware port scanning of 36 IPs (36 /24s) (# pkts S/M/O/I=0/36/0/0): 445:36
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 37 IPs (37 /24s) (# pkts S/M/O/I=0/37/0/0): 445:37
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 40 IPs (40 /24s) (# pkts S/M/O/I=0/40/0/0): 445:40
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 41 IPs (41 /24s) (# pkts S/M/O/I=0/41/0/0): 445:41
  • 777:7777005 {icmp} Outbound Scan: Detected moderate malware port scanning of 16 IPs (16 /24s) (# pkts S/M/O/I=0/16/0/0): 445:16
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23
  • 777:7777008 (2) {tcp} Malware Scan: Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23
  • 777:7777008 (2) {tcp} Malware Scan: Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/26/0/0): 445:26
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/29/0/0): 445:29
192.168.1.247  |  1.3  |  VIEW  |  2
  • 1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-34592
  • 1:2000047 {tcp} Egg Download: ET WORM Sasser Transfer _up.exe; 9996<-33459
  • 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 9996->33459
192.168.1.115  |  0.8  |  VIEW  |  1
  • 1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-3054
  • 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-8271
192.168.1.41  |  1.6  |  VIEW  |  32
  • 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 10 IPs (6 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 45328->22
  • 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 50758->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 50758->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 35814->22
  • 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10
  • 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 55692->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 55692->22
  • 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 55912->22
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42
  • 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 56342->22
  • 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 57600->22
192.168.1.102  |  1.5  |  VIEW  |  81
  • 213.239.193.176 (Dsl), Your-Server.De, Hetzner-Rz-Nbg-Net, Gunzenhausen, Bayern, Germany, Malware Controller.
  • 204.11.237.4 (Dsl), -, Vault Networks Inc, Miami, Florida, United States, Malware Controller.
  • 81.177.3.211 (Dsl), Flashirc.Ru, Besttest - Hw Lab, Yakutsk, Sakha, Russian Federation, Malware Controller.
  • 210.145.102.19 (Comp), -, Robotechs Inc, Tokyo, Japan, Malware Controller Mail Abuser.
  • 221.143.43.214 (Dsl), Hananet.Net, Hanaro Telecom Inc, Seoul, Kyonggi-Do, Korea Republic Of, Malware Controller.
  • 82.146.33.103 (Dsl), Ns2.Jannat-Hotel.Kg, Ispsystem Uunet Collocation, Belgium, Malware Controller.
  • 219.240.39.230 (Dsl), Hananet.Net, Hanaro Telecom Inc, Seoul, Kyonggi-Do, Korea Republic Of, Malware Controller Mail Abuser.
  • 195.70.51.165 (Comp), Interware.Hu, Interware Inc, Budapest, Hungary, Malware Controller.
  • 208.110.73.34 (Comp), 8inet.Com, Frozen Hosting, Bellingham, Washington, United States, Malware Controller.
  • 221.139.0.44 (Dsl), Hananet.Net, Hanaro Telecom Inc, Seoul, Kyonggi-Do, Korea Republic Of, Malware Controller Mail Abuser.
  • 194.187.96.47 (Dsl), Webazilla.Com, Webazilla, Utrecht, Netherlands, Malware Controller.
  • 84.22.106.30 (Dsl), Public-Root.Net, Republic Cyberbunker Colocation Customers, Antarctica, Malware Controller Mail Abuser.
  • 62.212.130.107 (Dsl), Xenosite.Net, Xenosite, Amsterdam, Noord-Holland, Netherlands, Malware Controller.
  • 194.242.113.210 (Dsl), Futie.Net, Sivit Servers Subnet, Paris, Ile-De-France, France, Malware Controller Mail Abuser.
  • 121.254.129.67 (Dsl), Kidc.Net, Korea Internet Data Center Inc, Seoul, Kyonggi-Do, Korea Republic Of, Mail Abuser Malware Controller.
  • 213.249.68.98 (Dsl), -, Networking4all, Amsterdam, Noord-Holland, Netherlands, Malware Controller.
  • 69.16.229.102 (Dsl), Liquidweb.Com, Liquid Web Inc, Lansing, Michigan, United States, Malware Controller Mail Abuser.
  • 75.126.150.82 (Comp), Softlayer.Com, Softlayer Technologies Inc, Dallas, Texas, United States, Malware Controller.
  • 1:22009201 {tcp} Inbound Attack: ET TROJAN Conficker.b Shellcode MAC_Dst: 00:21:5A:08:EC:40; 445<-2463
  • 1:9920020 {udp} Bot Space Access: ET ShadowServer confirmed botnet control server on standard port
  • 1:22009201 {tcp} Inbound Attack: ET TROJAN Conficker.b Shellcode MAC_Dst: 00:21:5A:08:EC:40; 445<-3599
  • 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 57173<-9487
  • 1:22009201 {tcp} Inbound Attack: ET TROJAN Conficker.b Shellcode MAC_Dst: 00:21:5A:08:EC:40; 445<-1693
  • 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 37538<-5766
  • 1:22009201 {tcp} Inbound Attack: ET TROJAN Conficker.b Shellcode MAC_Dst: 00:21:5A:08:EC:40; 445<-3450
  • 1:22009201 {tcp} Inbound Attack: ET TROJAN Conficker.b Shellcode MAC_Dst: 00:21:5A:08:EC:40; 445<-4370
  • 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 34611<-8567
  • 1:22009201 {tcp} Inbound Attack: ET TROJAN Conficker.b Shellcode MAC_Dst: 00:21:5A:08:EC:40; 445<-2882
  • 1:22009201 {tcp} Inbound Attack: ET TROJAN Conficker.b Shellcode MAC_Dst: 00:21:5A:08:EC:40; 445<-4261
  • 1:22009201 {tcp} Inbound Attack: ET TROJAN Conficker.b Shellcode MAC_Dst: 00:21:5A:08:EC:40; 445<-4031
  • 1:22009201 {tcp} Inbound Attack: ET TROJAN Conficker.b Shellcode MAC_Dst: 00:21:5A:08:EC:40; 445<-1510
  • 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:21:5A:08:EC:40; 445<-10249
  • 1:22009201 {tcp} Inbound Attack: ET TROJAN Conficker.b Shellcode MAC_Dst: 00:21:5A:08:EC:40; 445<-4260
  • 1:22465 {tcp} Inbound Attack: GPL NETBIOS SMB-DS IPC$ share access MAC_Dst: 00:21:5A:08:EC:40; 445<-57721
  • 1:22009201 {tcp} Inbound Attack: ET TROJAN Conficker.b Shellcode MAC_Dst: 00:21:5A:08:EC:40; 445<-2985
  • 1:22009201 {tcp} Inbound Attack: ET TROJAN Conficker.b Shellcode MAC_Dst: 00:21:5A:08:EC:40; 445<-3407
  • 1:22009201 {tcp} Inbound Attack: ET TROJAN Conficker.b Shellcode MAC_Dst: 00:21:5A:08:EC:40; 445<-2098
  • 1:22009201 {tcp} Inbound Attack: ET TROJAN Conficker.b Shellcode MAC_Dst: 00:21:5A:08:EC:40; 445<-2240