Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 14:04:10.853 PDT
Gen. Time: 05/16/2013 14:09:49.840 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
  80.86.82.22 (14:09:49.840 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 12 IPs (8 /24s) (# pkts S/M/O/I=0/10/2/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA
      0->0 (14:09:49.840 PDT)

OUTBOUND SCAN
  204.123.28.55 (2) (14:04:10.853 PDT)
    event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      49413->22 (14:04:10.853 PDT)
      49522->22 (14:07:22.213 PDT)

ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368738250.853 1368738250.854 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 14:04:10.853 PDT
Gen. Time: 05/16/2013 14:16:22.089 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
  80.86.82.22 (14:09:49.840 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 12 IPs (8 /24s) (# pkts S/M/O/I=0/10/2/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA
      0->0 (14:09:49.840 PDT)

OUTBOUND SCAN
  128.252.19.18 (14:10:15.673 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      39931->22 (14:10:15.673 PDT)
  128.84.154.45 (14:09:55.187 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      55192->22 (14:09:55.187 PDT)
  128.42.142.44 (2) (14:10:27.699 PDT-14:12:00.869 PDT)
    event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      2: 45253->22 (14:10:27.699 PDT-14:12:00.869 PDT)
  204.123.28.55 (2) (14:04:10.853 PDT)
    event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      49413->22 (14:04:10.853 PDT)
      49522->22 (14:07:22.213 PDT)

ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  128.84.154.45 (4) (14:10:17.789 PDT-14:15:12.229 PDT)
    event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 25 IPs (17 /24s) (# pkts S/M/O/I=0/23/2/0): 22:23, [] MAC_Src: 00:01:64:FF:CE:EA
      3: 0->0 (14:12:00.869 PDT-14:15:12.229 PDT)
      0->0 (14:10:17.789 PDT)

tcpslice 1368738250.853 1368738912.230 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 14:16:50.504 PDT
Gen. Time: 05/16/2013 14:16:50.504 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  128.84.154.45 (14:16:50.504 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 25 IPs (17 /24s) (# pkts S/M/O/I=0/23/2/0): 22:23, [] MAC_Src: 00:01:64:FF:CE:EA
      0->0 (14:16:50.504 PDT)

tcpslice 1368739010.504 1368739010.505 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 14:16:50.504 PDT
Gen. Time: 05/16/2013 14:22:55.885 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
  128.36.233.153 (14:20:12.470 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      41646->22 (14:20:12.470 PDT)
  128.42.142.44 (14:17:35.589 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      45470->22 (14:17:35.589 PDT)

ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  128.84.154.45 (4) (14:16:50.504 PDT-14:18:23.718 PDT)
    event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (19 /24s) (# pkts S/M/O/I=0/26/2/0): 22:26, [] MAC_Src: 00:01:64:FF:CE:EA
      0->0 (14:21:36.614 PDT)
      0->0 (14:20:02.065 PDT)
      2: 0->0 (14:16:50.504 PDT-14:18:23.718 PDT)

tcpslice 1368739010.504 1368739103.719 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 14:23:14.892 PDT
Gen. Time: 05/16/2013 14:23:14.892 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  128.84.154.45 (14:23:14.892 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (19 /24s) (# pkts S/M/O/I=0/26/2/0): 22:26, [] MAC_Src: 00:01:64:FF:CE:EA
      0->0 (14:23:14.892 PDT)

tcpslice 1368739394.892 1368739394.893 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 14:23:14.892 PDT
Gen. Time: 05/16/2013 14:35:21.829 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND SCAN
  128.208.4.197 (14:29:43.572 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      39259->22 (14:29:43.572 PDT)
  131.179.150.72 (14:31:09.733 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      39728->22 (14:31:09.733 PDT)
  158.130.6.254 (14:29:50.317 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      34340->22 (14:29:50.317 PDT)
  165.91.55.9 (2) (14:30:11.197 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
      47475->22 (14:30:11.197 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      47475->22 (14:30:11.197 PDT)
  165.91.55.8 (14:30:00.818 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      46142->22 (14:30:00.818 PDT)
  192.52.240.214 (14:30:29.663 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      58604->22 (14:30:29.663 PDT)
  128.84.154.44 (14:30:40.066 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      45064->22 (14:30:40.066 PDT)
  204.123.28.56 (14:30:20.426 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      35825->22 (14:30:20.426 PDT)
  128.223.8.114 (14:31:17.273 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      59629->22 (14:31:17.273 PDT)
  204.8.155.226 (2) (14:30:49.466 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
      51008->22 (14:30:49.466 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      51008->22 (14:30:49.466 PDT)
  198.133.224.147 (14:31:00.067 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      41493->22 (14:31:00.067 PDT)
  128.36.233.153 (2) (14:23:59.974 PDT)
    event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      41751->22 (14:23:59.974 PDT)
      41854->22 (14:27:11.334 PDT)
  152.3.138.6 (2) (14:31:25.165 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
      39529->22 (14:31:25.165 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      39529->22 (14:31:25.165 PDT)

ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  128.84.154.45 (6) (14:23:14.892 PDT-14:27:59.462 PDT)
    event=777:7777008 (6) {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (19 /24s) (# pkts S/M/O/I=0/26/2/0): 22:26, [] MAC_Src: 00:01:64:FF:CE:EA
      4: 0->0 (14:23:14.892 PDT-14:27:59.462 PDT)
      0->0 (14:29:37.865 PDT)
      0->0 (14:31:09.733 PDT)

tcpslice 1368739394.892 1368739679.463 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 14:31:54.430 PDT
Gen. Time: 05/16/2013 14:31:54.430 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  128.84.154.45 (14:31:54.430 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (21 /24s) (# pkts S/M/O/I=0/28/2/0): 22:28, [] MAC_Src: 00:01:64:FF:CE:EA
      0->0 (14:31:54.430 PDT)

tcpslice 1368739914.430 1368739914.431 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 15:31:57.055 PDT
Gen. Time: 05/16/2013 15:32:47.550 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
  204.8.155.227 (15:32:47.550 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA
      0->0 (15:32:47.550 PDT)

OUTBOUND SCAN
  131.179.150.72 (15:31:57.055 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      41737->22 (15:31:57.055 PDT)
  158.130.6.254 (2) (15:32:13.623 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
      36454->22 (15:32:13.623 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      36454->22 (15:32:13.623 PDT)
  192.52.240.214 (15:32:31.698 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      60702->22 (15:32:31.698 PDT)
  128.84.154.44 (15:32:04.258 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      47110->22 (15:32:04.258 PDT)
  204.123.28.56 (15:32:07.125 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      37900->22 (15:32:07.125 PDT)
  204.8.155.227 (2) (15:32:39.395 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
      32900->22 (15:32:39.395 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      32900->22 (15:32:39.395 PDT)
  141.212.113.180 (15:32:46.163 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      59015->22 (15:32:46.163 PDT)
  13.7.64.20 (15:32:17.490 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      49912->22 (15:32:17.490 PDT)
  198.133.224.147 (15:32:24.395 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      43552->22 (15:32:24.395 PDT)

ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368743517.055 1368743517.056 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 15:31:57.055 PDT
Gen. Time: 05/16/2013 15:38:11.843 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
  204.8.155.227 (15:32:47.550 PDT)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA
      0->0 (15:32:47.550 PDT)

OUTBOUND SCAN
  128.111.52.58 (15:32:58.599 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      45903->22 (15:32:58.599 PDT)
  131.179.150.72 (15:31:57.055 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      41737->22 (15:31:57.055 PDT)
  165.91.55.9 (15:33:19.694 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      49658->22 (15:33:19.694 PDT)
  158.130.6.254 (2) (15:32:13.623 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
      36454->22 (15:32:13.623 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      36454->22 (15:32:13.623 PDT)
  158.130.6.253 (15:32:55.072 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      60711->22 (15:32:55.072 PDT)
  192.52.240.214 (15:32:31.698 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      60702->22 (15:32:31.698 PDT)
  128.84.154.44 (15:32:04.258 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      47110->22 (15:32:04.258 PDT)
  204.123.28.56 (15:32:07.125 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      37900->22 (15:32:07.125 PDT)
  204.8.155.227 (2) (15:32:39.395 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
      32900->22 (15:32:39.395 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      32900->22 (15:32:39.395 PDT)
  141.212.113.180 (15:32:46.163 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      59015->22 (15:32:46.163 PDT)
  13.7.64.20 (15:32:17.490 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      49912->22 (15:32:17.490 PDT)
  198.133.224.147 (15:32:24.395 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      43552->22 (15:32:24.395 PDT)
  128.252.19.18 (15:33:13.450 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      42792->22 (15:33:13.450 PDT)
  152.3.138.6 (2) (15:33:06.679 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
      41613->22 (15:33:06.679 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      41613->22 (15:33:06.679 PDT)

ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  204.8.155.226 (15:33:55.583 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA
      0->0 (15:33:55.583 PDT)

tcpslice 1368743517.055 1368743517.056 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================