BotHunter ®
  Live Internet Monitor Page
  Computer Science Laboratory
  SRI International


  Last Updated: Wed Jul 3 23:00:05 2013
www.BOTHUNTER.net


Victim IP    Max Score    Profiles    CCs    Events

192.168.1.212    0.8    VIEW    1
  • 1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-3314
  • 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1022->3331
192.168.1.36    0.8    VIEW    21
  • 69.43.161.167 69.43.161.167 (Dsl), 22a52.Com, Castle Access Inc, Coronado, California, United States, Mail Abuser Malware Controller.
  • 1:9930020 {udp} Bot Space Access: ET ShadowServer confirmed botnet control server on non-standard port
  • 1:9930009 {tcp} Bot Space Access: ET ShadowServer confirmed botnet control server on non-standard port
192.168.1.151    0.8    VIEW    1
  • 122.225.217.191 122.225.217.191 (Dsl), Hz.Zj.Cn, Chinanet Zhejiang Province Network, Beijing, China.
  • 1:9910002 {udp} Bot Space Access: BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host; 13010<-53
192.168.1.85    1.0    VIEW    1
  • 66.249.74.230 66.249.74.230 (Dial), Google.Com, Google Inc, Cabot, Arkansas, United States.
  • 1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->34405
  • 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->18400
  • 1:552123 (3) {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->44595
192.168.1.158    1.6    VIEW    3
  • 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 12 IPs (12 /24s) (# pkts S/M/O/I=0/12/0/3): 445:12
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/3): 445:21
  • 1:52000046 {tcp} Outbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k); 1263->445
  • 1:52314 (6) {tcp} Outbound Attack: GPL SHELLCODE x86 0x90 NOOP unicode; 1270->445
  • 1:52514 (3) {tcp} Outbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt; 1263->445
  • 777:7777008 {icmp} Malware Scan: Detected intense malware port scanning of 366 IPs (364 /24s) (# pkts S/M/O/I=0/200/6/200): 445:200
192.168.1.164    3.0    VIEW    2
  • 213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.
  • 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-3044
  • 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-2256
  • 1:2003070 {tcp} C&C Communication: ET WORM Korgo.U Reporting, [/index.php?id=hooevknosf&scn=4&inf=0&ver=19&cnt=USA]; 1056->80
  • 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/1/0): 445:10
192.168.1.114    1.9    VIEW    2
  • 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-4071
  • 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-2256
  • 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/1/0): 445:10
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20
192.168.1.234    0.8    VIEW    1
  • 1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-4763
  • 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1022->4813
192.168.1.190    3.0    VIEW    2
  • 213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.
  • 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-4975
  • 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-4849
  • 1:2003070 {tcp} C&C Communication: ET WORM Korgo.U Reporting, [/index.php?id=oxabesfbkvrsqwx&scn=0&inf=0&ver=19&cnt=USA]; 1032->80
  • 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/1/0): 445:10
192.168.1.102    1.3    VIEW    35
  • 71.114.134.16 71.114.134.16 (Dsl), Verizon.Net, Verizon Internet Services Inc, York, Pennsylvania, United States.
  • 96.237.24.205 96.237.24.205 (Dsl), Verizon.Net, Verizon Internet Services Inc, Lowell, Massachusetts, United States.
  • 36.224.39.189 36.224.39.189 (-), -, -, -.
  • 36.224.35.237 36.224.35.237 (-), -, -, -.
  • 31.162.190.58 31.162.190.58 (-), -, -, -.
  • 192.183.234.162 192.183.234.162 (-), -, -, -.
  • 111.250.41.151 111.250.41.151 (Dsl), Sterlingstudents.Net, Chtd Chunghwa Telecom Co. Ltd, Taipei, T'Ai-Pei, Taiwan.
  • 118.160.221.150 118.160.221.150 (Dsl), Hinet.Net, Chunghwa Telecom Data Communication Business Group, Taipei, T'Ai-Pei, Taiwan.
  • 66.86.12.146 66.86.12.146 (Dsl), Qwest.Net, Qwest Broadband Services Inc, Denver, Colorado, United States.
  • 50.102.167.203 50.102.167.203 (-), -, -, -.
  • 79.100.2.21 79.100.2.21 (Dsl), 79-100-4-10.Btc-Net.Bg, Btc Broadband Service, Sofia, Sofiya, Bulgaria.
  • 68.236.124.193 68.236.124.193 (Dsl), Verizon.Net, Verizon Internet Services Inc, Boston, Massachusetts, United States.
  • 79.189.39.181 79.189.39.181 (Comp), Tpnet.Pl, Customer-Idsl, Poland.
  • 202.150.208.75 202.150.208.75 (Comp), Ne.Com.Sg, Linqingping, Singapore, Singapore, Malware Controller Mail Abuser.
  • 83.12.227.212 83.12.227.212 (Comp), Tpnet.Pl, Customer-Idsl, Gdynia, Pomorskie, Poland.
  • 71.99.19.40 71.99.19.40 (Dsl), Verizon.Net, Verizon Internet Services Inc, Pinellas Park, Florida, United States.
  • 180.155.136.55 180.155.136.55 (Dsl), Davita.Com, Chinanet Shanghai Province Network, Beijing, China.
  • 71.126.50.70 71.126.50.70 (Dsl), Verizon.Net, Verizon Internet Services Inc, Bridgewater, Massachusetts, United States.
  • 71.110.198.240 71.110.198.240 (Dsl), Verizon.Net, Verizon Internet Services Inc, Redlands, California, United States.
  • 71.178.132.129 71.178.132.129 (Dsl), Verizon.Net, Verizon Internet Services Inc, Washington, District Of Columbia, United States.
  • 114.41.86.118 114.41.86.118 (Dsl), Hinet.Net, Chunghwa Telecom Data Communication Business Group, Taipei, T'Ai-Pei, Taiwan.
  • 114.42.77.209 114.42.77.209 (Dsl), Hinet.Net, Chunghwa Telecom Data Communication Business Group, Taipei, T'Ai-Pei, Taiwan.
  • 95.51.207.89 95.51.207.89 (Dsl), Tpnet.Pl, Tpsa, Poland.
  • 101.80.23.169 101.80.23.169 (-), -, -, -.
  • 114.36.182.243 114.36.182.243 (Dsl), Hinet.Net, Chunghwa Telecom Data Communication Business Group, Taipei, T'Ai-Pei, Taiwan.
  • 178.60.156.189 178.60.156.189 (Dsl), Hoodpackaging.Com, Eu-Zz, United Kingdom.
  • 71.116.253.221 71.116.253.221 (Dsl), Verizon.Net, Verizon Internet Services Inc, North Hills, California, United States.
  • 27.153.176.33 27.153.176.33 (-), -, -, -.
  • 1:9910002 {udp} Bot Space Access: BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host; 47113<-53
  • 1:2002910 {tcp} Outbound Attack: ET SCAN Potential VNC Scan 5800-5820; 54011->5802
  • 1:2002910 {tcp} Outbound Attack: ET SCAN Potential VNC Scan 5800-5820; 59856->5802
  • 1:3810008 {udp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 47113->53
192.168.1.41    1.6    VIEW    21
  • 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 10 IPs (6 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 34776->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 40973->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 60194->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 54305->22
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 43 IPs (25 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43
  • 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 39576->22
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 44 IPs (26 /24s) (# pkts S/M/O/I=0/43/1/0): 22:43
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 39802->22
  • 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 40620->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 40845->22
  • 777:7777005 {tcp} Outbound Scan: Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10
  • 777:7777005 (2) {tcp} Outbound Scan: Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10