Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 66.186.67.122 Resource List: Observed Start: 07/08/2013 00:52:39.440 PDT Gen. Time: 07/08/2013 00:52:41.261 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 66.186.67.122 (00:52:39.440 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->23306 (00:52:39.440 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (00:52:41.261 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 50660->6099 (00:52:41.261 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373269959.440 1373269959.441 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 66.186.67.122 (2), 216.221.72.112, 91.218.38.132 (2), 178.89.56.226, 166.78.158.73 (3), 176.32.193.173 Resource List: Observed Start: 07/08/2013 00:52:39.440 PDT Gen. Time: 07/08/2013 00:56:40.422 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 66.186.67.122 (2) (00:52:39.440 PDT-00:56:40.422 PDT) event=1:1100013 (2) {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 2: 51413->23306 (00:52:39.440 PDT-00:56:40.422 PDT) 216.221.72.112 (00:55:40.016 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->28380 (00:55:40.016 PDT) 91.218.38.132 (2) (00:55:12.014 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51189->2710 (00:55:12.014 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 51189->2710 (00:55:12.014 PDT) 178.89.56.226 (00:53:39.236 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10417 (00:53:39.236 PDT) 166.78.158.73 (3) (00:54:11.530 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%8C%CBj%B6%C8%0E%EB%9C93gW%E4%07%C1] MAC_Src: 00:01:64:FF:CE:EA 50964->80 (00:54:11.530 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 50964->80 (00:54:11.530 PDT) 50967->80 (00:54:11.928 PDT) 176.32.193.173 (00:54:40.643 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (00:54:40.643 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (00:52:41.261 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 50660->6099 (00:52:41.261 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373269959.440 1373270200.423 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 50.19.95.119 (2), 91.218.38.132, 80.66.181.240 Resource List: Observed Start: 07/08/2013 02:52:01.393 PDT Gen. Time: 07/08/2013 02:53:10.608 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 50.19.95.119 (2) (02:52:01.393 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62989->80 (02:52:01.393 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 62989->80 (02:52:01.393 PDT) 91.218.38.132 (02:52:01.518 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62990->2710 (02:52:01.518 PDT) 80.66.181.240 (02:52:37.328 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63303 (02:52:37.328 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (02:53:10.608 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (02:53:10.608 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373277121.393 1373277121.394 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 50.19.95.119 (2), 91.218.38.132, 166.78.158.73, 24.69.60.170, 80.66.181.240 Resource List: Observed Start: 07/08/2013 02:52:01.393 PDT Gen. Time: 07/08/2013 02:54:41.156 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 50.19.95.119 (2) (02:52:01.393 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62989->80 (02:52:01.393 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 62989->80 (02:52:01.393 PDT) 91.218.38.132 (02:52:01.518 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62990->2710 (02:52:01.518 PDT) 166.78.158.73 (02:54:41.156 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/api/?callback=skimlinksApplyHandlers&data={"pubcode":"28238X892722","domains":["facebook.com","twitter.com"]}] MAC_Src: 00:01:64:FF:CE:EA 63646->80 (02:54:41.156 PDT) 24.69.60.170 (02:53:41.519 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30991 (02:53:41.519 PDT) 80.66.181.240 (02:52:37.328 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->63303 (02:52:37.328 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (02:53:10.608 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (02:53:10.608 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373277121.393 1373277121.394 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 72.75.205.98, 109.154.217.35 Resource List: Observed Start: 07/08/2013 03:17:29.647 PDT Gen. Time: 07/08/2013 03:18:55.680 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 72.75.205.98 (03:18:29.129 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52798 (03:18:29.129 PDT) 109.154.217.35 (03:17:29.647 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24296 (03:17:29.647 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 77.37.142.27 (03:18:55.680 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (03:18:55.680 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373278649.647 1373278649.648 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.160, 178.207.16.118, 187.36.114.112, 85.17.143.16 (2), 72.75.205.98, 109.154.217.35, 99.230.104.255, 184.98.249.190 Resource List: Observed Start: 07/08/2013 03:17:29.647 PDT Gen. Time: 07/08/2013 03:21:31.019 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.160 (03:20:41.196 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53270->3310 (03:20:41.196 PDT) 178.207.16.118 (03:21:13.509 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53390->16882 (03:21:13.509 PDT) 187.36.114.112 (03:19:29.516 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->56335 (03:19:29.516 PDT) 85.17.143.16 (2) (03:19:21.190 PDT) event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:01:64:FF:CE:EA 52897->6969 (03:19:21.190 PDT) ------------------------- event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 52897->6969 (03:19:21.190 PDT) 72.75.205.98 (03:18:29.129 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52798 (03:18:29.129 PDT) 109.154.217.35 (03:17:29.647 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->24296 (03:17:29.647 PDT) 99.230.104.255 (03:20:30.031 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->53512 (03:20:30.031 PDT) 184.98.249.190 (03:21:31.019 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->57291 (03:21:31.019 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 77.37.142.27 (03:18:55.680 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (03:18:55.680 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373278649.647 1373278649.648 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153, 193.235.73.194 Resource List: Observed Start: 07/08/2013 03:43:42.680 PDT Gen. Time: 07/08/2013 03:44:31.588 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (03:44:11.204 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58895->3310 (03:44:11.204 PDT) 193.235.73.194 (03:43:42.680 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20793 (03:43:42.680 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 77.37.142.27 (03:44:31.588 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (03:44:31.588 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373280222.680 1373280222.681 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 178.239.54.153, 86.181.117.244, 193.235.73.194, 218.207.102.101, 94.170.94.18 Resource List: Observed Start: 07/08/2013 03:43:42.680 PDT Gen. Time: 07/08/2013 03:46:24.044 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 178.239.54.153 (03:44:11.204 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58895->3310 (03:44:11.204 PDT) 86.181.117.244 (03:45:42.122 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42777 (03:45:42.122 PDT) 193.235.73.194 (03:43:42.680 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20793 (03:43:42.680 PDT) 218.207.102.101 (03:44:49.130 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59078->43776 (03:44:49.130 PDT) 94.170.94.18 (03:44:42.422 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->55440 (03:44:42.422 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 77.37.142.27 (03:44:31.588 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (03:44:31.588 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373280222.680 1373280222.681 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 216.197.223.121, 50.19.95.119 (2), 91.218.38.132, 2.27.67.127 Resource List: Observed Start: 07/08/2013 04:52:41.209 PDT Gen. Time: 07/08/2013 04:55:10.568 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 216.197.223.121 (04:53:42.191 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27639 (04:53:42.191 PDT) 50.19.95.119 (2) (04:52:41.209 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61614->80 (04:52:41.209 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 61614->80 (04:52:41.209 PDT) 91.218.38.132 (04:52:41.347 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61615->2710 (04:52:41.347 PDT) 2.27.67.127 (04:54:43.527 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (04:54:43.527 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (04:55:10.568 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62402->6099 (04:55:10.568 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373284361.209 1373284361.210 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 216.197.223.121, 50.19.95.119 (2), 91.218.38.132, 99.45.252.38, 166.78.158.73 (3), 2.27.67.127, 77.251.193.21 Resource List: Observed Start: 07/08/2013 04:52:41.209 PDT Gen. Time: 07/08/2013 04:56:43.158 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 216.197.223.121 (04:53:42.191 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->27639 (04:53:42.191 PDT) 50.19.95.119 (2) (04:52:41.209 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61614->80 (04:52:41.209 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 61614->80 (04:52:41.209 PDT) 91.218.38.132 (04:52:41.347 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 61615->2710 (04:52:41.347 PDT) 99.45.252.38 (04:55:43.520 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14264 (04:55:43.520 PDT) 166.78.158.73 (3) (04:55:20.635 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 62409->80 (04:55:20.635 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 62409->80 (04:55:20.635 PDT) 62411->80 (04:55:20.790 PDT) 2.27.67.127 (04:54:43.527 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (04:54:43.527 PDT) 77.251.193.21 (04:56:43.158 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->39899 (04:56:43.158 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (04:55:10.568 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 62402->6099 (04:55:10.568 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373284361.209 1373284361.210 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 86.181.117.244, 166.78.158.73 (3), 99.45.252.38, 193.235.73.194 Resource List: Observed Start: 07/08/2013 06:54:47.536 PDT Gen. Time: 07/08/2013 06:56:00.620 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 86.181.117.244 (06:55:52.856 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42777 (06:55:52.856 PDT) 166.78.158.73 (3) (06:55:41.486 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [-|%B27%0B&%EBY%1B%80DAc%18u47%95%A3%C3[%1C%89%C7zjw%9D%C4%81%B1%1E8%F8x%90%90%B3%95%C4] MAC_Src: 00:01:64:FF:CE:EA 49671->80 (06:55:41.486 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 49671->80 (06:55:41.486 PDT) 49675->80 (06:55:42.686 PDT) 99.45.252.38 (06:54:47.536 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14264 (06:54:47.536 PDT) 193.235.73.194 (06:54:49.814 PDT) event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT nodes reply, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20793 (06:54:49.814 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (06:56:00.620 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (06:56:00.620 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373291687.536 1373291687.537 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 86.181.117.244, 180.191.152.72, 166.78.158.73 (3), 99.45.252.38, 193.235.73.194, 121.14.98.151, 58.169.182.14, 176.32.193.173 Resource List: Observed Start: 07/08/2013 06:54:47.536 PDT Gen. Time: 07/08/2013 06:58:55.330 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 86.181.117.244 (06:55:52.856 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->42777 (06:55:52.856 PDT) 180.191.152.72 (06:58:55.330 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->23323 (06:58:55.330 PDT) 166.78.158.73 (3) (06:55:41.486 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [-|%B27%0B&%EBY%1B%80DAc%18u47%95%A3%C3[%1C%89%C7zjw%9D%C4%81%B1%1E8%F8x%90%90%B3%95%C4] MAC_Src: 00:01:64:FF:CE:EA 49671->80 (06:55:41.486 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 49671->80 (06:55:41.486 PDT) 49675->80 (06:55:42.686 PDT) 99.45.252.38 (06:54:47.536 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->14264 (06:54:47.536 PDT) 193.235.73.194 (06:54:49.814 PDT) event=1:2008583 {udp} E7[info] ET P2P BitTorrent DHT nodes reply, [] MAC_Src: 00:01:64:FF:CE:EA 51413->20793 (06:54:49.814 PDT) 121.14.98.151 (06:57:51.055 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 50345->9090 (06:57:51.055 PDT) 58.169.182.14 (06:57:54.112 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16243 (06:57:54.112 PDT) 176.32.193.173 (06:56:53.318 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (06:56:53.318 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (06:56:00.620 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (06:56:00.620 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373291687.536 1373291687.537 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73 (3), 91.218.38.132 (3), 176.32.193.173, 92.43.227.18, 58.95.243.108, 200.24.16.223, 50.19.95.119 (2), 37.208.248.122, 210.195.251.115 Resource List: Observed Start: 07/08/2013 08:53:34.678 PDT Gen. Time: 07/08/2013 08:57:30.864 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (3) (08:56:11.221 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%DD%01%00%00%D9%03%02Q%DA%E1%1B%CC%C9%C2%DD%B3%C6%D9u%EFp}%A3z%91%C0%87m%7F%15%FA%B4%A5%F4%1E%C3%AD%0B%C1%00%00f%C0%14] MAC_Src: 00:01:64:FF:CE:EA 59352->80 (08:56:11.221 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 59352->80 (08:56:11.221 PDT) 59355->80 (08:56:11.505 PDT) 91.218.38.132 (3) (08:54:00.539 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58541->2710 (08:54:00.539 PDT) ------------------------- event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59004->2710 (08:55:29.960 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 59004->2710 (08:55:29.960 PDT) 176.32.193.173 (08:56:34.797 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (08:56:34.797 PDT) 92.43.227.18 (08:55:56.737 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59303->58196 (08:55:56.737 PDT) 58.95.243.108 (08:57:01.242 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59663->20133 (08:57:01.242 PDT) 200.24.16.223 (08:53:34.678 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16758 (08:53:34.678 PDT) 50.19.95.119 (2) (08:53:41.256 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58425->80 (08:53:41.256 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 58425->80 (08:53:41.256 PDT) 37.208.248.122 (08:54:34.237 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49756 (08:54:34.237 PDT) 210.195.251.115 (08:55:34.200 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64874 (08:55:34.200 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (08:57:30.864 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59818->6099 (08:57:30.864 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373298814.678 1373298814.679 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73 (3), 91.218.38.132 (3), 176.32.193.173, 92.43.227.18, 58.95.243.108, 200.24.16.223, 50.19.95.119 (2), 37.208.248.122, 71.123.132.247, 210.195.251.115 Resource List: Observed Start: 07/08/2013 08:53:34.678 PDT Gen. Time: 07/08/2013 08:57:36.228 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (3) (08:56:11.221 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [%DD%01%00%00%D9%03%02Q%DA%E1%1B%CC%C9%C2%DD%B3%C6%D9u%EFp}%A3z%91%C0%87m%7F%15%FA%B4%A5%F4%1E%C3%AD%0B%C1%00%00f%C0%14] MAC_Src: 00:01:64:FF:CE:EA 59352->80 (08:56:11.221 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 59352->80 (08:56:11.221 PDT) 59355->80 (08:56:11.505 PDT) 91.218.38.132 (3) (08:54:00.539 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58541->2710 (08:54:00.539 PDT) ------------------------- event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 59004->2710 (08:55:29.960 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 59004->2710 (08:55:29.960 PDT) 176.32.193.173 (08:56:34.797 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (08:56:34.797 PDT) 92.43.227.18 (08:55:56.737 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59303->58196 (08:55:56.737 PDT) 58.95.243.108 (08:57:01.242 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 59663->20133 (08:57:01.242 PDT) 200.24.16.223 (08:53:34.678 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16758 (08:53:34.678 PDT) 50.19.95.119 (2) (08:53:41.256 PDT) event=1:1100017 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 58425->80 (08:53:41.256 PDT) ------------------------- event=1:2011699 {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/trac/scrape.php?info_hash=%FF%F9%BAb%1A%FF%A6%FF%FF%97%9B%0F%93%FF%FD] MAC_Src: 00:01:64:FF:CE:EA 58425->80 (08:53:41.256 PDT) 37.208.248.122 (08:54:34.237 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->49756 (08:54:34.237 PDT) 71.123.132.247 (08:57:36.228 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (08:57:36.228 PDT) 210.195.251.115 (08:55:34.200 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64874 (08:55:34.200 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (08:57:30.864 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59818->6099 (08:57:30.864 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373298814.678 1373298814.679 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 91.218.38.132 (2), 109.15.0.228, 166.78.158.73 (3), 82.84.92.18, 174.92.227.151, 58.95.243.108 Resource List: Observed Start: 07/08/2013 10:55:40.436 PDT Gen. Time: 07/08/2013 10:57:40.876 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 91.218.38.132 (2) (10:56:15.221 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57059->2710 (10:56:15.221 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 57059->2710 (10:56:15.221 PDT) 109.15.0.228 (10:55:40.436 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54414 (10:55:40.436 PDT) 166.78.158.73 (3) (10:56:51.481 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57341->80 (10:56:51.481 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 57341->80 (10:56:51.481 PDT) 57342->80 (10:56:51.633 PDT) 82.84.92.18 (10:57:40.345 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->39329 (10:57:40.345 PDT) 174.92.227.151 (10:56:40.440 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10101 (10:56:40.440 PDT) 58.95.243.108 (10:57:01.400 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57353->20133 (10:57:01.400 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (10:57:40.876 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (10:57:40.876 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373306140.436 1373306140.437 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73 (3), 174.92.227.151, 109.15.0.228, 91.218.38.132 (2), 82.84.92.18, 46.12.176.51, 58.95.243.108, 119.46.206.44, 150.101.100.2 Resource List: Observed Start: 07/08/2013 10:55:40.436 PDT Gen. Time: 07/08/2013 10:59:41.641 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (3) (10:56:51.481 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57341->80 (10:56:51.481 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 57341->80 (10:56:51.481 PDT) 57342->80 (10:56:51.633 PDT) 174.92.227.151 (10:56:40.440 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10101 (10:56:40.440 PDT) 109.15.0.228 (10:55:40.436 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->54414 (10:55:40.436 PDT) 91.218.38.132 (2) (10:56:15.221 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 57059->2710 (10:56:15.221 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 57059->2710 (10:56:15.221 PDT) 82.84.92.18 (10:57:40.345 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->39329 (10:57:40.345 PDT) 46.12.176.51 (10:58:40.444 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30669 (10:58:40.444 PDT) 58.95.243.108 (10:57:01.400 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57353->20133 (10:57:01.400 PDT) 119.46.206.44 (10:59:00.139 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 58122->16883 (10:59:00.139 PDT) 150.101.100.2 (10:59:41.641 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->60053 (10:59:41.641 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (10:57:40.876 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (10:57:40.876 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373306140.436 1373306140.437 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 70.95.91.144, 61.91.88.60 (2), 77.122.64.250, 166.78.158.73 (3), 163.178.126.66 Resource List: Observed Start: 07/08/2013 12:57:18.940 PDT Gen. Time: 07/08/2013 12:59:21.406 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 70.95.91.144 (12:58:27.939 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30031 (12:58:27.939 PDT) 61.91.88.60 (2) (12:57:18.940 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57165->16884 (12:57:18.940 PDT) 57574->16884 (12:58:20.951 PDT) 77.122.64.250 (12:58:51.218 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 57807->6881 (12:58:51.218 PDT) 166.78.158.73 (3) (12:57:51.062 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/i/data/120x120/1/4/2/aHR0cDovL2wueWltZy5jb20vYnQvYXBpL3Jlcy8xLjIvQnZzbGM0TTdCT1Q4Vlh6OTNzbTJpdy0tL1lYQndhV1E5ZVc1bGQzTTdabWs5W] MAC_Src: 00:01:64:FF:CE:EA 57421->80 (12:57:51.062 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 57421->80 (12:57:51.062 PDT) 57423->80 (12:57:51.349 PDT) 163.178.126.66 (12:57:27.444 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62348 (12:57:27.444 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (12:59:21.406 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57855->6099 (12:59:21.406 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373313438.940 1373313438.941 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 70.95.91.144, 61.91.88.60 (2), 201.141.138.1, 77.122.64.250, 87.0.48.215, 166.78.158.73 (3), 163.178.126.66 Resource List: Observed Start: 07/08/2013 12:57:18.940 PDT Gen. Time: 07/08/2013 13:00:29.012 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 70.95.91.144 (12:58:27.939 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->30031 (12:58:27.939 PDT) 61.91.88.60 (2) (12:57:18.940 PDT) event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 57165->16884 (12:57:18.940 PDT) 57574->16884 (12:58:20.951 PDT) 201.141.138.1 (12:59:29.740 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->12297 (12:59:29.740 PDT) 77.122.64.250 (12:58:51.218 PDT) event=1:2102181 {tcp} E7[info] GPL P2P BitTorrent transfer, [] MAC_Src: 00:01:64:FF:CE:EA 57807->6881 (12:58:51.218 PDT) 87.0.48.215 (13:00:29.012 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43039 (13:00:29.012 PDT) 166.78.158.73 (3) (12:57:51.062 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/i/data/120x120/1/4/2/aHR0cDovL2wueWltZy5jb20vYnQvYXBpL3Jlcy8xLjIvQnZzbGM0TTdCT1Q4Vlh6OTNzbTJpdy0tL1lYQndhV1E5ZVc1bGQzTTdabWs5W] MAC_Src: 00:01:64:FF:CE:EA 57421->80 (12:57:51.062 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 57421->80 (12:57:51.062 PDT) 57423->80 (12:57:51.349 PDT) 163.178.126.66 (12:57:27.444 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->62348 (12:57:27.444 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (12:59:21.406 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 57855->6099 (12:59:21.406 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373313438.940 1373313438.941 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 166.78.158.73 (3), 178.207.16.252, 186.159.113.86, 94.1.76.181, 88.26.252.43, 58.95.243.108, 86.49.119.110 Resource List: Observed Start: 07/08/2013 14:56:36.225 PDT Gen. Time: 07/08/2013 15:00:01.740 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 166.78.158.73 (3) (14:58:32.065 PDT) event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 53891->80 (14:58:32.065 PDT) ------------------------- event=1:2011699 (2) {tcp} E7[info] ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x), [/scrape?info_hash=%FF~%FFn-%05z3PC/%B8%BBV%FF%07%A5] MAC_Src: 00:01:64:FF:CE:EA 53891->80 (14:58:32.065 PDT) 53908->80 (14:58:32.256 PDT) 178.207.16.252 (14:59:50.079 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 54374->16881 (14:59:50.079 PDT) 186.159.113.86 (14:58:38.159 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->29227 (14:58:38.159 PDT) 94.1.76.181 (14:59:38.224 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->35804 (14:59:38.224 PDT) 88.26.252.43 (14:57:36.398 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->43611 (14:57:36.398 PDT) 58.95.243.108 (14:57:01.336 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 53452->20133 (14:57:01.336 PDT) 86.49.119.110 (14:56:36.225 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->52998 (14:56:36.225 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (15:00:01.740 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (15:00:01.740 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373320596.225 1373320596.226 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 123.110.141.189, 2.27.67.127, 174.114.58.60, 58.169.182.14 Resource List: Observed Start: 07/08/2013 16:59:07.045 PDT Gen. Time: 07/08/2013 17:01:41.282 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 123.110.141.189 (17:00:35.628 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55418->16881 (17:00:35.628 PDT) 2.27.67.127 (17:00:09.316 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (17:00:09.316 PDT) 174.114.58.60 (16:59:07.045 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48815 (16:59:07.045 PDT) 58.169.182.14 (17:01:09.304 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16243 (17:01:09.304 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:01:41.282 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55831->6099 (17:01:41.282 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373327947.045 1373327947.046 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 61.91.88.44, 123.110.141.189, 71.123.132.247, 2.27.67.127, 174.114.58.60, 58.169.182.14 Resource List: Observed Start: 07/08/2013 16:59:07.045 PDT Gen. Time: 07/08/2013 17:03:07.102 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 61.91.88.44 (17:01:42.867 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55847->16881 (17:01:42.867 PDT) 123.110.141.189 (17:00:35.628 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 55418->16881 (17:00:35.628 PDT) 71.123.132.247 (17:02:13.056 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (17:02:13.056 PDT) 2.27.67.127 (17:00:09.316 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (17:00:09.316 PDT) 174.114.58.60 (16:59:07.045 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->48815 (16:59:07.045 PDT) 58.169.182.14 (17:01:09.304 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->16243 (17:01:09.304 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (17:01:41.282 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 55831->6099 (17:01:41.282 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373327947.045 1373327947.046 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 110.136.220.235 Resource List: Observed Start: 07/08/2013 19:01:14.994 PDT Gen. Time: 07/08/2013 19:01:50.442 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 110.136.220.235 (19:01:14.994 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (19:01:14.994 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:01:50.442 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (19:01:50.442 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373335274.994 1373335274.995 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 91.218.38.132 (2), 181.47.89.155, 110.136.220.235, 94.1.76.181, 121.7.253.149, 202.175.42.226 Resource List: Observed Start: 07/08/2013 19:01:14.994 PDT Gen. Time: 07/08/2013 19:05:16.448 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 91.218.38.132 (2) (19:03:38.438 PDT) event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:01:64:FF:CE:EA 51383->2710 (19:03:38.438 PDT) ------------------------- event=1:2102180 {tcp} E7[info] GPL P2P BitTorrent announce request, [] MAC_Src: 00:01:64:FF:CE:EA 51383->2710 (19:03:38.438 PDT) 181.47.89.155 (19:03:21.281 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->64476 (19:03:21.281 PDT) 110.136.220.235 (19:01:14.994 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (19:01:14.994 PDT) 94.1.76.181 (19:04:21.129 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->35806 (19:04:21.129 PDT) 121.7.253.149 (19:02:21.547 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->59696 (19:02:21.547 PDT) 202.175.42.226 (19:02:12.406 PDT) event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:01:64:FF:CE:EA 51127->56788 (19:02:12.406 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (19:01:50.442 PDT) event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 51413->6099 (19:01:50.442 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373335274.994 1373335274.995 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 86.59.152.111, 50.46.192.68 Resource List: Observed Start: 07/08/2013 21:01:55.270 PDT Gen. Time: 07/08/2013 21:03:21.021 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 86.59.152.111 (21:01:55.270 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10127 (21:01:55.270 PDT) 50.46.192.68 (21:03:05.898 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (21:03:05.898 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:03:21.021 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59252->6099 (21:03:21.021 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373342515.270 1373342515.271 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.36 Infector List: Egg Source List: C & C List: Peer Coord. List: 90.222.144.201, 86.59.152.111, 50.46.192.68, 110.136.220.235 Resource List: Observed Start: 07/08/2013 21:01:55.270 PDT Gen. Time: 07/08/2013 21:05:13.216 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info 90.222.144.201 (21:04:12.203 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->19152 (21:04:12.203 PDT) 86.59.152.111 (21:01:55.270 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->10127 (21:01:55.270 PDT) 50.46.192.68 (21:03:05.898 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->51413 (21:03:05.898 PDT) 110.136.220.235 (21:05:13.216 PDT) event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:01:64:FF:CE:EA 51413->45682 (21:05:13.216 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 69.43.161.167 (21:03:21.021 PDT) event=1:9930009 {tcp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA 59252->6099 (21:03:21.021 PDT) DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1373342515.270 1373342515.271 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.36' ============================== SEPARATOR ================================