Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 08/27/2013 14:00:08.264 PDT
Gen. Time: 08/27/2013 14:00:48.421 PDT
   INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      128.10.19.53 (14:00:08.264 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46452->22 (14:00:08.264 PDT)
      198.133.224.147 (2) (14:00:45.882 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35650->22 (14:00:45.882 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35650->22 (14:00:45.882 PDT)
      204.8.155.226 (14:00:35.406 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45118->22 (14:00:35.406 PDT)
      204.123.28.56 (14:00:22.095 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58121->22 (14:00:22.095 PDT)
   ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      155.246.12.164 (14:00:48.421 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (13 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:48.421 PDT)
tcpslice 1377637208.264 1377637208.265 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================
Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 08/27/2013 14:00:08.264 PDT
Gen. Time: 08/27/2013 14:09:53.275 PDT
   INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      128.208.4.197 (14:01:43.290 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33833->22 (14:01:43.290 PDT)
      128.10.19.53 (14:00:08.264 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46452->22 (14:00:08.264 PDT)
      128.10.19.52 (14:02:02.202 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56790->22 (14:02:02.202 PDT)
      134.88.5.251 (2) (14:01:37.540 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 38748->22 (14:01:37.540 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38748->22 (14:01:37.540 PDT)
      155.246.12.164 (14:02:21.938 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40800->22 (14:02:21.938 PDT)
      165.91.55.8 (2) (14:02:12.023 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40864->22 (14:02:12.023 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40864->22 (14:02:12.023 PDT)
      158.130.6.253 (14:01:51.451 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53153->22 (14:01:51.451 PDT)
      204.123.28.56 (14:00:22.095 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58121->22 (14:00:22.095 PDT)
      128.42.142.44 (14:01:21.659 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40336->22 (14:01:21.659 PDT)
      204.123.28.55 (14:02:33.516 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45175->22 (14:02:33.516 PDT)
      204.8.155.226 (14:00:35.406 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45118->22 (14:00:35.406 PDT)
      198.133.224.147 (2) (14:00:45.882 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35650->22 (14:00:45.882 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35650->22 (14:00:45.882 PDT)
      129.63.159.101 (14:01:28.386 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54970->22 (14:01:28.386 PDT)
      128.252.19.18 (14:01:12.140 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34972->22 (14:01:12.140 PDT)
   ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      155.246.12.164 (4) (14:00:48.421 PDT-14:05:22.789 PDT)
        event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (13 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:48.421 PDT)
        3: 0->0 (14:02:20.722 PDT-14:05:22.789 PDT)
tcpslice 1377637208.264 1377637522.790 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 08/27/2013 14:06:32.319 PDT
Gen. Time: 08/27/2013 14:06:32.319 PDT
   INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      155.246.12.164 (14:06:32.319 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (25 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:06:32.319 PDT)
tcpslice 1377637592.319 1377637592.320 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================
Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 08/27/2013 15:07:10.477 PDT
Gen. Time: 08/27/2013 15:09:25.134 PDT
   INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      128.111.52.58 (2) (15:07:57.523 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 54146->22 (15:07:57.523 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54153->22 (15:07:58.630 PDT)
      128.208.4.197 (15:08:42.121 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49946->22 (15:08:42.121 PDT)
      128.10.19.53 (15:08:13.574 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34710->22 (15:08:13.574 PDT)
      131.179.150.72 (15:07:10.477 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49876->22 (15:07:10.477 PDT)
      72.36.112.79 (15:07:34.039 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56735->22 (15:07:34.039 PDT)
      131.179.150.70 (15:08:16.832 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48380->22 (15:08:16.832 PDT)
      13.7.64.22 (15:08:37.531 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36035->22 (15:08:37.531 PDT)
      128.42.142.45 (15:07:20.785 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53408->22 (15:07:20.785 PDT)
      204.123.28.56 (15:07:23.313 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46094->22 (15:07:23.313 PDT)
      204.8.155.227 (15:07:48.687 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41140->22 (15:07:48.687 PDT)
      192.91.235.230 (15:08:06.389 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44674->22 (15:08:06.389 PDT)
      129.82.12.188 (2) (15:08:20.237 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57357->22 (15:08:20.237 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57370->22 (15:08:22.808 PDT)
      141.212.113.180 (15:07:55.127 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39032->22 (15:07:55.127 PDT)
      141.212.113.179 (15:08:29.854 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52297->22 (15:08:29.854 PDT)
      130.127.39.152 (15:07:41.044 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48039->22 (15:07:41.044 PDT)
   ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      13.7.64.22 (15:09:25.134 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (17 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:09:25.134 PDT)
tcpslice 1377641230.477 1377641230.478 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================
Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 08/27/2013 15:07:10.477 PDT
Gen. Time: 08/27/2013 15:15:58.191 PDT
   INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      128.111.52.58 (2) (15:07:57.523 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 54146->22 (15:07:57.523 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54153->22 (15:07:58.630 PDT)
      128.208.4.197 (15:08:42.121 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49946->22 (15:08:42.121 PDT)
      128.10.19.53 (15:08:13.574 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34710->22 (15:08:13.574 PDT)
      131.179.150.72 (15:07:10.477 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49876->22 (15:07:10.477 PDT)
      72.36.112.79 (15:07:34.039 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56735->22 (15:07:34.039 PDT)
      131.179.150.70 (15:08:16.832 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48380->22 (15:08:16.832 PDT)
      13.7.64.22 (15:08:37.531 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36035->22 (15:08:37.531 PDT)
      128.42.142.45 (15:07:20.785 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53408->22 (15:07:20.785 PDT)
      204.123.28.56 (15:07:23.313 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46094->22 (15:07:23.313 PDT)
      204.8.155.227 (15:07:48.687 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41140->22 (15:07:48.687 PDT)
      192.91.235.230 (15:08:06.389 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44674->22 (15:08:06.389 PDT)
      129.82.12.188 (2) (15:08:20.237 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57357->22 (15:08:20.237 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57370->22 (15:08:22.808 PDT)
      141.212.113.180 (15:07:55.127 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39032->22 (15:07:55.127 PDT)
      141.212.113.179 (15:08:29.854 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52297->22 (15:08:29.854 PDT)
      130.127.39.152 (15:07:41.044 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48039->22 (15:07:41.044 PDT)
   ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      142.4.219.198 (15:10:56.171 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (23 /24s) (# pkts S/M/O/I=0/33/2/0): 22:33, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:10:56.171 PDT)
      13.7.64.22 (15:09:25.134 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (17 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:09:25.134 PDT)
tcpslice 1377641230.477 1377641230.478 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 08/27/2013 15:12:16.189 PDT
Gen. Time: 08/27/2013 15:12:16.189 PDT
   INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      142.4.219.198 (15:12:16.189 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (26 /24s) (# pkts S/M/O/I=0/43/2/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:12:16.189 PDT)
tcpslice 1377641536.189 1377641536.190 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================
Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 08/27/2013 15:27:53.735 PDT
Gen. Time: 08/27/2013 15:30:02.857 PDT
   INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      128.111.52.58 (15:28:48.297 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58691->22 (15:28:48.297 PDT)
      128.208.4.197 (15:29:27.208 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54361->22 (15:29:27.208 PDT)
      128.10.19.53 (15:29:01.974 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39212->22 (15:29:01.974 PDT)
      131.179.150.72 (15:27:53.735 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54430->22 (15:27:53.735 PDT)
      72.36.112.79 (15:28:24.961 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33039->22 (15:28:24.961 PDT)
      131.179.150.70 (2) (15:29:04.774 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52866->22 (15:29:04.774 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52866->22 (15:29:04.774 PDT)
      13.7.64.22 (15:29:23.567 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40466->22 (15:29:23.567 PDT)
      128.42.142.45 (15:28:08.780 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57948->22 (15:28:08.780 PDT)
      204.123.28.56 (15:28:11.032 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50626->22 (15:28:11.032 PDT)
      204.8.155.227 (15:28:39.217 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45681->22 (15:28:39.217 PDT)
      192.91.235.230 (15:28:55.164 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49191->22 (15:28:55.164 PDT)
      129.82.12.188 (15:29:10.032 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33610->22 (15:29:10.032 PDT)
      141.212.113.180 (2) (15:28:45.325 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43572->22 (15:28:45.325 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43572->22 (15:28:45.325 PDT)
      141.212.113.179 (15:29:17.513 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56757->22 (15:29:17.513 PDT)
      130.127.39.152 (15:28:31.802 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52580->22 (15:28:31.802 PDT)
   ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      128.42.142.45 (15:30:02.857 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (17 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:30:02.857 PDT)
tcpslice 1377642473.735 1377642473.736 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================
Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 08/27/2013 15:27:53.735 PDT
Gen. Time: 08/27/2013 15:35:31.507 PDT
   INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      128.111.52.58 (15:28:48.297 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58691->22 (15:28:48.297 PDT)
      128.208.4.197 (15:29:27.208 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54361->22 (15:29:27.208 PDT)
      128.10.19.53 (15:29:01.974 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39212->22 (15:29:01.974 PDT)
      131.179.150.72 (15:27:53.735 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54430->22 (15:27:53.735 PDT)
      72.36.112.79 (15:28:24.961 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33039->22 (15:28:24.961 PDT)
      131.179.150.70 (2) (15:29:04.774 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52866->22 (15:29:04.774 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52866->22 (15:29:04.774 PDT)
      13.7.64.22 (15:29:23.567 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40466->22 (15:29:23.567 PDT)
      128.42.142.45 (15:28:08.780 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57948->22 (15:28:08.780 PDT)
      204.123.28.56 (15:28:11.032 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50626->22 (15:28:11.032 PDT)
      204.8.155.227 (15:28:39.217 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45681->22 (15:28:39.217 PDT)
      192.91.235.230 (15:28:55.164 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49191->22 (15:28:55.164 PDT)
      129.82.12.188 (15:29:10.032 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33610->22 (15:29:10.032 PDT)
      141.212.113.180 (2) (15:28:45.325 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43572->22 (15:28:45.325 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43572->22 (15:28:45.325 PDT)
      141.212.113.179 (15:29:17.513 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56757->22 (15:29:17.513 PDT)
      130.127.39.152 (15:28:31.802 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52580->22 (15:28:31.802 PDT)
   ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      128.42.142.45 (15:30:02.857 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (17 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:30:02.857 PDT)
      204.123.28.55 (15:31:33.063 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (22 /24s) (# pkts S/M/O/I=0/32/0/0): 22:32, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:31:33.063 PDT)
tcpslice 1377642473.735 1377642473.736 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 08/27/2013 15:32:49.453 PDT
Gen. Time: 08/27/2013 15:32:49.453 PDT
   INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      204.123.28.55 (15:32:49.453 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (25 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:32:49.453 PDT)
tcpslice 1377642769.453 1377642769.454 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================
Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 08/27/2013 15:48:32.669 PDT
Gen. Time: 08/27/2013 15:50:45.091 PDT
   INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      128.111.52.58 (15:49:25.666 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33840->22 (15:49:25.666 PDT)
      128.208.4.197 (15:49:58.124 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57643->22 (15:49:58.124 PDT)
      128.10.19.53 (15:49:39.176 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42560->22 (15:49:39.176 PDT)
      131.179.150.72 (15:48:32.669 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57950->22 (15:48:32.669 PDT)
      72.36.112.79 (15:49:01.992 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36483->22 (15:49:01.992 PDT)
      131.179.150.70 (2) (15:49:40.305 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56205->22 (15:49:40.305 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56209->22 (15:49:42.108 PDT)
      13.7.64.22 (15:49:57.406 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43758->22 (15:49:57.406 PDT)
      128.42.142.45 (15:48:47.571 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33200->22 (15:48:47.571 PDT)
      204.123.28.56 (15:48:50.178 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54108->22 (15:48:50.178 PDT)
      204.8.155.227 (15:49:16.170 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49084->22 (15:49:16.170 PDT)
      192.91.235.230 (15:49:32.614 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52560->22 (15:49:32.614 PDT)
      129.82.12.188 (15:49:47.141 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36937->22 (15:49:47.141 PDT)
      141.212.113.180 (2) (15:49:17.592 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46958->22 (15:49:17.592 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46962->22 (15:49:22.499 PDT)
      141.212.113.179 (15:49:53.374 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60061->22 (15:49:53.374 PDT)
      130.127.39.152 (15:49:08.586 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56003->22 (15:49:08.586 PDT)
   ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      134.88.5.251 (15:50:45.091 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (17 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:50:45.091 PDT)
tcpslice 1377643712.669 1377643712.670 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================
Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 08/27/2013 15:48:32.669 PDT
Gen. Time: 08/27/2013 15:56:29.269 PDT
   INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      128.111.52.58 (15:49:25.666 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33840->22 (15:49:25.666 PDT)
      128.208.4.197 (15:49:58.124 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57643->22 (15:49:58.124 PDT)
      128.10.19.53 (15:49:39.176 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42560->22 (15:49:39.176 PDT)
      131.179.150.72 (15:48:32.669 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57950->22 (15:48:32.669 PDT)
      72.36.112.79 (15:49:01.992 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36483->22 (15:49:01.992 PDT)
      131.179.150.70 (2) (15:49:40.305 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56205->22 (15:49:40.305 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56209->22 (15:49:42.108 PDT)
      13.7.64.22 (15:49:57.406 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43758->22 (15:49:57.406 PDT)
      128.42.142.45 (15:48:47.571 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33200->22 (15:48:47.571 PDT)
      204.123.28.56 (15:48:50.178 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54108->22 (15:48:50.178 PDT)
      204.8.155.227 (15:49:16.170 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49084->22 (15:49:16.170 PDT)
      192.91.235.230 (15:49:32.614 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52560->22 (15:49:32.614 PDT)
      129.82.12.188 (15:49:47.141 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36937->22 (15:49:47.141 PDT)
      141.212.113.180 (2) (15:49:17.592 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46958->22 (15:49:17.592 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46962->22 (15:49:22.499 PDT)
      141.212.113.179 (15:49:53.374 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60061->22 (15:49:53.374 PDT)
      130.127.39.152 (15:49:08.586 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56003->22 (15:49:08.586 PDT)
   ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      134.88.5.251 (2) (15:50:45.091 PDT)
        event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (17 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:50:45.091 PDT)
        0->0 (15:52:15.389 PDT)
tcpslice 1377643712.669 1377643712.670 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 08/27/2013 15:59:36.547 PDT
Gen. Time: 08/27/2013 15:59:36.547 PDT
   INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      128.36.233.153 (15:59:36.547 PDT)
        event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 46 IPs (28 /24s) (# pkts S/M/O/I=0/43/3/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA (15:59:36.547 PDT)
tcpslice 1377644376.547 1377644376.548 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 08/27/2013 16:05:24.731 PDT
Gen. Time: 08/27/2013 16:05:24.731 PDT
   INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      204.123.28.56 (16:05:24.731 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:05:24.731 PDT)
tcpslice 1377644724.731 1377644724.732 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================
Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 08/27/2013 16:05:24.731 PDT
Gen. Time: 08/27/2013 15:32:12.108 PDT
   INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      128.111.52.58 (2) (16:09:56.975 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 34067->22 (16:09:56.975 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34067->22 (16:09:56.975 PDT)
      128.10.19.53 (16:10:10.440 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42787->22 (16:10:10.440 PDT)
      131.179.150.72 (16:09:11.444 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58177->22 (16:09:11.444 PDT)
      72.36.112.79 (2) (16:09:33.431 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36710->22 (16:09:33.431 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36710->22 (16:09:33.431 PDT)
      131.179.150.70 (16:10:13.263 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56436->22 (16:10:13.263 PDT)
      13.7.64.22 (16:10:31.136 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43984->22 (16:10:31.136 PDT)
      128.42.142.45 (16:09:21.698 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33427->22 (16:09:21.698 PDT)
      204.123.28.56 (16:09:23.981 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54335->22 (16:09:23.981 PDT)
      204.8.155.227 (16:09:47.736 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49311->22 (16:09:47.736 PDT)
      192.91.235.230 (16:10:04.087 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52787->22 (16:10:04.087 PDT)
      129.82.12.188 (2) (16:10:18.737 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37164->22 (16:10:18.737 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37164->22 (16:10:18.737 PDT)
      141.212.113.180 (16:09:53.987 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47189->22 (16:09:53.987 PDT)
      141.212.113.179 (16:10:26.569 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60287->22 (16:10:26.569 PDT)
      130.127.39.152 (16:09:40.113 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56230->22 (16:09:40.113 PDT)
   ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      204.123.28.56 (7) (16:05:24.731 PDT-16:08:38.779 PDT)
        event=777:7777008 (7) {tcp} E8[bh] Detected intense malware port scanning of 36 IPs (23 /24s) (# pkts S/M/O/I=0/36/0/0): 22:36, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:11:39.342 PDT)
        0->0 (16:14:55.843 PDT)
        0->0 (16:05:24.731 PDT)
        0->0 (16:13:10.266 PDT)
        2: 0->0 (16:07:00.195 PDT-16:08:38.779 PDT)
        0->0 (16:10:08.036 PDT)
tcpslice 1377644724.731 1377644918.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 08/27/2013 16:17:02.307 PDT
Gen.
Time: 08/27/2013 16:17:02.307 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.56 (16:17:02.307 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (25 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:17:02.307 PDT) tcpslice 1377645422.307 1377645422.308 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 08/27/2013 16:21:58.243 PDT Gen. Time: 08/27/2013 16:21:58.243 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.56 (16:21:58.243 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (25 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:21:58.243 PDT) tcpslice 1377645718.243 1377645718.244 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 08/27/2013 16:26:56.002 PDT Gen. Time: 08/27/2013 16:26:56.002 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.56 (16:26:56.002 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (26 /24s) (# pkts S/M/O/I=0/43/1/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:26:56.002 PDT) tcpslice 1377646016.002 1377646016.003 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 08/27/2013 16:26:56.002 PDT Gen. 
Time: 08/27/2013 16:38:25.722 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (16:30:25.452 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34293->22 (16:30:25.452 PDT) 128.208.4.197 (16:31:05.297 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58100->22 (16:31:05.297 PDT) 128.10.19.53 (16:30:39.197 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43013->22 (16:30:39.197 PDT) 131.179.150.72 (16:29:27.314 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58403->22 (16:29:27.314 PDT) 72.36.112.79 (16:30:01.796 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36936->22 (16:30:01.796 PDT) 131.179.150.70 (2) (16:30:42.286 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56662->22 (16:30:42.286 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56662->22 (16:30:42.286 PDT) 13.7.64.22 (16:31:00.762 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44211->22 (16:31:00.762 PDT) 128.42.142.45 (16:29:42.404 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33653->22 (16:29:42.404 PDT) 204.123.28.56 (16:29:44.750 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54561->22 (16:29:44.750 PDT) 204.8.155.227 (16:30:16.352 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 
00:01:64:FF:CE:EA 49537->22 (16:30:16.352 PDT) 192.91.235.230 (16:30:32.653 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53013->22 (16:30:32.653 PDT) 129.82.12.188 (16:30:48.162 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37390->22 (16:30:48.162 PDT) 141.212.113.180 (2) (16:30:22.511 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47415->22 (16:30:22.511 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47415->22 (16:30:22.511 PDT) 141.212.113.179 (16:30:54.163 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60514->22 (16:30:54.163 PDT) 130.127.39.152 (16:30:08.795 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56456->22 (16:30:08.795 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.56 (5) (16:26:56.002 PDT-16:33:20.007 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (26 /24s) (# pkts S/M/O/I=0/43/1/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (16:26:56.002 PDT-16:33:20.007 PDT) tcpslice 1377646016.002 1377646400.008 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 08/27/2013 16:43:47.818 PDT Gen. 
Time: 08/27/2013 16:43:47.818 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.56 (16:43:47.818 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 45 IPs (27 /24s) (# pkts S/M/O/I=0/43/2/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA (16:43:47.818 PDT) tcpslice 1377647027.818 1377647027.819 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 08/27/2013 16:50:04.948 PDT Gen. 
Time: 08/27/2013 16:52:25.247 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (16:51:03.334 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34839->22 (16:51:03.334 PDT) 128.208.4.197 (16:51:41.639 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58646->22 (16:51:41.639 PDT) 128.10.19.53 (16:51:16.754 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43559->22 (16:51:16.754 PDT) 131.179.150.72 (16:50:04.948 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58949->22 (16:50:04.948 PDT) 72.36.112.79 (16:50:39.189 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37482->22 (16:50:39.189 PDT) 131.179.150.70 (2) (16:51:19.901 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57208->22 (16:51:19.901 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57208->22 (16:51:19.901 PDT) 13.7.64.22 (16:51:37.903 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44757->22 (16:51:37.903 PDT) 128.42.142.45 (16:50:19.998 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34199->22 (16:50:19.998 PDT) 204.123.28.56 (16:50:22.374 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55107->22 (16:50:22.374 PDT) 204.8.155.227 (16:50:53.655 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 
00:01:64:FF:CE:EA 50083->22 (16:50:53.655 PDT) 192.91.235.230 (16:51:10.115 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53559->22 (16:51:10.115 PDT) 129.82.12.188 (16:51:25.207 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37936->22 (16:51:25.207 PDT) 141.212.113.180 (2) (16:51:00.312 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47961->22 (16:51:00.312 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47961->22 (16:51:00.312 PDT) 141.212.113.179 (16:51:31.160 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32827->22 (16:51:31.160 PDT) 130.127.39.152 (16:50:45.888 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57002->22 (16:50:45.888 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.197 (16:52:25.247 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (17 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:52:25.247 PDT) tcpslice 1377647404.948 1377647404.949 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 08/27/2013 16:50:04.948 PDT Gen. 
Time: 08/27/2013 16:59:27.624 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (16:51:03.334 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34839->22 (16:51:03.334 PDT) 128.208.4.197 (16:51:41.639 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58646->22 (16:51:41.639 PDT) 128.10.19.53 (16:51:16.754 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43559->22 (16:51:16.754 PDT) 131.179.150.72 (16:50:04.948 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58949->22 (16:50:04.948 PDT) 72.36.112.79 (16:50:39.189 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37482->22 (16:50:39.189 PDT) 131.179.150.70 (2) (16:51:19.901 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57208->22 (16:51:19.901 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57208->22 (16:51:19.901 PDT) 13.7.64.22 (16:51:37.903 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44757->22 (16:51:37.903 PDT) 128.42.142.45 (16:50:19.998 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34199->22 (16:50:19.998 PDT) 204.123.28.56 (16:50:22.374 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55107->22 (16:50:22.374 PDT) 204.8.155.227 (16:50:53.655 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 
00:01:64:FF:CE:EA 50083->22 (16:50:53.655 PDT) 192.91.235.230 (16:51:10.115 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53559->22 (16:51:10.115 PDT) 129.82.12.188 (16:51:25.207 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37936->22 (16:51:25.207 PDT) 141.212.113.180 (2) (16:51:00.312 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47961->22 (16:51:00.312 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47961->22 (16:51:00.312 PDT) 141.212.113.179 (16:51:31.160 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32827->22 (16:51:31.160 PDT) 130.127.39.152 (16:50:45.888 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57002->22 (16:50:45.888 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.198 (16:55:25.103 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (25 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:55:25.103 PDT) 128.208.4.197 (16:52:25.247 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (17 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:52:25.247 PDT) 198.133.224.147 (16:53:55.127 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:53:55.127 PDT) tcpslice 1377647404.948 1377647404.949 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================
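Each profile above follows the same shape: a score against the 0.8 threshold, the infected host, an Observed Start / Gen. Time pair, the per-destination Emerging Threats events (1:2003068 "Potential SSH Scan OUTBOUND" and the 1:2001219 "20 in 60 secs" rate rule, every flow to port 22 from a fresh ephemeral port), the E8 "intense malware port scanning" summary, and a tcpslice pipeline whose epoch arguments carve the capture for that window. The parser below is an added example, not BotHunter's code and not part of the report: it reads profiles in this layout (the original multi-line output or a flattened copy), extracts the SSH-scan destination list, the /24 spread, the rate-rule hits and the E8 counts, and checks that the tcpslice start argument really equals Observed Start (the stamps are PDT, UTC-7). The two-profile report it runs on is constructed from the records on this page; the dictionary key names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# BotHunter stamps local time as PDT (UTC-7); the tcpslice arguments are the same
# instants as Unix epoch seconds, which the consistency check below relies on.
PDT = timezone(timedelta(hours=-7))

SEP_RE = re.compile(r"=+ SEPARATOR =+")
HDR_RE = re.compile(
    r"Score: (?P<score>[\d.]+) \(>= (?P<threshold>[\d.]+)\).*?"
    r"Infected Target: (?P<target>\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"Observed Start: (?P<start>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) PDT "
    r"Gen\. Time: (?P<gen>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) PDT"
)
# Alert entry: destination, optional repeat count, first-seen time (or a time
# range), then the signature id (optionally counted) of the first event under it.
ENTRY_RE = re.compile(
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) (?:\(\d+\) )?"
    r"\(\d\d:\d\d:\d\d\.\d{3} PDT(?:-\d\d:\d\d:\d\d\.\d{3} PDT)?\) "
    r"event=(?P<sid>\d+:\d+)(?: \(\d+\))? \{(?P<proto>\w+)\}"
)
FLOW_RE = re.compile(r"\d+->(?P<dport>\d+) \(\d\d:\d\d:\d\d\.\d{3} PDT\)")
PORTSCAN_RE = re.compile(
    r"event=777:7777008.*?scanning of (?P<ips>\d+) IPs \((?P<nets>\d+) /24s\) "
    r"\(# pkts S/M/O/I=\d+/(?P<m>\d+)/\d+/\d+\)"
)
TCPSLICE_RE = re.compile(r"tcpslice (?P<start>\d+\.\d+) (?P<end>\d+\.\d+) ")
SSH_SIDS = {"1:2003068", "1:2001219"}  # the two ET SSH-scan rules in the profiles
RATE_SID = "1:2001219"                 # the "20 in 60 secs" rate rule

# Constructed two-profile report modelled on the records above, not real output.
SAMPLE_REPORT = """\
Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Observed Start: 08/27/2013 16:50:04.948 PDT
Gen. Time: 08/27/2013 16:52:25.247 PDT
OUTBOUND SCAN
  131.179.150.72 (16:50:04.948 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      58949->22 (16:50:04.948 PDT)
  128.111.52.58 (16:51:03.334 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      34839->22 (16:51:03.334 PDT)
  131.179.150.70 (2) (16:51:19.901 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
      57208->22 (16:51:19.901 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      57208->22 (16:51:19.901 PDT)
OUTBOUND INTENSE MALWARE PORT SCAN
  128.208.4.197 (16:52:25.247 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (17 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA
      0->0 (16:52:25.247 PDT)
tcpslice 1377647404.948 1377647404.949 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Observed Start: 08/27/2013 15:59:36.547 PDT
Gen. Time: 08/27/2013 15:59:36.547 PDT
OUTBOUND INTENSE MALWARE PORT SCAN
  128.36.233.153 (15:59:36.547 PDT)
    event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 46 IPs (28 /24s) (# pkts S/M/O/I=0/43/3/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA
      (15:59:36.547 PDT)
tcpslice 1377644376.547 1377644376.548 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
"""

def to_epoch(stamp):
    # "08/27/2013 16:50:04.948" in PDT -> epoch seconds, the unit tcpslice takes
    return datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PDT).timestamp()

def split_profiles(report):
    # Split on SEPARATOR lines and collapse whitespace, so the same regexes work on
    # BotHunter's multi-line layout and on a flattened copy like the one above.
    return [" ".join(p.split()) for p in SEP_RE.split(report) if p.strip()]

def parse_profile(profile):
    hdr = HDR_RE.search(profile)
    if hdr is None:
        raise ValueError("no BotHunter profile header found")
    ssh_targets, rate_alerts = set(), 0
    for m in ENTRY_RE.finditer(profile):
        if m["sid"] in SSH_SIDS:
            ssh_targets.add(m["dst"])
            if m["sid"] == RATE_SID:
                rate_alerts += 1
    dports = {int(f["dport"]) for f in FLOW_RE.finditer(profile)} - {0}  # E8 logs 0->0
    ps, ts = PORTSCAN_RE.search(profile), TCPSLICE_RE.search(profile)
    score, threshold = float(hdr["score"]), float(hdr["threshold"])
    return {
        "target": hdr["target"], "score": score, "above_threshold": score >= threshold,
        "ssh_scan_targets": sorted(ssh_targets, key=lambda ip: tuple(map(int, ip.split(".")))),
        "ssh_scan_subnets": len({ip.rsplit(".", 1)[0] for ip in ssh_targets}),
        "rate_alerts": rate_alerts,
        "ssh_only": (dports == {22}) if dports else None,
        "portscan": ps and {"ips": int(ps["ips"]), "subnets": int(ps["nets"]), "medium_pkts": int(ps["m"])},
        "carve_window": ts and (float(ts["start"]), float(ts["end"])),
        # The window must open at Observed Start, or tcpslice cuts the wrong capture slice.
        "carve_matches_start": bool(ts) and abs(float(ts["start"]) - to_epoch(hdr["start"])) < 1e-3,
    }

def summarize(report):
    return [parse_profile(p) for p in split_profiles(report)]
```

`summarize(SAMPLE_REPORT)` returns one dictionary per profile; for the first it lists the three SSH targets across two /24s with one rate-rule hit, confirms every logged flow went to port 22, and reports that the carve window 1377647404.948 is exactly Observed Start 16:50:04.948 PDT. Run it over the whole page after rejoining the records and the single-host, many-/24 pattern (one source MAC, one destination port, one connection per target) is what separates this outbound sweep from the inbound brute-force traffic the same two ET rules also fire on.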