Score: 0.8 (>= 0.8)
Infected Target: 128.18.30.247
Infector List: 192.168.1.19
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 08:38:55.712 PDT
Gen. Time: 09/03/2013 08:38:55.712 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
  192.168.1.19 (08:38:55.712 PDT)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    57365->80 (08:38:55.712 PDT)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378222735.712 1378222735.713 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 128.18.30.247'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 128.18.30.247
Infector List: 192.168.1.19
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 08:38:55.712 PDT
Gen. Time: 09/03/2013 09:07:53.004 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
  192.168.1.19 (17) (08:38:55.712 PDT)
    event=1:92009714 (11) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/index.html?urlmaskfilter=] MAC_Dst: 00:01:64:FF:CE:EA
    57471->80 (08:40:05.274 PDT) 57478->80 (08:40:07.306 PDT) 57484->80 (08:40:10.351 PDT) 58255->80 (08:42:36.917 PDT) 59773->80 (08:45:27.962 PDT) 59787->80 (08:45:28.501 PDT) 59788->80 (08:45:28.622 PDT) 59793->80 (08:45:28.921 PDT) 59797->80 (08:45:29.093 PDT) 59798->80 (08:45:29.116 PDT) 59799->80 (08:45:29.116 PDT)
    -------------------------
    event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    57365->80 (08:38:55.712 PDT) 59766->80 (08:45:27.745 PDT) 59803->80 (08:45:29.224 PDT)
    -------------------------
    event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 00:01:64:FF:CE:EA
    59868->80 (08:45:34.871 PDT)
    -------------------------
    event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:01:64:FF:CE:EA
    59868->80 (08:45:34.871 PDT)
    -------------------------
    event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 00:01:64:FF:CE:EA
    59868->80 (08:45:34.871 PDT)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378222735.712 1378222735.713 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 128.18.30.247'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 128.18.30.247
Infector List: 192.168.1.243
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 09:13:06.482 PDT
Gen. Time: 09/03/2013 09:13:06.482 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
  192.168.1.243 (09:13:06.482 PDT)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    40942->80 (09:13:06.482 PDT)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378224786.482 1378224786.483 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 128.18.30.247'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 128.18.30.247
Infector List: 192.168.1.243, 192.168.1.228, 192.168.1.227
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 09:13:06.482 PDT
Gen. Time: 09/03/2013 09:28:12.465 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
  192.168.1.243 (7) (09:13:06.482 PDT)
    event=1:92009714 (5) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/index.html?urlmaskfilter=] MAC_Dst: 00:01:64:FF:CE:EA
    41335->80 (09:14:29.061 PDT) 41340->80 (09:14:31.076 PDT) 41351->80 (09:14:34.092 PDT) 42008->80 (09:17:05.467 PDT) 43467->80 (09:20:38.504 PDT)
    -------------------------
    event=1:92016184 (2) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    40942->80 (09:13:06.482 PDT) 43459->80 (09:20:38.451 PDT)
  192.168.1.228 (5) (09:13:15.383 PDT)
    event=1:92009714 (4) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/index.html?urlmaskfilter=] MAC_Dst: 00:01:64:FF:CE:EA
    33492->80 (09:14:24.784 PDT) 33495->80 (09:14:26.793 PDT) 33503->80 (09:14:29.808 PDT) 34464->80 (09:17:32.996 PDT)
    -------------------------
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    33153->80 (09:13:15.383 PDT)
  192.168.1.227 (5) (09:14:12.485 PDT)
    event=1:92009714 (4) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/index.html?urlmaskfilter=] MAC_Dst: 00:01:64:FF:CE:EA
    57430->80 (09:15:21.931 PDT) 57432->80 (09:15:23.938 PDT) 57473->80 (09:15:29.953 PDT) 58461->80 (09:18:30.019 PDT)
    -------------------------
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    57062->80 (09:14:12.485 PDT)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378224786.482 1378224786.483 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 128.18.30.247'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 128.18.30.247
Infector List: 192.168.1.9
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 12:15:22.393 PDT
Gen. Time: 09/03/2013 12:15:22.393 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
  192.168.1.9 (12:15:22.393 PDT)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    34762->80 (12:15:22.393 PDT)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378235722.393 1378235722.394 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 128.18.30.247'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 128.18.30.247
Infector List: 192.168.1.47, 192.168.1.14, 192.168.1.9
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 12:15:22.393 PDT
Gen. Time: 09/03/2013 12:29:58.482 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
  192.168.1.47 (5) (12:17:20.033 PDT)
    event=1:92009714 (4) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/index.html?urlmaskfilter=] MAC_Dst: 00:01:64:FF:CE:EA
    44645->80 (12:18:29.526 PDT) 44721->80 (12:18:31.543 PDT) 44863->80 (12:18:34.559 PDT) 52269->80 (12:21:41.229 PDT)
    -------------------------
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    42170->80 (12:17:20.033 PDT)
  192.168.1.14 (5) (12:15:28.648 PDT)
    event=1:92009714 (4) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/index.html?urlmaskfilter=] MAC_Dst: 00:01:64:FF:CE:EA
    59776->80 (12:16:38.725 PDT) 59833->80 (12:16:40.732 PDT) 59870->80 (12:16:43.747 PDT) 37518->80 (12:19:39.838 PDT)
    -------------------------
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    58923->80 (12:15:28.648 PDT)
  192.168.1.9 (7) (12:15:22.393 PDT)
    event=1:92009714 (5) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/index.html?urlmaskfilter=] MAC_Dst: 00:01:64:FF:CE:EA
    35740->80 (12:16:41.732 PDT) 35759->80 (12:16:43.739 PDT) 35795->80 (12:16:46.754 PDT) 41651->80 (12:19:40.753 PDT) 50220->80 (12:23:14.930 PDT)
    -------------------------
    event=1:92016184 (2) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    34762->80 (12:15:22.393 PDT) 50208->80 (12:23:14.856 PDT)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378235722.393 1378235722.394 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 128.18.30.247'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 128.18.30.247
Infector List: 192.168.1.221
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 15:06:40.432 PDT
Gen. Time: 09/03/2013 15:06:40.432 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
  192.168.1.221 (15:06:40.432 PDT)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    50946->80 (15:06:40.432 PDT)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378246000.432 1378246000.433 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 128.18.30.247'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 128.18.30.247
Infector List: 192.168.1.221
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 15:06:40.432 PDT
Gen. Time: 09/03/2013 15:10:41.734 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
  192.168.1.221 (4) (15:06:40.432 PDT)
    event=1:92009714 (3) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/index.html?urlmaskfilter=] MAC_Dst: 00:01:64:FF:CE:EA
    52644->80 (15:07:49.788 PDT) 52719->80 (15:07:51.795 PDT) 52811->80 (15:07:54.808 PDT)
    -------------------------
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    50946->80 (15:06:40.432 PDT)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378246000.432 1378246000.433 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 128.18.30.247'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 128.18.30.247
Infector List: 192.168.1.221
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 15:11:02.785 PDT
Gen. Time: 09/03/2013 15:11:02.785 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
  192.168.1.221 (15:11:02.785 PDT)
    event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 00:01:64:FF:CE:EA
    55962->80 (15:11:02.785 PDT)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378246262.785 1378246262.786 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 128.18.30.247'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 128.18.30.247
Infector List: 192.168.1.221
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 15:11:02.785 PDT
Gen. Time: 09/03/2013 15:18:37.283 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
  192.168.1.221 (16) (15:11:02.785 PDT)
    event=1:92009714 (10) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 00:01:64:FF:CE:EA
    55962->80 (15:11:02.785 PDT) 59008->80 (15:14:29.964 PDT) 59023->80 (15:14:30.006 PDT) 59024->80 (15:14:30.011 PDT) 59027->80 (15:14:30.022 PDT) 59031->80 (15:14:30.048 PDT) 59032->80 (15:14:30.050 PDT) 59033->80 (15:14:30.051 PDT) 59139->80 (15:14:35.245 PDT) 59192->80 (15:14:35.526 PDT)
    -------------------------
    event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    58995->80 (15:14:29.838 PDT) 59037->80 (15:14:30.065 PDT) 59170->80 (15:14:35.423 PDT)
    -------------------------
    event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 00:01:64:FF:CE:EA
    59135->80 (15:14:35.225 PDT)
    -------------------------
    event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:01:64:FF:CE:EA
    59135->80 (15:14:35.225 PDT)
    -------------------------
    event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 00:01:64:FF:CE:EA
    59135->80 (15:14:35.225 PDT)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378246262.785 1378246262.786 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 128.18.30.247'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 128.18.30.247
Infector List: 192.168.1.50
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 20:34:58.349 PDT
Gen. Time: 09/03/2013 20:34:58.349 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
  192.168.1.50 (20:34:58.349 PDT)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    53297->80 (20:34:58.349 PDT)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378265698.349 1378265698.350 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 128.18.30.247'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 128.18.30.247
Infector List: 192.168.1.50
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 20:34:58.349 PDT
Gen. Time: 09/03/2013 20:53:58.847 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
  192.168.1.50 (17) (20:34:58.349 PDT)
    event=1:92009714 (11) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/index.html?urlmaskfilter=] MAC_Dst: 00:01:64:FF:CE:EA
    53439->80 (20:36:07.833 PDT) 53441->80 (20:36:09.846 PDT) 53446->80 (20:36:12.866 PDT) 55326->80 (20:39:20.375 PDT) 56192->80 (20:42:52.689 PDT) 56203->80 (20:42:52.737 PDT) 56204->80 (20:42:52.741 PDT) 56207->80 (20:42:52.752 PDT) 56211->80 (20:42:52.773 PDT) 56212->80 (20:42:52.777 PDT) 56213->80 (20:42:52.777 PDT)
    -------------------------
    event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    53297->80 (20:34:58.349 PDT) 56184->80 (20:42:52.661 PDT) 56216->80 (20:42:52.791 PDT)
    -------------------------
    event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 00:01:64:FF:CE:EA
    56257->80 (20:42:58.216 PDT)
    -------------------------
    event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:01:64:FF:CE:EA
    56257->80 (20:42:58.216 PDT)
    -------------------------
    event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 00:01:64:FF:CE:EA
    56257->80 (20:42:58.216 PDT)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378265698.349 1378265698.350 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 128.18.30.247'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 128.18.30.247
Infector List: 192.168.1.101
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 20:54:42.166 PDT
Gen. Time: 09/03/2013 20:54:42.166 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
  192.168.1.101 (20:54:42.166 PDT)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    43092->80 (20:54:42.166 PDT)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378266882.166 1378266882.167 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 128.18.30.247'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 128.18.30.247
Infector List: 192.168.1.101
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 20:54:42.166 PDT
Gen. Time: 09/03/2013 20:56:10.494 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
  192.168.1.101 (15) (20:54:42.166 PDT)
    event=1:92009714 (9) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/item.fts?href=">;] MAC_Dst: 00:01:64:FF:CE:EA
    43168->80 (20:54:42.946 PDT) 43337->80 (20:54:44.441 PDT) 43339->80 (20:54:44.595 PDT) 43388->80 (20:54:45.265 PDT) 43398->80 (20:54:45.969 PDT) 43399->80 (20:54:46.098 PDT) 43400->80 (20:54:46.103 PDT) 43539->80 (20:55:02.303 PDT) 43687->80 (20:55:13.605 PDT)
    -------------------------
    event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    43092->80 (20:54:42.166 PDT) 43408->80 (20:54:46.936 PDT) 43636->80 (20:55:10.189 PDT)
    -------------------------
    event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 00:01:64:FF:CE:EA
    43519->80 (20:55:00.253 PDT)
    -------------------------
    event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:01:64:FF:CE:EA
    43519->80 (20:55:00.253 PDT)
    -------------------------
    event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 00:01:64:FF:CE:EA
    43519->80 (20:55:00.253 PDT)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378266882.166 1378266882.167 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 128.18.30.247'

============================== SEPARATOR ================================