Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 69.30.238.162
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 11:10:16.779 PDT
Gen. Time: 09/03/2013 11:11:40.493 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
  69.30.238.162 (11:11:40.493 PDT)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->35711 (11:11:40.493 PDT)
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
  69.30.238.162 (9) (11:10:16.779 PDT)
    event=1:552123 (9) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->59129 (11:10:16.779 PDT)
    80->55670 (11:10:34.439 PDT)
    80->46368 (11:10:48.018 PDT)
    80->35493 (11:11:00.437 PDT)
    80->44634 (11:11:06.928 PDT)
    80->54707 (11:11:14.092 PDT)
    80->43782 (11:11:26.285 PDT)
    80->51529 (11:11:31.725 PDT)
    80->55352 (11:11:34.447 PDT)
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378231816.779 1378231816.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 69.30.238.162 (2)
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 11:10:16.779 PDT
Gen. Time: 09/03/2013 11:16:21.216 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
  69.30.238.162 (2) (11:11:40.493 PDT)
    event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->35711 (11:11:40.493 PDT)
    80->44322 (11:11:46.691 PDT)
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
  69.30.238.162 (13) (11:10:16.779 PDT)
    event=1:552123 (13) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->59129 (11:10:16.779 PDT)
    80->55670 (11:10:34.439 PDT)
    80->46368 (11:10:48.018 PDT)
    80->35493 (11:11:00.437 PDT)
    80->44634 (11:11:06.928 PDT)
    80->54707 (11:11:14.092 PDT)
    80->43782 (11:11:26.285 PDT)
    80->51529 (11:11:31.725 PDT)
    80->55352 (11:11:34.447 PDT)
    80->44789 (11:12:08.295 PDT)
    80->37012 (11:12:23.001 PDT)
    80->45388 (11:12:28.497 PDT)
    80->36556 (11:12:41.822 PDT)
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378231816.779 1378231816.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.85
Infector List: 188.190.98.18
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 14:07:27.186 PDT
Gen. Time: 09/03/2013 14:17:58.637 PDT

INBOUND SCAN
EXPLOIT
  188.190.98.18 (14:17:58.637 PDT)
    event=1:2016979 {tcp} E2[rb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:01:64:FF:CE:EA
    80<-56330 (14:17:58.637 PDT)
EXPLOIT (INTERNAL ATK SRC)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
  66.249.74.230 (5) (14:07:27.186 PDT)
    event=1:552123 (5) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->45879 (14:07:27.186 PDT)
    80->52654 (14:07:52.389 PDT)
    80->64181 (14:08:23.407 PDT)
    80->61640 (14:13:18.574 PDT)
    80->50752 (14:15:37.581 PDT)
  208.115.111.66 (2) (14:11:32.541 PDT)
    event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->39616 (14:11:32.541 PDT)
    80->44651 (14:11:36.120 PDT)
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378242447.186 1378242447.187 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.85
Infector List: 188.190.98.18
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 14:07:27.186 PDT
Gen. Time: 09/03/2013 14:24:53.932 PDT

INBOUND SCAN
EXPLOIT
  188.190.98.18 (3) (14:17:58.637 PDT)
    event=1:2016977 {tcp} E2[rb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 00:01:64:FF:CE:EA
    80<-56330 (14:17:58.637 PDT)
    -------------------------
    event=1:2016979 {tcp} E2[rb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:01:64:FF:CE:EA
    80<-56330 (14:17:58.637 PDT)
    -------------------------
    event=1:2016980 {tcp} E2[rb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 00:01:64:FF:CE:EA
    80<-56330 (14:17:58.637 PDT)
EXPLOIT (INTERNAL ATK SRC)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
  66.249.74.230 (7) (14:07:27.186 PDT)
    event=1:552123 (7) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->45879 (14:07:27.186 PDT)
    80->52654 (14:07:52.389 PDT)
    80->64181 (14:08:23.407 PDT)
    80->61640 (14:13:18.574 PDT)
    80->50752 (14:15:37.581 PDT)
    80->55245 (14:18:55.198 PDT)
    80->48845 (14:20:48.340 PDT)
  208.115.111.66 (2) (14:11:32.541 PDT)
    event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->39616 (14:11:32.541 PDT)
    80->44651 (14:11:36.120 PDT)
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378242447.186 1378242447.187 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 184.154.48.82
Peer Coord. List:
Resource List:
Observed Start: 09/03/2013 16:00:49.430 PDT
Gen. Time: 09/03/2013 16:06:18.020 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL ATK SRC)
EXPLOIT (ATK FROM INTERNAL SRC)
CLIENT-INITIATED EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL SRC)
EGG DOWNLOAD (DL FROM INTERNAL)
C and C TRAFFIC
  184.154.48.82 (16:06:18.020 PDT)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->38063 (16:06:18.020 PDT)
C and C TRAFFIC (INTERNAL BOT)
C and C TRAFFIC (INTERNAL CnC)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
  184.154.48.82 (17) (16:00:49.430 PDT)
    event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->40878 (16:00:49.430 PDT)
    80->55863 (16:00:58.923 PDT)
    80->33634 (16:01:20.874 PDT)
    80->42191 (16:02:02.643 PDT)
    80->59666 (16:02:13.958 PDT)
    80->58932 (16:02:31.885 PDT)
    80->34871 (16:02:34.593 PDT)
    80->41479 (16:02:38.949 PDT)
    80->51703 (16:02:45.605 PDT)
    80->60970 (16:02:51.657 PDT)
    80->39118 (16:03:32.105 PDT)
    80->56367 (16:03:43.372 PDT)
    80->36975 (16:03:49.161 PDT)
    80->45494 (16:03:54.704 PDT)
    80->43125 (16:04:11.615 PDT)
    80->46771 (16:04:32.302 PDT)
    80->59024 (16:04:58.837 PDT)
OUTBOUND ATTACK (ATK TO INTERNAL TARGET)
OUTBOUND ATTACK (INTERNAL TARGET)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378249249.430 1378249249.431 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================