BotHunter ®
  Live Internet Monitor Page
  Computer Science Laboratory
  SRI International


  Last Updated: Tue Sep 3 23:00:04 2013
www.BOTHUNTER.net


Victim IP | Max Score | Profiles | CCs | Events
192.168.1.171 | 1.3 | VIEW | 2
  • 1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-61689
  • 1:2000047 {tcp} Egg Download: ET WORM Sasser Transfer _up.exe; 9996<-28862
  • 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 9996->28862
192.168.1.100 | 0.8 | VIEW | 2
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 120 IPs (103 /24s) (# pkts S/M/O/I=0/84/21/20): 5000:84
  • 777:7777008 (3) {tcp} Malware Scan: Detected intense malware port scanning of 120 IPs (103 /24s) (# pkts S/M/O/I=0/84/21/20): 5000:84
192.168.1.175 | 2.7 | VIEW | 2
  • 213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.
  • 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-4588
  • 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-5679
  • 1:2003070 {tcp} C&C Communication: ET WORM Korgo.U Reporting, [/index.php?id=jwekbvczvgnotwjm&scn=4&inf=0&ver=19&cnt=USA]; 1054->80
  • 1:9920003 {tcp} Bot Space Access: BotHunter MTC confirmed botnet control server on standard port
128.18.30.247 | 0.8 | VIEW | 14
192.168.1.214 | 1.3 | VIEW | 2
  • 1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-59822
  • 1:2000047 {tcp} Egg Download: ET WORM Sasser Transfer _up.exe; 9996<-60427
  • 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 9996->60427
192.168.1.85 | 1.0 | VIEW | 5
  • 69.30.238.162 69.30.238.162 (Dsl), Biglandingpro.Com, N-Lite Llc, Corona, California, United States.
  • 184.154.48.82 184.154.48.82 (-), -, -, -.
  • 1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->35711
  • 1:552123 (9) {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->59129
  • 1:2002033 (2) {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->35711
  • 1:552123 (13) {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->59129
  • 1:2016979 {tcp} Inbound Attack: ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:01:64:FF:CE:EA; 80<-56330
  • 1:552123 (5) {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->45879
  • 1:552123 (2) {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->39616
  • 1:2016977 {tcp} Inbound Attack: ET WEB_SERVER allow_url_include PHP config option in uri MAC_Dst: 00:01:64:FF:CE:EA; 80<-56330
  • 1:2016979 {tcp} Inbound Attack: ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:01:64:FF:CE:EA; 80<-56330
  • 1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->38063
  • 1:552123 (17) {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->40878
192.168.1.232 | 2.7 | VIEW | 2
  • 213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.
  • 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-3104
  • 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-6478
  • 1:2003070 {tcp} C&C Communication: ET WORM Korgo.U Reporting, [/index.php?id=xsgpamwvvbbggxbo&scn=0&inf=0&ver=19&cnt=USA]; 1032->80
  • 1:9920003 {tcp} Bot Space Access: BotHunter MTC confirmed botnet control server on standard port
192.168.1.41 | 1.3 | VIEW | 21
  • 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 52449->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 52449->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 32841->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 54384->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 48818->22
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21
  • 1:2003068 (2) {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 54384->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 48773->22
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 34055->22
  • 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 58010->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 38583->22
  • 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 42 IPs (25 /24s) (# pkts S/M/O/I=0/41/1/0): 22:41
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 38898->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 39414->22
  • 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 39629->22
  • 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 39841->22
  • 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 40049->22
192.168.1.170 | 0.8 | VIEW | 1
  • 1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-3654
  • 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1022->3678