BotHunter Daily Analysis Index

BotHunter ®
Live Internet Monitor Page
Computer Science Laboratory
SRI International

Last Updated: Fri Sep 6 23:00:02 2013

www.BOTHUNTER.net

Victim IP	Max Score	Profiles	CCs	Events
192.168.1.196	1.3	VIEW 2		1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-1954 1:2000047 {tcp} Egg Download: ET WORM Sasser Transfer _up.exe; 9996<-2181 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 9996->2181
192.168.1.179	1.3	VIEW 2		1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-43474 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1031->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1032->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1032->69 1:3001441 (2) {udp} Egg Download: TFTP GET .exe from external source; 1032->69
192.168.1.29	0.8	VIEW 1		1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-56279 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-6808
192.168.1.101	0.8	VIEW 1		1:22009200 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.a Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-41334 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 1028<-1236
192.168.1.85	1.0	VIEW 1	66.249.74.230 66.249.74.230 (Dial), Google.Com, Google Inc, Cabot, Arkansas, United States.	1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->56794 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->60858 1:552123 (16) {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->53210
192.168.1.191	2.7	VIEW 2	213.155.14.161 213.155.14.161 (Comp), -, Ossadchy - Osadchiy Yuriy, Ukraine, Malware Controller.	1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-45492 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-8187 1:2003070 {tcp} C&C Communication: ET WORM Korgo.U Reporting, [/index.php?id=kmthyejkqsftrl&scn=0&inf=0&ver=19&cnt=USA]; 1037->80 1:9920003 {tcp} Bot Space Access: BotHunter MTC confirmed botnet control server on standard port
192.168.1.234	1.6	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-3354 1:22000033 {tcp} Inbound Attack: ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-3354 1:22514 {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-3354 1:3300004 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031<-1350
192.168.1.102	1.9	VIEW 1	198.51.132.60 198.51.132.60 (Dsl), Speakeasy.Net, -, United States. 94.23.1.180 94.23.1.180 (Dsl), Ovh.Net, Ovh Sas, France, Malware Controller Mail Abuser. 194.33.180.41 194.33.180.41 (Dsl), Utel.Net.Ua, Hostpro Ltd, Ukraine, Malware Controller. 140.113.207.143 140.113.207.143 (Dsl), Nctu.Edu.Tw, Taiwan Academic Network, Taipei, T'Ai-Pei, Taiwan, Malware Controller.	1:2012801 (2) {tcp} C&C Communication: ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/biz/little-steves-house-of-pizza-boston?start=0&sort_by=date_desc&rpp=40]; 50370->80 1:3810008 {udp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 22145->63033 1:3810008 {udp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 42398->53 1:2002911 {tcp} Outbound Attack: ET SCAN Potential VNC Scan 5900-5920; 46169->5900 1:2002911 {tcp} Outbound Attack: ET SCAN Potential VNC Scan 5900-5920; 41929->5900 1:2002911 {tcp} Outbound Attack: ET SCAN Potential VNC Scan 5900-5920; 36347->5900
192.168.1.41	1.3	VIEW 23		1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 48745->22 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 57333->22 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 50159->22 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 44577->22 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 56909->22 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 38030->22 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 58826->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 54604->22 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 60774->22 777:7777008 {tcp} Malware Scan: Detected intense malware port scanning of 43 IPs (26 /24s) (# pkts S/M/O/I=0/41/2/0): 22:41 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 33067->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 33282->22 1:2001219 {tcp} Outbound Attack: ET SCAN Potential SSH Scan (20 in 60 secs); 33495->22 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 33713->22 1:2003068 {tcp} Outbound Attack: ET SCAN Potential SSH Scan OUTBOUND; 33928->22
192.168.1.128	1.3	VIEW 2		1:22514 (2) {tcp} Inbound Attack: GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt MAC_Dst: 00:30:48:30:03:AE; 445<-1455 1:2000047 {tcp} Egg Download: ET WORM Sasser Transfer _up.exe; 9996<-1700 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 9996->1700