Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 178.151.143.69
Peer Coord. List:
Resource List:
Observed Start: 09/10/2013 09:25:49.219 PDT
Gen. Time: 09/10/2013 09:27:52.217 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
  178.151.143.69 (09:27:52.217 PDT)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->35770 (09:27:52.217 PDT)
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
  178.151.143.69 (14) (09:25:49.219 PDT)
    event=1:552123 (14) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->54717 (09:25:49.219 PDT)
    80->54938 (09:25:50.878 PDT)
    80->55405 (09:25:59.095 PDT)
    80->56366 (09:26:09.477 PDT)
    80->57975 (09:26:35.014 PDT)
    80->58438 (09:26:42.290 PDT)
    80->59699 (09:26:58.177 PDT)
    80->59954 (09:27:02.564 PDT)
    80->60253 (09:27:07.046 PDT)
    80->33651 (09:27:25.976 PDT)
    80->33959 (09:27:29.274 PDT)
    80->34339 (09:27:35.512 PDT)
    80->34610 (09:27:38.839 PDT)
    80->35270 (09:27:45.572 PDT)
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378830349.219 1378830349.220 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 178.151.143.69 (17)
Peer Coord. List:
Resource List:
Observed Start: 09/10/2013 09:25:49.219 PDT
Gen. Time: 09/10/2013 09:32:21.141 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
  178.151.143.69 (17) (09:27:52.217 PDT-09:27:52.218 PDT)
    event=1:2002033 (17) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->38028 (09:28:20.950 PDT)
    16: 80->35770 (09:27:52.217 PDT-09:27:52.218 PDT)
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
  178.151.143.69 (17) (09:25:49.219 PDT)
    event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->54717 (09:25:49.219 PDT)
    80->54938 (09:25:50.878 PDT)
    80->55405 (09:25:59.095 PDT)
    80->56366 (09:26:09.477 PDT)
    80->57975 (09:26:35.014 PDT)
    80->58438 (09:26:42.290 PDT)
    80->59699 (09:26:58.177 PDT)
    80->59954 (09:27:02.564 PDT)
    80->60253 (09:27:07.046 PDT)
    80->33651 (09:27:25.976 PDT)
    80->33959 (09:27:29.274 PDT)
    80->34339 (09:27:35.512 PDT)
    80->34610 (09:27:38.839 PDT)
    80->35270 (09:27:45.572 PDT)
    80->36526 (09:28:00.597 PDT)
    80->36779 (09:28:05.953 PDT)
    80->37098 (09:28:09.633 PDT)
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378830349.219 1378830472.219 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.14
Infector List: 128.18.30.247
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/10/2013 09:48:43.288 PDT
Gen. Time: 09/10/2013 09:48:43.288 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.247 (09:48:43.288 PDT)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    80<-47730 (09:48:43.288 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378831723.288 1378831723.289 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.14
Infector List: 128.18.30.247
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/10/2013 09:48:43.288 PDT
Gen. Time: 09/10/2013 09:57:29.239 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.247 (17) (09:48:43.288 PDT)
    event=1:92009714 (11) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/index.html?urlmaskfilter=] MAC_Dst: 00:01:64:FF:CE:EA
    80<-48012 (09:49:11.668 PDT)
    80<-48238 (09:49:21.682 PDT)
    80<-48272 (09:49:23.710 PDT)
    80<-49884 (09:50:45.266 PDT)
    80<-52570 (09:53:47.989 PDT)
    80<-52571 (09:53:47.992 PDT)
    80<-52584 (09:53:48.043 PDT)
    80<-52585 (09:53:48.045 PDT)
    80<-52586 (09:53:48.046 PDT)
    80<-52590 (09:53:48.068 PDT)
    80<-52593 (09:53:48.107 PDT)
    -------------------------
    event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
    80<-47730 (09:48:43.288 PDT)
    80<-52589 (09:53:48.068 PDT)
    80<-52597 (09:53:48.139 PDT)
    -------------------------
    event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 00:01:64:FF:CE:EA
    80<-52608 (09:53:48.195 PDT)
    -------------------------
    event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:01:64:FF:CE:EA
    80<-52608 (09:53:48.195 PDT)
    -------------------------
    event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 00:01:64:FF:CE:EA
    80<-52608 (09:53:48.195 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378831723.288 1378831723.289 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 69.197.128.26
Peer Coord. List:
Resource List:
Observed Start: 09/10/2013 13:52:39.324 PDT
Gen. Time: 09/10/2013 13:53:19.433 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
  69.197.128.26 (13:53:19.433 PDT)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->35734 (13:53:19.433 PDT)
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
  69.197.128.26 (8) (13:52:39.324 PDT)
    event=1:552123 (8) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->57150 (13:52:39.324 PDT)
    80->36028 (13:52:43.810 PDT)
    80->40435 (13:52:46.411 PDT)
    80->43034 (13:52:47.887 PDT)
    80->33435 (13:52:59.575 PDT)
    80->36788 (13:53:01.408 PDT)
    80->40527 (13:53:03.822 PDT)
    80->56856 (13:53:14.987 PDT)
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378846359.324 1378846359.325 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 69.197.128.26 (17)
Peer Coord. List:
Resource List:
Observed Start: 09/10/2013 13:52:39.324 PDT
Gen. Time: 09/10/2013 13:56:14.585 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
  69.197.128.26 (17) (13:53:19.433 PDT-13:53:19.434 PDT)
    event=1:2002033 (17) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    17: 80->35734 (13:53:19.433 PDT-13:53:19.434 PDT)
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
  69.197.128.26 (12) (13:52:39.324 PDT)
    event=1:552123 (12) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->57150 (13:52:39.324 PDT)
    80->36028 (13:52:43.810 PDT)
    80->40435 (13:52:46.411 PDT)
    80->43034 (13:52:47.887 PDT)
    80->33435 (13:52:59.575 PDT)
    80->36788 (13:53:01.408 PDT)
    80->40527 (13:53:03.822 PDT)
    80->56856 (13:53:14.987 PDT)
    80->46269 (13:53:25.906 PDT)
    80->52249 (13:53:29.656 PDT)
    80->55680 (13:53:31.901 PDT)
    80->58864 (13:53:33.844 PDT)
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378846359.324 1378846399.435 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================