Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 14:00:09.964 PDT Gen. Time: 09/13/2013 14:00:47.404 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 198.133.224.149 (2) (14:00:45.445 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45018->22 (14:00:45.445 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45018->22 (14:00:45.445 PDT) 204.8.155.227 (14:00:34.943 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53641->22 (14:00:34.943 PDT) 128.10.19.53 (14:00:09.964 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46935->22 (14:00:09.964 PDT) 129.82.12.188 (14:00:18.785 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41362->22 (14:00:18.785 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.198 (14:00:47.404 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:47.404 PDT) tcpslice 1379106009.964 1379106009.965 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 14:00:09.964 PDT Gen. Time: 09/13/2013 14:09:32.369 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.10.19.53 (2) (14:00:09.964 PDT) event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46935->22 (14:00:09.964 PDT) 47709->22 (14:02:02.438 PDT) 155.246.12.164 (14:02:23.786 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41438->22 (14:02:23.786 PDT) 165.91.55.9 (2) (14:02:12.904 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 42803->22 (14:02:12.904 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42803->22 (14:02:12.904 PDT) 128.42.142.45 (14:01:23.569 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38119->22 (14:01:23.569 PDT) 131.193.34.38 (14:01:09.327 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36729->22 (14:01:09.327 PDT) 158.130.6.253 (14:01:54.067 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53755->22 (14:01:54.067 PDT) 198.133.224.149 (2) (14:00:45.445 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45018->22 (14:00:45.445 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45018->22 (14:00:45.445 PDT) 204.8.155.227 (14:00:34.943 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53641->22 (14:00:34.943 PDT) 129.82.12.188 (2) (14:00:18.785 PDT) event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41362->22 (14:00:18.785 PDT) 42290->22 (14:02:31.371 PDT) 13.7.64.20 (2) (14:01:38.090 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 42888->22 (14:01:38.090 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42888->22 (14:01:38.090 PDT) 130.127.39.153 (14:01:30.193 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54488->22 (14:01:30.193 PDT) 128.208.4.198 (14:01:44.549 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34511->22 (14:01:44.549 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.198 (14:00:47.404 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:47.404 PDT) 131.193.34.38 (3) (14:02:17.358 PDT-14:05:27.055 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (14:02:17.358 PDT-14:05:27.055 PDT) tcpslice 1379106009.964 1379106327.056 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 15:06:37.359 PDT Gen. Time: 09/13/2013 15:08:52.786 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (15:07:27.988 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49376->22 (15:07:27.988 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49377->22 (15:07:28.452 PDT) 128.208.4.197 (15:08:05.831 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44951->22 (15:08:05.831 PDT) 128.10.19.53 (15:07:42.570 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58097->22 (15:07:42.570 PDT) 131.179.150.72 (15:06:37.359 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45259->22 (15:06:37.359 PDT) 72.36.112.79 (15:07:04.525 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52020->22 (15:07:04.525 PDT) 131.179.150.70 (15:07:45.453 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43513->22 (15:07:45.453 PDT) 13.7.64.22 (15:08:02.251 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59295->22 (15:08:02.251 PDT) 128.42.142.45 (15:06:52.600 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48742->22 (15:06:52.600 PDT) 204.8.155.227 (15:07:19.259 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36388->22 (15:07:19.259 PDT) 192.91.235.230 (15:07:35.988 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39864->22 (15:07:35.988 PDT) 129.82.12.188 (2) (15:07:50.244 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52473->22 (15:07:50.244 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52474->22 (15:07:51.419 PDT) 141.212.113.180 (15:07:25.325 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34266->22 (15:07:25.325 PDT) 141.212.113.179 (15:07:58.484 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47365->22 (15:07:58.484 PDT) 128.111.52.59 (15:08:07.970 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44220->22 (15:08:07.970 PDT) 130.127.39.152 (15:07:11.943 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43307->22 (15:07:11.943 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.79 (15:08:52.786 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:08:52.786 PDT) tcpslice 1379109997.359 1379109997.360 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 15:06:37.359 PDT Gen. Time: 09/13/2013 15:15:08.345 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (15:07:27.988 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49376->22 (15:07:27.988 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49377->22 (15:07:28.452 PDT) 128.208.4.197 (15:08:05.831 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44951->22 (15:08:05.831 PDT) 128.10.19.53 (15:07:42.570 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58097->22 (15:07:42.570 PDT) 131.179.150.72 (15:06:37.359 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45259->22 (15:06:37.359 PDT) 72.36.112.79 (15:07:04.525 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52020->22 (15:07:04.525 PDT) 131.179.150.70 (15:07:45.453 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43513->22 (15:07:45.453 PDT) 13.7.64.22 (15:08:02.251 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59295->22 (15:08:02.251 PDT) 128.42.142.45 (15:06:52.600 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48742->22 (15:06:52.600 PDT) 204.8.155.227 (15:07:19.259 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36388->22 (15:07:19.259 PDT) 192.91.235.230 (15:07:35.988 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39864->22 (15:07:35.988 PDT) 129.82.12.188 (2) (15:07:50.244 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52473->22 (15:07:50.244 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52474->22 (15:07:51.419 PDT) 141.212.113.180 (15:07:25.325 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34266->22 (15:07:25.325 PDT) 141.212.113.179 (15:07:58.484 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47365->22 (15:07:58.484 PDT) 128.111.52.59 (15:08:07.970 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44220->22 (15:08:07.970 PDT) 130.127.39.152 (15:07:11.943 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43307->22 (15:07:11.943 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.8.126.98 (15:10:22.266 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (22 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:10:22.266 PDT) 72.36.112.79 (15:08:52.786 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:08:52.786 PDT) tcpslice 1379109997.359 1379109997.360 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 15:11:15.475 PDT Gen. Time: 09/13/2013 15:11:15.475 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.8.126.98 (15:11:15.475 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:11:15.475 PDT) tcpslice 1379110275.475 1379110275.476 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 15:26:43.466 PDT Gen. Time: 09/13/2013 15:29:06.005 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (15:27:36.385 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49592->22 (15:27:36.385 PDT) 128.208.4.197 (15:28:16.619 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45166->22 (15:28:16.619 PDT) 128.10.19.53 (15:27:52.031 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58312->22 (15:27:52.031 PDT) 131.179.150.72 (15:26:43.466 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45474->22 (15:26:43.466 PDT) 72.36.112.79 (15:27:11.636 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52235->22 (15:27:11.636 PDT) 131.179.150.70 (15:27:55.031 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43728->22 (15:27:55.031 PDT) 13.7.64.22 (15:28:12.899 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59510->22 (15:28:12.899 PDT) 128.42.142.45 (15:26:54.725 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48957->22 (15:26:54.725 PDT) 204.8.155.227 (15:27:26.260 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36603->22 (15:27:26.260 PDT) 192.91.235.230 (2) (15:27:38.865 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40076->22 (15:27:38.865 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40079->22 (15:27:44.353 PDT) 129.82.12.188 (15:28:00.841 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52689->22 (15:28:00.841 PDT) 141.212.113.180 (15:27:32.907 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34481->22 (15:27:32.907 PDT) 141.212.113.179 (2) (15:28:03.692 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47577->22 (15:28:03.692 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47580->22 (15:28:08.620 PDT) 128.111.52.59 (15:28:19.362 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44436->22 (15:28:19.362 PDT) 130.127.39.152 (15:27:18.851 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43522->22 (15:27:18.851 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 129.82.12.188 (15:29:06.005 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:29:06.005 PDT) tcpslice 1379111203.466 1379111203.467 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 15:26:43.466 PDT Gen. Time: 09/13/2013 15:35:30.184 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (15:27:36.385 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49592->22 (15:27:36.385 PDT) 128.208.4.197 (15:28:16.619 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45166->22 (15:28:16.619 PDT) 128.10.19.53 (15:27:52.031 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58312->22 (15:27:52.031 PDT) 131.179.150.72 (15:26:43.466 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45474->22 (15:26:43.466 PDT) 72.36.112.79 (15:27:11.636 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52235->22 (15:27:11.636 PDT) 131.179.150.70 (15:27:55.031 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43728->22 (15:27:55.031 PDT) 13.7.64.22 (15:28:12.899 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59510->22 (15:28:12.899 PDT) 128.42.142.45 (15:26:54.725 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48957->22 (15:26:54.725 PDT) 204.8.155.227 (15:27:26.260 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36603->22 (15:27:26.260 PDT) 192.91.235.230 (2) (15:27:38.865 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40076->22 (15:27:38.865 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40079->22 (15:27:44.353 PDT) 129.82.12.188 (15:28:00.841 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52689->22 (15:28:00.841 PDT) 141.212.113.180 (15:27:32.907 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34481->22 (15:27:32.907 PDT) 141.212.113.179 (2) (15:28:03.692 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47577->22 (15:28:03.692 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47580->22 (15:28:08.620 PDT) 128.111.52.59 (15:28:19.362 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44436->22 (15:28:19.362 PDT) 130.127.39.152 (15:27:18.851 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43522->22 (15:27:18.851 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 158.130.6.253 (15:30:36.316 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (22 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:30:36.316 PDT) 129.82.12.188 (15:29:06.005 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:29:06.005 PDT) tcpslice 1379111203.466 1379111203.467 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 15:31:31.051 PDT Gen. Time: 09/13/2013 15:31:31.051 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 158.130.6.253 (15:31:31.051 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:31:31.051 PDT) tcpslice 1379111491.051 1379111491.052 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 15:47:09.124 PDT Gen. Time: 09/13/2013 15:49:52.703 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (15:48:05.921 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49805->22 (15:48:05.921 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49807->22 (15:48:06.791 PDT) 128.208.4.197 (15:49:03.578 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45381->22 (15:49:03.578 PDT) 128.10.19.53 (15:48:21.189 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58527->22 (15:48:21.189 PDT) 131.179.150.72 (15:47:09.124 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45689->22 (15:47:09.124 PDT) 72.36.112.79 (15:47:43.188 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52450->22 (15:47:43.188 PDT) 131.179.150.70 (15:48:24.113 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43943->22 (15:48:24.113 PDT) 13.7.64.22 (15:48:59.468 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59725->22 (15:48:59.468 PDT) 128.42.142.45 (15:47:20.140 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49172->22 (15:47:20.140 PDT) 204.8.155.227 (15:47:57.687 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36818->22 (15:47:57.687 PDT) 192.91.235.230 (15:48:14.525 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40294->22 (15:48:14.525 PDT) 129.82.12.188 (2) (15:48:34.981 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52902->22 (15:48:34.981 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52904->22 (15:48:44.668 PDT) 141.212.113.180 (15:48:03.872 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34696->22 (15:48:03.872 PDT) 141.212.113.179 (15:48:54.311 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47795->22 (15:48:54.311 PDT) 128.111.52.59 (15:49:05.488 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44649->22 (15:49:05.488 PDT) 130.127.39.152 (15:47:50.481 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43737->22 (15:47:50.481 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.72 (15:49:52.703 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:49:52.703 PDT) tcpslice 1379112429.124 1379112429.125 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 15:47:09.124 PDT Gen. Time: 09/13/2013 15:56:19.457 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (15:48:05.921 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49805->22 (15:48:05.921 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49807->22 (15:48:06.791 PDT) 128.208.4.197 (15:49:03.578 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45381->22 (15:49:03.578 PDT) 128.10.19.53 (15:48:21.189 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58527->22 (15:48:21.189 PDT) 131.179.150.72 (15:47:09.124 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45689->22 (15:47:09.124 PDT) 72.36.112.79 (15:47:43.188 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52450->22 (15:47:43.188 PDT) 131.179.150.70 (15:48:24.113 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43943->22 (15:48:24.113 PDT) 13.7.64.22 (15:48:59.468 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59725->22 (15:48:59.468 PDT) 128.42.142.45 (15:47:20.140 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49172->22 (15:47:20.140 PDT) 204.8.155.227 (15:47:57.687 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36818->22 (15:47:57.687 PDT) 192.91.235.230 (15:48:14.525 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40294->22 (15:48:14.525 PDT) 129.82.12.188 (2) (15:48:34.981 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52902->22 (15:48:34.981 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52904->22 (15:48:44.668 PDT) 141.212.113.180 (15:48:03.872 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34696->22 (15:48:03.872 PDT) 141.212.113.179 (15:48:54.311 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47795->22 (15:48:54.311 PDT) 128.111.52.59 (15:49:05.488 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44649->22 (15:49:05.488 PDT) 130.127.39.152 (15:47:50.481 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43737->22 (15:47:50.481 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.72 (2) (15:49:52.703 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:49:52.703 PDT) 0->0 (15:51:22.896 PDT) tcpslice 1379112429.124 1379112429.125 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 15:52:24.496 PDT Gen. Time: 09/13/2013 15:52:24.496 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.72 (15:52:24.496 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:52:24.496 PDT) tcpslice 1379112744.496 1379112744.497 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 16:05:03.792 PDT Gen. Time: 09/13/2013 16:05:03.792 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.147 (16:05:03.792 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:05:03.792 PDT) tcpslice 1379113503.792 1379113503.793 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 16:05:03.792 PDT Gen. Time: 09/13/2013 16:16:58.075 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (16:08:51.488 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 50018->22 (16:08:51.488 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50022->22 (16:08:53.372 PDT) 128.208.4.197 (16:09:31.306 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45596->22 (16:09:31.306 PDT) 128.10.19.53 (16:09:07.884 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58742->22 (16:09:07.884 PDT) 131.179.150.72 (16:08:02.435 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45904->22 (16:08:02.435 PDT) 72.36.112.79 (16:08:29.076 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52665->22 (16:08:29.076 PDT) 131.179.150.70 (16:09:10.824 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44158->22 (16:09:10.824 PDT) 13.7.64.22 (16:09:27.407 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59940->22 (16:09:27.407 PDT) 128.42.142.45 (16:08:17.517 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49387->22 (16:08:17.517 PDT) 204.8.155.227 (16:08:44.054 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37033->22 (16:08:44.054 PDT) 192.91.235.230 (16:09:01.235 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40509->22 (16:09:01.235 PDT) 129.82.12.188 (2) (16:09:11.248 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 53115->22 (16:09:11.248 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53119->22 (16:09:16.364 PDT) 141.212.113.180 (16:08:50.367 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34911->22 (16:08:50.367 PDT) 141.212.113.179 (16:09:23.384 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48010->22 (16:09:23.384 PDT) 128.111.52.59 (16:09:32.220 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44862->22 (16:09:32.220 PDT) 130.127.39.152 (16:08:36.715 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43952->22 (16:08:36.715 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.147 (3) (16:05:03.792 PDT-16:08:30.391 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (20 /24s) (# pkts S/M/O/I=0/28/0/0): 22:28, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (16:07:00.712 PDT-16:08:30.391 PDT) 0->0 (16:05:03.792 PDT) 128.111.52.59 (4) (16:10:00.715 PDT-16:14:51.752 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (16:11:32.158 PDT-16:14:51.752 PDT) 0->0 (16:10:00.715 PDT) tcpslice 1379113503.792 1379114091.753 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 16:17:02.824 PDT Gen. Time: 09/13/2013 16:17:02.824 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.111.52.59 (16:17:02.824 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:17:02.824 PDT) tcpslice 1379114222.824 1379114222.825 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 16:28:38.201 PDT Gen. Time: 09/13/2013 16:31:06.654 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (16:29:38.832 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50237->22 (16:29:38.832 PDT) 128.208.4.197 (2) (16:30:17.527 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45811->22 (16:30:17.527 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45811->22 (16:30:17.527 PDT) 128.10.19.53 (16:29:53.347 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58957->22 (16:29:53.347 PDT) 131.179.150.72 (16:28:38.201 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46119->22 (16:28:38.201 PDT) 72.36.112.79 (16:29:13.524 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52880->22 (16:29:13.524 PDT) 131.179.150.70 (2) (16:29:56.172 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44373->22 (16:29:56.172 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44373->22 (16:29:56.172 PDT) 13.7.64.22 (16:30:13.544 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60155->22 (16:30:13.544 PDT) 128.42.142.45 (16:28:53.242 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49602->22 (16:28:53.242 PDT) 204.8.155.227 (16:29:29.294 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37248->22 (16:29:29.294 PDT) 192.91.235.230 (16:29:46.730 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40724->22 (16:29:46.730 PDT) 129.82.12.188 (16:30:02.364 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53334->22 (16:30:02.364 PDT) 141.212.113.180 (2) (16:29:35.750 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35126->22 (16:29:35.750 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35126->22 (16:29:35.750 PDT) 141.212.113.179 (16:30:09.593 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48225->22 (16:30:09.593 PDT) 130.127.39.152 (16:29:21.825 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44167->22 (16:29:21.825 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.111.52.59 (16:31:06.654 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:31:06.654 PDT) tcpslice 1379114918.201 1379114918.202 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 16:28:38.201 PDT Gen. Time: 09/13/2013 16:36:27.968 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (16:29:38.832 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50237->22 (16:29:38.832 PDT) 128.208.4.197 (2) (16:30:17.527 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45811->22 (16:30:17.527 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45811->22 (16:30:17.527 PDT) 128.10.19.53 (16:29:53.347 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58957->22 (16:29:53.347 PDT) 131.179.150.72 (16:28:38.201 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46119->22 (16:28:38.201 PDT) 72.36.112.79 (16:29:13.524 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52880->22 (16:29:13.524 PDT) 131.179.150.70 (2) (16:29:56.172 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44373->22 (16:29:56.172 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44373->22 (16:29:56.172 PDT) 13.7.64.22 (16:30:13.544 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60155->22 (16:30:13.544 PDT) 128.42.142.45 (16:28:53.242 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49602->22 (16:28:53.242 PDT) 204.8.155.227 (16:29:29.294 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37248->22 (16:29:29.294 PDT) 192.91.235.230 (16:29:46.730 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40724->22 (16:29:46.730 PDT) 129.82.12.188 (16:30:02.364 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53334->22 (16:30:02.364 PDT) 141.212.113.180 (2) (16:29:35.750 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35126->22 (16:29:35.750 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35126->22 (16:29:35.750 PDT) 141.212.113.179 (16:30:09.593 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48225->22 (16:30:09.593 PDT) 130.127.39.152 (16:29:21.825 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44167->22 (16:29:21.825 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.111.52.59 (2) (16:31:06.654 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:31:06.654 PDT) 0->0 (16:32:36.328 PDT) tcpslice 1379114918.201 1379114918.202 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 16:40:14.781 PDT Gen. Time: 09/13/2013 16:40:14.781 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.111.52.59 (16:40:14.781 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:40:14.781 PDT) tcpslice 1379115614.781 1379115614.782 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 16:49:03.219 PDT Gen. Time: 09/13/2013 16:51:23.903 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (16:49:54.793 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 50450->22 (16:49:54.793 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50452->22 (16:49:55.763 PDT) 128.208.4.197 (16:50:35.429 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46026->22 (16:50:35.429 PDT) 128.10.19.53 (16:50:09.982 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59172->22 (16:50:09.982 PDT) 131.179.150.72 (16:49:03.219 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46334->22 (16:49:03.219 PDT) 72.36.112.79 (16:49:31.576 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53095->22 (16:49:31.576 PDT) 131.179.150.70 (16:50:13.107 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44588->22 (16:50:13.107 PDT) 13.7.64.22 (16:50:30.995 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60370->22 (16:50:30.995 PDT) 128.42.142.45 (16:49:13.190 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49817->22 (16:49:13.190 PDT) 204.8.155.227 (16:49:46.250 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37463->22 (16:49:46.250 PDT) 192.91.235.230 (16:50:03.420 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40939->22 (16:50:03.420 PDT) 129.82.12.188 (2) (16:50:17.043 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 53547->22 (16:50:17.043 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53549->22 (16:50:20.156 PDT) 141.212.113.180 (16:49:52.728 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35341->22 (16:49:52.728 PDT) 141.212.113.179 (16:50:27.294 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48440->22 (16:50:27.294 PDT) 128.111.52.59 (16:50:37.322 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45294->22 (16:50:37.322 PDT) 130.127.39.152 (16:49:38.932 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44382->22 (16:49:38.932 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.10.19.53 (16:51:23.903 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:51:23.903 PDT) tcpslice 1379116143.219 1379116143.220 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 16:49:03.219 PDT Gen. Time: 09/13/2013 16:56:55.158 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (16:49:54.793 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 50450->22 (16:49:54.793 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50452->22 (16:49:55.763 PDT) 128.208.4.197 (16:50:35.429 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46026->22 (16:50:35.429 PDT) 128.10.19.53 (16:50:09.982 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59172->22 (16:50:09.982 PDT) 131.179.150.72 (16:49:03.219 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46334->22 (16:49:03.219 PDT) 72.36.112.79 (16:49:31.576 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53095->22 (16:49:31.576 PDT) 131.179.150.70 (16:50:13.107 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44588->22 (16:50:13.107 PDT) 13.7.64.22 (16:50:30.995 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60370->22 (16:50:30.995 PDT) 128.42.142.45 (16:49:13.190 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49817->22 (16:49:13.190 PDT) 204.8.155.227 (16:49:46.250 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37463->22 (16:49:46.250 PDT) 192.91.235.230 (16:50:03.420 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40939->22 (16:50:03.420 PDT) 129.82.12.188 (2) (16:50:17.043 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 53547->22 (16:50:17.043 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53549->22 (16:50:20.156 PDT) 141.212.113.180 (16:49:52.728 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35341->22 (16:49:52.728 PDT) 141.212.113.179 (16:50:27.294 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48440->22 (16:50:27.294 PDT) 128.111.52.59 (16:50:37.322 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45294->22 (16:50:37.322 PDT) 130.127.39.152 (16:49:38.932 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44382->22 (16:49:38.932 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (2) (16:54:25.442 PDT-16:56:55.158 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (16:54:25.442 PDT-16:56:55.158 PDT) 128.10.19.53 (16:51:23.903 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:51:23.903 PDT) 198.133.224.147 (16:52:54.070 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:52:54.070 PDT) tcpslice 1379116143.219 1379116615.159 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 17:04:29.587 PDT Gen. Time: 09/13/2013 17:04:29.587 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (17:04:29.587 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:04:29.587 PDT) tcpslice 1379117069.587 1379117069.588 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 17:08:56.643 PDT Gen. Time: 09/13/2013 17:08:56.643 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (17:08:56.643 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:08:56.643 PDT) tcpslice 1379117336.643 1379117336.644 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 17:08:56.643 PDT Gen. Time: 09/13/2013 17:17:45.352 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (17:10:23.766 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 50664->22 (17:10:23.766 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50667->22 (17:10:25.771 PDT) 128.208.4.197 (17:11:08.924 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46241->22 (17:11:08.924 PDT) 128.10.19.53 (17:10:42.336 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59387->22 (17:10:42.336 PDT) 131.179.150.72 (17:09:30.488 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46549->22 (17:09:30.488 PDT) 72.36.112.79 (17:10:00.100 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53310->22 (17:10:00.100 PDT) 131.179.150.70 (17:10:45.903 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44803->22 (17:10:45.903 PDT) 13.7.64.22 (17:11:05.031 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60585->22 (17:11:05.031 PDT) 128.42.142.45 (17:09:45.985 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50032->22 (17:09:45.985 PDT) 204.8.155.227 (17:10:15.033 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37678->22 (17:10:15.033 PDT) 192.91.235.230 (17:10:33.985 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41154->22 (17:10:33.985 PDT) 129.82.12.188 (2) (17:10:48.696 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 53761->22 (17:10:48.696 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53764->22 (17:10:53.515 PDT) 141.212.113.180 (17:10:21.952 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35556->22 (17:10:21.952 PDT) 141.212.113.179 (17:11:01.053 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48655->22 (17:11:01.053 PDT) 128.111.52.59 (17:11:10.196 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45508->22 (17:11:10.196 PDT) 130.127.39.152 (17:10:07.601 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44597->22 (17:10:07.601 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (5) (17:08:56.643 PDT-17:17:45.352 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (17:08:56.643 PDT-17:17:45.352 PDT) tcpslice 1379117336.643 1379117865.353 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 17:30:06.539 PDT Gen. Time: 09/13/2013 17:32:42.004 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (17:31:12.657 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 50878->22 (17:31:12.657 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50882->22 (17:31:15.196 PDT) 128.208.4.197 (17:31:53.330 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46457->22 (17:31:53.330 PDT) 128.10.19.53 (17:31:29.863 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59602->22 (17:31:29.863 PDT) 131.179.150.72 (17:30:06.539 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46764->22 (17:30:06.539 PDT) 72.36.112.79 (17:30:44.289 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53525->22 (17:30:44.289 PDT) 131.179.150.70 (17:31:32.833 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45019->22 (17:31:32.833 PDT) 13.7.64.22 (17:31:49.461 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60801->22 (17:31:49.461 PDT) 128.42.142.45 (17:30:21.500 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50247->22 (17:30:21.500 PDT) 204.8.155.227 (17:31:04.997 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37893->22 (17:31:04.997 PDT) 192.91.235.230 (17:31:23.322 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41369->22 (17:31:23.322 PDT) 129.82.12.188 (2) (17:31:33.240 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 53976->22 (17:31:33.240 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53980->22 (17:31:38.909 PDT) 141.212.113.180 (17:31:11.446 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35771->22 (17:31:11.446 PDT) 141.212.113.179 (17:31:45.831 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48871->22 (17:31:45.831 PDT) 128.111.52.59 (17:31:54.013 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45723->22 (17:31:54.013 PDT) 130.127.39.152 (17:30:53.677 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44812->22 (17:30:53.677 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.8.155.227 (17:32:42.004 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:32:42.004 PDT) tcpslice 1379118606.539 1379118606.540 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 17:30:06.539 PDT Gen. Time: 09/13/2013 17:38:27.141 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (17:31:12.657 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 50878->22 (17:31:12.657 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50882->22 (17:31:15.196 PDT) 128.208.4.197 (17:31:53.330 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46457->22 (17:31:53.330 PDT) 128.10.19.53 (17:31:29.863 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59602->22 (17:31:29.863 PDT) 131.179.150.72 (17:30:06.539 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46764->22 (17:30:06.539 PDT) 72.36.112.79 (17:30:44.289 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53525->22 (17:30:44.289 PDT) 131.179.150.70 (17:31:32.833 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45019->22 (17:31:32.833 PDT) 13.7.64.22 (17:31:49.461 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60801->22 (17:31:49.461 PDT) 128.42.142.45 (17:30:21.500 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50247->22 (17:30:21.500 PDT) 204.8.155.227 (17:31:04.997 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37893->22 (17:31:04.997 PDT) 192.91.235.230 (17:31:23.322 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41369->22 (17:31:23.322 PDT) 129.82.12.188 (2) (17:31:33.240 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 53976->22 (17:31:33.240 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53980->22 (17:31:38.909 PDT) 141.212.113.180 (17:31:11.446 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35771->22 (17:31:11.446 PDT) 141.212.113.179 (17:31:45.831 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48871->22 (17:31:45.831 PDT) 128.111.52.59 (17:31:54.013 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45723->22 (17:31:54.013 PDT) 130.127.39.152 (17:30:53.677 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44812->22 (17:30:53.677 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.8.155.227 (17:32:42.004 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:32:42.004 PDT) 129.63.159.101 (17:34:12.584 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (23 /24s) (# pkts S/M/O/I=0/33/1/0): 22:33, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:34:12.584 PDT) tcpslice 1379118606.539 1379118606.540 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 17:35:14.768 PDT Gen. Time: 09/13/2013 17:35:14.768 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 129.63.159.101 (17:35:14.768 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (25 /24s) (# pkts S/M/O/I=0/41/1/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:35:14.768 PDT) tcpslice 1379118914.768 1379118914.769 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 09/13/2013 17:50:47.959 PDT Gen. Time: 09/13/2013 17:53:11.738 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (17:51:18.157 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51083->22 (17:51:18.157 PDT) 128.208.4.197 (17:51:45.055 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46647->22 (17:51:45.055 PDT) 131.179.150.72 (17:50:47.959 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46980->22 (17:50:47.959 PDT) 131.179.150.70 (17:51:30.950 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45214->22 (17:51:30.950 PDT) 155.246.12.164 (2) (17:51:56.577 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 53397->22 (17:51:56.577 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53398->22 (17:51:58.815 PDT) 13.7.64.22 (17:51:41.418 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60991->22 (17:51:41.418 PDT) 128.42.142.45 (17:51:03.005 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50463->22 (17:51:03.005 PDT) 165.91.55.8 (17:52:15.223 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53530->22 (17:52:15.223 PDT) 128.84.154.44 (17:52:27.050 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52419->22 (17:52:27.050 PDT) 192.91.235.230 (17:51:27.431 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41570->22 (17:51:27.431 PDT) 129.82.12.188 (2) (17:51:35.423 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 54174->22 (17:51:35.423 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54175->22 (17:51:37.020 PDT) 128.252.19.19 (17:52:34.071 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35920->22 (17:52:34.071 PDT) 204.8.155.226 (17:52:07.587 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58339->22 (17:52:07.587 PDT) 128.111.52.59 (17:51:47.668 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45917->22 (17:51:47.668 PDT) 130.127.39.152 (17:51:14.016 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45023->22 (17:51:14.016 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 130.127.39.152 (17:53:11.738 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:53:11.738 PDT) tcpslice 1379119847.959 1379119847.960 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================