Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 91.121.164.52
Resource List:
Observed Start: 09/17/2013 14:44:16.068 PDT
Gen. Time: 09/17/2013 14:45:33.712 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (14:45:33.712 PDT)
    event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/launch.jsp?NFuse_Application=>alert(document.cookie);] MAC_Dst: 00:21:5A:08:BB:0C
      80<-45215 (14:45:33.712 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
  91.121.164.52 (14:44:16.068 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
      51993->6969 (14:44:16.068 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1379454256.068 1379454256.069 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 89.188.127.134 (2), 121.14.98.151, 87.248.186.252, 91.121.164.52
Resource List:
Observed Start: 09/17/2013 14:44:16.068 PDT
Gen. Time: 09/17/2013 14:54:22.370 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (11) (14:45:33.712 PDT)
    event=1:92009714 (10) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/launch.jsp?NFuse_Application=>alert(document.cookie);] MAC_Dst: 00:21:5A:08:BB:0C
      80<-45215 (14:45:33.712 PDT)
      80<-45217 (14:45:33.715 PDT)
      80<-45222 (14:45:33.981 PDT)
      80<-45225 (14:45:34.057 PDT)
      80<-45232 (14:45:34.374 PDT)
      80<-45240 (14:45:34.691 PDT)
      80<-45248 (14:45:34.870 PDT)
      80<-45899 (14:45:52.950 PDT)
      80<-45901 (14:45:52.952 PDT)
      80<-47461 (14:49:47.756 PDT)
    -------------------------
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:21:5A:08:BB:0C
      80<-46635 (14:47:05.686 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
  89.188.127.134 (2) (14:52:20.706 PDT)
    event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [/search?q= 95.25.46.141 virus&go=&qs=n&form=QBLH&pq= 95.25.46.141 virus&sc=0-0&sp=-1&sk=] MAC_Src: 00:21:5A:08:BB:0C
      42783->80 (14:52:21.108 PDT)
    -------------------------
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
      42781->80 (14:52:20.706 PDT)
  121.14.98.151 (14:46:09.710 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
      51688->9090 (14:46:09.710 PDT)
  87.248.186.252 (14:51:11.777 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [a] MAC_Src: 00:21:5A:08:BB:0C
      59231->8080 (14:51:11.777 PDT)
  91.121.164.52 (14:44:16.068 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
      51993->6969 (14:44:16.068 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1379454256.068 1379454256.069 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 133.15.59.1
Resource List:
Observed Start: 09/17/2013 15:11:08.760 PDT
Gen. Time: 09/17/2013 15:11:29.174 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (15:11:29.174 PDT)
    event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/login?user=**] MAC_Dst: 00:21:5A:08:BB:0C
      80<-56582 (15:11:29.174 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
  133.15.59.1 (15:11:08.760 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [/search?q= 62.148.128.5 attack&go=&qs=n&form=QBLH&pq= 62.148.128.5 attack&sc=0-0&sp=-1&sk=] MAC_Src: 00:21:5A:08:BB:0C
      46476->80 (15:11:08.760 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1379455868.760 1379455868.761 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 133.15.59.1, 91.121.164.52, 87.248.186.252 (2)
Resource List:
Observed Start: 09/17/2013 15:11:08.760 PDT
Gen. Time: 09/17/2013 15:15:20.521 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (16) (15:11:29.174 PDT)
    event=1:92009714 (10) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/login?user=**] MAC_Dst: 00:21:5A:08:BB:0C
      80<-56582 (15:11:29.174 PDT)
      80<-56590 (15:11:29.728 PDT)
      80<-56599 (15:11:30.143 PDT)
      80<-56608 (15:11:30.535 PDT)
      80<-56609 (15:11:30.538 PDT)
      80<-56628 (15:11:31.502 PDT)
      80<-56637 (15:11:31.895 PDT)
      80<-56672 (15:11:33.777 PDT)
      80<-56879 (15:11:43.817 PDT)
      80<-56995 (15:11:53.701 PDT)
    -------------------------
    event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 00:21:5A:08:BB:0C
      80<-56619 (15:11:30.983 PDT)
      80<-56684 (15:11:34.491 PDT)
      80<-57132 (15:12:04.150 PDT)
    -------------------------
    event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 00:21:5A:08:BB:0C
      80<-56940 (15:11:46.530 PDT)
    -------------------------
    event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:21:5A:08:BB:0C
      80<-56940 (15:11:46.530 PDT)
    -------------------------
    event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 00:21:5A:08:BB:0C
      80<-56940 (15:11:46.530 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
  133.15.59.1 (15:11:08.760 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [/search?q= 62.148.128.5 attack&go=&qs=n&form=QBLH&pq= 62.148.128.5 attack&sc=0-0&sp=-1&sk=] MAC_Src: 00:21:5A:08:BB:0C
      46476->80 (15:11:08.760 PDT)
  91.121.164.52 (15:13:53.663 PDT)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
      52035->6969 (15:13:53.663 PDT)
  87.248.186.252 (2) (15:11:34.785 PDT)
    event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:21:5A:08:BB:0C
      45362->8080 (15:11:34.785 PDT)
    -------------------------
    event=1:1100019 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
      45362->8080 (15:11:34.785 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1379455868.760 1379455868.761 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================