Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.240
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/17/2013 10:16:13.610 PDT
Gen. Time: 09/17/2013 10:16:13.610 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL) 128.18.30.15 (10:16:13.610 PDT)
     event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/index.html?urlmaskfilter=] MAC_Dst: 00:01:64:FF:CE:EA
     80<-51869 (10:16:13.610 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1379438173.610 1379438173.611 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.240'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.240
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/17/2013 10:16:13.610 PDT
Gen. Time: 09/17/2013 10:22:30.164 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL) 128.18.30.15 (5) (10:16:13.610 PDT)
     event=1:92009714 (4) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/index.html?urlmaskfilter=] MAC_Dst: 00:01:64:FF:CE:EA
     80<-51869 (10:16:13.610 PDT)
     80<-51870 (10:16:13.617 PDT)
     80<-51871 (10:16:13.617 PDT)
     80<-53815 (10:18:28.208 PDT)
     -------------------------
     event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
     80<-52140 (10:16:22.726 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1379438173.610 1379438173.611 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.240'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.240
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/17/2013 10:26:16.396 PDT
Gen. Time: 09/17/2013 10:26:16.396 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL) 128.18.30.15 (10:26:16.396 PDT)
     event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/login?user=**] MAC_Dst: 00:01:64:FF:CE:EA
     80<-57441 (10:26:16.396 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1379438776.396 1379438776.397 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.240'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.240
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/17/2013 10:26:16.396 PDT
Gen. Time: 09/17/2013 10:29:58.401 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL) 128.18.30.15 (12) (10:26:16.396 PDT)
     event=1:92009714 (9) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/login?user=**] MAC_Dst: 00:01:64:FF:CE:EA
     80<-57441 (10:26:16.396 PDT)
     80<-57446 (10:26:16.423 PDT)
     80<-57447 (10:26:16.430 PDT)
     80<-57450 (10:26:16.450 PDT)
     80<-57452 (10:26:16.454 PDT)
     80<-57455 (10:26:16.477 PDT)
     80<-57456 (10:26:16.477 PDT)
     80<-57522 (10:26:21.074 PDT)
     80<-57553 (10:26:21.819 PDT)
     -------------------------
     event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 00:01:64:FF:CE:EA
     80<-57451 (10:26:16.453 PDT)
     80<-57468 (10:26:16.557 PDT)
     80<-57576 (10:26:21.949 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1379438776.396 1379438776.397 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.240'
============================== SEPARATOR ================================
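Each profile above ends with a tcpslice/tcpdump command whose window runs from Observed Start to Observed Start plus one millisecond, so in the second and fourth profiles it covers only the first flow and drops the later XSS probes and the ColdFusion administrator requests. The following script is an added example, not part of the report or of the tool that generated it: it parses a profile in the layout shown above (the second record is embedded as a constructed sample), converts the PDT wall-clock stamps to the epoch seconds tcpslice expects and checks them against the report's own window, lists the flows that window would miss, and emits a slice that spans Observed Start through Gen. Time. The fixed PDT/PST offsets, the one-second padding and the choice to restrict the capture to both the target and the infector are assumptions of the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the report's second infection profile, in the
# one-field-or-event-per-line layout used above.
SAMPLE_PROFILE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.240
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/17/2013 10:16:13.610 PDT
Gen. Time: 09/17/2013 10:22:30.164 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL) 128.18.30.15 (5) (10:16:13.610 PDT)
     event=1:92009714 (4) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/index.html?urlmaskfilter=] MAC_Dst: 00:01:64:FF:CE:EA
     80<-51869 (10:16:13.610 PDT)
     80<-51870 (10:16:13.617 PDT)
     80<-51871 (10:16:13.617 PDT)
     80<-53815 (10:18:28.208 PDT)
     -------------------------
     event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
     80<-52140 (10:16:22.726 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
tcpslice 1379438173.610 1379438173.611 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.240'
"""

# Assumption: the zone abbreviations in the profile are US Pacific, mapped to fixed offsets.
ZONES = {"PDT": timezone(timedelta(hours=-7)), "PST": timezone(timedelta(hours=-8))}

FIELD_RE = re.compile(r"^(Score|Infected Target|Infector List|Observed Start|Gen\. Time): ?(.*)$", re.M)
EVENT_RE = re.compile(r"event=1:(\d+)(?: \(\d+\))? \{(\w+)\} \S+ (.+?), \[(.+?)\]")
FLOW_RE = re.compile(r"(\d+)<-(\d+) \((\d\d:\d\d:\d\d\.\d{3}) ([A-Z]{3})\)")
SLICE_RE = re.compile(r"^tcpslice (\d+\.\d+) (\d+\.\d+)", re.M)


def to_epoch(stamp):
    """'09/17/2013 10:16:13.610 PDT' -> seconds since the Unix epoch, as tcpslice takes them."""
    date, clock, zone = stamp.split()
    dt = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S.%f")
    return dt.replace(tzinfo=ZONES[zone]).timestamp()


def parse_profile(text):
    """Extract the scalar fields, every event with its flows, and the report's own tcpslice window."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(text)}
    day = fields["Observed Start"].split()[0]  # flow lines carry a clock time only; reuse the date
    events, current = [], None
    for line in text.splitlines():
        ev = EVENT_RE.search(line)
        if ev:
            current = {"sid": int(ev.group(1)), "proto": ev.group(2),
                       "msg": ev.group(3), "uri": ev.group(4), "flows": []}
            events.append(current)
            continue
        fl = FLOW_RE.search(line)
        if fl and current is not None:
            current["flows"].append({"dst_port": int(fl.group(1)), "src_port": int(fl.group(2)),
                                     "epoch": to_epoch(f"{day} {fl.group(3)} {fl.group(4)}")})
    sl = SLICE_RE.search(text)
    return {
        "score": float(fields["Score"].split()[0]),
        "target": fields["Infected Target"],
        "infector": fields["Infector List"],
        "observed_start": to_epoch(fields["Observed Start"]),
        "gen_time": to_epoch(fields["Gen. Time"]),
        "events": events,
        "tool_window": (float(sl.group(1)), float(sl.group(2))) if sl else None,
    }


def flows_outside(profile, start, end):
    """(sid, client port) of every flow a slice of [start, end] would drop."""
    return [(e["sid"], f["src_port"]) for e in profile["events"] for f in e["flows"]
            if not (start <= f["epoch"] <= end)]


def slice_command(profile, pad=1.0, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """tcpslice/tcpdump pipeline covering Observed Start through Gen. Time (or the last flow)."""
    last_flow = max((f["epoch"] for e in profile["events"] for f in e["flows"]),
                    default=profile["observed_start"])
    start = profile["observed_start"] - pad
    end = max(profile["gen_time"], last_flow) + pad
    return (f"tcpslice {start:.3f} {end:.3f} {infile} | "
            f"tcpdump -r - -w {outfile} 'host {profile['target']} and host {profile['infector']}'")


if __name__ == "__main__":
    p = parse_profile(SAMPLE_PROFILE)
    print("flows dropped by the report's own window:", flows_outside(p, *p["tool_window"]))
    print(slice_command(p))
```

Run against the sample, the report's window keeps only 80<-51869 and drops the other four flows, while the generated command spans 10:16:12.610 through 10:22:31.164 PDT. The epoch values recomputed from the PDT stamps match the ones in the report's own tcpslice line, which is a useful sanity check before slicing a multi-gigabyte capture.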