Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.101
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/24/2013 08:35:07.720 PDT
Gen. Time: 09/24/2013 08:35:07.720 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (08:35:07.720 PDT)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
      80<-58701 (08:35:07.720 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1380036907.720 1380036907.721 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.101
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/24/2013 08:35:07.720 PDT
Gen. Time: 09/24/2013 08:41:27.953 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (17) (08:35:07.720 PDT)
    event=1:92009714 (11) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 00:01:64:FF:CE:EA
      80<-59004 (08:35:16.546 PDT)
      80<-59891 (08:36:42.501 PDT)
      80<-59905 (08:36:47.609 PDT)
      80<-60005 (08:36:54.658 PDT)
      80<-60885 (08:37:49.173 PDT)
      80<-60908 (08:37:49.275 PDT)
      80<-60915 (08:37:49.311 PDT)
      80<-60923 (08:37:49.340 PDT)
      80<-60931 (08:37:49.371 PDT)
      80<-60934 (08:37:49.382 PDT)
      80<-60934 (08:37:49.385 PDT)
    -------------------------
    event=1:92016184 (4) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
      80<-58701 (08:35:07.720 PDT)
      80<-60900 (08:37:49.248 PDT)
      80<-60918 (08:37:49.324 PDT)
      80<-60967 (08:37:49.607 PDT)
    -------------------------
    event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:01:64:FF:CE:EA
      80<-60990 (08:37:49.714 PDT)
    -------------------------
    event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 00:01:64:FF:CE:EA
      80<-60990 (08:37:49.714 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1380036907.720 1380036907.721 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.101
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/24/2013 09:18:29.985 PDT
Gen. Time: 09/24/2013 09:18:29.985 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (09:18:29.985 PDT)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
      80<-48274 (09:18:29.985 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1380039509.985 1380039509.986 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.101
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/24/2013 09:18:29.985 PDT
Gen. Time: 09/24/2013 09:25:55.170 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (17) (09:18:29.985 PDT)
    event=1:92009714 (11) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 00:01:64:FF:CE:EA
      80<-48354 (09:18:46.947 PDT)
      80<-49191 (09:20:56.357 PDT)
      80<-49193 (09:20:56.859 PDT)
      80<-49199 (09:20:57.678 PDT)
      80<-49403 (09:21:21.431 PDT)
      80<-49466 (09:21:26.043 PDT)
      80<-49471 (09:21:27.263 PDT)
      80<-49480 (09:21:28.821 PDT)
      80<-49489 (09:21:29.512 PDT)
      80<-49496 (09:21:30.308 PDT)
      80<-49497 (09:21:30.436 PDT)
    -------------------------
    event=1:92016184 (4) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
      80<-48274 (09:18:29.985 PDT)
      80<-49453 (09:21:24.068 PDT)
      80<-49475 (09:21:28.063 PDT)
      80<-49536 (09:21:34.349 PDT)
    -------------------------
    event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:01:64:FF:CE:EA
      80<-49562 (09:21:36.461 PDT)
    -------------------------
    event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 00:01:64:FF:CE:EA
      80<-49562 (09:21:36.461 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1380039509.985 1380039509.986 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================