Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.103
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/24/2013 08:34:26.766 PDT
Gen. Time: 09/24/2013 08:34:26.766 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (08:34:26.766 PDT)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
      80<-33053 (08:34:26.766 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1380036866.766 1380036866.767 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.103'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.103
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/24/2013 08:34:26.766 PDT
Gen. Time: 09/24/2013 08:40:48.524 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (17) (08:34:26.766 PDT)
    event=1:92009714 (11) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 00:01:64:FF:CE:EA
      80<-33311 (08:34:41.471 PDT)
      80<-35613 (08:36:07.291 PDT)
      80<-35629 (08:36:12.320 PDT)
      80<-35663 (08:36:22.352 PDT)
      80<-35795 (08:36:50.431 PDT)
      80<-35818 (08:36:52.186 PDT)
      80<-35826 (08:36:52.852 PDT)
      80<-35834 (08:36:53.237 PDT)
      80<-35842 (08:36:53.620 PDT)
      80<-35846 (08:36:53.813 PDT)
      80<-35846 (08:36:53.830 PDT)
    -------------------------
    event=1:92016184 (4) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:01:64:FF:CE:EA
      80<-33053 (08:34:26.766 PDT)
      80<-35807 (08:36:51.658 PDT)
      80<-35830 (08:36:53.042 PDT)
      80<-35901 (08:36:59.482 PDT)
    -------------------------
    event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:01:64:FF:CE:EA
      80<-35923 (08:36:59.630 PDT)
    -------------------------
    event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 00:01:64:FF:CE:EA
      80<-35923 (08:36:59.630 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1380036866.766 1380036866.767 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.103'

============================== SEPARATOR ================================