Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.247
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/01/2013 08:42:36.497 PDT
Gen. Time: 10/01/2013 08:42:36.497 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.247 (08:42:36.497 PDT)
         event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/index.html?urlmaskfilter=] MAC_Dst: 1C:DF:0F:66:3D:B0
         80<-48366 (08:42:36.497 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1380642156.497 1380642156.498 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.247
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/01/2013 08:42:36.497 PDT
Gen. Time: 10/01/2013 08:48:40.766 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.247 (5) (08:42:36.497 PDT)
         event=1:92009714 (4) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/index.html?urlmaskfilter=] MAC_Dst: 1C:DF:0F:66:3D:B0
         80<-48366 (08:42:36.497 PDT)
         80<-48367 (08:42:37.701 PDT)
         80<-48368 (08:42:37.702 PDT)
         80<-50412 (08:45:28.803 PDT)
         -------------------------
         event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
         80<-50391 (08:45:20.750 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1380642156.497 1380642156.498 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.247
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/01/2013 08:53:53.377 PDT
Gen. Time: 10/01/2013 08:53:53.377 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.247 (08:53:53.377 PDT)
         event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/altercast/AlterCast?op=] MAC_Dst: 1C:DF:0F:66:3D:B0
         80<-56055 (08:53:53.377 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1380642833.377 1380642833.378 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.247
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/01/2013 08:53:53.377 PDT
Gen. Time: 10/01/2013 08:59:06.390 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.247 (15) (08:53:53.377 PDT)
         event=1:92009714 (9) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/altercast/AlterCast?op=] MAC_Dst: 1C:DF:0F:66:3D:B0
         80<-56055 (08:53:53.377 PDT)
         80<-56062 (08:53:57.055 PDT)
         80<-56179 (08:54:08.911 PDT)
         80<-56196 (08:54:11.419 PDT)
         80<-56202 (08:54:19.080 PDT)
         80<-56203 (08:54:19.084 PDT)
         80<-56207 (08:54:21.598 PDT)
         80<-56268 (08:54:42.349 PDT)
         80<-56299 (08:54:51.080 PDT)
         -------------------------
         event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
         80<-56195 (08:54:14.358 PDT)
         80<-56205 (08:54:20.346 PDT)
         80<-56258 (08:54:42.162 PDT)
         -------------------------
         event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
         80<-56234 (08:54:32.401 PDT)
         -------------------------
         event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 1C:DF:0F:66:3D:B0
         80<-56234 (08:54:32.401 PDT)
         -------------------------
         event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
         80<-56234 (08:54:32.401 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1380642833.377 1380642833.378 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.16
Egg Source List:
C & C List:
Peer Coord. List: 121.14.98.151 (2)
Resource List:
Observed Start: 10/01/2013 22:15:46.384 PDT
Gen. Time: 10/01/2013 22:17:18.939 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.16 (22:17:18.939 PDT)
         event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/servlet/webacc?User.lang=] MAC_Dst: 00:21:5A:08:BB:0C
         80<-54495 (22:17:18.939 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
      121.14.98.151 (2) (22:15:46.384 PDT)
         event=1:1100018 (2) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         39076->9090 (22:15:46.384 PDT)
         39123->9090 (22:16:46.403 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1380690946.384 1380690946.385 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.16
Egg Source List:
C & C List:
Peer Coord. List: 128.112.139.18, 74.125.20.121, 188.190.120.74, 89.188.127.134 (2), 121.14.98.151 (3), 87.248.186.252
Resource List:
Observed Start: 10/01/2013 22:15:46.384 PDT
Gen. Time: 10/01/2013 22:23:41.843 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.16 (9) (22:17:18.939 PDT)
         event=1:92009714 (9) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/servlet/webacc?User.lang=] MAC_Dst: 00:21:5A:08:BB:0C
         80<-54495 (22:17:18.939 PDT)
         80<-54516 (22:17:20.255 PDT)
         80<-54518 (22:17:20.488 PDT)
         80<-54519 (22:17:20.737 PDT)
         80<-54526 (22:17:20.985 PDT)
         80<-54528 (22:17:21.073 PDT)
         80<-54536 (22:17:21.264 PDT)
         80<-55988 (22:21:22.418 PDT)
         80<-55989 (22:21:22.430 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
      128.112.139.18 (22:22:29.547 PDT)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [/b/ss/economistcomprod/1/H.25.4/s15569616551510?AQB=1&ndh=1&t=1/9/2013 22:22:29 2 420&fid=6D5DB58831334DD1-0878C8DA694FF28F&ce=] MAC_Src: 00:21:5A:08:BB:0C
         58372->80 (22:22:29.547 PDT)
      74.125.20.121 (22:19:00.221 PDT)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         59002->80 (22:19:00.221 PDT)
      188.190.120.74 (22:17:57.412 PDT)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         49442->80 (22:17:57.412 PDT)
      89.188.127.134 (2) (22:20:19.426 PDT)
         event=1:1100016 {tcp} E7[info] P2P torrent scrape tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         39476->80 (22:20:19.836 PDT)
         -------------------------
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         39472->80 (22:20:19.426 PDT)
      121.14.98.151 (3) (22:15:46.384 PDT)
         event=1:1100018 (3) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         39076->9090 (22:15:46.384 PDT)
         39123->9090 (22:16:46.403 PDT)
         33799->9090 (22:21:26.394 PDT)
      87.248.186.252 (22:22:11.956 PDT)
         event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:21:5A:08:BB:0C
         39025->6969 (22:22:11.956 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1380690946.384 1380690946.385 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.16
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/01/2013 22:24:03.178 PDT
Gen. Time: 10/01/2013 22:24:03.178 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.16 (22:24:03.178 PDT)
         event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:21:5A:08:BB:0C
         80<-57195 (22:24:03.178 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1380691443.178 1380691443.179 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.16
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/01/2013 22:24:03.178 PDT
Gen. Time: 10/01/2013 22:28:26.566 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.16 (2) (22:24:03.178 PDT)
         event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 00:21:5A:08:BB:0C
         80<-57331 (22:24:13.038 PDT)
         -------------------------
         event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:21:5A:08:BB:0C
         80<-57195 (22:24:03.178 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1380691443.178 1380691443.179 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.16
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/01/2013 22:39:27.810 PDT
Gen. Time: 10/01/2013 22:39:27.810 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.16 (22:39:27.810 PDT)
         event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/altercast/AlterCast?op=] MAC_Dst: 00:21:5A:08:BB:0C
         80<-35537 (22:39:27.810 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1380692367.810 1380692367.811 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.16
Egg Source List:
C & C List:
Peer Coord. List: 87.248.186.252
Resource List:
Observed Start: 10/01/2013 22:39:27.810 PDT
Gen. Time: 10/01/2013 22:42:00.617 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.16 (16) (22:39:27.810 PDT)
         event=1:92009714 (10) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/altercast/AlterCast?op=] MAC_Dst: 00:21:5A:08:BB:0C
         80<-35537 (22:39:27.810 PDT)
         80<-35547 (22:39:28.520 PDT)
         80<-35592 (22:39:31.585 PDT)
         80<-35622 (22:39:33.884 PDT)
         80<-35633 (22:39:34.695 PDT)
         80<-35634 (22:39:34.700 PDT)
         80<-35672 (22:39:37.056 PDT)
         80<-35676 (22:39:37.445 PDT)
         80<-35921 (22:39:56.834 PDT)
         80<-36090 (22:40:16.407 PDT)
         -------------------------
         event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 00:21:5A:08:BB:0C
         80<-35612 (22:39:33.050 PDT)
         80<-35661 (22:39:36.357 PDT)
         80<-35875 (22:39:54.063 PDT)
         -------------------------
         event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 00:21:5A:08:BB:0C
         80<-35759 (22:39:42.935 PDT)
         -------------------------
         event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:21:5A:08:BB:0C
         80<-35759 (22:39:42.935 PDT)
         -------------------------
         event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 00:21:5A:08:BB:0C
         80<-35759 (22:39:42.935 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
      87.248.186.252 (22:40:51.396 PDT)
         event=1:1100019 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         54908->8080 (22:40:51.396 PDT)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1380692367.810 1380692367.811 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================