Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.240
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/01/2013 17:02:42.622 PDT
Gen. Time:        10/01/2013 17:02:42.622 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (17:02:42.622 PDT)
       event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/servlet/webacc?User.lang=<script>foo</script>] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-45797 (17:02:42.622 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1380672162.622 1380672162.623 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.240'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.240
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/01/2013 17:02:42.622 PDT
Gen. Time:        10/01/2013 17:08:41.025 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (5) (17:02:42.622 PDT)
       event=1:92009714 (4) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/servlet/webacc?User.lang=<script>foo</script>] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-45797 (17:02:42.622 PDT)
          80<-45800 (17:02:42.635 PDT)
          80<-45802 (17:02:42.848 PDT)
          80<-46058 (17:04:57.414 PDT)
       -------------------------
       event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-46047 (17:04:57.073 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1380672162.622 1380672162.623 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.240'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.240
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/01/2013 17:13:28.144 PDT
Gen. Time:        10/01/2013 17:13:28.144 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (17:13:28.144 PDT)
       event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/altercast/AlterCast?op=<script>alert("adobe_document_server_61.nasl")</script>] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-46427 (17:13:28.144 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1380672808.144 1380672808.145 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.240'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.240
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/01/2013 17:13:28.144 PDT
Gen. Time:        10/01/2013 17:17:46.445 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (12) (17:13:28.144 PDT)
       event=1:92009714 (9) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/altercast/AlterCast?op=<script>alert("adobe_document_server_61.nasl")</script>] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-46427 (17:13:28.144 PDT)
          80<-46429 (17:13:28.636 PDT)
          80<-46438 (17:13:29.274 PDT)
          80<-46448 (17:13:37.963 PDT)
          80<-46450 (17:13:38.018 PDT)
          80<-46451 (17:13:38.022 PDT)
          80<-46458 (17:13:38.787 PDT)
          80<-46501 (17:13:50.872 PDT)
          80<-46526 (17:13:51.807 PDT)
       -------------------------
       event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-46446 (17:13:37.709 PDT)
          80<-46456 (17:13:38.473 PDT)
          80<-46491 (17:13:49.986 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1380672808.144 1380672808.145 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.240'

============================== SEPARATOR ================================