Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.100
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/08/2013 08:38:45.113 PDT
Gen. Time:        10/08/2013 08:38:45.113 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (08:38:45.113 PDT)
       event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-39681 (08:38:45.113 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381246725.113 1381246725.114 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.100
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/08/2013 08:38:45.113 PDT
Gen. Time:        10/08/2013 08:45:08.652 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (5) (08:38:45.113 PDT)
       event=1:92009714 (4) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata="><script>foo</script>] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-41037 (08:40:48.393 PDT)
          80<-41912 (08:41:04.373 PDT)
          80<-41914 (08:41:04.426 PDT)
          80<-41915 (08:41:04.429 PDT)
       -------------------------
       event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-39681 (08:38:45.113 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381246725.113 1381246725.114 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.100
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/08/2013 08:48:25.377 PDT
Gen. Time:        10/08/2013 08:48:25.377 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (08:48:25.377 PDT)
       event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/item.fts?href="><script>alert("ftgate_44002.nasl")</script>;] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-46747 (08:48:25.377 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381247305.377 1381247305.378 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.100
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/08/2013 08:48:25.377 PDT
Gen. Time:        10/08/2013 08:52:54.861 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (15) (08:48:25.377 PDT)
       event=1:92009714 (9) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/item.fts?href="><script>alert("ftgate_44002.nasl")</script>;] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-46747 (08:48:25.377 PDT)
          80<-46749 (08:48:25.452 PDT)
          80<-46751 (08:48:25.559 PDT)
          80<-46753 (08:48:25.650 PDT)
          80<-46763 (08:48:26.080 PDT)
          80<-46764 (08:48:26.085 PDT)
          80<-46773 (08:48:26.437 PDT)
          80<-46893 (08:48:35.655 PDT)
          80<-46899 (08:48:35.900 PDT)
       -------------------------
       event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-46758 (08:48:25.852 PDT)
          80<-46768 (08:48:26.233 PDT)
          80<-46891 (08:48:35.504 PDT)
       -------------------------
       event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-46881 (08:48:35.037 PDT)
       -------------------------
       event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-46881 (08:48:35.037 PDT)
       -------------------------
       event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-46881 (08:48:35.037 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381247305.377 1381247305.378 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.100
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: 203.106.113.60
Resource List:    <unobserved>
Observed Start:   10/08/2013 15:14:56.249 PDT
Gen. Time:        10/08/2013 15:17:02.118 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (15:17:02.118 PDT)
       event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata="><script>foo</script>] MAC_Dst: 00:21:5A:08:BB:0C
          80<-51473 (15:17:02.118 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    203.106.113.60 (15:14:56.249 PDT)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
          22145->23683 (15:14:56.249 PDT)
       
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381270496.249 1381270496.250 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.100
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: 203.106.113.60, 87.248.186.252
Resource List:    <unobserved>
Observed Start:   10/08/2013 15:14:56.249 PDT
Gen. Time:        10/08/2013 15:20:35.100 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (2) (15:17:02.118 PDT)
       event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata="><script>foo</script>] MAC_Dst: 00:21:5A:08:BB:0C
          80<-51473 (15:17:02.118 PDT)
       -------------------------
       event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:21:5A:08:BB:0C
          80<-51691 (15:18:26.705 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    203.106.113.60 (15:14:56.249 PDT)
       event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
          22145->23683 (15:14:56.249 PDT)
       
    87.248.186.252 (15:18:16.499 PDT)
       event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
          39591->6969 (15:18:16.499 PDT)
       
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381270496.249 1381270496.250 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.100
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/08/2013 15:22:27.181 PDT
Gen. Time:        10/08/2013 15:22:27.181 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (15:22:27.181 PDT)
       event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/<script>foo</script>] MAC_Dst: 00:21:5A:08:BB:0C
          80<-52709 (15:22:27.181 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381270947.181 1381270947.182 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.100
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: 130.127.39.152
Resource List:    <unobserved>
Observed Start:   10/08/2013 15:22:27.181 PDT
Gen. Time:        10/08/2013 15:25:13.696 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (9) (15:22:27.181 PDT)
       event=1:92009714 (9) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/<script>foo</script>] MAC_Dst: 00:21:5A:08:BB:0C
          80<-52709 (15:22:27.181 PDT)
          80<-52724 (15:22:27.430 PDT)
          80<-52752 (15:22:28.651 PDT)
          80<-52769 (15:22:29.476 PDT)
          80<-52777 (15:22:29.610 PDT)
          80<-52787 (15:22:29.823 PDT)
          80<-52789 (15:22:29.826 PDT)
          80<-53089 (15:22:45.657 PDT)
          80<-53090 (15:22:45.905 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    130.127.39.152 (15:23:14.358 PDT)
       event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
          40901->80 (15:23:14.358 PDT)
       
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381270947.181 1381270947.182 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.100
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: 91.121.164.52, 87.248.186.252 (2)
Resource List:    <unobserved>
Observed Start:   10/08/2013 15:32:19.492 PDT
Gen. Time:        10/08/2013 15:34:08.287 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (15:34:08.287 PDT)
       event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/console/faces/com_sun_web_ui/help/masthead.jsp?windowTitle=</title><script>alert('sun_java_web_console_helpwindow_xss.nasl')</] MAC_Dst: 00:21:5A:08:BB:0C
          80<-56886 (15:34:08.287 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    91.121.164.52 (15:33:21.414 PDT)
       event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
          55005->6969 (15:33:21.414 PDT)
       
    87.248.186.252 (2) (15:32:19.492 PDT)
       event=1:1100010 {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:21:5A:08:BB:0C
          49924->8080 (15:32:19.492 PDT)
       -------------------------
       event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
          49924->8080 (15:32:19.492 PDT)
       
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381271539.492 1381271539.493 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.100
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: 91.121.164.52, 87.248.186.252 (5)
Resource List:    <unobserved>
Observed Start:   10/08/2013 15:32:19.492 PDT
Gen. Time:        10/08/2013 15:38:42.922 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (16) (15:34:08.287 PDT)
       event=1:92009714 (10) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/console/faces/com_sun_web_ui/help/masthead.jsp?windowTitle=</title><script>alert('sun_java_web_console_helpwindow_xss.nasl')</] MAC_Dst: 00:21:5A:08:BB:0C
          80<-56886 (15:34:08.287 PDT)
          80<-56888 (15:34:08.306 PDT)
          80<-56923 (15:34:10.477 PDT)
          80<-56934 (15:34:11.454 PDT)
          80<-56965 (15:34:13.281 PDT)
          80<-56980 (15:34:15.002 PDT)
          80<-57009 (15:34:16.601 PDT)
          80<-57014 (15:34:16.687 PDT)
          80<-57188 (15:34:28.968 PDT)
          80<-57540 (15:34:55.958 PDT)
       -------------------------
       event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 00:21:5A:08:BB:0C
          80<-56903 (15:34:09.321 PDT)
          80<-56914 (15:34:10.323 PDT)
          80<-57528 (15:34:55.204 PDT)
       -------------------------
       event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 00:21:5A:08:BB:0C
          80<-57126 (15:34:23.476 PDT)
       -------------------------
       event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:21:5A:08:BB:0C
          80<-57126 (15:34:23.476 PDT)
       -------------------------
       event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 00:21:5A:08:BB:0C
          80<-57126 (15:34:23.476 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    91.121.164.52 (15:33:21.414 PDT)
       event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
          55005->6969 (15:33:21.414 PDT)
       
    87.248.186.252 (5) (15:32:19.492 PDT)
       event=1:1100010 (2) {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:21:5A:08:BB:0C
          49924->8080 (15:32:19.492 PDT)
          57519->8080 (15:36:00.486 PDT)
       -------------------------
       event=1:1100018 (2) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
          49924->8080 (15:32:19.492 PDT)
          57751->8080 (15:38:37.483 PDT)
       -------------------------
       event=1:1100019 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
          57519->8080 (15:36:00.486 PDT)
       
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381271539.492 1381271539.493 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.100
Infector List:    <unobserved>
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/08/2013 20:09:57.475 PDT
Gen. Time:        10/08/2013 20:09:57.475 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    <unobserved>
    
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    87.98.216.112 (20:09:57.475 PDT)
       event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
          22145->47034 (20:09:57.475 PDT)
       
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381288197.475 1381288197.476 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================