Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.101
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/08/2013 08:38:43.455 PDT
Gen. Time: 10/08/2013 08:38:43.455 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
    128.18.30.15 (08:38:43.455 PDT)
        event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
            80<-34096 (08:38:43.455 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1381246723.455 1381246723.456 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.101
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/08/2013 08:38:43.455 PDT
Gen. Time: 10/08/2013 08:45:03.551 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
    128.18.30.15 (5) (08:38:43.455 PDT)
        event=1:92009714 (4) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 1C:DF:0F:66:3D:B0
            80<-35904 (08:40:53.496 PDT)
            80<-36443 (08:41:03.310 PDT)
            80<-36445 (08:41:03.323 PDT)
            80<-36446 (08:41:03.328 PDT)
        -------------------------
        event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
            80<-34096 (08:38:43.455 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1381246723.455 1381246723.456 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.101
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/08/2013 08:47:44.322 PDT
Gen. Time: 10/08/2013 08:47:44.322 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
    128.18.30.15 (08:47:44.322 PDT)
        event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/item.fts?href=">;] MAC_Dst: 1C:DF:0F:66:3D:B0
            80<-38581 (08:47:44.322 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1381247264.322 1381247264.323 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.101
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/08/2013 08:47:44.322 PDT
Gen. Time: 10/08/2013 08:49:36.622 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
    128.18.30.15 (15) (08:47:44.322 PDT)
        event=1:92009714 (9) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/item.fts?href=">;] MAC_Dst: 1C:DF:0F:66:3D:B0
            80<-38581 (08:47:44.322 PDT)
            80<-38582 (08:47:44.323 PDT)
            80<-38589 (08:47:44.371 PDT)
            80<-38590 (08:47:44.375 PDT)
            80<-38615 (08:47:44.484 PDT)
            80<-38615 (08:47:44.488 PDT)
            80<-38634 (08:47:44.546 PDT)
            80<-38827 (08:47:45.481 PDT)
            80<-38839 (08:47:45.517 PDT)
        -------------------------
        event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
            80<-38599 (08:47:44.419 PDT)
            80<-38626 (08:47:44.520 PDT)
            80<-38819 (08:47:45.447 PDT)
        -------------------------
        event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
            80<-38800 (08:47:45.381 PDT)
        -------------------------
        event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 1C:DF:0F:66:3D:B0
            80<-38800 (08:47:45.381 PDT)
        -------------------------
        event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
            80<-38800 (08:47:45.381 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1381247264.322 1381247264.323 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.101
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/08/2013 09:37:26.276 PDT
Gen. Time: 10/08/2013 09:37:26.276 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
    128.18.30.15 (09:37:26.276 PDT)
        event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
            80<-44883 (09:37:26.276 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1381250246.276 1381250246.277 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.101
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/08/2013 09:37:26.276 PDT
Gen. Time: 10/08/2013 09:43:07.118 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
    128.18.30.15 (17) (09:37:26.276 PDT)
        event=1:92009714 (11) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/] MAC_Dst: 1C:DF:0F:66:3D:B0
            80<-45349 (09:38:24.393 PDT)
            80<-45357 (09:38:27.916 PDT)
            80<-45370 (09:38:31.737 PDT)
            80<-45518 (09:38:47.006 PDT)
            80<-45520 (09:38:47.144 PDT)
            80<-45552 (09:38:49.670 PDT)
            80<-45557 (09:38:50.317 PDT)
            80<-45571 (09:38:51.485 PDT)
            80<-45589 (09:38:53.371 PDT)
            80<-45591 (09:38:53.579 PDT)
            80<-45693 (09:39:01.598 PDT)
        -------------------------
        event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
            80<-44883 (09:37:26.276 PDT)
            80<-45534 (09:38:48.070 PDT)
            80<-45549 (09:38:49.480 PDT)
        -------------------------
        event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
            80<-45662 (09:38:58.867 PDT)
        -------------------------
        event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 1C:DF:0F:66:3D:B0
            80<-45662 (09:38:58.867 PDT)
        -------------------------
        event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
            80<-45662 (09:38:58.867 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1381250246.276 1381250246.277 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================