Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.122
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/08/2013 09:47:19.547 PDT
Gen. Time: 10/08/2013 09:47:19.547 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL)
128.18.30.15 (09:47:19.547 PDT)
  event=1:92003508 {tcp} E2[irb] ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt, [/wp-login.php?redirect_to=http:/dent.csl.sri.com/wp-admin/&reauth=1] MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-42869 (09:47:19.547 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

EGG DOWNLOAD (INTERNAL)

C and C TRAFFIC

C and C TRAFFIC (INTERNAL)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND ATTACK

OUTBOUND ATTACK (INTERNAL)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1381250839.547 1381250839.548 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.122'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.122
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/08/2013 09:47:19.547 PDT
Gen. Time: 10/08/2013 09:56:11.101 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL)
128.18.30.15 (17) (09:47:19.547 PDT)
  event=1:92003508 {tcp} E2[irb] ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt, [/wp-login.php?redirect_to=http:/dent.csl.sri.com/wp-admin/&reauth=1] MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-42869 (09:47:19.547 PDT)
  -------------------------
  event=1:92009714 (11) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-43145 (09:48:33.477 PDT)
    80<-43413 (09:50:20.030 PDT)
    80<-43421 (09:50:20.475 PDT)
    80<-43425 (09:50:20.807 PDT)
    80<-43615 (09:51:39.178 PDT)
    80<-43616 (09:51:39.315 PDT)
    80<-43624 (09:51:40.400 PDT)
    80<-43626 (09:51:40.732 PDT)
    80<-43641 (09:51:42.622 PDT)
    80<-43648 (09:51:43.888 PDT)
    80<-43650 (09:51:44.237 PDT)
  -------------------------
  event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-43240 (09:49:39.131 PDT)
    80<-43618 (09:51:39.658 PDT)
    80<-43622 (09:51:40.029 PDT)
  -------------------------
  event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-43680 (09:51:48.621 PDT)
  -------------------------
  event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-43680 (09:51:48.621 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

EGG DOWNLOAD (INTERNAL)

C and C TRAFFIC

C and C TRAFFIC (INTERNAL)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND ATTACK

OUTBOUND ATTACK (INTERNAL)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1381250839.547 1381250839.548 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.122'

============================== SEPARATOR ================================