Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.16
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/15/2013 08:36:54.276 PDT
Gen. Time: 10/15/2013 08:36:54.276 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.16 (08:36:54.276 PDT)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
      80<-47467 (08:36:54.276 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1381851414.276 1381851414.277 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.16
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/15/2013 08:36:54.276 PDT
Gen. Time: 10/15/2013 08:41:37.226 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.16 (5) (08:36:54.276 PDT)
    event=1:92009714 (4) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/] MAC_Dst: 1C:DF:0F:66:3D:B0
      80<-48379 (08:38:14.418 PDT)
      80<-48381 (08:38:14.434 PDT)
      80<-48383 (08:38:14.491 PDT)
      80<-48386 (08:38:14.685 PDT)
    -------------------------
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
      80<-47467 (08:36:54.276 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1381851414.276 1381851414.277 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.16
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/15/2013 08:44:36.765 PDT
Gen. Time: 10/15/2013 08:44:36.765 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.16 (08:44:36.765 PDT)
    event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/item.fts?href=">;] MAC_Dst: 1C:DF:0F:66:3D:B0
      80<-54156 (08:44:36.765 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1381851876.765 1381851876.766 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.16
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/15/2013 08:44:36.765 PDT
Gen. Time: 10/15/2013 08:49:20.494 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.16 (12) (08:44:36.765 PDT)
    event=1:92009714 (6) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/item.fts?href=">;] MAC_Dst: 1C:DF:0F:66:3D:B0
      80<-54156 (08:44:36.765 PDT)
      80<-54158 (08:44:36.832 PDT)
      80<-54162 (08:44:36.948 PDT)
      80<-54164 (08:44:37.010 PDT)
      80<-54422 (08:45:00.982 PDT)
      80<-54667 (08:45:10.359 PDT)
    -------------------------
    event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
      80<-54173 (08:44:37.305 PDT)
      80<-54334 (08:44:57.473 PDT)
      80<-54427 (08:45:01.044 PDT)
    -------------------------
    event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
      80<-54574 (08:45:07.505 PDT)
    -------------------------
    event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 1C:DF:0F:66:3D:B0
      80<-54574 (08:45:07.505 PDT)
    -------------------------
    event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
      80<-54574 (08:45:07.505 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1381851876.765 1381851876.766 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/15/2013 15:39:37.305 PDT
Gen. Time: 10/15/2013 15:39:37.305 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (15:39:37.305 PDT)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:21:5A:08:BB:0C
      80<-57006 (15:39:37.305 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1381876777.305 1381876777.306 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/15/2013 15:39:37.305 PDT
Gen. Time: 10/15/2013 15:44:42.868 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (11) (15:39:37.305 PDT)
    event=1:92009714 (10) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/citrix/nfuse/default/login.asp?NFuse_LogoutId=&NFuse_MessageType=Error&NFuse_Message=&ClientD] MAC_Dst: 00:21:5A:08:BB:0C
      80<-57243 (15:40:01.364 PDT)
      80<-57245 (15:40:01.450 PDT)
      80<-57410 (15:40:31.555 PDT)
      80<-57413 (15:40:31.630 PDT)
      80<-57414 (15:40:31.650 PDT)
      80<-57433 (15:40:32.616 PDT)
      80<-57434 (15:40:32.650 PDT)
      80<-57437 (15:40:32.736 PDT)
      80<-57440 (15:40:32.757 PDT)
      80<-57479 (15:40:35.941 PDT)
    -------------------------
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:21:5A:08:BB:0C
      80<-57006 (15:39:37.305 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1381876777.305 1381876777.306 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/15/2013 15:48:21.797 PDT
Gen. Time: 10/15/2013 15:48:21.797 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (15:48:21.797 PDT)
    event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/item.fts?href=">;] MAC_Dst: 00:21:5A:08:BB:0C
      80<-59774 (15:48:21.797 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1381877301.797 1381877301.798 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/15/2013 15:48:21.797 PDT
Gen. Time: 10/15/2013 15:53:16.154 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (16) (15:48:21.797 PDT)
    event=1:92009714 (10) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/item.fts?href=">;] MAC_Dst: 00:21:5A:08:BB:0C
      80<-59774 (15:48:21.797 PDT)
      80<-59782 (15:48:22.478 PDT)
      80<-59802 (15:48:24.286 PDT)
      80<-59811 (15:48:25.004 PDT)
      80<-59840 (15:48:27.455 PDT)
      80<-59859 (15:48:29.370 PDT)
      80<-59860 (15:48:29.376 PDT)
      80<-59871 (15:48:30.155 PDT)
      80<-59976 (15:48:43.841 PDT)
      80<-60338 (15:49:29.175 PDT)
    -------------------------
    event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 00:21:5A:08:BB:0C
      80<-59851 (15:48:28.616 PDT)
      80<-59893 (15:48:35.669 PDT)
      80<-59987 (15:48:45.372 PDT)
    -------------------------
    event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 00:21:5A:08:BB:0C
      80<-60021 (15:48:53.383 PDT)
    -------------------------
    event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:21:5A:08:BB:0C
      80<-60021 (15:48:53.383 PDT)
    -------------------------
    event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 00:21:5A:08:BB:0C
      80<-60021 (15:48:53.383 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1381877301.797 1381877301.798 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================