Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.16
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/15/2013 08:45:01.502 PDT
Gen. Time: 10/15/2013 08:45:01.502 PDT
    INBOUND SCAN
    EXPLOIT
    EXPLOIT (INTERNAL)
        128.18.30.16 (08:45:01.502 PDT)
            event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
                80<-43825 (08:45:01.502 PDT)
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    EGG DOWNLOAD (INTERNAL)
    C and C TRAFFIC
    C and C TRAFFIC (INTERNAL)
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
    OUTBOUND ATTACK
    OUTBOUND ATTACK (INTERNAL)
    ATTACK PREP
    PEER COORDINATION Info
    PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1381851901.502 1381851901.503 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.16
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/15/2013 08:45:01.502 PDT
Gen. Time: 10/15/2013 08:51:04.429 PDT
    INBOUND SCAN
    EXPLOIT
    EXPLOIT (INTERNAL)
        128.18.30.16 (17) (08:45:01.502 PDT)
            event=1:92009714 (12) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/] MAC_Dst: 1C:DF:0F:66:3D:B0
                80<-44055 (08:45:20.655 PDT)
                80<-44058 (08:45:20.675 PDT)
                80<-44061 (08:45:20.684 PDT)
                80<-44069 (08:45:20.749 PDT)
                80<-44515 (08:47:31.594 PDT)
                80<-44518 (08:47:31.612 PDT)
                80<-44525 (08:47:31.662 PDT)
                80<-44532 (08:47:31.689 PDT)
                80<-44552 (08:47:31.837 PDT)
                80<-44552 (08:47:31.841 PDT)
                80<-44559 (08:47:31.864 PDT)
                80<-44602 (08:47:32.085 PDT)
            -------------------------
            event=1:92016184 (4) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
                80<-43825 (08:45:01.502 PDT)
                80<-44551 (08:47:31.836 PDT)
                80<-44566 (08:47:31.894 PDT)
                80<-44607 (08:47:32.122 PDT)
            -------------------------
            event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 1C:DF:0F:66:3D:B0
                80<-44621 (08:47:32.216 PDT)
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    EGG DOWNLOAD (INTERNAL)
    C and C TRAFFIC
    C and C TRAFFIC (INTERNAL)
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
    OUTBOUND ATTACK
    OUTBOUND ATTACK (INTERNAL)
    ATTACK PREP
    PEER COORDINATION Info
    PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1381851901.502 1381851901.503 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/15/2013 16:12:50.848 PDT
Gen. Time: 10/15/2013 16:12:50.848 PDT
    INBOUND SCAN
    EXPLOIT
    EXPLOIT (INTERNAL)
        128.18.30.15 (16:12:50.848 PDT)
            event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:21:5A:08:EC:40
                80<-59920 (16:12:50.848 PDT)
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    EGG DOWNLOAD (INTERNAL)
    C and C TRAFFIC
    C and C TRAFFIC (INTERNAL)
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
    OUTBOUND ATTACK
    OUTBOUND ATTACK (INTERNAL)
    ATTACK PREP
    PEER COORDINATION Info
    PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1381878770.848 1381878770.849 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/15/2013 16:12:50.848 PDT
Gen. Time: 10/15/2013 16:21:20.767 PDT
    INBOUND SCAN
    EXPLOIT
    EXPLOIT (INTERNAL)
        128.18.30.15 (11) (16:12:50.848 PDT)
            event=1:92009714 (10) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/citrix/nfuse/default/login.asp?NFuse_LogoutId=&NFuse_MessageType=Error&NFuse_Message=&ClientD] MAC_Dst: 00:21:5A:08:EC:40
                80<-60154 (16:15:47.397 PDT)
                80<-60156 (16:15:47.436 PDT)
                80<-60285 (16:16:57.183 PDT)
                80<-60287 (16:16:57.231 PDT)
                80<-60288 (16:16:57.232 PDT)
                80<-60291 (16:17:00.432 PDT)
                80<-60292 (16:17:00.435 PDT)
                80<-60296 (16:17:02.707 PDT)
                80<-60297 (16:17:02.708 PDT)
                80<-60324 (16:17:32.205 PDT)
            -------------------------
            event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:21:5A:08:EC:40
                80<-59920 (16:12:50.848 PDT)
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    EGG DOWNLOAD (INTERNAL)
    C and C TRAFFIC
    C and C TRAFFIC (INTERNAL)
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
    OUTBOUND ATTACK
    OUTBOUND ATTACK (INTERNAL)
    ATTACK PREP
    PEER COORDINATION Info
    PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1381878770.848 1381878770.849 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/15/2013 16:39:59.159 PDT
Gen. Time: 10/15/2013 16:39:59.159 PDT
    INBOUND SCAN
    EXPLOIT
    EXPLOIT (INTERNAL)
        128.18.30.15 (16:39:59.159 PDT)
            event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/item.fts?href=">;] MAC_Dst: 00:21:5A:08:EC:40
                80<-33479 (16:39:59.159 PDT)
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    EGG DOWNLOAD (INTERNAL)
    C and C TRAFFIC
    C and C TRAFFIC (INTERNAL)
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
    OUTBOUND ATTACK
    OUTBOUND ATTACK (INTERNAL)
    ATTACK PREP
    PEER COORDINATION Info
    PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1381880399.159 1381880399.160 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/15/2013 16:39:59.159 PDT
Gen. Time: 10/15/2013 16:51:09.034 PDT
    INBOUND SCAN
    EXPLOIT
    EXPLOIT (INTERNAL)
        128.18.30.15 (16) (16:39:59.159 PDT)
            event=1:92009714 (10) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/item.fts?href=">;] MAC_Dst: 00:21:5A:08:EC:40
                80<-33479 (16:39:59.159 PDT)
                80<-33514 (16:40:37.044 PDT)
                80<-33527 (16:41:04.585 PDT)
                80<-33540 (16:41:13.903 PDT)
                80<-33555 (16:41:44.579 PDT)
                80<-33581 (16:42:35.244 PDT)
                80<-33582 (16:42:35.249 PDT)
                80<-33593 (16:43:24.416 PDT)
                80<-33690 (16:47:06.503 PDT)
                80<-33939 (16:47:14.277 PDT)
            -------------------------
            event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 00:21:5A:08:EC:40
                80<-33574 (16:42:32.162 PDT)
                80<-33612 (16:44:29.554 PDT)
                80<-33699 (16:47:06.872 PDT)
            -------------------------
            event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 00:21:5A:08:EC:40
                80<-33721 (16:47:07.598 PDT)
            -------------------------
            event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:21:5A:08:EC:40
                80<-33721 (16:47:07.598 PDT)
            -------------------------
            event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 00:21:5A:08:EC:40
                80<-33721 (16:47:07.598 PDT)
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    EGG DOWNLOAD (INTERNAL)
    C and C TRAFFIC
    C and C TRAFFIC (INTERNAL)
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
    OUTBOUND ATTACK
    OUTBOUND ATTACK (INTERNAL)
    ATTACK PREP
    PEER COORDINATION Info
    PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1381880399.159 1381880399.160 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================