Score:            1.3 (>= 0.8)
Infected Target:  192.168.1.85
Infector List:    128.18.30.247
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/15/2013 08:17:43.901 PDT
Gen. Time:        10/15/2013 08:27:28.124 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.247 (08:27:28.124 PDT)
       event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-50626 (08:27:28.124 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    46.163.161.111 (08:23:35.717 PDT)
       event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 1C:DF:0F:66:3D:B0
          80->37118 (08:23:35.717 PDT)
       
    66.249.74.230 (3) (08:17:43.901 PDT)
       event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 1C:DF:0F:66:3D:B0
          80->56401 (08:17:43.901 PDT)
          80->50770 (08:18:34.921 PDT)
          80->44483 (08:20:17.300 PDT)
       
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381850263.901 1381850263.902 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================
Score:            1.3 (>= 0.8)
Infected Target:  192.168.1.85
Infector List:    128.18.30.247
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/15/2013 08:17:43.901 PDT
Gen. Time:        10/15/2013 08:47:22.962 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.247 (17) (08:27:28.124 PDT)
       event=1:92009714 (12) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/<script>foo</script>] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-50728 (08:27:40.033 PDT)
          80<-50731 (08:27:40.053 PDT)
          80<-50732 (08:27:40.064 PDT)
          80<-50738 (08:27:40.118 PDT)
          80<-54919 (08:35:20.546 PDT)
          80<-54922 (08:35:20.579 PDT)
          80<-54926 (08:35:20.684 PDT)
          80<-54932 (08:35:20.712 PDT)
          80<-54943 (08:35:21.011 PDT)
          80<-54944 (08:35:21.015 PDT)
          80<-54946 (08:35:21.044 PDT)
          80<-54973 (08:35:21.593 PDT)
       -------------------------
       event=1:92016184 (4) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-50626 (08:27:28.124 PDT)
          80<-54941 (08:35:20.983 PDT)
          80<-54951 (08:35:21.104 PDT)
          80<-54976 (08:35:21.700 PDT)
       -------------------------
       event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-55002 (08:35:26.201 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    46.163.161.111 (08:23:35.717 PDT)
       event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 1C:DF:0F:66:3D:B0
          80->37118 (08:23:35.717 PDT)
       
    208.115.113.83 (08:38:47.395 PDT)
       event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 1C:DF:0F:66:3D:B0
          80->52833 (08:38:47.395 PDT)
       
    66.249.74.230 (15) (08:17:43.901 PDT)
       event=1:552123 (15) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 1C:DF:0F:66:3D:B0
          80->56401 (08:17:43.901 PDT)
          80->50770 (08:18:34.921 PDT)
          80->44483 (08:20:17.300 PDT)
          80->56779 (08:28:47.675 PDT)
          80->55145 (08:29:38.714 PDT)
          80->52071 (08:30:29.768 PDT)
          80->52430 (08:32:11.928 PDT)
          80->51156 (08:33:02.959 PDT)
          80->37760 (08:35:36.168 PDT)
          80->38449 (08:36:27.217 PDT)
          80->60324 (08:37:18.287 PDT)
          80->54397 (08:38:09.355 PDT)
          80->64558 (08:39:00.419 PDT)
          80->60857 (08:39:51.492 PDT)
          80->54079 (08:40:42.547 PDT)
       
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381850263.901 1381850263.902 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================