Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 128.18.30.15 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/29/2013 08:32:42.481 PDT Gen. Time: 10/29/2013 08:32:42.481 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) 128.18.30.15 (08:32:42.481 PDT) event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0 80<-58395 (08:32:42.481 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1383060762.481 1383060762.482 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 128.18.30.15 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/29/2013 08:32:42.481 PDT Gen. Time: 10/29/2013 08:36:08.235 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) 128.18.30.15 (5) (08:32:42.481 PDT) event=1:92009714 (4) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 1C:DF:0F:66:3D:B0 80<-58737 (08:32:57.537 PDT) 80<-58769 (08:32:59.967 PDT) 80<-58770 (08:32:59.975 PDT) 80<-58774 (08:33:00.050 PDT) ------------------------- event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0 80<-58395 (08:32:42.481 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1383060762.481 1383060762.482 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 128.18.30.15 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/29/2013 08:40:29.867 PDT Gen. Time: 10/29/2013 08:40:29.867 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) 128.18.30.15 (08:40:29.867 PDT) event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0 80<-35666 (08:40:29.867 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1383061229.867 1383061229.868 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 128.18.30.15 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/29/2013 08:40:29.867 PDT Gen. Time: 10/29/2013 08:44:47.274 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) 128.18.30.15 (15) (08:40:29.867 PDT) event=1:92009714 (9) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/item.fts?href=">;] MAC_Dst: 1C:DF:0F:66:3D:B0 80<-35674 (08:40:30.063 PDT) 80<-35676 (08:40:30.151 PDT) 80<-35680 (08:40:30.298 PDT) 80<-35681 (08:40:30.303 PDT) 80<-35683 (08:40:30.376 PDT) 80<-35685 (08:40:30.466 PDT) 80<-35694 (08:40:30.779 PDT) 80<-35825 (08:40:39.829 PDT) 80<-35833 (08:40:40.179 PDT) ------------------------- event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0 80<-35666 (08:40:29.867 PDT) 80<-35692 (08:40:30.688 PDT) 80<-35837 (08:40:40.221 PDT) ------------------------- event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0 80<-35775 (08:40:37.849 PDT) ------------------------- event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 1C:DF:0F:66:3D:B0 80<-35775 (08:40:37.849 PDT) ------------------------- event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0 80<-35775 (08:40:37.849 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1383061229.867 1383061229.868 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 115.186.133.196 Egg Source List: 115.186.133.196 C & C List: Peer Coord. List: Resource List: Observed Start: 10/29/2013 12:03:17.160 PDT Gen. Time: 10/29/2013 12:03:18.530 PDT INBOUND SCAN EXPLOIT 115.186.133.196 (12:03:17.160 PDT) event=1:22009200 {tcp} E2[rb] ET CURRENT_EVENTS Conficker.a Shellcode, [] MAC_Dst: 00:30:48:30:03:AE 445<-2307 (12:03:17.160 PDT) EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD 115.186.133.196 (12:03:18.530 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 1028<-6332 (12:03:18.530 PDT) EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1383073397.160 1383073397.161 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 128.18.30.15 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/29/2013 15:26:22.711 PDT Gen. Time: 10/29/2013 15:26:22.711 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) 128.18.30.15 (15:26:22.711 PDT) event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/citrix/nfuse/default/login.asp?NFuse_LogoutId=&NFuse_MessageType=Error&NFuse_Message=&ClientD] MAC_Dst: 00:21:5A:08:BB:0C 80<-43509 (15:26:22.711 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1383085582.711 1383085582.712 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 128.18.30.15 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/29/2013 15:26:22.711 PDT Gen. Time: 10/29/2013 15:29:41.275 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) 128.18.30.15 (2) (15:26:22.711 PDT) event=1:92009714 (2) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/citrix/nfuse/default/login.asp?NFuse_LogoutId=&NFuse_MessageType=Error&NFuse_Message=&ClientD] MAC_Dst: 00:21:5A:08:BB:0C 80<-43509 (15:26:22.711 PDT) 80<-43511 (15:26:22.734 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1383085582.711 1383085582.712 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 128.18.30.15 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/29/2013 15:31:33.039 PDT Gen. Time: 10/29/2013 15:31:33.039 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) 128.18.30.15 (15:31:33.039 PDT) event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:21:5A:08:BB:0C 80<-45373 (15:31:33.039 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1383085893.039 1383085893.040 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 128.18.30.15 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/29/2013 15:31:33.039 PDT Gen. Time: 10/29/2013 15:38:34.026 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) 128.18.30.15 (9) (15:31:33.039 PDT) event=1:92009714 (8) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 00:21:5A:08:BB:0C 80<-47526 (15:34:48.562 PDT) 80<-47792 (15:35:07.659 PDT) 80<-47800 (15:35:08.277 PDT) 80<-47808 (15:35:08.501 PDT) 80<-47817 (15:35:08.680 PDT) 80<-47833 (15:35:09.524 PDT) 80<-47837 (15:35:09.805 PDT) 80<-47838 (15:35:09.906 PDT) ------------------------- event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:21:5A:08:BB:0C 80<-45373 (15:31:33.039 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1383085893.039 1383085893.040 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 128.18.30.15 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/29/2013 15:58:47.829 PDT Gen. Time: 10/29/2013 15:58:47.829 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) 128.18.30.15 (15:58:47.829 PDT) event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 00:21:5A:08:BB:0C 80<-55812 (15:58:47.829 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1383087527.829 1383087527.830 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 128.18.30.15 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/29/2013 15:58:47.829 PDT Gen. Time: 10/29/2013 16:01:23.144 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) 128.18.30.15 (16) (15:58:47.829 PDT) event=1:92009714 (10) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/item.fts?href=">;] MAC_Dst: 00:21:5A:08:BB:0C 80<-55827 (15:58:49.407 PDT) 80<-55833 (15:58:49.493 PDT) 80<-55862 (15:58:51.128 PDT) 80<-55864 (15:58:51.186 PDT) 80<-55877 (15:58:52.280 PDT) 80<-55886 (15:58:53.194 PDT) 80<-55915 (15:58:56.031 PDT) 80<-55932 (15:58:57.047 PDT) 80<-56286 (15:59:27.624 PDT) 80<-56315 (15:59:31.291 PDT) ------------------------- event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 00:21:5A:08:BB:0C 80<-55812 (15:58:47.829 PDT) 80<-55905 (15:58:54.578 PDT) 80<-56331 (15:59:32.652 PDT) ------------------------- event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 00:21:5A:08:BB:0C 80<-56084 (15:59:12.405 PDT) ------------------------- event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:21:5A:08:BB:0C 80<-56084 (15:59:12.405 PDT) ------------------------- event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 00:21:5A:08:BB:0C 80<-56084 (15:59:12.405 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1383087527.829 1383087527.830 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================