Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/29/2013 08:31:26.406 PDT
Gen. Time: 10/29/2013 08:31:26.406 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL)
128.18.30.15 (08:31:26.406 PDT)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm]
    MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-47810 (08:31:26.406 PDT)

EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383060686.406 1383060686.407 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/29/2013 08:31:26.406 PDT
Gen. Time: 10/29/2013 08:36:07.597 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL)
128.18.30.15 (5) (08:31:26.406 PDT)
    event=1:92009714 (4) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">]
    MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-48529 (08:31:48.489 PDT)
    80<-48622 (08:31:48.854 PDT)
    80<-48623 (08:31:48.863 PDT)
    80<-48626 (08:31:48.889 PDT)
    -------------------------
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm]
    MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-47810 (08:31:26.406 PDT)

EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383060686.406 1383060686.407 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/29/2013 08:38:52.961 PDT
Gen. Time: 10/29/2013 08:38:52.961 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL)
128.18.30.15 (08:38:52.961 PDT)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm]
    MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-54031 (08:38:52.961 PDT)

EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383061132.961 1383061132.962 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/29/2013 08:38:52.961 PDT
Gen. Time: 10/29/2013 08:42:31.034 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL)
128.18.30.15 (15) (08:38:52.961 PDT)
    event=1:92009714 (9) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/item.fts?href=">;]
    MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-54040 (08:38:52.995 PDT)
    80<-54043 (08:38:53.007 PDT)
    80<-54051 (08:38:53.033 PDT)
    80<-54051 (08:38:53.036 PDT)
    80<-54056 (08:38:53.051 PDT)
    80<-54061 (08:38:53.079 PDT)
    80<-54074 (08:38:53.137 PDT)
    80<-54229 (08:38:53.940 PDT)
    80<-54238 (08:38:53.973 PDT)
    -------------------------
    event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm]
    MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-54031 (08:38:52.961 PDT)
    80<-54069 (08:38:53.114 PDT)
    80<-54244 (08:38:53.989 PDT)
    -------------------------
    event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, []
    MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-54150 (08:38:53.590 PDT)
    -------------------------
    event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ]
    MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-54150 (08:38:53.590 PDT)
    -------------------------
    event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, []
    MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-54150 (08:38:53.590 PDT)

EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383061132.961 1383061132.962 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/29/2013 15:41:02.052 PDT
Gen. Time: 10/29/2013 15:41:02.052 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL)
128.18.30.15 (15:41:02.052 PDT)
    event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/citrix/nfuse/default/login.asp?NFuse_LogoutId=&NFuse_MessageType=Error&NFuse_Message=&ClientD]
    MAC_Dst: 00:21:5A:08:EC:40
    80<-47197 (15:41:02.052 PDT)

EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383086462.052 1383086462.053 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/29/2013 15:41:02.052 PDT
Gen. Time: 10/29/2013 15:45:14.534 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL)
128.18.30.15 (2) (15:41:02.052 PDT)
    event=1:92009714 (2) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/citrix/nfuse/default/login.asp?NFuse_LogoutId=&NFuse_MessageType=Error&NFuse_Message=&ClientD]
    MAC_Dst: 00:21:5A:08:EC:40
    80<-47197 (15:41:02.052 PDT)
    80<-47198 (15:41:02.055 PDT)

EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383086462.052 1383086462.053 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/29/2013 15:51:47.172 PDT
Gen. Time: 10/29/2013 15:51:47.172 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL)
128.18.30.15 (15:51:47.172 PDT)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm]
    MAC_Dst: 00:21:5A:08:EC:40
    80<-51303 (15:51:47.172 PDT)

EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383087107.172 1383087107.173 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/29/2013 16:09:23.779 PDT
Gen. Time: 10/29/2013 16:09:23.779 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL)
128.18.30.15 (16:09:23.779 PDT)
    event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">]
    MAC_Dst: 00:21:5A:08:EC:40
    80<-54217 (16:09:23.779 PDT)

EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383088163.779 1383088163.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/29/2013 16:09:23.779 PDT
Gen. Time: 10/29/2013 16:12:09.726 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL)
128.18.30.15 (8) (16:09:23.779 PDT)
    event=1:92009714 (8) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">]
    MAC_Dst: 00:21:5A:08:EC:40
    80<-54217 (16:09:23.779 PDT)
    80<-54389 (16:09:28.423 PDT)
    80<-54395 (16:09:28.536 PDT)
    80<-54401 (16:09:28.673 PDT)
    80<-54407 (16:09:28.863 PDT)
    80<-54422 (16:09:29.328 PDT)
    80<-54427 (16:09:29.563 PDT)
    80<-54429 (16:09:29.575 PDT)

EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383088163.779 1383088163.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/29/2013 16:38:01.169 PDT
Gen. Time: 10/29/2013 16:38:01.169 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL)
128.18.30.15 (16:38:01.169 PDT)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm]
    MAC_Dst: 00:21:5A:08:EC:40
    80<-57717 (16:38:01.169 PDT)

EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383089881.169 1383089881.170 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/29/2013 16:38:01.169 PDT
Gen. Time: 10/29/2013 16:42:40.779 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (INTERNAL)
128.18.30.15 (16) (16:38:01.169 PDT)
    event=1:92009714 (10) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/item.fts?href=">;]
    MAC_Dst: 00:21:5A:08:EC:40
    80<-57733 (16:38:22.443 PDT)
    80<-57737 (16:38:22.518 PDT)
    80<-57751 (16:38:46.051 PDT)
    80<-57753 (16:38:46.076 PDT)
    80<-57766 (16:39:05.727 PDT)
    80<-57775 (16:39:18.830 PDT)
    80<-57805 (16:39:59.703 PDT)
    80<-57821 (16:40:16.475 PDT)
    80<-58096 (16:41:21.963 PDT)
    80<-58116 (16:41:22.744 PDT)
    -------------------------
    event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm]
    MAC_Dst: 00:21:5A:08:EC:40
    80<-57717 (16:38:01.169 PDT)
    80<-57793 (16:39:46.658 PDT)
    80<-58126 (16:41:23.011 PDT)
    -------------------------
    event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, []
    MAC_Dst: 00:21:5A:08:EC:40
    80<-57942 (16:41:14.640 PDT)
    -------------------------
    event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ]
    MAC_Dst: 00:21:5A:08:EC:40
    80<-57942 (16:41:14.640 PDT)
    -------------------------
    event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, []
    MAC_Dst: 00:21:5A:08:EC:40
    80<-57942 (16:41:14.640 PDT)

EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383089881.169 1383089881.170 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================