Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/05/2013 08:34:14.108 PST
Gen. Time: 11/05/2013 08:34:14.108 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.15 (08:34:14.108 PST)
         event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 1C:DF:0F:66:3D:B0
         80<-60221 (08:34:14.108 PST)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383669254.108 1383669254.109 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/05/2013 08:34:14.108 PST
Gen. Time: 11/05/2013 08:39:56.411 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.15 (5) (08:34:14.108 PST)
         event=1:92009714 (4) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 1C:DF:0F:66:3D:B0
         80<-60221 (08:34:14.108 PST)
         80<-60844 (08:35:29.135 PST)
         80<-60869 (08:35:34.208 PST)
         80<-60870 (08:35:34.209 PST)
         -------------------------
         event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
         80<-33151 (08:35:54.301 PST)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383669254.108 1383669254.109 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/05/2013 08:43:09.104 PST
Gen. Time: 11/05/2013 08:43:09.104 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.15 (08:43:09.104 PST)
         event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/Websense/cgi-bin/WsCgiLogin.exe?Page=login&UserName=nessus">] MAC_Dst: 1C:DF:0F:66:3D:B0
         80<-40187 (08:43:09.104 PST)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383669789.104 1383669789.105 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/05/2013 08:43:09.104 PST
Gen. Time: 11/05/2013 08:46:06.066 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.15 (15) (08:43:09.104 PST)
         event=1:92009714 (9) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/Websense/cgi-bin/WsCgiLogin.exe?Page=login&UserName=nessus">] MAC_Dst: 1C:DF:0F:66:3D:B0
         80<-40187 (08:43:09.104 PST)
         80<-40189 (08:43:09.164 PST)
         80<-40190 (08:43:09.210 PST)
         80<-40192 (08:43:09.223 PST)
         80<-40201 (08:43:09.472 PST)
         80<-40211 (08:43:09.757 PST)
         80<-40213 (08:43:09.829 PST)
         80<-40222 (08:43:10.057 PST)
         80<-40263 (08:43:11.030 PST)
         -------------------------
         event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
         80<-40194 (08:43:09.281 PST)
         80<-40199 (08:43:09.408 PST)
         80<-40260 (08:43:10.958 PST)
         -------------------------
         event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
         80<-40249 (08:43:10.753 PST)
         -------------------------
         event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 1C:DF:0F:66:3D:B0
         80<-40249 (08:43:10.753 PST)
         -------------------------
         event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
         80<-40249 (08:43:10.753 PST)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383669789.104 1383669789.105 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 71.170.207.118, 83.230.127.124
Resource List:
Observed Start: 11/05/2013 15:48:51.591 PST
Gen. Time: 11/05/2013 15:50:27.479 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.15 (15:50:27.479 PST)
         event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 00:21:5A:08:BB:0C
         80<-47803 (15:50:27.479 PST)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
      71.170.207.118 (15:49:58.639 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->55368 (15:49:58.639 PST)
      83.230.127.124 (15:48:51.591 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->6881 (15:48:51.591 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383695331.591 1383695331.592 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 169.229.50.10, 136.159.220.40, 71.170.207.118, 83.230.127.124, 24.126.232.241, 130.237.50.92 (2), 206.117.37.4, 79.33.168.156, 150.65.32.68, 138.26.66.4
Resource List:
Observed Start: 11/05/2013 15:48:51.591 PST
Gen. Time: 11/05/2013 15:56:13.186 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.15 (10) (15:50:27.479 PST)
         event=1:92009714 (10) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 00:21:5A:08:BB:0C
         80<-47803 (15:50:27.479 PST)
         80<-48161 (15:51:55.681 PST)
         80<-48166 (15:51:57.393 PST)
         80<-48175 (15:51:59.080 PST)
         80<-48177 (15:51:59.502 PST)
         80<-48186 (15:52:02.176 PST)
         80<-48203 (15:52:08.609 PST)
         80<-48211 (15:52:08.738 PST)
         80<-48669 (15:53:05.169 PST)
         80<-48674 (15:53:05.512 PST)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
      169.229.50.10 (15:55:34.179 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
         47737->6881 (15:55:34.179 PST)
      136.159.220.40 (15:52:01.440 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->6881 (15:52:01.440 PST)
      71.170.207.118 (15:49:58.639 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->55368 (15:49:58.639 PST)
      83.230.127.124 (15:48:51.591 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->6881 (15:48:51.591 PST)
      24.126.232.241 (15:54:25.063 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->47275 (15:54:25.063 PST)
      130.237.50.92 (2) (15:50:57.427 PST)
         event=1:1100018 (2) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         36865->6969 (15:50:57.427 PST)
         58966->6969 (15:55:33.136 PST)
      206.117.37.4 (15:50:57.651 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
         48928->6882 (15:50:57.651 PST)
      79.33.168.156 (15:55:28.620 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->19956 (15:55:28.620 PST)
      150.65.32.68 (15:50:58.231 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->6881 (15:50:58.231 PST)
      138.26.66.4 (15:53:24.933 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->6881 (15:53:24.933 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383695331.591 1383695331.592 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 130.237.50.92, 110.171.9.63, 110.174.167.64
Resource List:
Observed Start: 11/05/2013 15:56:28.830 PST
Gen. Time: 11/05/2013 15:57:55.910 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.15 (15:57:55.910 PST)
         event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:21:5A:08:BB:0C
         80<-51507 (15:57:55.910 PST)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
      130.237.50.92 (15:57:32.865 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         59120->6969 (15:57:32.865 PST)
      110.171.9.63 (15:56:28.830 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->64857 (15:56:28.830 PST)
      110.174.167.64 (15:57:29.680 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->12713 (15:57:29.680 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383695788.830 1383695788.831 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 78.13.185.3, 130.237.50.92 (2), 110.171.9.63, 188.238.44.128, 110.174.167.64, 169.229.50.11, 79.44.237.142
Resource List:
Observed Start: 11/05/2013 15:56:28.830 PST
Gen. Time: 11/05/2013 16:01:07.708 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.15 (15:57:55.910 PST)
         event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:21:5A:08:BB:0C
         80<-51507 (15:57:55.910 PST)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
      78.13.185.3 (15:59:39.029 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->1025 (15:59:39.029 PST)
      130.237.50.92 (2) (15:57:32.865 PST)
         event=1:1100018 (2) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         59120->6969 (15:57:32.865 PST)
         59293->6969 (15:59:58.747 PST)
      110.171.9.63 (15:56:28.830 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->64857 (15:56:28.830 PST)
      188.238.44.128 (15:58:30.665 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->15249 (15:58:30.665 PST)
      110.174.167.64 (15:57:29.680 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->12713 (15:57:29.680 PST)
      169.229.50.11 (15:59:58.993 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
         53852->6881 (15:59:58.993 PST)
      79.44.237.142 (16:00:39.054 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->63968 (16:00:39.054 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383695788.830 1383695788.831 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 169.229.50.12, 130.237.50.92, 109.15.5.74, 143.248.55.129, 201.82.83.189
Resource List:
Observed Start: 11/05/2013 16:13:18.494 PST
Gen. Time: 11/05/2013 16:16:46.639 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.15 (16:16:46.639 PST)
         event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/Websense/cgi-bin/WsCgiLogin.exe?Page=login&UserName=nessus">] MAC_Dst: 00:21:5A:08:BB:0C
         80<-55627 (16:16:46.639 PST)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
      169.229.50.12 (16:13:18.732 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
         51711->6881 (16:13:18.732 PST)
      130.237.50.92 (16:13:18.494 PST)
         event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         56641->6969 (16:13:18.494 PST)
      109.15.5.74 (16:16:00.712 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->47407 (16:16:00.712 PST)
      143.248.55.129 (16:14:54.873 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->6881 (16:14:54.873 PST)
      201.82.83.189 (16:13:53.040 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->21985 (16:13:53.040 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383696798.494 1383696798.495 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 109.15.5.74, 131.179.150.70, 217.6.225.74, 46.251.104.34, 108.85.221.35, 130.237.50.92 (4), 201.82.83.189, 143.248.55.129, 169.229.50.12 (2), 129.63.159.101, 85.76.100.201
Resource List:
Observed Start: 11/05/2013 16:13:18.494 PST
Gen. Time: 11/05/2013 16:22:04.606 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
      128.18.30.15 (16) (16:16:46.639 PST)
         event=1:92009714 (10) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/Websense/cgi-bin/WsCgiLogin.exe?Page=login&UserName=nessus">] MAC_Dst: 00:21:5A:08:BB:0C
         80<-55627 (16:16:46.639 PST)
         80<-55641 (16:16:48.218 PST)
         80<-55642 (16:16:48.281 PST)
         80<-55643 (16:16:48.281 PST)
         80<-55726 (16:17:09.852 PST)
         80<-55761 (16:17:18.255 PST)
         80<-55767 (16:17:18.709 PST)
         80<-55776 (16:17:20.367 PST)
         80<-55814 (16:17:27.656 PST)
         80<-56014 (16:18:01.646 PST)
         -------------------------
         event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 00:21:5A:08:BB:0C
         80<-55667 (16:16:53.289 PST)
         80<-55710 (16:17:01.143 PST)
         80<-56006 (16:18:01.277 PST)
         -------------------------
         event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 00:21:5A:08:BB:0C
         80<-55937 (16:17:47.009 PST)
         -------------------------
         event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:21:5A:08:BB:0C
         80<-55937 (16:17:47.009 PST)
         -------------------------
         event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 00:21:5A:08:BB:0C
         80<-55937 (16:17:47.009 PST)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
      109.15.5.74 (16:16:00.712 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->47407 (16:16:00.712 PST)
      131.179.150.70 (16:21:55.767 PST)
         event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
         54632->6881 (16:21:55.767 PST)
      217.6.225.74 (16:20:27.548 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6881->17532 (16:20:27.548 PST)
      46.251.104.34 (16:19:27.710 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->10535 (16:19:27.710 PST)
      108.85.221.35 (16:18:23.644 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->39235 (16:18:23.644 PST)
      130.237.50.92 (4) (16:13:18.494 PST)
         event=1:1100018 (4) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:BB:0C
         56641->6969 (16:13:18.494 PST)
         37918->6969 (16:17:37.674 PST)
         38109->6969 (16:19:39.146 PST)
         58274->6969 (16:21:55.533 PST)
      201.82.83.189 (16:13:53.040 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->21985 (16:13:53.040 PST)
      143.248.55.129 (16:14:54.873 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->6881 (16:14:54.873 PST)
      169.229.50.12 (2) (16:13:18.732 PST)
         event=1:1100012 (2) {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:BB:0C
         51711->6881 (16:13:18.732 PST)
         50056->6881 (16:19:39.437 PST)
      129.63.159.101 (16:21:27.202 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->6881 (16:21:27.202 PST)
      85.76.100.201 (16:17:08.206 PST)
         event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:BB:0C
         6882->24988 (16:17:08.206 PST)
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383696798.494 1383696798.495 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================