Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.101
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   11/05/2013 08:37:55.768 PST
Gen. Time:        11/05/2013 08:37:55.768 PST


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (08:37:55.768 PST)
       event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata="><script>foo</script>] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-45681 (08:37:55.768 PST)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1383669475.768 1383669475.769 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.101
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   11/05/2013 08:37:55.768 PST
Gen. Time:        11/05/2013 08:44:10.407 PST


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (17) (08:37:55.768 PST)
       event=1:92009714 (12) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata="><script>foo</script>] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-45681 (08:37:55.768 PST)
          80<-45947 (08:38:29.129 PST)
          80<-45958 (08:38:32.147 PST)
          80<-45974 (08:38:35.180 PST)
          80<-50260 (08:40:02.941 PST)
          80<-50264 (08:40:03.002 PST)
          80<-50264 (08:40:03.005 PST)
          80<-50269 (08:40:03.042 PST)
          80<-50287 (08:40:03.235 PST)
          80<-50312 (08:40:03.483 PST)
          80<-50318 (08:40:03.577 PST)
          80<-50333 (08:40:03.829 PST)
       -------------------------
       event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-50227 (08:40:02.085 PST)
          80<-50273 (08:40:03.076 PST)
          80<-50281 (08:40:03.178 PST)
       -------------------------
       event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-50381 (08:40:04.432 PST)
       -------------------------
       event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-50381 (08:40:04.432 PST)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1383669475.768 1383669475.769 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.101
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   11/05/2013 09:49:40.402 PST
Gen. Time:        11/05/2013 09:49:40.402 PST


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (09:49:40.402 PST)
       event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata="><script>foo</script>] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-43957 (09:49:40.402 PST)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1383673780.402 1383673780.403 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.101
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   11/05/2013 09:49:40.402 PST
Gen. Time:        11/05/2013 10:02:29.323 PST


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (17) (09:49:40.402 PST)
       event=1:92009714 (12) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata="><script>foo</script>] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-43957 (09:49:40.402 PST)
          80<-44027 (09:50:55.697 PST)
          80<-44032 (09:50:56.303 PST)
          80<-44033 (09:50:56.304 PST)
          80<-47384 (09:56:40.385 PST)
          80<-47400 (09:56:44.130 PST)
          80<-47401 (09:56:44.276 PST)
          80<-47419 (09:56:46.223 PST)
          80<-47464 (09:56:56.135 PST)
          80<-47512 (09:57:09.753 PST)
          80<-47523 (09:57:15.495 PST)
          80<-47675 (09:57:32.365 PST)
       -------------------------
       event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-45111 (09:53:27.489 PST)
          80<-47424 (09:56:47.950 PST)
          80<-47460 (09:56:53.415 PST)
       -------------------------
       event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-47803 (09:58:30.834 PST)
       -------------------------
       event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-47803 (09:58:30.834 PST)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1383673780.402 1383673780.403 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================