Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/05/2013 08:37:53.171 PST
Gen. Time: 11/05/2013 08:37:53.171 PST

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (08:37:53.171 PST)
    event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-52689 (08:37:53.171 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383669473.171 1383669473.172 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/05/2013 08:37:53.171 PST
Gen. Time: 11/05/2013 08:43:25.343 PST

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (17) (08:37:53.171 PST)
    event=1:92009714 (12) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-52689 (08:37:53.171 PST)
    80<-52965 (08:38:26.544 PST)
    80<-52971 (08:38:29.567 PST)
    80<-52983 (08:38:32.602 PST)
    80<-56293 (08:39:26.692 PST)
    80<-56297 (08:39:26.756 PST)
    80<-56297 (08:39:26.759 PST)
    80<-56302 (08:39:26.797 PST)
    80<-56320 (08:39:26.989 PST)
    80<-56338 (08:39:27.226 PST)
    80<-56342 (08:39:27.318 PST)
    80<-56357 (08:39:27.554 PST)
    -------------------------
    event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-56256 (08:39:25.804 PST)
    80<-56306 (08:39:26.828 PST)
    80<-56314 (08:39:26.934 PST)
    -------------------------
    event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-56401 (08:39:28.167 PST)
    -------------------------
    event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
    80<-56401 (08:39:28.167 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383669473.171 1383669473.172 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 59.95.123.100, 83.246.92.210, 93.187.200.64
Resource List:
Observed Start: 11/05/2013 15:59:19.022 PST
Gen. Time: 11/05/2013 16:02:23.644 PST

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (16:02:23.644 PST)
    event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 00:21:5A:08:EC:40
    80<-49077 (16:02:23.644 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
  59.95.123.100 (15:59:19.022 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->59449 (15:59:19.022 PST)
  83.246.92.210 (16:01:48.534 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->6881 (16:01:48.534 PST)
  93.187.200.64 (16:00:31.319 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->27398 (16:00:31.319 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383695959.022 1383695959.023 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List: 218.30.115.254
Peer Coord. List: 59.95.123.100, 130.237.50.92 (2), 169.235.24.133, 72.137.32.40, 83.246.92.210, 204.123.28.55, 169.229.50.9, 93.187.200.64
Resource List:
Observed Start: 11/05/2013 15:59:19.022 PST
Gen. Time: 11/05/2013 16:04:33.689 PST

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (16:02:23.644 PST)
    event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 00:21:5A:08:EC:40
    80<-49077 (16:02:23.644 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
  218.30.115.254 (16:03:02.690 PST)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    41275->80 (16:03:02.690 PST)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
  59.95.123.100 (15:59:19.022 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->59449 (15:59:19.022 PST)
  130.237.50.92 (2) (16:02:50.582 PST)
    event=1:1100018 (2) {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:EC:40
    57948->6969 (16:02:50.582 PST)
    43362->6969 (16:04:09.645 PST)
  169.235.24.133 (16:02:50.865 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->6881 (16:02:50.865 PST)
  72.137.32.40 (16:04:23.385 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->22171 (16:04:23.385 PST)
  83.246.92.210 (16:01:48.534 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->6881 (16:01:48.534 PST)
  204.123.28.55 (16:04:24.220 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:EC:40
    55752->6881 (16:04:24.220 PST)
  169.229.50.9 (16:02:50.793 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:EC:40
    48700->6882 (16:02:50.793 PST)
  93.187.200.64 (16:00:31.319 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->27398 (16:00:31.319 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383695959.022 1383695959.023 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 95.62.109.44, 69.235.3.8
Resource List:
Observed Start: 11/05/2013 16:05:23.334 PST
Gen. Time: 11/05/2013 16:07:05.587 PST

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (16:07:05.587 PST)
    event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/index.html?urlmaskfilter=] MAC_Dst: 00:21:5A:08:EC:40
    80<-49649 (16:07:05.587 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
  95.62.109.44 (16:05:23.334 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->61934 (16:05:23.334 PST)
  69.235.3.8 (16:06:23.544 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->51995 (16:06:23.544 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383696323.334 1383696323.335 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 78.139.229.58, 13.7.64.20, 84.113.194.71, 130.237.50.92, 95.62.109.44, 134.76.249.229, 128.114.63.63, 69.235.3.8
Resource List:
Observed Start: 11/05/2013 16:05:23.334 PST
Gen. Time: 11/05/2013 16:11:17.330 PST

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (7) (16:07:05.587 PST)
    event=1:92009714 (7) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/index.html?urlmaskfilter=] MAC_Dst: 00:21:5A:08:EC:40
    80<-49649 (16:07:05.587 PST)
    80<-49650 (16:07:05.588 PST)
    80<-49659 (16:07:05.730 PST)
    80<-49661 (16:07:05.779 PST)
    80<-49663 (16:07:05.866 PST)
    80<-49665 (16:07:05.942 PST)
    80<-49705 (16:07:17.308 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
  78.139.229.58 (16:07:44.840 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->47252 (16:07:44.840 PST)
  13.7.64.20 (16:09:49.070 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->6881 (16:09:49.070 PST)
  84.113.194.71 (16:08:44.885 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->56881 (16:08:44.885 PST)
  130.237.50.92 (16:07:22.484 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:EC:40
    43585->6969 (16:07:22.484 PST)
  95.62.109.44 (16:05:23.334 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->61934 (16:05:23.334 PST)
  134.76.249.229 (16:10:50.180 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->6881 (16:10:50.180 PST)
  128.114.63.63 (16:07:45.832 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:EC:40
    57509->6882 (16:07:45.832 PST)
  69.235.3.8 (16:06:23.544 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->51995 (16:06:23.544 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383696323.334 1383696323.335 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/05/2013 16:11:52.311 PST
Gen. Time: 11/05/2013 16:11:52.311 PST

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (16:11:52.311 PST)
    event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/citrix/nfuse/default/login.asp?NFuse_LogoutId=&NFuse_MessageType=Error&NFuse_Message=&ClientD] MAC_Dst: 00:21:5A:08:EC:40
    80<-50471 (16:11:52.311 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383696712.311 1383696712.312 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List: 218.30.115.254
Peer Coord. List: 189.101.88.246, 166.230.18.17, 89.212.218.144, 69.235.3.8
Resource List:
Observed Start: 11/05/2013 16:11:52.311 PST
Gen. Time: 11/05/2013 16:16:00.712 PST

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (2) (16:11:52.311 PST)
    event=1:92009714 (2) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/citrix/nfuse/default/login.asp?NFuse_LogoutId=&NFuse_MessageType=Error&NFuse_Message=&ClientD] MAC_Dst: 00:21:5A:08:EC:40
    80<-50471 (16:11:52.311 PST)
    80<-50473 (16:11:52.356 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
  218.30.115.254 (16:15:02.764 PST)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    41407->80 (16:15:02.764 PST)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
  189.101.88.246 (16:14:53.684 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->58574 (16:14:53.684 PST)
  166.230.18.17 (16:11:53.868 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->26184 (16:11:53.868 PST)
  89.212.218.144 (16:12:53.299 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->24972 (16:12:53.299 PST)
  69.235.3.8 (16:13:53.325 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->51995 (16:13:53.325 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383696712.311 1383696712.312 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 5.23.13.164, 82.208.100.158
Resource List:
Observed Start: 11/05/2013 16:33:27.622 PST
Gen. Time: 11/05/2013 16:35:27.035 PST

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (16:35:27.035 PST)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:21:5A:08:EC:40
    80<-54647 (16:35:27.035 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
  5.23.13.164 (16:34:27.589 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->2669 (16:34:27.589 PST)
  82.208.100.158 (16:33:27.622 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->44737 (16:33:27.622 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383698007.622 1383698007.623 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 5.23.13.164, 160.80.221.39, 139.19.158.233, 148.81.140.194, 87.178.252.69, 82.208.100.158
Resource List:
Observed Start: 11/05/2013 16:33:27.622 PST
Gen. Time: 11/05/2013 16:38:59.125 PST

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (16:35:27.035 PST)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:21:5A:08:EC:40
    80<-54647 (16:35:27.035 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
  5.23.13.164 (16:34:27.589 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->2669 (16:34:27.589 PST)
  160.80.221.39 (16:36:33.721 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->6881 (16:36:33.721 PST)
  139.19.158.233 (16:38:39.552 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->6881 (16:38:39.552 PST)
  148.81.140.194 (16:37:39.871 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->6881 (16:37:39.871 PST)
  87.178.252.69 (16:35:27.788 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->4600 (16:35:27.788 PST)
  82.208.100.158 (16:33:27.622 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->44737 (16:33:27.622 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383698007.622 1383698007.623 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 190.171.229.157
Resource List:
Observed Start: 11/05/2013 16:58:26.026 PST
Gen. Time: 11/05/2013 16:59:04.228 PST

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (16:59:04.228 PST)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 00:21:5A:08:EC:40
    80<-57076 (16:59:04.228 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
  190.171.229.157 (16:58:26.026 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->24444 (16:58:26.026 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383699506.026 1383699506.027 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 128.111.52.58, 130.237.50.92, 190.171.229.157, 128.119.247.250, 180.190.131.25, 169.229.50.9
Resource List:
Observed Start: 11/05/2013 16:58:26.026 PST
Gen. Time: 11/05/2013 17:03:07.428 PST

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
  128.18.30.15 (12) (16:59:04.228 PST)
    event=1:92009714 (6) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/altercast/AlterCast?op=] MAC_Dst: 00:21:5A:08:EC:40
    80<-57095 (16:59:04.850 PST)
    80<-57127 (16:59:05.720 PST)
    80<-57133 (16:59:05.815 PST)
    80<-57141 (16:59:06.143 PST)
    80<-57169 (16:59:07.107 PST)
    80<-57290 (16:59:12.153 PST)
    -------------------------
    event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 00:21:5A:08:EC:40
    80<-57076 (16:59:04.228 PST)
    80<-57090 (16:59:04.788 PST)
    80<-57284 (16:59:11.825 PST)
    -------------------------
    event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 00:21:5A:08:EC:40
    80<-57245 (16:59:10.198 PST)
    -------------------------
    event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:21:5A:08:EC:40
    80<-57245 (16:59:10.198 PST)
    -------------------------
    event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 00:21:5A:08:EC:40
    80<-57245 (16:59:10.198 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
  128.111.52.58 (17:02:17.018 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->6881 (17:02:17.018 PST)
  130.237.50.92 (17:03:07.213 PST)
    event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, [] MAC_Src: 00:21:5A:08:EC:40
    50307->6969 (17:03:07.213 PST)
  190.171.229.157 (16:58:26.026 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->24444 (16:58:26.026 PST)
  128.119.247.250 (17:01:11.609 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->6881 (17:01:11.609 PST)
  180.190.131.25 (17:00:00.731 PST)
    event=1:1100013 {udp} E7[info] P2P torrent DHT ping, [] MAC_Src: 00:21:5A:08:EC:40
    6881->1312 (17:00:00.731 PST)
  169.229.50.9 (17:03:07.428 PST)
    event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, [] MAC_Src: 00:21:5A:08:EC:40
    41294->6881 (17:03:07.428 PST)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1383699506.026 1383699506.027 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================