Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 14:00:08.551 PST Gen. Time: 11/07/2013 14:00:41.084 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 198.133.224.149 (2) (14:00:39.235 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46469->22 (14:00:39.235 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46469->22 (14:00:39.235 PST) 204.8.155.227 (14:00:26.750 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56471->22 (14:00:26.750 PST) 128.10.19.53 (14:00:08.551 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45655->22 (14:00:08.551 PST) 129.82.12.188 (14:00:16.731 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49246->22 (14:00:16.731 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 192.91.235.230 (14:00:41.084 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (14:00:41.084 PST) tcpslice 1383861608.551 1383861608.552 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 14:00:08.551 PST Gen. Time: 11/07/2013 14:17:40.127 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.208.4.197 (14:10:54.717 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58094->22 (14:10:54.717 PST) 128.10.19.53 (14:00:08.551 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45655->22 (14:00:08.551 PST) 128.10.19.52 (14:11:13.623 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 57870->22 (14:11:13.623 PST) 72.36.112.79 (3) (14:01:11.528 PST) event=1:2003068 (3) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52679->22 (14:01:11.528 PST) 53750->22 (14:04:59.048 PST) 54855->22 (14:08:10.537 PST) 165.91.55.10 (14:10:49.596 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 60397->22 (14:10:49.596 PST) 155.246.12.164 (14:11:33.307 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58935->22 (14:11:33.307 PST) 131.193.34.38 (14:00:58.039 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 33696->22 (14:00:58.039 PST) 165.91.55.8 (14:11:22.823 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39525->22 (14:11:22.823 PST) 158.130.6.253 (2) (14:11:02.855 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 40487->22 (14:11:02.855 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40487->22 (14:11:02.855 PST) 198.133.224.149 (2) (14:00:39.235 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46469->22 (14:00:39.235 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46469->22 (14:00:39.235 PST) 204.8.155.227 (14:00:26.750 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56471->22 (14:00:26.750 PST) 129.82.12.188 (14:00:16.731 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49246->22 (14:00:16.731 PST) 128.111.52.59 (14:10:42.222 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58060->22 (14:10:42.222 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 130.127.39.153 (3) (14:12:06.328 PST-14:15:13.676 PST) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 3: 0->0 (14:12:06.328 PST-14:15:13.676 PST) 192.91.235.230 (7) (14:00:41.084 PST-14:08:58.600 PST) event=777:7777008 (7) {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (17 /24s) (# pkts S/M/O/I=0/28/0/0): 22:28, [] MAC_Src: 1C:DF:0F:66:3D:B0 5: 0->0 (14:02:35.752 PST-14:08:58.600 PST) 0->0 (14:00:41.084 PST) 0->0 (14:10:36.983 PST) tcpslice 1383861608.551 1383862513.677 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 15:15:47.123 PST Gen. Time: 11/07/2013 15:18:14.390 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (15:16:26.387 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42309->22 (15:16:26.387 PST) 128.208.4.197 (15:17:16.368 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48072->22 (15:17:16.368 PST) 128.10.19.53 (2) (15:16:36.906 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 38423->22 (15:16:36.906 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38442->22 (15:16:40.627 PST) 131.179.150.72 (15:15:47.123 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49812->22 (15:15:47.123 PST) 131.179.150.70 (15:16:43.566 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36676->22 (15:16:43.566 PST) 155.246.12.164 (15:17:27.246 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48844->22 (15:17:27.246 PST) 13.7.64.22 (2) (15:17:10.116 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 45590->22 (15:17:10.116 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45602->22 (15:17:12.707 PST) 128.42.142.45 (15:15:57.169 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36252->22 (15:15:57.169 PST) 204.8.155.227 (15:16:17.151 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49011->22 (15:16:17.151 PST) 192.91.235.230 (15:16:33.745 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45669->22 (15:16:33.745 PST) 129.82.12.188 (15:16:58.987 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42073->22 (15:16:58.987 PST) 141.212.113.180 (15:16:23.349 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43265->22 (15:16:23.349 PST) 141.212.113.179 (15:17:07.999 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 33432->22 (15:17:07.999 PST) 128.111.52.59 (15:17:19.154 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48126->22 (15:17:19.154 PST) 130.127.39.152 (15:16:09.095 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41793->22 (15:16:09.095 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (15:18:14.390 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:18:14.390 PST) tcpslice 1383866147.123 1383866147.124 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 15:15:47.123 PST Gen. Time: 11/07/2013 15:23:36.658 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (15:16:26.387 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42309->22 (15:16:26.387 PST) 128.208.4.197 (15:17:16.368 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48072->22 (15:17:16.368 PST) 128.10.19.53 (2) (15:16:36.906 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 38423->22 (15:16:36.906 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38442->22 (15:16:40.627 PST) 131.179.150.72 (15:15:47.123 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49812->22 (15:15:47.123 PST) 131.179.150.70 (15:16:43.566 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36676->22 (15:16:43.566 PST) 155.246.12.164 (15:17:27.246 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48844->22 (15:17:27.246 PST) 13.7.64.22 (2) (15:17:10.116 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 45590->22 (15:17:10.116 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45602->22 (15:17:12.707 PST) 128.42.142.45 (15:15:57.169 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36252->22 (15:15:57.169 PST) 204.8.155.227 (15:16:17.151 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49011->22 (15:16:17.151 PST) 192.91.235.230 (15:16:33.745 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45669->22 (15:16:33.745 PST) 129.82.12.188 (15:16:58.987 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42073->22 (15:16:58.987 PST) 141.212.113.180 (15:16:23.349 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43265->22 (15:16:23.349 PST) 141.212.113.179 (15:17:07.999 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 33432->22 (15:17:07.999 PST) 128.111.52.59 (15:17:19.154 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48126->22 (15:17:19.154 PST) 130.127.39.152 (15:16:09.095 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41793->22 (15:16:09.095 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (2) (15:18:14.390 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:18:14.390 PST) 0->0 (15:19:44.590 PST) tcpslice 1383866147.123 1383866147.124 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 15:25:36.773 PST Gen. Time: 11/07/2013 15:25:36.773 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.198 (15:25:36.773 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (25 /24s) (# pkts S/M/O/I=0/40/1/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:25:36.773 PST) tcpslice 1383866736.773 1383866736.774 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 15:36:07.478 PST Gen. Time: 11/07/2013 15:38:17.606 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (15:36:53.300 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 42884->22 (15:36:53.300 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42884->22 (15:36:53.300 PST) 128.208.4.197 (15:37:32.838 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48411->22 (15:37:32.838 PST) 128.10.19.53 (15:37:07.603 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38947->22 (15:37:07.603 PST) 131.179.150.72 (15:36:07.478 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50597->22 (15:36:07.478 PST) 131.179.150.70 (15:37:10.417 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37171->22 (15:37:10.417 PST) 13.7.64.22 (15:37:28.914 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45960->22 (15:37:28.914 PST) 128.42.142.45 (15:36:25.659 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36969->22 (15:36:25.659 PST) 204.8.155.227 (15:36:43.623 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49633->22 (15:36:43.623 PST) 192.91.235.230 (15:37:01.075 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46204->22 (15:37:01.075 PST) 129.82.12.188 (2) (15:37:16.855 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 42494->22 (15:37:16.855 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42494->22 (15:37:16.855 PST) 141.212.113.180 (15:36:50.046 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43856->22 (15:36:50.046 PST) 141.212.113.179 (15:37:24.228 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 33808->22 (15:37:24.228 PST) 128.111.52.59 (2) (15:37:35.484 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48449->22 (15:37:35.484 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48449->22 (15:37:35.484 PST) 130.127.39.152 (15:36:35.716 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42448->22 (15:36:35.716 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.8.155.226 (15:38:17.606 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:38:17.606 PST) tcpslice 1383867367.478 1383867367.479 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 15:36:07.478 PST Gen. Time: 11/07/2013 15:43:05.172 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (15:36:53.300 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 42884->22 (15:36:53.300 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42884->22 (15:36:53.300 PST) 128.208.4.197 (15:37:32.838 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48411->22 (15:37:32.838 PST) 128.10.19.53 (15:37:07.603 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38947->22 (15:37:07.603 PST) 131.179.150.72 (15:36:07.478 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50597->22 (15:36:07.478 PST) 131.179.150.70 (15:37:10.417 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37171->22 (15:37:10.417 PST) 13.7.64.22 (15:37:28.914 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45960->22 (15:37:28.914 PST) 128.42.142.45 (15:36:25.659 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36969->22 (15:36:25.659 PST) 204.8.155.227 (15:36:43.623 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49633->22 (15:36:43.623 PST) 192.91.235.230 (15:37:01.075 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46204->22 (15:37:01.075 PST) 129.82.12.188 (2) (15:37:16.855 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 42494->22 (15:37:16.855 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42494->22 (15:37:16.855 PST) 141.212.113.180 (15:36:50.046 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43856->22 (15:36:50.046 PST) 141.212.113.179 (15:37:24.228 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 33808->22 (15:37:24.228 PST) 128.111.52.59 (2) (15:37:35.484 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48449->22 (15:37:35.484 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48449->22 (15:37:35.484 PST) 130.127.39.152 (15:36:35.716 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42448->22 (15:36:35.716 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.10.19.52 (15:39:48.197 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (22 /24s) (# pkts S/M/O/I=0/31/1/0): 22:31, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:39:48.197 PST) 204.8.155.226 (15:38:17.606 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:38:17.606 PST) tcpslice 1383867367.478 1383867367.479 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 15:41:01.239 PST Gen. Time: 11/07/2013 15:41:01.239 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.252.19.18 (15:41:01.239 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (25 /24s) (# pkts S/M/O/I=0/40/1/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:41:01.239 PST) tcpslice 1383867661.239 1383867661.240 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 15:56:36.358 PST Gen. Time: 11/07/2013 15:58:56.128 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (15:57:11.690 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43094->22 (15:57:11.690 PST) 128.208.4.197 (15:57:54.347 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48621->22 (15:57:54.347 PST) 128.10.19.53 (2) (15:57:27.300 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 39157->22 (15:57:27.300 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39157->22 (15:57:27.300 PST) 131.179.150.72 (15:56:36.358 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50807->22 (15:56:36.358 PST) 131.179.150.70 (15:57:30.403 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37381->22 (15:57:30.403 PST) 13.7.64.22 (2) (15:57:49.983 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46170->22 (15:57:49.983 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46170->22 (15:57:49.983 PST) 128.42.142.45 (15:56:42.681 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37179->22 (15:56:42.681 PST) 204.8.155.227 (2) (15:57:01.785 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49843->22 (15:57:01.785 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49843->22 (15:57:01.785 PST) 192.91.235.230 (15:57:19.798 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46414->22 (15:57:19.798 PST) 129.82.12.188 (15:57:37.139 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42704->22 (15:57:37.139 PST) 141.212.113.180 (15:57:08.073 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44066->22 (15:57:08.073 PST) 141.212.113.179 (15:57:45.088 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34018->22 (15:57:45.088 PST) 128.111.52.59 (15:57:57.642 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48659->22 (15:57:57.642 PST) 130.127.39.152 (15:56:53.651 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42658->22 (15:56:53.651 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.111.52.59 (15:58:56.128 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:58:56.128 PST) tcpslice 1383868596.358 1383868596.359 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 15:56:36.358 PST Gen. Time: 11/07/2013 16:03:58.790 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (15:57:11.690 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43094->22 (15:57:11.690 PST) 128.208.4.197 (15:57:54.347 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48621->22 (15:57:54.347 PST) 128.10.19.53 (2) (15:57:27.300 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 39157->22 (15:57:27.300 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39157->22 (15:57:27.300 PST) 131.179.150.72 (15:56:36.358 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50807->22 (15:56:36.358 PST) 131.179.150.70 (15:57:30.403 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37381->22 (15:57:30.403 PST) 13.7.64.22 (2) (15:57:49.983 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46170->22 (15:57:49.983 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46170->22 (15:57:49.983 PST) 128.42.142.45 (15:56:42.681 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37179->22 (15:56:42.681 PST) 204.8.155.227 (2) (15:57:01.785 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49843->22 (15:57:01.785 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49843->22 (15:57:01.785 PST) 192.91.235.230 (15:57:19.798 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46414->22 (15:57:19.798 PST) 129.82.12.188 (15:57:37.139 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42704->22 (15:57:37.139 PST) 141.212.113.180 (15:57:08.073 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44066->22 (15:57:08.073 PST) 141.212.113.179 (15:57:45.088 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34018->22 (15:57:45.088 PST) 128.111.52.59 (15:57:57.642 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48659->22 (15:57:57.642 PST) 130.127.39.152 (15:56:53.651 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42658->22 (15:56:53.651 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.111.52.59 (2) (15:58:56.128 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:58:56.128 PST) 0->0 (16:00:26.564 PST) tcpslice 1383868596.358 1383868596.359 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 16:01:22.945 PST Gen. Time: 11/07/2013 16:01:22.945 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.111.52.59 (16:01:22.945 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (24 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:01:22.945 PST) tcpslice 1383868882.945 1383868882.946 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 16:13:22.850 PST Gen. Time: 11/07/2013 16:13:22.850 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (16:13:22.850 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (13 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:13:22.850 PST) tcpslice 1383869602.850 1383869602.851 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 16:13:22.850 PST Gen. Time: 11/07/2013 16:16:13.065 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (2) (16:13:22.850 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (13 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:13:22.850 PST) 0->0 (16:14:57.337 PST) tcpslice 1383869602.850 1383869602.851 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 16:16:33.715 PST Gen. Time: 11/07/2013 16:16:33.715 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (16:16:33.715 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (23 /24s) (# pkts S/M/O/I=0/39/0/0): 22:39, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:16:33.715 PST) tcpslice 1383869793.715 1383869793.716 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 16:16:33.715 PST Gen. Time: 11/07/2013 16:26:32.786 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (16:17:50.718 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 43732->22 (16:17:50.718 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43732->22 (16:17:50.718 PST) 128.208.4.197 (16:18:30.909 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49259->22 (16:18:30.909 PST) 128.10.19.53 (16:18:06.214 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39795->22 (16:18:06.214 PST) 131.179.150.72 (16:17:05.927 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51445->22 (16:17:05.927 PST) 131.179.150.70 (16:18:09.016 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38019->22 (16:18:09.016 PST) 13.7.64.22 (16:18:26.892 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46808->22 (16:18:26.892 PST) 128.42.142.45 (16:17:20.926 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37817->22 (16:17:20.926 PST) 204.8.155.227 (16:17:41.163 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50481->22 (16:17:41.163 PST) 192.91.235.230 (16:17:59.009 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47052->22 (16:17:59.009 PST) 129.82.12.188 (2) (16:18:14.943 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 43342->22 (16:18:14.943 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43342->22 (16:18:14.943 PST) 141.212.113.180 (16:17:47.629 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44704->22 (16:17:47.629 PST) 141.212.113.179 (16:18:22.187 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34656->22 (16:18:22.187 PST) 128.111.52.59 (2) (16:18:33.782 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49297->22 (16:18:33.782 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49297->22 (16:18:33.782 PST) 130.127.39.152 (16:17:33.499 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43296->22 (16:17:33.499 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (6) (16:16:33.715 PST-16:25:03.465 PST) event=777:7777008 (6) {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (24 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 4: 0->0 (16:19:34.782 PST-16:25:03.465 PST) 2: 0->0 (16:16:33.715 PST-16:18:03.702 PST) tcpslice 1383869793.715 1383870303.466 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 16:26:18.729 PST Gen. Time: 11/07/2013 16:26:18.729 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (16:26:18.729 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (24 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:26:18.729 PST) tcpslice 1383870378.729 1383870378.730 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 16:37:51.551 PST Gen. Time: 11/07/2013 16:40:17.150 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (16:38:38.361 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 43942->22 (16:38:38.361 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43942->22 (16:38:38.361 PST) 128.208.4.197 (16:39:20.889 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49469->22 (16:39:20.889 PST) 128.10.19.53 (16:38:55.653 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40005->22 (16:38:55.653 PST) 131.179.150.72 (16:37:51.551 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51655->22 (16:37:51.551 PST) 131.179.150.70 (16:38:58.625 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38229->22 (16:38:58.625 PST) 13.7.64.22 (16:39:17.192 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47018->22 (16:39:17.192 PST) 128.42.142.45 (16:38:07.003 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38027->22 (16:38:07.003 PST) 204.8.155.227 (16:38:28.554 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50691->22 (16:38:28.554 PST) 192.91.235.230 (16:38:48.358 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47262->22 (16:38:48.358 PST) 129.82.12.188 (2) (16:39:04.814 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 43552->22 (16:39:04.814 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43552->22 (16:39:04.814 PST) 141.212.113.180 (16:38:35.222 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44914->22 (16:38:35.222 PST) 141.212.113.179 (16:39:12.386 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34866->22 (16:39:12.386 PST) 128.111.52.59 (2) (16:39:23.694 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49507->22 (16:39:23.694 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49507->22 (16:39:23.694 PST) 130.127.39.152 (16:38:20.821 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43506->22 (16:38:20.821 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.111.52.59 (16:40:17.150 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:40:17.150 PST) tcpslice 1383871071.551 1383871071.552 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 16:37:51.551 PST Gen. Time: 11/07/2013 16:45:52.675 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (16:38:38.361 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 43942->22 (16:38:38.361 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43942->22 (16:38:38.361 PST) 128.208.4.197 (16:39:20.889 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49469->22 (16:39:20.889 PST) 128.10.19.53 (16:38:55.653 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40005->22 (16:38:55.653 PST) 131.179.150.72 (16:37:51.551 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51655->22 (16:37:51.551 PST) 131.179.150.70 (16:38:58.625 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38229->22 (16:38:58.625 PST) 13.7.64.22 (16:39:17.192 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47018->22 (16:39:17.192 PST) 128.42.142.45 (16:38:07.003 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38027->22 (16:38:07.003 PST) 204.8.155.227 (16:38:28.554 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50691->22 (16:38:28.554 PST) 192.91.235.230 (16:38:48.358 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47262->22 (16:38:48.358 PST) 129.82.12.188 (2) (16:39:04.814 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 43552->22 (16:39:04.814 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43552->22 (16:39:04.814 PST) 141.212.113.180 (16:38:35.222 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44914->22 (16:38:35.222 PST) 141.212.113.179 (16:39:12.386 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34866->22 (16:39:12.386 PST) 128.111.52.59 (2) (16:39:23.694 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49507->22 (16:39:23.694 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49507->22 (16:39:23.694 PST) 130.127.39.152 (16:38:20.821 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43506->22 (16:38:20.821 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.111.52.59 (16:40:17.150 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:40:17.150 PST) 131.193.34.38 (16:41:47.724 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:41:47.724 PST) tcpslice 1383871071.551 1383871071.552 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 16:42:34.429 PST Gen. Time: 11/07/2013 16:42:34.429 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.193.34.38 (16:42:34.429 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (24 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:42:34.429 PST) tcpslice 1383871354.429 1383871354.430 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 16:58:13.260 PST Gen. Time: 11/07/2013 17:00:38.246 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (16:58:56.961 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44153->22 (16:58:56.961 PST) 128.208.4.197 (16:59:39.321 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49680->22 (16:59:39.321 PST) 128.10.19.53 (16:59:13.164 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40216->22 (16:59:13.164 PST) 131.179.150.72 (16:58:13.260 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51865->22 (16:58:13.260 PST) 131.179.150.70 (16:59:16.063 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38440->22 (16:59:16.063 PST) 155.246.12.164 (16:59:42.261 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 50388->22 (16:59:42.261 PST) 13.7.64.22 (16:59:35.522 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47229->22 (16:59:35.522 PST) 128.42.142.45 (16:58:28.540 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38237->22 (16:58:28.540 PST) 204.8.155.227 (16:58:47.345 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50901->22 (16:58:47.345 PST) 192.91.235.230 (2) (16:58:57.548 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47469->22 (16:58:57.548 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47473->22 (16:59:05.991 PST) 129.82.12.188 (16:59:22.637 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43763->22 (16:59:22.637 PST) 141.212.113.180 (16:58:53.888 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45125->22 (16:58:53.888 PST) 141.212.113.179 (2) (16:59:23.799 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 35073->22 (16:59:23.799 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35077->22 (16:59:30.933 PST) 128.111.52.59 (16:59:41.847 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49718->22 (16:59:41.847 PST) 130.127.39.152 (16:58:39.516 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43716->22 (16:58:39.516 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 130.127.39.152 (17:00:38.246 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:00:38.246 PST) tcpslice 1383872293.260 1383872293.261 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 16:58:13.260 PST Gen. Time: 11/07/2013 17:06:17.363 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (16:58:56.961 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44153->22 (16:58:56.961 PST) 128.208.4.197 (16:59:39.321 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49680->22 (16:59:39.321 PST) 128.10.19.53 (16:59:13.164 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40216->22 (16:59:13.164 PST) 131.179.150.72 (16:58:13.260 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51865->22 (16:58:13.260 PST) 131.179.150.70 (16:59:16.063 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38440->22 (16:59:16.063 PST) 155.246.12.164 (16:59:42.261 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 50388->22 (16:59:42.261 PST) 13.7.64.22 (16:59:35.522 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47229->22 (16:59:35.522 PST) 128.42.142.45 (16:58:28.540 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38237->22 (16:58:28.540 PST) 204.8.155.227 (16:58:47.345 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50901->22 (16:58:47.345 PST) 192.91.235.230 (2) (16:58:57.548 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47469->22 (16:58:57.548 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47473->22 (16:59:05.991 PST) 129.82.12.188 (16:59:22.637 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43763->22 (16:59:22.637 PST) 141.212.113.180 (16:58:53.888 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45125->22 (16:58:53.888 PST) 141.212.113.179 (2) (16:59:23.799 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 35073->22 (16:59:23.799 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35077->22 (16:59:30.933 PST) 128.111.52.59 (16:59:41.847 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49718->22 (16:59:41.847 PST) 130.127.39.152 (16:58:39.516 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43716->22 (16:58:39.516 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 130.127.39.153 (17:02:08.831 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:02:08.831 PST) 130.127.39.152 (17:00:38.246 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:00:38.246 PST) tcpslice 1383872293.260 1383872293.261 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 17:02:56.112 PST Gen. Time: 11/07/2013 17:02:56.112 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 130.127.39.153 (17:02:56.112 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (24 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:02:56.112 PST) tcpslice 1383872576.112 1383872576.113 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 17:18:28.927 PST Gen. Time: 11/07/2013 17:21:12.974 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (17:19:13.584 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44363->22 (17:19:13.584 PST) 128.208.4.197 (17:20:11.950 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49890->22 (17:20:11.950 PST) 128.10.19.53 (17:19:31.975 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40426->22 (17:19:31.975 PST) 131.179.150.72 (17:18:28.927 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52076->22 (17:18:28.927 PST) 131.179.150.70 (17:19:35.267 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38650->22 (17:19:35.267 PST) 155.246.12.164 (17:20:20.700 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 50601->22 (17:20:20.700 PST) 13.7.64.22 (17:20:07.465 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47439->22 (17:20:07.465 PST) 128.42.142.45 (17:18:43.960 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38448->22 (17:18:43.960 PST) 204.8.155.227 (17:19:04.407 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51112->22 (17:19:04.407 PST) 192.91.235.230 (2) (17:19:22.012 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47682->22 (17:19:22.012 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47683->22 (17:19:24.321 PST) 129.82.12.188 (17:19:53.090 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43973->22 (17:19:53.090 PST) 141.212.113.180 (17:19:10.643 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45335->22 (17:19:10.643 PST) 141.212.113.179 (2) (17:20:00.197 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 35286->22 (17:20:00.197 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35287->22 (17:20:01.564 PST) 128.111.52.59 (17:20:14.574 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49928->22 (17:20:14.574 PST) 130.127.39.152 (17:18:56.272 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43927->22 (17:18:56.272 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 165.91.55.8 (17:21:12.974 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:21:12.974 PST) tcpslice 1383873508.927 1383873508.928 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 17:18:28.927 PST Gen. Time: 11/07/2013 17:30:51.013 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (17:19:13.584 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44363->22 (17:19:13.584 PST) 128.208.4.197 (17:20:11.950 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49890->22 (17:20:11.950 PST) 128.10.19.53 (17:19:31.975 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40426->22 (17:19:31.975 PST) 131.179.150.72 (17:18:28.927 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52076->22 (17:18:28.927 PST) 131.179.150.70 (17:19:35.267 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38650->22 (17:19:35.267 PST) 155.246.12.164 (17:20:20.700 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 50601->22 (17:20:20.700 PST) 13.7.64.22 (17:20:07.465 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47439->22 (17:20:07.465 PST) 128.42.142.45 (17:18:43.960 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38448->22 (17:18:43.960 PST) 204.8.155.227 (17:19:04.407 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51112->22 (17:19:04.407 PST) 192.91.235.230 (2) (17:19:22.012 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47682->22 (17:19:22.012 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47683->22 (17:19:24.321 PST) 129.82.12.188 (17:19:53.090 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43973->22 (17:19:53.090 PST) 141.212.113.180 (17:19:10.643 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45335->22 (17:19:10.643 PST) 141.212.113.179 (2) (17:20:00.197 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 35286->22 (17:20:00.197 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35287->22 (17:20:01.564 PST) 128.111.52.59 (17:20:14.574 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49928->22 (17:20:14.574 PST) 130.127.39.152 (17:18:56.272 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43927->22 (17:18:56.272 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 165.91.55.9 (2) (17:24:49.256 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 36 IPs (23 /24s) (# pkts S/M/O/I=0/36/0/0): 22:36, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:24:49.256 PST) 0->0 (17:26:25.526 PST) 165.91.55.8 (2) (17:21:12.974 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:21:12.974 PST) 0->0 (17:22:43.052 PST) tcpslice 1383873508.927 1383873508.928 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 17:42:35.238 PST Gen. Time: 11/07/2013 17:44:57.873 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (17:43:22.748 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 44569->22 (17:43:22.748 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44569->22 (17:43:22.748 PST) 128.208.4.197 (17:44:05.422 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50096->22 (17:44:05.422 PST) 128.10.19.53 (17:43:40.419 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40632->22 (17:43:40.419 PST) 131.179.150.72 (17:42:35.238 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52282->22 (17:42:35.238 PST) 131.179.150.70 (17:43:44.068 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38856->22 (17:43:44.068 PST) 13.7.64.22 (17:44:01.667 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47645->22 (17:44:01.667 PST) 128.42.142.45 (17:42:50.808 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38654->22 (17:42:50.808 PST) 204.8.155.227 (17:43:13.050 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51318->22 (17:43:13.050 PST) 192.91.235.230 (17:43:33.010 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47889->22 (17:43:33.010 PST) 129.82.12.188 (2) (17:43:49.553 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 44179->22 (17:43:49.553 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44179->22 (17:43:49.553 PST) 141.212.113.180 (17:43:19.639 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45541->22 (17:43:19.639 PST) 141.212.113.179 (17:43:56.657 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35493->22 (17:43:56.657 PST) 128.111.52.59 (2) (17:44:08.054 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 50134->22 (17:44:08.054 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50134->22 (17:44:08.054 PST) 130.127.39.152 (17:43:05.134 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44133->22 (17:43:05.134 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.180 (17:44:57.873 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:44:57.873 PST) tcpslice 1383874955.238 1383874955.239 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/07/2013 17:42:35.238 PST Gen. Time: 11/07/2013 17:52:24.487 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (17:43:22.748 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 44569->22 (17:43:22.748 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44569->22 (17:43:22.748 PST) 128.208.4.197 (17:44:05.422 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50096->22 (17:44:05.422 PST) 128.10.19.53 (17:43:40.419 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40632->22 (17:43:40.419 PST) 131.179.150.72 (17:42:35.238 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52282->22 (17:42:35.238 PST) 131.179.150.70 (17:43:44.068 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38856->22 (17:43:44.068 PST) 13.7.64.22 (17:44:01.667 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47645->22 (17:44:01.667 PST) 128.42.142.45 (17:42:50.808 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38654->22 (17:42:50.808 PST) 204.8.155.227 (17:43:13.050 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51318->22 (17:43:13.050 PST) 192.91.235.230 (17:43:33.010 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47889->22 (17:43:33.010 PST) 129.82.12.188 (2) (17:43:49.553 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 44179->22 (17:43:49.553 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44179->22 (17:43:49.553 PST) 141.212.113.180 (17:43:19.639 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45541->22 (17:43:19.639 PST) 141.212.113.179 (17:43:56.657 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35493->22 (17:43:56.657 PST) 128.111.52.59 (2) (17:44:08.054 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 50134->22 (17:44:08.054 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50134->22 (17:44:08.054 PST) 130.127.39.152 (17:43:05.134 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44133->22 (17:43:05.134 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.180 (4) (17:44:57.873 PST) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:44:57.873 PST) 0->0 (17:46:27.582 PST) 0->0 (17:48:19.560 PST) 0->0 (17:49:55.834 PST) tcpslice 1383874955.238 1383874955.239 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================