Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.101
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/12/2013 08:19:27.185 PST
Gen. Time: 11/12/2013 08:19:27.185 PST

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
    128.18.30.15 (08:19:27.185 PST)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
        80<-40733 (08:19:27.185 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384273167.185 1384273167.186 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.101
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/12/2013 08:19:27.185 PST
Gen. Time: 11/12/2013 08:23:41.210 PST

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
    128.18.30.15 (4) (08:19:27.185 PST)
    event=1:92009714 (3) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/servlet/webacc?User.lang=] MAC_Dst: 1C:DF:0F:66:3D:B0
        80<-40794 (08:20:20.721 PST)
        80<-40797 (08:20:23.748 PST)
        80<-40800 (08:20:25.785 PST)
    -------------------------
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
        80<-40733 (08:19:27.185 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384273167.185 1384273167.186 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.101
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/12/2013 08:23:53.671 PST
Gen. Time: 11/12/2013 08:23:53.671 PST

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
    128.18.30.15 (08:23:53.671 PST)
    event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 1C:DF:0F:66:3D:B0
        80<-41269 (08:23:53.671 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384273433.671 1384273433.672 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.101
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/12/2013 08:23:53.671 PST
Gen. Time: 11/12/2013 08:29:07.671 PST

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
    128.18.30.15 (16) (08:23:53.671 PST)
    event=1:92009714 (10) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 1C:DF:0F:66:3D:B0
        80<-41269 (08:23:53.671 PST)
        80<-41483 (08:24:57.504 PST)
        80<-41486 (08:24:57.516 PST)
        80<-41491 (08:24:57.541 PST)
        80<-41498 (08:24:57.578 PST)
        80<-41498 (08:24:57.581 PST)
        80<-41516 (08:24:57.669 PST)
        80<-41523 (08:24:57.699 PST)
        80<-41548 (08:24:57.831 PST)
        80<-41555 (08:24:57.859 PST)
    -------------------------
    event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
        80<-41472 (08:24:57.428 PST)
        80<-41509 (08:24:57.640 PST)
        80<-41663 (08:24:58.480 PST)
    -------------------------
    event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
        80<-41607 (08:24:58.142 PST)
    -------------------------
    event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 1C:DF:0F:66:3D:B0
        80<-41607 (08:24:58.142 PST)
    -------------------------
    event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
        80<-41607 (08:24:58.142 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384273433.671 1384273433.672 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.101
Infector List: 128.18.30.16
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/12/2013 09:57:39.612 PST
Gen. Time: 11/12/2013 09:57:39.612 PST

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
    128.18.30.16 (09:57:39.612 PST)
    event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
        80<-46940 (09:57:39.612 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384279059.612 1384279059.613 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.101
Infector List: 128.18.30.16
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/12/2013 09:57:39.612 PST
Gen. Time: 11/12/2013 10:09:53.400 PST

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
    128.18.30.16 (17) (09:57:39.612 PST)
    event=1:92009714 (13) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/servlet/webacc?User.lang=] MAC_Dst: 1C:DF:0F:66:3D:B0
        80<-47078 (09:58:54.707 PST)
        80<-47083 (09:58:58.247 PST)
        80<-47089 (09:59:00.737 PST)
        80<-48338 (10:02:54.939 PST)
        80<-51315 (10:05:46.568 PST)
        80<-51320 (10:05:47.044 PST)
        80<-51323 (10:05:47.395 PST)
        80<-51331 (10:05:48.207 PST)
        80<-51332 (10:05:48.369 PST)
        80<-51365 (10:05:50.117 PST)
        80<-51376 (10:05:50.912 PST)
        80<-51464 (10:05:54.202 PST)
        80<-51466 (10:05:54.343 PST)
    -------------------------
    event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
        80<-46940 (09:57:39.612 PST)
        80<-51301 (10:05:45.509 PST)
        80<-51345 (10:05:49.491 PST)
    -------------------------
    event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 1C:DF:0F:66:3D:B0
        80<-51658 (10:06:01.737 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384279059.612 1384279059.613 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'

============================== SEPARATOR ================================