Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/12/2013 08:33:17.970 PST
Gen. Time: 11/12/2013 08:33:17.970 PST

 INBOUND SCAN
 EXPLOIT
 EXPLOIT (INTERNAL)
   128.18.30.15 (08:33:17.970 PST)
     event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm]
     MAC_Dst: 1C:DF:0F:66:3D:B0
     80<-50442 (08:33:17.970 PST)
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 EGG DOWNLOAD (INTERNAL)
 C and C TRAFFIC
 C and C TRAFFIC (INTERNAL)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND ATTACK
 OUTBOUND ATTACK (INTERNAL)
 ATTACK PREP
 PEER COORDINATION Info
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384273997.970 1384273997.971 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/12/2013 08:33:17.970 PST
Gen. Time: 11/12/2013 08:37:38.002 PST

 INBOUND SCAN
 EXPLOIT
 EXPLOIT (INTERNAL)
   128.18.30.15 (4) (08:33:17.970 PST)
     event=1:92009714 (3) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/servlet/webacc?User.lang=]
     MAC_Dst: 1C:DF:0F:66:3D:B0
     80<-50691 (08:34:11.492 PST)
     80<-50701 (08:34:14.516 PST)
     80<-50710 (08:34:16.538 PST)
     -------------------------
     event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm]
     MAC_Dst: 1C:DF:0F:66:3D:B0
     80<-50442 (08:33:17.970 PST)
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 EGG DOWNLOAD (INTERNAL)
 C and C TRAFFIC
 C and C TRAFFIC (INTERNAL)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND ATTACK
 OUTBOUND ATTACK (INTERNAL)
 ATTACK PREP
 PEER COORDINATION Info
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384273997.970 1384273997.971 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/12/2013 08:38:29.304 PST
Gen. Time: 11/12/2013 08:38:29.304 PST

 INBOUND SCAN
 EXPLOIT
 EXPLOIT (INTERNAL)
   128.18.30.15 (08:38:29.304 PST)
     event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">]
     MAC_Dst: 1C:DF:0F:66:3D:B0
     80<-52448 (08:38:29.304 PST)
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 EGG DOWNLOAD (INTERNAL)
 C and C TRAFFIC
 C and C TRAFFIC (INTERNAL)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND ATTACK
 OUTBOUND ATTACK (INTERNAL)
 ATTACK PREP
 PEER COORDINATION Info
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384274309.304 1384274309.305 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/12/2013 08:38:29.304 PST
Gen. Time: 11/12/2013 08:44:13.528 PST

 INBOUND SCAN
 EXPLOIT
 EXPLOIT (INTERNAL)
   128.18.30.15 (16) (08:38:29.304 PST)
     event=1:92009714 (10) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">]
     MAC_Dst: 1C:DF:0F:66:3D:B0
     80<-52448 (08:38:29.304 PST)
     80<-53202 (08:40:03.563 PST)
     80<-53206 (08:40:03.606 PST)
     80<-53210 (08:40:03.660 PST)
     80<-53218 (08:40:03.771 PST)
     80<-53218 (08:40:03.774 PST)
     80<-53234 (08:40:03.967 PST)
     80<-53243 (08:40:04.054 PST)
     80<-53269 (08:40:04.355 PST)
     80<-53273 (08:40:04.402 PST)
     -------------------------
     event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm]
     MAC_Dst: 1C:DF:0F:66:3D:B0
     80<-53189 (08:40:03.375 PST)
     80<-53230 (08:40:03.934 PST)
     80<-53400 (08:40:06.059 PST)
     -------------------------
     event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, []
     MAC_Dst: 1C:DF:0F:66:3D:B0
     80<-53330 (08:40:05.232 PST)
     -------------------------
     event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ]
     MAC_Dst: 1C:DF:0F:66:3D:B0
     80<-53330 (08:40:05.232 PST)
     -------------------------
     event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, []
     MAC_Dst: 1C:DF:0F:66:3D:B0
     80<-53330 (08:40:05.232 PST)
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 EGG DOWNLOAD (INTERNAL)
 C and C TRAFFIC
 C and C TRAFFIC (INTERNAL)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND ATTACK
 OUTBOUND ATTACK (INTERNAL)
 ATTACK PREP
 PEER COORDINATION Info
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384274309.304 1384274309.305 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 1.177.231.147, 190.134.48.131, 59.72.84.23, 190.24.251.74
Resource List:
Observed Start: 11/12/2013 15:57:58.684 PST
Gen. Time: 11/12/2013 16:01:06.860 PST

 INBOUND SCAN
 EXPLOIT
 EXPLOIT (INTERNAL)
   128.18.30.15 (16:01:06.860 PST)
     event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm]
     MAC_Dst: 00:21:5A:08:EC:40
     80<-56999 (16:01:06.860 PST)
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 EGG DOWNLOAD (INTERNAL)
 C and C TRAFFIC
 C and C TRAFFIC (INTERNAL)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND ATTACK
 OUTBOUND ATTACK (INTERNAL)
 ATTACK PREP
 PEER COORDINATION Info
   1.177.231.147 (15:57:58.684 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, []
     MAC_Src: 00:21:5A:08:EC:40
     6881->41611 (15:57:58.684 PST)
   190.134.48.131 (16:00:02.979 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, []
     MAC_Src: 00:21:5A:08:EC:40
     6881->18873 (16:00:02.979 PST)
   59.72.84.23 (15:58:58.942 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, []
     MAC_Src: 00:21:5A:08:EC:40
     6881->63311 (15:58:58.942 PST)
   190.24.251.74 (16:01:02.049 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, []
     MAC_Src: 00:21:5A:08:EC:40
     6881->10001 (16:01:02.049 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384300678.684 1384300678.685 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 1.177.231.147, 76.217.27.237, 190.134.48.131, 59.72.84.23, 190.24.251.74, 180.242.169.158, 173.57.25.75
Resource List:
Observed Start: 11/12/2013 15:57:58.684 PST
Gen. Time: 11/12/2013 16:04:21.225 PST

 INBOUND SCAN
 EXPLOIT
 EXPLOIT (INTERNAL)
   128.18.30.15 (8) (16:01:06.860 PST)
     event=1:92009714 (7) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/launch.jsp?NFuse_Application=>alert(document.cookie);]
     MAC_Dst: 00:21:5A:08:EC:40
     80<-57289 (16:01:19.710 PST)
     80<-57292 (16:01:19.765 PST)
     80<-57296 (16:01:19.902 PST)
     80<-57308 (16:01:20.500 PST)
     80<-57312 (16:01:20.776 PST)
     80<-57319 (16:01:20.903 PST)
     80<-57320 (16:01:20.924 PST)
     -------------------------
     event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm]
     MAC_Dst: 00:21:5A:08:EC:40
     80<-56999 (16:01:06.860 PST)
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 EGG DOWNLOAD (INTERNAL)
 C and C TRAFFIC
 C and C TRAFFIC (INTERNAL)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND ATTACK
 OUTBOUND ATTACK (INTERNAL)
 ATTACK PREP
 PEER COORDINATION Info
   1.177.231.147 (15:57:58.684 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, []
     MAC_Src: 00:21:5A:08:EC:40
     6881->41611 (15:57:58.684 PST)
   76.217.27.237 (16:03:18.819 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, []
     MAC_Src: 00:21:5A:08:EC:40
     6881->42276 (16:03:18.819 PST)
   190.134.48.131 (16:00:02.979 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, []
     MAC_Src: 00:21:5A:08:EC:40
     6881->18873 (16:00:02.979 PST)
   59.72.84.23 (15:58:58.942 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, []
     MAC_Src: 00:21:5A:08:EC:40
     6881->63311 (15:58:58.942 PST)
   190.24.251.74 (16:01:02.049 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, []
     MAC_Src: 00:21:5A:08:EC:40
     6881->10001 (16:01:02.049 PST)
   180.242.169.158 (16:04:18.820 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, []
     MAC_Src: 00:21:5A:08:EC:40
     6881->11678 (16:04:18.820 PST)
   173.57.25.75 (16:02:18.759 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, []
     MAC_Src: 00:21:5A:08:EC:40
     6881->46311 (16:02:18.759 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384300678.684 1384300678.685 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 130.237.50.92, 178.164.143.219, 169.229.50.9
Resource List:
Observed Start: 11/12/2013 16:05:25.272 PST
Gen. Time: 11/12/2013 16:07:34.776 PST

 INBOUND SCAN
 EXPLOIT
 EXPLOIT (INTERNAL)
   128.18.30.15 (16:07:34.776 PST)
     event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">]
     MAC_Dst: 00:21:5A:08:EC:40
     80<-59553 (16:07:34.776 PST)
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 EGG DOWNLOAD (INTERNAL)
 C and C TRAFFIC
 C and C TRAFFIC (INTERNAL)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND ATTACK
 OUTBOUND ATTACK (INTERNAL)
 ATTACK PREP
 PEER COORDINATION Info
   130.237.50.92 (16:06:50.782 PST)
     event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, []
     MAC_Src: 00:21:5A:08:EC:40
     45151->6969 (16:06:50.782 PST)
   178.164.143.219 (16:05:25.272 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, []
     MAC_Src: 00:21:5A:08:EC:40
     6881->41877 (16:05:25.272 PST)
   169.229.50.9 (16:06:50.977 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, []
     MAC_Src: 00:21:5A:08:EC:40
     55726->6881 (16:06:50.977 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384301125.272 1384301125.273 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List: 130.237.50.92, 178.164.143.219, 76.170.75.134, 71.28.96.18, 169.229.50.9
Resource List:
Observed Start: 11/12/2013 16:05:25.272 PST
Gen. Time: 11/12/2013 16:12:38.238 PST

 INBOUND SCAN
 EXPLOIT
 EXPLOIT (INTERNAL)
   128.18.30.15 (3) (16:07:34.776 PST)
     event=1:92009714 (3) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">]
     MAC_Dst: 00:21:5A:08:EC:40
     80<-59553 (16:07:34.776 PST)
     80<-60918 (16:09:33.203 PST)
     80<-60919 (16:09:33.206 PST)
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 EGG DOWNLOAD (INTERNAL)
 C and C TRAFFIC
 C and C TRAFFIC (INTERNAL)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND ATTACK
 OUTBOUND ATTACK (INTERNAL)
 ATTACK PREP
 PEER COORDINATION Info
   130.237.50.92 (16:06:50.782 PST)
     event=1:1100018 {tcp} E7[info] P2P torrent announce tracker request, []
     MAC_Src: 00:21:5A:08:EC:40
     45151->6969 (16:06:50.782 PST)
   178.164.143.219 (16:05:25.272 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, []
     MAC_Src: 00:21:5A:08:EC:40
     6881->41877 (16:05:25.272 PST)
   76.170.75.134 (16:11:04.697 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, []
     MAC_Src: 00:21:5A:08:EC:40
     6881->13538 (16:11:04.697 PST)
   71.28.96.18 (16:12:07.849 PST)
     event=1:1100013 {udp} E7[info] P2P torrent DHT ping, []
     MAC_Src: 00:21:5A:08:EC:40
     6881->51413 (16:12:07.849 PST)
   169.229.50.9 (16:06:50.977 PST)
     event=1:1100012 {tcp} E7[info] P2P BitTorrent handshake, []
     MAC_Src: 00:21:5A:08:EC:40
     55726->6881 (16:06:50.977 PST)
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384301125.272 1384301125.273 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/12/2013 16:25:29.768 PST
Gen. Time: 11/12/2013 16:25:29.768 PST

 INBOUND SCAN
 EXPLOIT
 EXPLOIT (INTERNAL)
   128.18.30.15 (16:25:29.768 PST)
     event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm]
     MAC_Dst: 00:21:5A:08:EC:40
     80<-37938 (16:25:29.768 PST)
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 EGG DOWNLOAD (INTERNAL)
 C and C TRAFFIC
 C and C TRAFFIC (INTERNAL)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND ATTACK
 OUTBOUND ATTACK (INTERNAL)
 ATTACK PREP
 PEER COORDINATION Info
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384302329.768 1384302329.769 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/12/2013 16:25:29.768 PST
Gen. Time: 11/12/2013 16:29:32.126 PST

 INBOUND SCAN
 EXPLOIT
 EXPLOIT (INTERNAL)
   128.18.30.15 (16) (16:25:29.768 PST)
     event=1:92009714 (10) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/_mem_bin/formslogin.asp?url=>]
     MAC_Dst: 00:21:5A:08:EC:40
     80<-37948 (16:25:30.049 PST)
     80<-37961 (16:25:30.553 PST)
     80<-37964 (16:25:30.599 PST)
     80<-37973 (16:25:30.964 PST)
     80<-37984 (16:25:31.352 PST)
     80<-37986 (16:25:31.391 PST)
     80<-38005 (16:25:32.133 PST)
     80<-38018 (16:25:32.472 PST)
     80<-38055 (16:25:33.802 PST)
     80<-38064 (16:25:34.035 PST)
     -------------------------
     event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm]
     MAC_Dst: 00:21:5A:08:EC:40
     80<-37938 (16:25:29.768 PST)
     80<-38004 (16:25:32.130 PST)
     80<-38247 (16:25:41.398 PST)
     -------------------------
     event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, []
     MAC_Dst: 00:21:5A:08:EC:40
     80<-38143 (16:25:37.008 PST)
     -------------------------
     event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ]
     MAC_Dst: 00:21:5A:08:EC:40
     80<-38143 (16:25:37.008 PST)
     -------------------------
     event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, []
     MAC_Dst: 00:21:5A:08:EC:40
     80<-38143 (16:25:37.008 PST)
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 EGG DOWNLOAD (INTERNAL)
 C and C TRAFFIC
 C and C TRAFFIC (INTERNAL)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND ATTACK
 OUTBOUND ATTACK (INTERNAL)
 ATTACK PREP
 PEER COORDINATION Info
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384302329.768 1384302329.769 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
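Reading these profiles as an analyst: every one of them reaches the 0.8 threshold on inbound E2 web-server alerts from a single external host, 128.18.30.15, against port 80 of 192.168.1.102 (ColdFusion administrator paths, script-tag probes in query strings, and a PHP-CGI "-d" argument-injection probe against /phppath/php). The afternoon profiles add only E7 info-level BitTorrent DHT pings, a tracker announce and a peer handshake, which is what fills the Peer Coord. List. No profile carries an egg download, C and C, outbound attack or declare-bot event, so the log documents a web-vulnerability scan of the target, not an observed compromise. Two details worth checking before acting on it: the MAC_Dst of the target changes from 1C:DF:0F:66:3D:B0 in the morning profiles to 00:21:5A:08:EC:40 in the afternoon ones, and the tcpslice command at the end of each profile covers a 1 ms window at Observed Start, so it captures the first alert packet and nothing else. The Python below is an added example, not BotHunter code: it parses a profile in the layout shown on this page, confirms that the tcpslice start equals the Observed Start epoch (PST taken as UTC-8, an assumption), summarises which dialog stages actually carry evidence and whether any of it is outbound from the target, and builds an extraction command spanning Observed Start to Gen. Time with slack, restricted to the target and the remote hosts the profile names. The embedded sample is the page's second profile with most of the empty section headings dropped; the "inputFile.tcpd" and "outputFile.tcpd" names are the page's own placeholders.

```python
"""Parse BotHunter infection profiles and sanity-check their tcpslice window.
Added example for this page, not BotHunter code."""
import re
from datetime import datetime, timedelta, timezone

# Assumption: "PST" in the profiles is UTC-8 (mid-November, no DST offset).
PST = timezone(timedelta(hours=-8))

# Constructed sample: the page's second profile, one item per line, with
# most of the empty dialog-section headings omitted.
SAMPLE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/12/2013 08:33:17.970 PST
Gen. Time: 11/12/2013 08:37:38.002 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT (INTERNAL)
   128.18.30.15 (4) (08:33:17.970 PST)
     event=1:92009714 (3) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/servlet/webacc?User.lang=]
     MAC_Dst: 1C:DF:0F:66:3D:B0
     80<-50691 (08:34:11.492 PST)
     80<-50701 (08:34:14.516 PST)
     80<-50710 (08:34:16.538 PST)
     -------------------------
     event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm]
     MAC_Dst: 1C:DF:0F:66:3D:B0
     80<-50442 (08:33:17.970 PST)
 EGG DOWNLOAD
 C and C TRAFFIC
 OUTBOUND ATTACK
 PEER COORDINATION Info
 DECLARE BOT
tcpslice 1384273997.970 1384273997.971 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
"""

HEADER_RE = re.compile(r"^(Score|Infected Target|Infector List|Egg Source List|C & C List|"
                       r"Peer Coord\. List|Resource List|Observed Start|Gen\. Time): ?(.*)$")
SECTION_RE = re.compile(r"^ [A-Z][A-Za-z &().-]*$")            # " EXPLOIT (INTERNAL)", " PEER COORDINATION Info"
ACTOR_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})(?: \((\d+)\))? \(\S+ PST\)$")
EVENT_RE = re.compile(r"^\s+event=(\d+:\d+)(?: \((\d+)\))? \{(\w+)\} (E\d\[\w+\]) (.*?), \[(.*)\]$")
MAC_RE = re.compile(r"^\s+MAC_(Src|Dst): (\S+)$")
CONN_RE = re.compile(r"^\s+(\d+)(<-|->)(\d+) \((\S+) PST\)$")  # target_port <- / -> remote_port
SLICE_RE = re.compile(r"^tcpslice (\d+\.\d+) (\d+\.\d+) ")


def parse_profile(text):
    """Return {"header": {...}, "events": [...], "tcpslice": (start, end)}."""
    profile = {"header": {}, "events": [], "tcpslice": None}
    section = actor = event = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if (m := HEADER_RE.match(line)):
            profile["header"][m.group(1)] = m.group(2).strip()
        elif (m := SLICE_RE.match(line)):
            profile["tcpslice"] = (float(m.group(1)), float(m.group(2)))
        elif (m := EVENT_RE.match(line)):
            event = {"section": section, "actor": actor, "sid": m.group(1),
                     "count": int(m.group(2) or 1), "proto": m.group(3), "stage": m.group(4),
                     "msg": m.group(5), "uri": m.group(6), "mac": None, "conns": []}
            profile["events"].append(event)
        elif (m := CONN_RE.match(line)) and event is not None:
            event["conns"].append({"local_port": int(m.group(1)),
                                   "direction": "inbound" if m.group(2) == "<-" else "outbound",
                                   "remote_port": int(m.group(3)), "time": m.group(4)})
        elif (m := MAC_RE.match(line)) and event is not None:
            event["mac"] = m.group(2)
        elif (m := ACTOR_RE.match(line)):
            actor = m.group(1)
        elif SECTION_RE.match(line):
            section = line.strip()
    return profile


def pst_to_epoch(stamp):
    """'11/12/2013 08:33:17.970 PST' -> POSIX seconds as a float."""
    naive = datetime.strptime(stamp.replace(" PST", ""), "%m/%d/%Y %H:%M:%S.%f")
    return naive.replace(tzinfo=PST).timestamp()


def check_slice_window(profile):
    """(tcpslice start equals Observed Start?, window length in seconds)."""
    start, end = profile["tcpslice"]
    observed = pst_to_epoch(profile["header"]["Observed Start"])
    return abs(start - observed) < 0.0005, round(end - start, 3)


def evidence_summary(profile):
    """Which dialog stages and sections carry events, total alert count, and
    whether any recorded connection was initiated by the target."""
    events = profile["events"]
    return {"stages": sorted({e["stage"] for e in events}),
            "sections": sorted({e["section"] for e in events}),
            "outbound_from_target": any(c["direction"] == "outbound" for e in events for c in e["conns"]),
            "alerts": sum(e["count"] for e in events)}


def widened_tcpslice(profile, slack=60.0, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """Extraction command covering Observed Start..Gen. Time plus `slack` seconds
    either side, limited to the target's traffic with the hosts the profile names."""
    hdr = profile["header"]
    start = pst_to_epoch(hdr["Observed Start"]) - slack
    end = pst_to_epoch(hdr["Gen. Time"]) + slack
    peers = sorted({e["actor"] for e in profile["events"] if e["actor"]})
    bpf = f"host {hdr['Infected Target']}"
    if peers:
        bpf += " and (" + " or ".join(f"host {ip}" for ip in peers) + ")"
    return f"tcpslice {start:.3f} {end:.3f} {infile} | tcpdump -r - -w {outfile} '{bpf}'"


if __name__ == "__main__":
    prof = parse_profile(SAMPLE)
    print(evidence_summary(prof))
    print(check_slice_window(prof))
    print(widened_tcpslice(prof))
```

For the sample, the summary reports one stage (E2[irb]) in one section (EXPLOIT (INTERNAL)), four alerts matching the "(4)" on the actor line, and no outbound connection; the window check confirms the page's tcpslice start is exactly the Observed Start epoch with a 0.001 s window. The widened command is the one to run if the goal is to see whether any of the probes got a non-error response from the target, which is the question this log leaves open.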