Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.240
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/12/2013 10:15:35.164 PST
Gen. Time: 11/12/2013 10:15:35.164 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT (INTERNAL) 128.18.30.15 (10:15:35.164 PST)
  event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
   80<-56242 (10:15:35.164 PST)
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 EGG DOWNLOAD (INTERNAL)
 C and C TRAFFIC
 C and C TRAFFIC (INTERNAL)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND ATTACK
 OUTBOUND ATTACK (INTERNAL)
 ATTACK PREP
 PEER COORDINATION Info
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384280135.164 1384280135.165 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.240'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.240
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/12/2013 10:15:35.164 PST
Gen. Time: 11/12/2013 10:19:44.393 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT (INTERNAL) 128.18.30.15 (4) (10:15:35.164 PST)
  event=1:92009714 (3) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/servlet/webacc?User.lang=] MAC_Dst: 1C:DF:0F:66:3D:B0
   80<-56478 (10:16:31.498 PST)
   80<-56489 (10:16:34.512 PST)
   80<-56500 (10:16:36.523 PST)
  -------------------------
  event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
   80<-56242 (10:15:35.164 PST)
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 EGG DOWNLOAD (INTERNAL)
 C and C TRAFFIC
 C and C TRAFFIC (INTERNAL)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND ATTACK
 OUTBOUND ATTACK (INTERNAL)
 ATTACK PREP
 PEER COORDINATION Info
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384280135.164 1384280135.165 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.240'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.240
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/12/2013 10:21:41.933 PST
Gen. Time: 11/12/2013 10:21:41.933 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT (INTERNAL) 128.18.30.15 (10:21:41.933 PST)
  event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 1C:DF:0F:66:3D:B0
   80<-59036 (10:21:41.933 PST)
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 EGG DOWNLOAD (INTERNAL)
 C and C TRAFFIC
 C and C TRAFFIC (INTERNAL)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND ATTACK
 OUTBOUND ATTACK (INTERNAL)
 ATTACK PREP
 PEER COORDINATION Info
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384280501.933 1384280501.934 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.240'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.240
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/12/2013 10:21:41.933 PST
Gen. Time: 11/12/2013 10:26:35.260 PST
 INBOUND SCAN
 EXPLOIT
 EXPLOIT (INTERNAL) 128.18.30.15 (13) (10:21:41.933 PST)
  event=1:92009714 (10) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata=">] MAC_Dst: 1C:DF:0F:66:3D:B0
   80<-59036 (10:21:41.933 PST)
   80<-60068 (10:23:33.992 PST)
   80<-60069 (10:23:34.005 PST)
   80<-60072 (10:23:34.032 PST)
   80<-60075 (10:23:34.060 PST)
   80<-60079 (10:23:34.072 PST)
   80<-60087 (10:23:34.143 PST)
   80<-60091 (10:23:34.179 PST)
   80<-60104 (10:23:37.321 PST)
   80<-60134 (10:23:37.329 PST)
  -------------------------
  event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
   80<-60062 (10:23:33.935 PST)
   80<-60083 (10:23:34.115 PST)
   80<-60304 (10:23:57.848 PST)
 EXPLOIT MALWARE DNS
 EGG DOWNLOAD
 EGG DOWNLOAD (INTERNAL)
 C and C TRAFFIC
 C and C TRAFFIC (INTERNAL)
 C and C TRAFFIC (RBN)
 C and C DNS CHECK-IN
 OUTBOUND SKYPE CANDIDATE
 OUTBOUND SCAN (spp)
 OUTBOUND ATTACK
 OUTBOUND ATTACK (INTERNAL)
 ATTACK PREP
 PEER COORDINATION Info
 PEER COORDINATION
 DECLARE BOT Standard Port
 DECLARE BOT Non-standard Port
 DECLARE BOT
 OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1384280501.933 1384280501.934 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.240'
============================== SEPARATOR ================================
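Each profile above ends with a tcpslice line that carves one millisecond of pcap starting at Observed Start, which captures the first hit and nothing else, while the second and fourth profiles list connections running several minutes past that. The Python below is an added example, not part of the BotHunter output above: it parses one profile into its header fields and per-signature connection list, cross-checks the report's own hit counts (the "(n)" after the infector address against the sum of the per-event counts, and each per-event count against the connections listed under it), and rebuilds the carve command over the full Observed Start to Gen. Time span. It assumes PST is a fixed UTC-8 offset, which reproduces the report's own epoch 1384280135.164 for 10:15:35.164 PST, and that all connection times fall on the Observed Start date; the sample input is the second profile above.

```python
"""Parse a BotHunter infection profile and derive a usable pcap carving window."""
import re
from datetime import datetime, timedelta, timezone

# The report stamps times as PST and its tcpslice line uses epoch seconds; PST is taken as a
# fixed UTC-8 offset (assumption: the zone label is literal; it reproduces the report's epoch).
PST = timezone(timedelta(hours=-8))
HEADER_KEYS = ["Score", "Infected Target", "Infector List", "Egg Source List", "C & C List",
               "Peer Coord. List", "Resource List", "Observed Start", "Gen. Time"]
CLOCK = r"\d{2}:\d{2}:\d{2}\.\d{3}"
EVIDENCE_RE = re.compile(r"EXPLOIT \(INTERNAL\) (?P<src>\S+)(?: \((?P<count>\d+)\))? \(" + CLOCK + r" PST\)")
EVENT_RE = re.compile(
    r"event=(?P<gid>\d+):(?P<sid>\d+)(?: \((?P<count>\d+)\))? \{(?P<proto>\w+)\} (?P<engine>E\d\[\w+\]) "
    r"(?P<msg>.*?), \[(?P<uri>[^\]]*)\] MAC_Dst: (?P<mac>[0-9A-Fa-f:]{17})"
    r"(?P<conns>(?:\s+\d+<-\d+ \(" + CLOCK + r" PST\))+)")
CONN_RE = re.compile(r"(?P<dport>\d+)<-(?P<sport>\d+) \((?P<time>" + CLOCK + r") PST\)")

# Sample input: the second profile from the report above, trimmed to its populated sections.
SAMPLE_PROFILE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.240
Infector List: 128.18.30.15
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/12/2013 10:15:35.164 PST
Gen. Time: 11/12/2013 10:19:44.393 PST
 INBOUND SCAN
 EXPLOIT (INTERNAL) 128.18.30.15 (4) (10:15:35.164 PST)
  event=1:92009714 (3) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/servlet/webacc?User.lang=] MAC_Dst: 1C:DF:0F:66:3D:B0
   80<-56478 (10:16:31.498 PST)
   80<-56489 (10:16:34.512 PST)
   80<-56500 (10:16:36.523 PST)
  -------------------------
  event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
   80<-56242 (10:15:35.164 PST)
"""

def parse_stamp(stamp):
    """'11/12/2013 10:15:35.164 PST' (zone suffix optional) -> aware datetime in PST."""
    return datetime.strptime(stamp.removesuffix(" PST"), "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PST)

def parse_header(text):
    """Slice the header between its fixed keys, in order, so an empty 'Egg Source List:' parses as ''."""
    bounds = [(text.index(key + ":"), key) for key in HEADER_KEYS]  # ValueError if a key is missing
    end = text.find("INBOUND SCAN")                                  # first dialog section ends the header
    bounds.append((end if end >= 0 else len(text), None))
    return {key: text[start + len(key) + 1:stop].strip()
            for (start, key), (stop, _) in zip(bounds, bounds[1:])}

def parse_profile(text):
    """Structured view of one profile: target, infectors, window, evidence count, per-signature hits."""
    header = parse_header(text)
    day = parse_stamp(header["Observed Start"]).date()  # assumption: evidence does not cross midnight
    events = []
    for m in EVENT_RE.finditer(text):
        conns = [{"dport": int(c["dport"]), "sport": int(c["sport"]),
                  "time": parse_stamp(f"{day:%m/%d/%Y} {c['time']}")}
                 for c in CONN_RE.finditer(m["conns"])]
        events.append({"sid": f"{m['gid']}:{m['sid']}", "engine": m["engine"], "msg": m["msg"],
                       "uri": m["uri"], "count": int(m["count"] or 1), "conns": conns})
    ev = EVIDENCE_RE.search(text)
    return {"target": header["Infected Target"], "infectors": header["Infector List"].split(),
            "score": float(header["Score"].split()[0]),
            "observed_start": parse_stamp(header["Observed Start"]),
            "gen_time": parse_stamp(header["Gen. Time"]),
            "evidence": {"src": ev["src"], "count": int(ev["count"] or 1)} if ev else None,
            "events": events}

def count_mismatches(profile):
    """Cross-check the report against itself: per-event '(n)' vs listed connections, evidence total vs event sum."""
    problems = [f"{e['sid']}: says {e['count']} hits, lists {len(e['conns'])} connections"
                for e in profile["events"] if e["count"] != len(e["conns"])]
    total = sum(e["count"] for e in profile["events"])
    if profile["evidence"] and profile["evidence"]["count"] != total:
        problems.append(f"evidence line says {profile['evidence']['count']}, events sum to {total}")
    return problems

def pcap_window(profile, pad_seconds=1.0):
    """Epoch-second carve window spanning Observed Start, Gen. Time and every listed connection,
    instead of the one-millisecond window on the report's own tcpslice line."""
    stamps = [profile["observed_start"], profile["gen_time"]]
    stamps += [c["time"] for e in profile["events"] for c in e["conns"]]
    return min(stamps).timestamp() - pad_seconds, max(stamps).timestamp() + pad_seconds

def tcpslice_command(profile, infile="inputFile.tcpd", outfile="outputFile.tcpd", pad_seconds=1.0):
    """The report's carve command over the widened window, restricted to target<->infector traffic."""
    start, end = pcap_window(profile, pad_seconds)
    bpf = f"host {profile['target']}"
    if profile["infectors"]:
        bpf += " and (" + " or ".join(f"host {ip}" for ip in profile["infectors"]) + ")"
    return f"tcpslice {start:.3f} {end:.3f} {infile} | tcpdump -r - -w {outfile} '{bpf}'"

if __name__ == "__main__":
    prof = parse_profile(SAMPLE_PROFILE)
    print("count mismatches:", count_mismatches(prof) or "none")
    print(tcpslice_command(prof))
```

The header parser slices between the fixed key names rather than splitting on newlines, so it also accepts a copy of the report that has been flattened onto one line, as long as each key and its colon survived intact. Widening the window to Gen. Time is what makes the carved pcap usable for triage: for the fourth profile above the report's own tcpslice line would stop 1 ms after 10:21:41.933 and miss all twelve connections between 10:23:33 and 10:23:57.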