Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 14:00:09.178 PST Gen. Time: 11/16/2013 14:00:41.474 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 204.8.155.227 (14:00:29.334 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34832->22 (14:00:29.334 PST) 128.10.19.53 (14:00:09.178 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52235->22 (14:00:09.178 PST) 129.82.12.188 (14:00:18.189 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55833->22 (14:00:18.189 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.8.126.111 (14:00:41.474 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:00:41.474 PST) tcpslice 1384639209.178 1384639209.179 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 14:00:09.178 PST Gen. Time: 11/16/2013 14:08:44.177 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.10.19.53 (2) (14:00:09.178 PST) event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52235->22 (14:00:09.178 PST) 52818->22 (14:01:48.944 PST) 128.10.19.52 (14:01:39.034 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 33692->22 (14:01:39.034 PST) 165.91.55.9 (2) (14:01:57.807 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47604->22 (14:01:57.807 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47604->22 (14:01:57.807 PST) 13.7.64.22 (2) (14:01:21.905 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 59659->22 (14:01:21.905 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 59659->22 (14:01:21.905 PST) 131.193.34.38 (14:01:02.429 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40288->22 (14:01:02.429 PST) 198.133.224.149 (2) (14:00:41.474 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 53053->22 (14:00:41.474 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53053->22 (14:00:41.474 PST) 204.8.155.227 (14:00:29.334 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34832->22 (14:00:29.334 PST) 129.82.12.188 (2) (14:00:18.189 PST) event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55833->22 (14:00:18.189 PST) 56528->22 (14:02:17.080 PST) 204.123.28.55 (14:02:08.527 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 33026->22 (14:02:08.527 PST) 128.8.126.98 (14:01:09.427 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48478->22 (14:01:09.427 PST) 128.208.4.198 (14:01:28.914 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39566->22 (14:01:28.914 PST) 130.127.39.152 (14:01:14.932 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56150->22 (14:01:14.932 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.8.126.111 (4) (14:00:41.474 PST-14:05:12.046 PST) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (25 /24s) (# pkts S/M/O/I=0/40/1/0): 22:40, [] MAC_Src: 00:21:1C:EE:14:00 3: 0->0 (14:02:11.934 PST-14:05:12.046 PST) 0->0 (14:00:41.474 PST) tcpslice 1384639209.178 1384639512.047 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 15:06:26.707 PST Gen. Time: 11/16/2013 15:08:51.550 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (15:07:12.212 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46278->22 (15:07:12.212 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46278->22 (15:07:12.212 PST) 128.208.4.197 (15:07:59.311 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52054->22 (15:07:59.311 PST) 128.10.19.53 (15:07:26.263 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42421->22 (15:07:26.263 PST) 131.179.150.72 (15:06:26.707 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53750->22 (15:06:26.707 PST) 131.179.150.70 (15:07:29.284 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40660->22 (15:07:29.284 PST) 13.7.64.22 (15:07:49.806 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49562->22 (15:07:49.806 PST) 128.42.142.45 (15:06:41.741 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40198->22 (15:06:41.741 PST) 204.8.155.227 (15:07:02.354 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52973->22 (15:07:02.354 PST) 192.91.235.230 (15:07:19.494 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49639->22 (15:07:19.494 PST) 129.82.12.188 (2) (15:07:38.363 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46035->22 (15:07:38.363 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46035->22 (15:07:38.363 PST) 141.212.113.180 (15:07:09.053 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47236->22 (15:07:09.053 PST) 141.212.113.179 (15:07:45.245 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37390->22 (15:07:45.245 PST) 128.111.52.59 (2) (15:08:02.204 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 52109->22 (15:08:02.204 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52109->22 (15:08:02.204 PST) 130.127.39.152 (15:06:54.716 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45745->22 (15:06:54.716 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (15:08:51.550 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:08:51.550 PST) tcpslice 1384643186.707 1384643186.708 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 15:06:26.707 PST Gen. Time: 11/16/2013 15:14:55.810 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (15:07:12.212 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46278->22 (15:07:12.212 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46278->22 (15:07:12.212 PST) 128.208.4.197 (15:07:59.311 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52054->22 (15:07:59.311 PST) 128.10.19.53 (15:07:26.263 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42421->22 (15:07:26.263 PST) 131.179.150.72 (15:06:26.707 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53750->22 (15:06:26.707 PST) 131.179.150.70 (15:07:29.284 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40660->22 (15:07:29.284 PST) 13.7.64.22 (15:07:49.806 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49562->22 (15:07:49.806 PST) 128.42.142.45 (15:06:41.741 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40198->22 (15:06:41.741 PST) 204.8.155.227 (15:07:02.354 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52973->22 (15:07:02.354 PST) 192.91.235.230 (15:07:19.494 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49639->22 (15:07:19.494 PST) 129.82.12.188 (2) (15:07:38.363 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46035->22 (15:07:38.363 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46035->22 (15:07:38.363 PST) 141.212.113.180 (15:07:09.053 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47236->22 (15:07:09.053 PST) 141.212.113.179 (15:07:45.245 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37390->22 (15:07:45.245 PST) 128.111.52.59 (2) (15:08:02.204 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 52109->22 (15:08:02.204 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52109->22 (15:08:02.204 PST) 130.127.39.152 (15:06:54.716 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45745->22 (15:06:54.716 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (2) (15:08:51.550 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:08:51.550 PST) 0->0 (15:10:22.658 PST) tcpslice 1384643186.707 1384643186.708 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 15:11:07.794 PST Gen. Time: 11/16/2013 15:11:07.794 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 165.91.55.9 (15:11:07.794 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (24 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:11:07.794 PST) tcpslice 1384643467.794 1384643467.795 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 15:26:51.885 PST Gen. Time: 11/16/2013 15:29:15.788 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (15:27:41.583 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46999->22 (15:27:41.583 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46999->22 (15:27:41.583 PST) 128.208.4.197 (15:28:31.718 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52529->22 (15:28:31.718 PST) 128.10.19.53 (15:27:56.995 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43062->22 (15:27:56.995 PST) 131.179.150.72 (15:26:51.885 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54712->22 (15:26:51.885 PST) 131.179.150.70 (15:28:00.077 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41286->22 (15:28:00.077 PST) 13.7.64.22 (15:28:23.129 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50078->22 (15:28:23.129 PST) 128.42.142.45 (15:27:07.003 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41084->22 (15:27:07.003 PST) 204.8.155.227 (15:27:31.038 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53748->22 (15:27:31.038 PST) 192.91.235.230 (15:27:50.022 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50319->22 (15:27:50.022 PST) 129.82.12.188 (2) (15:28:10.562 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46609->22 (15:28:10.562 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46609->22 (15:28:10.562 PST) 141.212.113.180 (15:27:38.109 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47971->22 (15:27:38.109 PST) 141.212.113.179 (15:28:18.541 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37923->22 (15:28:18.541 PST) 128.111.52.59 (2) (15:28:34.755 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 52567->22 (15:28:34.755 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52567->22 (15:28:34.755 PST) 130.127.39.152 (15:27:23.064 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46563->22 (15:27:23.064 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.197 (15:29:15.788 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/19/2/0): 22:19, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:29:15.788 PST) tcpslice 1384644411.885 1384644411.886 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 15:26:51.885 PST Gen. Time: 11/16/2013 15:34:37.474 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (15:27:41.583 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46999->22 (15:27:41.583 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46999->22 (15:27:41.583 PST) 128.208.4.197 (15:28:31.718 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52529->22 (15:28:31.718 PST) 128.10.19.53 (15:27:56.995 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43062->22 (15:27:56.995 PST) 131.179.150.72 (15:26:51.885 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54712->22 (15:26:51.885 PST) 131.179.150.70 (15:28:00.077 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41286->22 (15:28:00.077 PST) 13.7.64.22 (15:28:23.129 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50078->22 (15:28:23.129 PST) 128.42.142.45 (15:27:07.003 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41084->22 (15:27:07.003 PST) 204.8.155.227 (15:27:31.038 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53748->22 (15:27:31.038 PST) 192.91.235.230 (15:27:50.022 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50319->22 (15:27:50.022 PST) 129.82.12.188 (2) (15:28:10.562 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46609->22 (15:28:10.562 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46609->22 (15:28:10.562 PST) 141.212.113.180 (15:27:38.109 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47971->22 (15:27:38.109 PST) 141.212.113.179 (15:28:18.541 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37923->22 (15:28:18.541 PST) 128.111.52.59 (2) (15:28:34.755 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 52567->22 (15:28:34.755 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52567->22 (15:28:34.755 PST) 130.127.39.152 (15:27:23.064 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46563->22 (15:27:23.064 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.197 (2) (15:29:15.788 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/19/2/0): 22:19, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:29:15.788 PST) 0->0 (15:30:46.103 PST) tcpslice 1384644411.885 1384644411.886 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 15:32:12.725 PST Gen. Time: 11/16/2013 15:32:12.725 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.197 (15:32:12.725 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/40/2/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:32:12.725 PST) tcpslice 1384644732.725 1384644732.726 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 15:47:59.327 PST Gen. Time: 11/16/2013 15:50:23.378 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (15:48:46.567 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47210->22 (15:48:46.567 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47212->22 (15:48:47.496 PST) 128.208.4.197 (15:49:30.915 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52739->22 (15:49:30.915 PST) 128.10.19.53 (15:49:05.879 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43275->22 (15:49:05.879 PST) 131.179.150.72 (15:47:59.327 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54925->22 (15:47:59.327 PST) 131.179.150.70 (15:49:08.915 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41499->22 (15:49:08.915 PST) 13.7.64.22 (15:49:26.335 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50288->22 (15:49:26.335 PST) 128.42.142.45 (15:48:16.153 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41297->22 (15:48:16.153 PST) 204.8.155.227 (15:48:37.491 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53961->22 (15:48:37.491 PST) 192.91.235.230 (15:48:58.999 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50532->22 (15:48:58.999 PST) 129.82.12.188 (2) (15:49:12.457 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46820->22 (15:49:12.457 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46822->22 (15:49:15.310 PST) 141.212.113.180 (15:48:44.437 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48184->22 (15:48:44.437 PST) 141.212.113.179 (15:49:22.028 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38136->22 (15:49:22.028 PST) 128.111.52.59 (2) (15:49:34.074 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 52775->22 (15:49:34.074 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52777->22 (15:49:35.123 PST) 130.127.39.152 (15:48:29.081 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46776->22 (15:48:29.081 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.72 (15:50:23.378 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:50:23.378 PST) tcpslice 1384645679.327 1384645679.328 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 15:47:59.327 PST Gen. Time: 11/16/2013 15:57:10.708 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (15:48:46.567 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47210->22 (15:48:46.567 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47212->22 (15:48:47.496 PST) 128.208.4.197 (15:49:30.915 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52739->22 (15:49:30.915 PST) 128.10.19.53 (15:49:05.879 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43275->22 (15:49:05.879 PST) 131.179.150.72 (15:47:59.327 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54925->22 (15:47:59.327 PST) 131.179.150.70 (15:49:08.915 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41499->22 (15:49:08.915 PST) 13.7.64.22 (15:49:26.335 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50288->22 (15:49:26.335 PST) 128.42.142.45 (15:48:16.153 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41297->22 (15:48:16.153 PST) 204.8.155.227 (15:48:37.491 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53961->22 (15:48:37.491 PST) 192.91.235.230 (15:48:58.999 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50532->22 (15:48:58.999 PST) 129.82.12.188 (2) (15:49:12.457 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46820->22 (15:49:12.457 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46822->22 (15:49:15.310 PST) 141.212.113.180 (15:48:44.437 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48184->22 (15:48:44.437 PST) 141.212.113.179 (15:49:22.028 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38136->22 (15:49:22.028 PST) 128.111.52.59 (2) (15:49:34.074 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 52775->22 (15:49:34.074 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52777->22 (15:49:35.123 PST) 130.127.39.152 (15:48:29.081 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46776->22 (15:48:29.081 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.72 (15:50:23.378 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:50:23.378 PST) 198.133.224.147 (15:51:53.760 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (23 /24s) (# pkts S/M/O/I=0/32/1/0): 22:32, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:51:53.760 PST) tcpslice 1384645679.327 1384645679.328 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 16:01:24.741 PST Gen. Time: 11/16/2013 16:01:24.741 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.147 (16:01:24.741 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (25 /24s) (# pkts S/M/O/I=0/40/1/0): 22:40, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:01:24.741 PST) tcpslice 1384646484.741 1384646484.742 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 16:04:33.128 PST Gen. Time: 11/16/2013 16:04:33.128 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.147 (16:04:33.128 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (25 /24s) (# pkts S/M/O/I=0/40/1/0): 22:40, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:04:33.128 PST) tcpslice 1384646673.128 1384646673.129 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 16:08:17.809 PST Gen. Time: 11/16/2013 16:08:17.809 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.147 (16:08:17.809 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (25 /24s) (# pkts S/M/O/I=0/40/1/0): 22:40, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:08:17.809 PST) tcpslice 1384646897.809 1384646897.810 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 16:08:17.809 PST Gen. Time: 11/16/2013 16:17:25.142 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (16:09:24.735 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47422->22 (16:09:24.735 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47422->22 (16:09:24.735 PST) 128.208.4.197 (16:10:13.019 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52949->22 (16:10:13.019 PST) 128.10.19.53 (16:09:41.035 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43485->22 (16:09:41.035 PST) 131.179.150.72 (16:08:39.113 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55135->22 (16:08:39.113 PST) 131.179.150.70 (16:09:44.454 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41709->22 (16:09:44.454 PST) 13.7.64.22 (16:10:07.132 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50498->22 (16:10:07.132 PST) 128.42.142.45 (16:08:54.293 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41507->22 (16:08:54.293 PST) 204.8.155.227 (16:09:14.539 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54171->22 (16:09:14.539 PST) 192.91.235.230 (16:09:32.731 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50742->22 (16:09:32.731 PST) 129.82.12.188 (2) (16:09:54.995 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47032->22 (16:09:54.995 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47032->22 (16:09:54.995 PST) 141.212.113.180 (16:09:21.563 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48394->22 (16:09:21.563 PST) 141.212.113.179 (16:10:02.468 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38346->22 (16:10:02.468 PST) 128.111.52.59 (2) (16:10:16.163 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 52987->22 (16:10:16.163 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52987->22 (16:10:16.163 PST) 130.127.39.152 (16:09:05.745 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46986->22 (16:09:05.745 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.147 (6) (16:08:17.809 PST-16:16:46.311 PST) event=777:7777008 (6) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (25 /24s) (# pkts S/M/O/I=0/40/1/0): 22:40, [] MAC_Src: 00:21:1C:EE:14:00 6: 0->0 (16:08:17.809 PST-16:16:46.311 PST) tcpslice 1384646897.809 1384647406.312 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 16:29:27.708 PST Gen. Time: 11/16/2013 16:32:02.739 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (16:30:17.000 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47632->22 (16:30:17.000 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47632->22 (16:30:17.000 PST) 128.208.4.197 (16:31:05.424 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53159->22 (16:31:05.424 PST) 128.10.19.53 (16:30:37.252 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43695->22 (16:30:37.252 PST) 131.179.150.72 (16:29:27.708 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55345->22 (16:29:27.708 PST) 131.179.150.70 (16:30:40.692 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41919->22 (16:30:40.692 PST) 13.7.64.22 (16:31:00.498 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50708->22 (16:31:00.498 PST) 128.42.142.45 (16:29:42.722 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41717->22 (16:29:42.722 PST) 204.8.155.227 (16:30:07.046 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54381->22 (16:30:07.046 PST) 192.91.235.230 (16:30:29.538 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50952->22 (16:30:29.538 PST) 129.82.12.188 (2) (16:30:48.865 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47242->22 (16:30:48.865 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47242->22 (16:30:48.865 PST) 141.212.113.180 (16:30:13.748 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48604->22 (16:30:13.748 PST) 141.212.113.179 (16:30:56.057 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38556->22 (16:30:56.057 PST) 128.111.52.59 (2) (16:31:08.430 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 53197->22 (16:31:08.430 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53197->22 (16:31:08.430 PST) 130.127.39.152 (16:29:59.316 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47196->22 (16:29:59.316 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 129.82.12.188 (16:32:02.739 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:32:02.739 PST) tcpslice 1384648167.708 1384648167.709 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 16:29:27.708 PST Gen. Time: 11/16/2013 16:36:35.393 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (16:30:17.000 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47632->22 (16:30:17.000 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47632->22 (16:30:17.000 PST) 128.208.4.197 (16:31:05.424 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53159->22 (16:31:05.424 PST) 128.10.19.53 (16:30:37.252 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43695->22 (16:30:37.252 PST) 131.179.150.72 (16:29:27.708 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55345->22 (16:29:27.708 PST) 131.179.150.70 (16:30:40.692 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41919->22 (16:30:40.692 PST) 13.7.64.22 (16:31:00.498 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50708->22 (16:31:00.498 PST) 128.42.142.45 (16:29:42.722 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41717->22 (16:29:42.722 PST) 204.8.155.227 (16:30:07.046 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54381->22 (16:30:07.046 PST) 192.91.235.230 (16:30:29.538 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50952->22 (16:30:29.538 PST) 129.82.12.188 (2) (16:30:48.865 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47242->22 (16:30:48.865 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47242->22 (16:30:48.865 PST) 141.212.113.180 (16:30:13.748 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48604->22 (16:30:13.748 PST) 141.212.113.179 (16:30:56.057 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38556->22 (16:30:56.057 PST) 128.111.52.59 (2) (16:31:08.430 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 53197->22 (16:31:08.430 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53197->22 (16:31:08.430 PST) 130.127.39.152 (16:29:59.316 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47196->22 (16:29:59.316 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.149 (16:33:32.784 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:33:32.784 PST) 129.82.12.188 (16:32:02.739 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:32:02.739 PST) tcpslice 1384648167.708 1384648167.709 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 16:34:19.780 PST Gen. Time: 11/16/2013 16:34:19.780 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (16:34:19.780 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (24 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:34:19.780 PST) tcpslice 1384648459.780 1384648459.781 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 16:50:05.827 PST Gen. Time: 11/16/2013 16:52:38.160 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (16:50:53.806 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47842->22 (16:50:53.806 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47842->22 (16:50:53.806 PST) 128.208.4.197 (16:51:40.280 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53369->22 (16:51:40.280 PST) 128.10.19.53 (16:51:10.536 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43905->22 (16:51:10.536 PST) 131.179.150.72 (16:50:05.827 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55555->22 (16:50:05.827 PST) 131.179.150.70 (16:51:14.515 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42129->22 (16:51:14.515 PST) 13.7.64.22 (16:51:35.217 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50918->22 (16:51:35.217 PST) 128.42.142.45 (16:50:20.953 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41927->22 (16:50:20.953 PST) 204.8.155.227 (16:50:43.728 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54591->22 (16:50:43.728 PST) 192.91.235.230 (16:51:03.549 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51162->22 (16:51:03.549 PST) 129.82.12.188 (2) (16:51:23.683 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47452->22 (16:51:23.683 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47452->22 (16:51:23.683 PST) 141.212.113.180 (16:50:50.604 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48814->22 (16:50:50.604 PST) 141.212.113.179 (16:51:30.731 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38766->22 (16:51:30.731 PST) 128.111.52.59 (2) (16:51:43.098 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 53407->22 (16:51:43.098 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53407->22 (16:51:43.098 PST) 130.127.39.152 (16:50:36.029 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47406->22 (16:50:36.029 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.180 (16:52:38.160 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:52:38.160 PST) tcpslice 1384649405.827 1384649405.828 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 16:50:05.827 PST Gen. Time: 11/16/2013 16:59:42.802 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (16:50:53.806 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47842->22 (16:50:53.806 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47842->22 (16:50:53.806 PST) 128.208.4.197 (16:51:40.280 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53369->22 (16:51:40.280 PST) 128.10.19.53 (16:51:10.536 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43905->22 (16:51:10.536 PST) 131.179.150.72 (16:50:05.827 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55555->22 (16:50:05.827 PST) 131.179.150.70 (16:51:14.515 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42129->22 (16:51:14.515 PST) 13.7.64.22 (16:51:35.217 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50918->22 (16:51:35.217 PST) 128.42.142.45 (16:50:20.953 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41927->22 (16:50:20.953 PST) 204.8.155.227 (16:50:43.728 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54591->22 (16:50:43.728 PST) 192.91.235.230 (16:51:03.549 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51162->22 (16:51:03.549 PST) 129.82.12.188 (2) (16:51:23.683 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47452->22 (16:51:23.683 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47452->22 (16:51:23.683 PST) 141.212.113.180 (16:50:50.604 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48814->22 (16:50:50.604 PST) 141.212.113.179 (16:51:30.731 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38766->22 (16:51:30.731 PST) 128.111.52.59 (2) (16:51:43.098 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 53407->22 (16:51:43.098 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53407->22 (16:51:43.098 PST) 130.127.39.152 (16:50:36.029 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47406->22 (16:50:36.029 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.180 (2) (16:52:38.160 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:52:38.160 PST) 0->0 (16:54:08.035 PST) tcpslice 1384649405.827 1384649405.828 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 16:54:58.945 PST Gen. Time: 11/16/2013 16:54:58.945 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.180 (16:54:58.945 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (24 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:54:58.945 PST) tcpslice 1384649698.945 1384649698.946 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 17:10:44.453 PST Gen. Time: 11/16/2013 17:13:15.267 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (17:11:28.310 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48053->22 (17:11:28.310 PST) 128.208.4.197 (17:12:14.266 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53580->22 (17:12:14.266 PST) 128.10.19.53 (17:11:44.704 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44116->22 (17:11:44.704 PST) 131.179.150.72 (17:10:44.453 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55766->22 (17:10:44.453 PST) 131.179.150.70 (17:11:47.763 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42340->22 (17:11:47.763 PST) 155.246.12.164 (17:12:17.596 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54288->22 (17:12:17.596 PST) 13.7.64.22 (17:12:09.763 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51129->22 (17:12:09.763 PST) 128.42.142.45 (17:10:49.509 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42138->22 (17:10:49.509 PST) 204.8.155.227 (17:11:16.351 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54802->22 (17:11:16.351 PST) 192.91.235.230 (2) (17:11:28.783 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 51369->22 (17:11:28.783 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51373->22 (17:11:37.475 PST) 129.82.12.188 (17:11:57.401 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47663->22 (17:11:57.401 PST) 141.212.113.180 (17:11:25.068 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49025->22 (17:11:25.068 PST) 141.212.113.179 (2) (17:11:59.233 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 38973->22 (17:11:59.233 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38977->22 (17:12:05.196 PST) 128.111.52.59 (17:12:17.109 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53618->22 (17:12:17.109 PST) 130.127.39.152 (17:11:08.349 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47617->22 (17:11:08.349 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.111.52.59 (17:13:15.267 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:13:15.267 PST) tcpslice 1384650644.453 1384650644.454 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 17:10:44.453 PST Gen. Time: 11/16/2013 17:17:22.216 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (17:11:28.310 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48053->22 (17:11:28.310 PST) 128.208.4.197 (17:12:14.266 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53580->22 (17:12:14.266 PST) 128.10.19.53 (17:11:44.704 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44116->22 (17:11:44.704 PST) 131.179.150.72 (17:10:44.453 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55766->22 (17:10:44.453 PST) 131.179.150.70 (17:11:47.763 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42340->22 (17:11:47.763 PST) 155.246.12.164 (17:12:17.596 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54288->22 (17:12:17.596 PST) 13.7.64.22 (17:12:09.763 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51129->22 (17:12:09.763 PST) 128.42.142.45 (17:10:49.509 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42138->22 (17:10:49.509 PST) 204.8.155.227 (17:11:16.351 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54802->22 (17:11:16.351 PST) 192.91.235.230 (2) (17:11:28.783 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 51369->22 (17:11:28.783 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51373->22 (17:11:37.475 PST) 129.82.12.188 (17:11:57.401 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47663->22 (17:11:57.401 PST) 141.212.113.180 (17:11:25.068 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49025->22 (17:11:25.068 PST) 141.212.113.179 (2) (17:11:59.233 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 38973->22 (17:11:59.233 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38977->22 (17:12:05.196 PST) 128.111.52.59 (17:12:17.109 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53618->22 (17:12:17.109 PST) 130.127.39.152 (17:11:08.349 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47617->22 (17:11:08.349 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.111.52.59 (2) (17:13:15.267 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:13:15.267 PST) 0->0 (17:14:45.614 PST) tcpslice 1384650644.453 1384650644.454 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 17:15:39.364 PST Gen. Time: 11/16/2013 17:15:39.364 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.8.126.111 (17:15:39.364 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (24 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:15:39.364 PST) tcpslice 1384650939.364 1384650939.365 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 20:00:12.452 PST Gen. Time: 11/16/2013 20:00:39.447 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 198.133.224.149 (2) (20:00:38.016 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 44985->22 (20:00:38.016 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44985->22 (20:00:38.016 PST) 204.8.155.227 (20:00:28.967 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55057->22 (20:00:28.967 PST) 128.10.19.53 (20:00:12.452 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44341->22 (20:00:12.452 PST) 129.82.12.188 (20:00:20.093 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47883->22 (20:00:20.093 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.55 (20:00:39.447 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (20:00:39.447 PST) tcpslice 1384660812.452 1384660812.453 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 20:00:12.452 PST Gen. Time: 11/16/2013 20:10:07.155 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.10.19.53 (2) (20:00:12.452 PST) event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44341->22 (20:00:12.452 PST) 44393->22 (20:01:45.453 PST) 128.10.19.52 (20:01:35.312 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53548->22 (20:01:35.312 PST) 165.91.55.9 (2) (20:01:54.059 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 39129->22 (20:01:54.059 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39129->22 (20:01:54.059 PST) 13.7.64.22 (2) (20:01:16.397 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 51371->22 (20:01:16.397 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51371->22 (20:01:16.397 PST) 131.193.34.38 (20:00:58.649 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 60341->22 (20:00:58.649 PST) 198.133.224.149 (2) (20:00:38.016 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 44985->22 (20:00:38.016 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44985->22 (20:00:38.016 PST) 204.8.155.227 (20:00:28.967 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55057->22 (20:00:28.967 PST) 129.82.12.188 (2) (20:00:20.093 PST) event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47883->22 (20:00:20.093 PST) 47945->22 (20:02:14.440 PST) 204.123.28.55 (20:02:05.265 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52729->22 (20:02:05.265 PST) 128.8.126.98 (20:01:04.663 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40259->22 (20:01:04.663 PST) 128.208.4.198 (20:01:25.270 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 59474->22 (20:01:25.270 PST) 130.127.39.152 (20:01:10.310 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47899->22 (20:01:10.310 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.78 (3) (20:02:09.023 PST-20:05:12.121 PST) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (24 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 3: 0->0 (20:02:09.023 PST-20:05:12.121 PST) 204.123.28.55 (20:00:39.447 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (20:00:39.447 PST) tcpslice 1384660812.452 1384661112.122 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 20:11:36.009 PST Gen. Time: 11/16/2013 20:11:36.009 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.78 (20:11:36.009 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (25 /24s) (# pkts S/M/O/I=0/40/1/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (20:11:36.009 PST) tcpslice 1384661496.009 1384661496.010 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 21:06:48.926 PST Gen. Time: 11/16/2013 21:09:33.131 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (21:07:38.535 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48486->22 (21:07:38.535 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48486->22 (21:07:38.535 PST) 128.208.4.197 (21:08:33.016 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54013->22 (21:08:33.016 PST) 128.10.19.53 (21:07:52.199 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44549->22 (21:07:52.199 PST) 131.179.150.72 (21:06:48.926 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56199->22 (21:06:48.926 PST) 131.179.150.70 (21:07:55.403 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42773->22 (21:07:55.403 PST) 13.7.64.22 (21:08:28.231 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51562->22 (21:08:28.231 PST) 128.42.142.45 (21:07:04.193 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42571->22 (21:07:04.193 PST) 204.8.155.227 (21:07:28.447 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55235->22 (21:07:28.447 PST) 192.91.235.230 (21:07:45.826 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51806->22 (21:07:45.826 PST) 129.82.12.188 (2) (21:08:02.783 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48096->22 (21:08:02.783 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48096->22 (21:08:02.783 PST) 141.212.113.180 (21:07:35.244 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49458->22 (21:07:35.244 PST) 141.212.113.179 (21:08:14.729 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39410->22 (21:08:14.729 PST) 128.111.52.59 (2) (21:08:35.983 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54051->22 (21:08:35.983 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54051->22 (21:08:35.983 PST) 130.127.39.152 (21:07:20.812 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48050->22 (21:07:20.812 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 192.91.235.230 (21:09:33.131 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (21:09:33.131 PST) tcpslice 1384664808.926 1384664808.927 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 21:06:48.926 PST Gen. Time: 11/16/2013 21:16:13.648 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (21:07:38.535 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48486->22 (21:07:38.535 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48486->22 (21:07:38.535 PST) 128.208.4.197 (21:08:33.016 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54013->22 (21:08:33.016 PST) 128.10.19.53 (21:07:52.199 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44549->22 (21:07:52.199 PST) 131.179.150.72 (21:06:48.926 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56199->22 (21:06:48.926 PST) 131.179.150.70 (21:07:55.403 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42773->22 (21:07:55.403 PST) 13.7.64.22 (21:08:28.231 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51562->22 (21:08:28.231 PST) 128.42.142.45 (21:07:04.193 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42571->22 (21:07:04.193 PST) 204.8.155.227 (21:07:28.447 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55235->22 (21:07:28.447 PST) 192.91.235.230 (21:07:45.826 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51806->22 (21:07:45.826 PST) 129.82.12.188 (2) (21:08:02.783 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48096->22 (21:08:02.783 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48096->22 (21:08:02.783 PST) 141.212.113.180 (21:07:35.244 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49458->22 (21:07:35.244 PST) 141.212.113.179 (21:08:14.729 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39410->22 (21:08:14.729 PST) 128.111.52.59 (2) (21:08:35.983 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54051->22 (21:08:35.983 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54051->22 (21:08:35.983 PST) 130.127.39.152 (21:07:20.812 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48050->22 (21:07:20.812 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.20 (21:11:04.068 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (21:11:04.068 PST) 192.91.235.230 (21:09:33.131 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (21:09:33.131 PST) tcpslice 1384664808.926 1384664808.927 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 21:11:52.664 PST Gen. Time: 11/16/2013 21:11:52.664 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.20 (21:11:52.664 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (24 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (21:11:52.664 PST) tcpslice 1384665112.664 1384665112.665 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 21:27:46.032 PST Gen. Time: 11/16/2013 21:30:20.212 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (21:28:35.009 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48696->22 (21:28:35.009 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48696->22 (21:28:35.009 PST) 128.208.4.197 (21:29:16.119 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54223->22 (21:29:16.119 PST) 128.10.19.53 (21:28:49.284 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44759->22 (21:28:49.284 PST) 131.179.150.72 (21:27:46.032 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56409->22 (21:27:46.032 PST) 131.179.150.70 (21:28:52.460 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42983->22 (21:28:52.460 PST) 13.7.64.22 (21:29:11.526 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51772->22 (21:29:11.526 PST) 128.42.142.45 (21:28:01.339 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42781->22 (21:28:01.339 PST) 204.8.155.227 (21:28:24.785 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55445->22 (21:28:24.785 PST) 192.91.235.230 (21:28:42.730 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52016->22 (21:28:42.730 PST) 129.82.12.188 (2) (21:28:58.751 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48306->22 (21:28:58.751 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48306->22 (21:28:58.751 PST) 141.212.113.180 (21:28:31.540 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49668->22 (21:28:31.540 PST) 141.212.113.179 (21:29:06.343 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39620->22 (21:29:06.343 PST) 128.111.52.59 (2) (21:29:19.028 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54261->22 (21:29:19.028 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54261->22 (21:29:19.028 PST) 130.127.39.152 (21:28:16.996 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48260->22 (21:28:16.996 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.10.19.53 (21:30:20.212 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (21:30:20.212 PST) tcpslice 1384666066.032 1384666066.033 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 21:27:46.032 PST Gen. Time: 11/16/2013 21:35:24.310 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (21:28:35.009 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48696->22 (21:28:35.009 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48696->22 (21:28:35.009 PST) 128.208.4.197 (21:29:16.119 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54223->22 (21:29:16.119 PST) 128.10.19.53 (21:28:49.284 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44759->22 (21:28:49.284 PST) 131.179.150.72 (21:27:46.032 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56409->22 (21:27:46.032 PST) 131.179.150.70 (21:28:52.460 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42983->22 (21:28:52.460 PST) 13.7.64.22 (21:29:11.526 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51772->22 (21:29:11.526 PST) 128.42.142.45 (21:28:01.339 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42781->22 (21:28:01.339 PST) 204.8.155.227 (21:28:24.785 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55445->22 (21:28:24.785 PST) 192.91.235.230 (21:28:42.730 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52016->22 (21:28:42.730 PST) 129.82.12.188 (2) (21:28:58.751 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48306->22 (21:28:58.751 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48306->22 (21:28:58.751 PST) 141.212.113.180 (21:28:31.540 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49668->22 (21:28:31.540 PST) 141.212.113.179 (21:29:06.343 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39620->22 (21:29:06.343 PST) 128.111.52.59 (2) (21:29:19.028 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54261->22 (21:29:19.028 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54261->22 (21:29:19.028 PST) 130.127.39.152 (21:28:16.996 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48260->22 (21:28:16.996 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.10.19.53 (2) (21:30:20.212 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (21:30:20.212 PST) 0->0 (21:31:50.078 PST) tcpslice 1384666066.032 1384666066.033 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 21:32:37.697 PST Gen. Time: 11/16/2013 21:32:37.697 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.10.19.53 (21:32:37.697 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (24 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (21:32:37.697 PST) tcpslice 1384666357.697 1384666357.698 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 21:48:26.653 PST Gen. Time: 11/16/2013 21:50:58.069 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (21:49:11.472 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48906->22 (21:49:11.472 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48906->22 (21:49:11.472 PST) 128.208.4.197 (21:49:52.947 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54433->22 (21:49:52.947 PST) 128.10.19.53 (21:49:25.641 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44969->22 (21:49:25.641 PST) 131.179.150.72 (21:48:26.653 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56619->22 (21:48:26.653 PST) 131.179.150.70 (21:49:28.625 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43193->22 (21:49:28.625 PST) 13.7.64.22 (21:49:48.412 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51982->22 (21:49:48.412 PST) 128.42.142.45 (21:48:42.004 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42991->22 (21:48:42.004 PST) 204.8.155.227 (21:49:01.513 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55655->22 (21:49:01.513 PST) 192.91.235.230 (21:49:19.141 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52226->22 (21:49:19.141 PST) 129.82.12.188 (2) (21:49:36.219 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48516->22 (21:49:36.219 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48516->22 (21:49:36.219 PST) 141.212.113.180 (21:49:08.390 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49878->22 (21:49:08.390 PST) 141.212.113.179 (21:49:43.870 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39830->22 (21:49:43.870 PST) 128.111.52.59 (2) (21:49:55.678 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54471->22 (21:49:55.678 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54471->22 (21:49:55.678 PST) 130.127.39.152 (21:48:54.071 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48470->22 (21:48:54.071 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.252.19.19 (21:50:58.069 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (21:50:58.069 PST) tcpslice 1384667306.653 1384667306.654 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 21:48:26.653 PST Gen. Time: 11/16/2013 21:56:30.610 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (21:49:11.472 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48906->22 (21:49:11.472 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48906->22 (21:49:11.472 PST) 128.208.4.197 (21:49:52.947 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54433->22 (21:49:52.947 PST) 128.10.19.53 (21:49:25.641 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44969->22 (21:49:25.641 PST) 131.179.150.72 (21:48:26.653 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56619->22 (21:48:26.653 PST) 131.179.150.70 (21:49:28.625 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43193->22 (21:49:28.625 PST) 13.7.64.22 (21:49:48.412 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51982->22 (21:49:48.412 PST) 128.42.142.45 (21:48:42.004 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42991->22 (21:48:42.004 PST) 204.8.155.227 (21:49:01.513 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55655->22 (21:49:01.513 PST) 192.91.235.230 (21:49:19.141 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52226->22 (21:49:19.141 PST) 129.82.12.188 (2) (21:49:36.219 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48516->22 (21:49:36.219 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48516->22 (21:49:36.219 PST) 141.212.113.180 (21:49:08.390 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49878->22 (21:49:08.390 PST) 141.212.113.179 (21:49:43.870 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39830->22 (21:49:43.870 PST) 128.111.52.59 (2) (21:49:55.678 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54471->22 (21:49:55.678 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54471->22 (21:49:55.678 PST) 130.127.39.152 (21:48:54.071 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48470->22 (21:48:54.071 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.252.19.19 (2) (21:50:58.069 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (21:50:58.069 PST) 0->0 (21:52:28.017 PST) tcpslice 1384667306.653 1384667306.654 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 22:01:20.986 PST Gen. Time: 11/16/2013 22:01:20.986 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.252.19.19 (22:01:20.986 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (24 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (22:01:20.986 PST) tcpslice 1384668080.986 1384668080.987 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 22:06:00.965 PST Gen. Time: 11/16/2013 22:06:00.965 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.252.19.19 (22:06:00.965 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (24 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (22:06:00.965 PST) tcpslice 1384668360.965 1384668360.966 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 22:10:12.156 PST Gen. Time: 11/16/2013 22:11:19.420 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (22:11:05.424 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49113->22 (22:11:05.424 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49116->22 (22:11:06.921 PST) 131.179.150.72 (22:10:12.156 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56829->22 (22:10:12.156 PST) 204.8.155.227 (22:10:56.599 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55865->22 (22:10:56.599 PST) 128.42.142.45 (22:10:28.798 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43201->22 (22:10:28.798 PST) 130.127.39.152 (22:10:48.696 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48680->22 (22:10:48.696 PST) 141.212.113.180 (22:11:03.618 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50088->22 (22:11:03.618 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.252.19.19 (22:11:19.420 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (24 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (22:11:19.420 PST) tcpslice 1384668612.156 1384668612.157 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 22:10:12.156 PST Gen. Time: 11/16/2013 22:18:43.407 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (22:11:05.424 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49113->22 (22:11:05.424 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49116->22 (22:11:06.921 PST) 128.208.4.197 (22:11:57.043 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54643->22 (22:11:57.043 PST) 128.10.19.53 (22:11:26.326 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45179->22 (22:11:26.326 PST) 131.179.150.72 (22:10:12.156 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56829->22 (22:10:12.156 PST) 131.179.150.70 (22:11:30.195 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43403->22 (22:11:30.195 PST) 13.7.64.22 (22:11:52.141 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52192->22 (22:11:52.141 PST) 128.42.142.45 (22:10:28.798 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43201->22 (22:10:28.798 PST) 204.8.155.227 (22:10:56.599 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55865->22 (22:10:56.599 PST) 192.91.235.230 (22:11:19.420 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52436->22 (22:11:19.420 PST) 129.82.12.188 (2) (22:11:32.765 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48723->22 (22:11:32.765 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48726->22 (22:11:39.959 PST) 141.212.113.180 (22:11:03.618 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50088->22 (22:11:03.618 PST) 141.212.113.179 (22:11:47.493 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40040->22 (22:11:47.493 PST) 128.111.52.59 (2) (22:11:58.498 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54678->22 (22:11:58.498 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54681->22 (22:11:59.975 PST) 130.127.39.152 (22:10:48.696 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48680->22 (22:10:48.696 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.252.19.19 (4) (22:11:19.420 PST-22:15:57.931 PST) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (24 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 4: 0->0 (22:11:19.420 PST-22:15:57.931 PST) tcpslice 1384668612.156 1384668957.932 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 22:17:13.195 PST Gen. Time: 11/16/2013 22:17:13.195 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.252.19.19 (22:17:13.195 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (24 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (22:17:13.195 PST) tcpslice 1384669033.195 1384669033.196 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 22:31:03.978 PST Gen. Time: 11/16/2013 22:33:49.912 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (22:32:00.846 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49326->22 (22:32:00.846 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49326->22 (22:32:00.846 PST) 128.208.4.197 (22:32:45.824 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54853->22 (22:32:45.824 PST) 128.10.19.53 (22:32:16.207 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45389->22 (22:32:16.207 PST) 131.179.150.72 (22:31:03.978 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 57039->22 (22:31:03.978 PST) 131.179.150.70 (22:32:19.086 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43613->22 (22:32:19.086 PST) 13.7.64.22 (22:32:41.161 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52402->22 (22:32:41.161 PST) 128.42.142.45 (22:31:19.577 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43411->22 (22:31:19.577 PST) 204.8.155.227 (22:31:50.780 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56075->22 (22:31:50.780 PST) 192.91.235.230 (22:32:08.768 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52646->22 (22:32:08.768 PST) 129.82.12.188 (2) (22:32:29.015 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48936->22 (22:32:29.015 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48936->22 (22:32:29.015 PST) 141.212.113.180 (22:31:57.682 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50298->22 (22:31:57.682 PST) 141.212.113.179 (22:32:36.662 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40250->22 (22:32:36.662 PST) 128.111.52.59 (2) (22:32:48.771 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54891->22 (22:32:48.771 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54891->22 (22:32:48.771 PST) 130.127.39.152 (22:31:43.221 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48890->22 (22:31:43.221 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 129.82.12.188 (22:33:49.912 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (22:33:49.912 PST) tcpslice 1384669863.978 1384669863.979 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 22:31:03.978 PST Gen. Time: 11/16/2013 22:40:09.257 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (22:32:00.846 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49326->22 (22:32:00.846 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49326->22 (22:32:00.846 PST) 128.208.4.197 (22:32:45.824 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54853->22 (22:32:45.824 PST) 128.10.19.53 (22:32:16.207 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45389->22 (22:32:16.207 PST) 131.179.150.72 (22:31:03.978 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 57039->22 (22:31:03.978 PST) 131.179.150.70 (22:32:19.086 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43613->22 (22:32:19.086 PST) 13.7.64.22 (22:32:41.161 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52402->22 (22:32:41.161 PST) 128.42.142.45 (22:31:19.577 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43411->22 (22:31:19.577 PST) 204.8.155.227 (22:31:50.780 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56075->22 (22:31:50.780 PST) 192.91.235.230 (22:32:08.768 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52646->22 (22:32:08.768 PST) 129.82.12.188 (2) (22:32:29.015 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48936->22 (22:32:29.015 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48936->22 (22:32:29.015 PST) 141.212.113.180 (22:31:57.682 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50298->22 (22:31:57.682 PST) 141.212.113.179 (22:32:36.662 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40250->22 (22:32:36.662 PST) 128.111.52.59 (2) (22:32:48.771 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54891->22 (22:32:48.771 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54891->22 (22:32:48.771 PST) 130.127.39.152 (22:31:43.221 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48890->22 (22:31:43.221 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 129.82.12.188 (22:33:49.912 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (22:33:49.912 PST) 129.63.159.101 (22:35:19.244 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (22:35:19.244 PST) tcpslice 1384669863.978 1384669863.979 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 22:36:14.183 PST Gen. Time: 11/16/2013 22:36:14.183 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 129.63.159.101 (22:36:14.183 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (24 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (22:36:14.183 PST) tcpslice 1384670174.183 1384670174.184 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/16/2013 22:51:59.089 PST Gen. Time: 11/16/2013 22:54:41.215 PST INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (22:52:49.555 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49536->22 (22:52:49.555 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49536->22 (22:52:49.555 PST) 128.208.4.197 (22:53:40.686 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55063->22 (22:53:40.686 PST) 128.10.19.53 (22:53:03.596 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45599->22 (22:53:03.596 PST) 131.179.150.72 (22:51:59.089 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 57249->22 (22:51:59.089 PST) 131.179.150.70 (22:53:07.501 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43823->22 (22:53:07.501 PST) 13.7.64.22 (22:53:35.933 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52612->22 (22:53:35.933 PST) 128.42.142.45 (22:52:14.616 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43621->22 (22:52:14.616 PST) 204.8.155.227 (22:52:39.452 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56285->22 (22:52:39.452 PST) 192.91.235.230 (22:52:56.956 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52856->22 (22:52:56.956 PST) 129.82.12.188 (2) (22:53:23.918 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49146->22 (22:53:23.918 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49146->22 (22:53:23.918 PST) 141.212.113.180 (22:52:46.464 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50508->22 (22:52:46.464 PST) 141.212.113.179 (22:53:31.295 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40460->22 (22:53:31.295 PST) 128.111.52.59 (2) (22:53:43.652 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 55101->22 (22:53:43.652 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55101->22 (22:53:43.652 PST) 130.127.39.152 (22:52:30.641 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49100->22 (22:52:30.641 PST) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.78 (22:54:41.215 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (22:54:41.215 PST) tcpslice 1384671119.089 1384671119.090 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================