Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.168
Infector List: 112.202.226.9
Egg Source List: 112.202.226.9
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/25/2009 02:06:52.745 PDT
Report End: 09/25/2009 02:06:52.884 PDT
Gen. Time: 09/25/2009 02:06:57.084 PDT

INBOUND SCAN

EXPLOIT
112.202.226.9 (4) (02:06:52.815 PDT-02:06:52.884 PDT)
 event=1:21390 (2) {tcp} E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP 2: 445<-3989 (02:06:52.815 PDT-02:06:52.884 PDT)
 -------------------------
 event=1:299998 (2) {tcp} E2[rb] SHELLCODE x86 inc ebx NOOP 2: 445<-3989 (02:06:52.815 PDT-02:06:52.884 PDT)

EXPLOIT (slade)

EGG DOWNLOAD
112.202.226.9 (3) (02:06:52.745 PDT)
 event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download 68<-4041 (02:06:57.084 PDT)
 -------------------------
 event=1:2007726 {tcp} E3[rb] ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd) 1027<-10966 (02:06:53.921 PDT)
 -------------------------
 event=1:3000006 {tcp} E3[rb] BotHunter MALWARE executable upload 445<-3989 (02:06:52.745 PDT)

C and C TRAFFIC

PEER COORDINATION

OUTBOUND SCAN

ATTACK PREP

DECLARE BOT

tcpslice 1253869612.745 1253869612.885 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.168'

============================== SEPARATOR ================================