Score: 0.8 (>= 0.8)
Infected Target: 130.107.236.201
Infector List: 88.7.206.184
Egg Source List:
C & C List: 85.114.137.60 (2), 217.170.244.2 (6)
Peer Coord. List:
Resource List:
Observed Start: 05/02/2008 16:05:20.808 PDT
Report End: 05/02/2008 16:06:01.901 PDT
Gen. Time: 05/02/2008 16:06:01.901 PDT

INBOUND SCAN

EXPLOIT
88.7.206.184 (10) (16:05:20.808 PDT-16:05:22.024 PDT)
 event=1:2000032 (3) {tcp} E2[rb] BLEEDING-EDGE EXPLOIT LSA exploit
 3: 445<-24036 (16:05:21.991 PDT-16:05:22.024 PDT)
 -------------------------
 event=1:2000046 {tcp} E2[rb] BLEEDING-EDGE EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k)
 445<-24036 (16:05:22.024 PDT)
 -------------------------
 event=1:2466 {tcp} E2[rb] NETBIOS SMB-DS IPC$ unicode share access
 445<-24036 (16:05:20.808 PDT)
 -------------------------
 event=1:99906 (5) {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP
 5: 445<-24036 (16:05:21.578 PDT-16:05:21.991 PDT)

EXPLOIT (slade)

EGG DOWNLOAD

C and C TRAFFIC
85.114.137.60 (2) (16:05:22.246 PDT)
 event=1:2000345 {tcp} E4[rb] BLEEDING-EDGE ATTACK RESPONSE IRC - Nick change on non-std port
 1058->65520 (16:05:22.246 PDT)
 -------------------------
 event=1:2002024 {tcp} E4[rb] BLEEDING-EDGE TROJAN IRC NICK command
 1058->65520 (16:05:22.246 PDT)
217.170.244.2 (6) (16:05:22.614 PDT-16:06:01.901 PDT)
 event=1:2000345 (3) {tcp} E4[rb] BLEEDING-EDGE ATTACK RESPONSE IRC - Nick change on non-std port
 3: 1056->443 (16:05:22.614 PDT-16:06:01.901 PDT)
 -------------------------
 event=1:2002024 (3) {tcp} E4[rb] BLEEDING-EDGE TROJAN IRC NICK command
 3: 1056->443 (16:05:22.614 PDT-16:06:01.901 PDT)

PEER COORDINATION

OUTBOUND SCAN

ATTACK PREP

DECLARE BOT

tcpslice 1209769520.808 1209769561.902 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.236.201'

============================== SEPARATOR ================================