Score: 1.3 (>= 0.8) Infected Target: 130.107.160.60 Infector List: 4.247.140.38 Egg Source List: 4.247.140.38 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2008 11:04:14.577 PDT Report End: 05/08/2008 11:06:59.005 PDT Gen. Time: 05/08/2008 11:13:48.750 PDT INBOUND SCAN EXPLOIT 4.247.140.38 (7) (11:04:14.577 PDT-11:04:46.478 PDT) event=1:2000032 (3) {tcp} E2[rb] BLEEDING-EDGE EXPLOIT LSA exploit 3: 445<-3850 (11:04:46.478 PDT-11:04:46.478 PDT) ------------------------- event=1:2000033 {tcp} E2[rb] BLEEDING-EDGE EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) 445<-3850 (11:04:46.478 PDT) ------------------------- event=1:2466 {tcp} E2[rb] NETBIOS SMB-DS IPC$ unicode share access 445<-3850 (11:04:14.577 PDT) ------------------------- event=1:99913 (2) {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP 2: 445<-3850 (11:04:46.477 PDT-11:04:46.478 PDT) EXPLOIT (slade) EGG DOWNLOAD 4.247.140.38 (6) (11:05:13.817 PDT-11:06:59.005 PDT) event=1:2001683 (2) {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host 2: 73<-1313 (11:06:48.762 PDT-11:06:59.005 PDT) ------------------------- event=1:3000004 (2) {tcp} E3[rb] BotHunter Scrip-based Windows egg download .exe 2: 44445->3529 (11:05:13.817 PDT-11:05:19.131 PDT) ------------------------- event=1:5001684 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host 2: 73<-1313 (11:06:48.762 PDT-11:06:59.005 PDT) C and C TRAFFIC PEER COORDINATION OUTBOUND SCAN 4.247.140.38 (11:13:48.750 PDT) event=555:5555005 {tcp} E5[sc] scade detected scanning of 2 IPs (fail ratio=0:5/2): 0->0 (11:13:48.750 PDT) ATTACK PREP DECLARE BOT tcpslice 1210269854.577 1210270019.006 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.160.60' ============================== SEPARATOR ================================