Score: 1.3 (>= 0.8) Infected Target: 130.107.247.189 Infector List: 113.252.241.214 Egg Source List: 69.31.121.50, 113.252.241.214 C & C List: Peer Coord. List: Resource List: Observed Start: 09/22/2009 22:44:00.781 PDT Report End: 09/22/2009 22:44:44.012 PDT Gen. Time: 09/22/2009 22:50:11.535 PDT INBOUND SCAN EXPLOIT 113.252.241.214 (22:44:00.781 PDT) event=1:299913 {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP 135<-31425 (22:44:00.781 PDT) EXPLOIT (slade) EGG DOWNLOAD 69.31.121.50 (22:50:11.535 PDT) event=1:2002986 {tcp} E3[rb] ET POLICY ICQ Install Direct download - Not normal mode of install 1034->80 (22:50:11.535 PDT) 113.252.241.214 (24) (22:44:05.007 PDT-22:44:44.012 PDT) event=1:1444 (8) {udp} E3[rb] TFTP GET from external source 8: 1488->69 (22:44:05.007 PDT-22:44:44.012 PDT) ------------------------- event=1:2008120 (8) {udp} E3[rb] ET POLICY Outbound TFTP Read Request 8: 1488->69 (22:44:05.007 PDT-22:44:44.012 PDT) ------------------------- event=1:3001441 (8) {udp} E3[rb] TFTP GET .exe from external source 8: 1488->69 (22:44:05.007 PDT-22:44:44.012 PDT) C and C TRAFFIC PEER COORDINATION OUTBOUND SCAN 113.252.241.214 (22:44:01.399 PDT) event=1:52123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner 1475->707 (22:44:01.399 PDT) ATTACK PREP DECLARE BOT tcpslice 1253684640.781 1253684684.013 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.247.189' ============================== SEPARATOR ================================