Score:            1.3 (>= 0.8)
Infected Target:  130.107.236.135
Infector List:    89.123.134.245
Egg Source List:  89.123.134.245
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    92.240.234.164 (2)
Observed Start:   11/03/2009 13:20:04.527 PST
Report End:       11/03/2009 13:21:45.221 PST
Gen. Time:        11/03/2009 13:21:53.086 PST

INBOUND SCAN
    <unobserved>

EXPLOIT
    89.123.134.245 (13:20:04.527 PST)
       event=1:299913 {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP
          135<-56799 (13:20:04.527 PST)

EXPLOIT (slade)
    <unobserved>

EGG DOWNLOAD
    89.123.134.245 (3) (13:20:05.004 PST)
       event=1:1444 {udp} E3[rb] TFTP GET from external source
          1027->69 (13:20:05.004 PST)
       -------------------------
       event=1:2008120 {udp} E3[rb] ET POLICY Outbound TFTP Read Request
          1027->69 (13:20:05.004 PST)
       -------------------------
       event=1:3001441 {udp} E3[rb] TFTP GET .exe from external source
          1027->69 (13:20:05.004 PST)

C and C TRAFFIC
    <unobserved>

PEER COORDINATION
    <unobserved>

OUTBOUND SCAN
    <unobserved>

ATTACK PREP
    92.240.234.164 (2) (13:21:45.006 PST-13:21:45.221 PST)
       event=1:2000352 (2) {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port
          2: 1031->3305 (13:21:45.006 PST-13:21:45.221 PST)

DECLARE BOT
    <unobserved>

tcpslice 1257283204.527 1257283305.222 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.236.135'

============================== SEPARATOR ================================