Score: 1.8 (>= 0.8) Infected Target: 130.107.146.209 Infector List: 190.208.76.59 Egg Source List: 190.208.76.59 C & C List: 143.225.93.198 (2) Peer Coord. List: Resource List: 143.225.93.198 Observed Start: 08/01/2010 12:50:36.565 PDT Gen. Time: 08/01/2010 12:53:56.690 PDT INBOUND SCAN EXPLOIT 190.208.76.59 (12:50:36.565 PDT) event=1:299913 {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP 135<-1473 (12:50:36.565 PDT) EXPLOIT (slade) EGG DOWNLOAD 190.208.76.59 (3) (12:50:37.151 PDT) event=1:1444 {udp} E3[rb] TFTP GET from external source 1031->69 (12:50:37.151 PDT) ------------------------- event=1:2008120 {udp} E3[rb] ET POLICY Outbound TFTP Read Request 1031->69 (12:50:37.151 PDT) ------------------------- event=1:3001441 {udp} E3[rb] TFTP GET .exe from external source 1031->69 (12:50:37.151 PDT) C and C TRAFFIC 143.225.93.198 (2) (12:53:56.315 PDT) event=1:2000346 {tcp} E4[rb] ET ATTACK RESPONSE IRC - Name response on non-std port 1032<-65267 (12:53:56.690 PDT) ------------------------- event=1:2000356 {tcp} E4[rb] ET POLICY IRC connection 1032<-65267 (12:53:56.315 PDT) PEER COORDINATION OUTBOUND SCAN ATTACK PREP 143.225.93.198 (12:53:56.316 PDT) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port 1032->65267 (12:53:56.316 PDT) DECLARE BOT tcpslice 1280692236.565 1280692236.566 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.146.209' ============================== SEPARATOR ================================