
Score:

Infected Target:
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start:
Gen. Time:

0.9 (>= 0.8)


129.173.67.123
46.29.152.74
<unobserved>
<unobserved>
<unobserved>
<unobserved>
07/17/2014 11:38:18.693 ADT
07/17/2014 11:38:18.714 ADT

INBOUND SCAN
<unobserved>
EXPLOIT
46.29.152.74 (11:38:18.714 ADT)
event=1:2013497 {tcp} E2[rb] ET TROJAN MS Terminal Server User A Login, possible Morto inbound, [] MAC_Dst: 00:1E:8C:F5:62:6F
3389<-30706 (11:38:18.714 ADT)
EXPLOIT MALWARE DNS
<unobserved>
EGG DOWNLOAD
<unobserved>
C and C TRAFFIC
<unobserved>
C and C TRAFFIC (RBN)
<unobserved>
C and C DNS CHECK-IN
<unobserved>
OUTBOUND SKYPE CANDIDATE
<unobserved>
OUTBOUND SCAN (spp)
<unobserved>
OUTBOUND SCAN
<unobserved>
ATTACK PREP
<unobserved>
PEER COORDINATION Info
<unobserved>
PEER COORDINATION
<unobserved>
DECLARE BOT Standard Port
5.45.179.132 (11:38:18.693 ADT)
event=1:9920009 {tcp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:1E:8C:F5:62:6F
58452->80 (11:38:18.693 ADT)
DECLARE BOT Non-standard Port
<unobserved>

DECLARE BOT
<unobserved>
OUTBOUND INTENSE MALWARE PORT SCAN
<unobserved>
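# Pull the raw packets behind this profile: tcpslice cuts inputFile.tcpd to the
# report window (epoch seconds; 1405607898.693 = Observed Start 11:38:18.693 ADT)
# and tcpdump keeps only packets to or from the infected target (the 'host'
# filter matches either direction, so inbound RDP and outbound :80 flows both qualify).
# NOTE(review): the window is only 1 ms wide. The EXPLOIT event listed above
# (3389<-30706 from 46.29.152.74 at 11:38:18.714 ADT) falls outside it; only the
# 11:38:18.693 outbound 58452->80 flow to 5.45.179.132 can land in the extract.
# Widen the end bound (e.g. to 1405607898.715, Gen. Time + 1 ms, following the
# +1 ms convention the windowed reports use) before treating the pcap as the
# evidence for this profile.
tcpslice 1405607898.693 1405607898.694 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 129.173.67.123'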
============================== SEPARATOR ================================
Score:
Infected Target:
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start:
Report End:
Gen. Time:

0.9 (>= 0.8)


129.173.67.123
46.29.152.74
<unobserved>
<unobserved>
<unobserved>
<unobserved>
07/17/2014 11:38:18.693 ADT
07/17/2014 11:38:22.959 ADT
07/17/2014 11:38:22.959 ADT

INBOUND SCAN
<unobserved>
EXPLOIT
46.29.152.74 (15) (11:38:18.714 ADT-11:38:22.959 ADT)
event=1:2013497 (15) {tcp} E2[rb] ET TROJAN MS Terminal Server User A Login, possible Morto inbound, [] MAC_Dst: 00:1E:8C:F5:62:6F
5: 3389<-61036 (11:38:19.089 ADT-11:38:22.707 ADT)
5: 3389<-18516 (11:38:19.341 ADT-11:38:22.959 ADT)
5: 3389<-30706 (11:38:18.714 ADT-11:38:22.332 ADT)
EXPLOIT MALWARE DNS
<unobserved>
EGG DOWNLOAD
<unobserved>
C and C TRAFFIC
<unobserved>
C and C TRAFFIC (RBN)
<unobserved>
C and C DNS CHECK-IN
<unobserved>
OUTBOUND SKYPE CANDIDATE
<unobserved>
OUTBOUND SCAN (spp)
<unobserved>
OUTBOUND SCAN
<unobserved>
ATTACK PREP
<unobserved>

PEER COORDINATION Info


<unobserved>
PEER COORDINATION
<unobserved>
DECLARE BOT Standard Port
5.45.179.132 (11:38:18.693 ADT)
event=1:9920009 {tcp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:1E:8C:F5:62:6F
58452->80 (11:38:18.693 ADT)
DECLARE BOT Non-standard Port
<unobserved>
DECLARE BOT
<unobserved>
OUTBOUND INTENSE MALWARE PORT SCAN
<unobserved>
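# Pull the raw packets behind this profile: tcpslice cuts inputFile.tcpd to the
# report window (epoch seconds: 1405607898.693 = Observed Start 11:38:18.693 ADT,
# 1405607902.960 = Report End 11:38:22.959 ADT + 1 ms) and tcpdump keeps only
# packets to or from the infected target ('host' matches either direction).
# This window spans every event listed above: the 15 inbound RDP (3389) attempts
# from 46.29.152.74 through 11:38:22.959 and the outbound 58452->80 flow to
# 5.45.179.132 at 11:38:18.693, so the extract is usable as-is.
tcpslice 1405607898.693 1405607902.960 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 129.173.67.123'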
============================== SEPARATOR ================================
Score:
Infected Target:
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start:
Report End:
Gen. Time:

0.9 (>= 0.8)


129.173.67.123
46.29.152.74
<unobserved>
<unobserved>
<unobserved>
<unobserved>
07/17/2014 11:38:23.236 ADT
07/17/2014 11:38:27.481 ADT
07/17/2014 11:50:33.632 ADT

INBOUND SCAN
<unobserved>
EXPLOIT
46.29.152.74 (15) (11:38:23.236 ADT-11:38:27.481 ADT)
event=1:2013497 (15) {tcp} E2[rb] ET TROJAN MS Terminal Server User A Login, possible Morto inbound, [] MAC_Dst: 00:1E:8C:F5:62:6F
5: 3389<-61036 (11:38:23.612 ADT-11:38:27.230 ADT)
5: 3389<-18516 (11:38:23.864 ADT-11:38:27.481 ADT)
5: 3389<-30706 (11:38:23.236 ADT-11:38:26.854 ADT)
EXPLOIT MALWARE DNS
<unobserved>
EGG DOWNLOAD
<unobserved>
C and C TRAFFIC
<unobserved>
C and C TRAFFIC (RBN)
<unobserved>

C and C DNS CHECK-IN


<unobserved>
OUTBOUND SKYPE CANDIDATE
<unobserved>
OUTBOUND SCAN (spp)
<unobserved>
OUTBOUND SCAN
<unobserved>
ATTACK PREP
<unobserved>
PEER COORDINATION Info
<unobserved>
PEER COORDINATION
<unobserved>
DECLARE BOT Standard Port
109.70.26.36 (11:50:33.632 ADT)
event=1:9920003 {tcp} E8[std] BotHunter MTC confirmed botnet control server on standard port, [] MAC_Src: 00:1E:8C:F5:62:6F
49960->80 (11:50:33.632 ADT)
DECLARE BOT Non-standard Port
<unobserved>
DECLARE BOT
<unobserved>
OUTBOUND INTENSE MALWARE PORT SCAN
<unobserved>
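# Pull the raw packets behind this profile: tcpslice cuts inputFile.tcpd to the
# report window (epoch seconds: 1405607903.236 = Observed Start 11:38:23.236 ADT,
# 1405607907.482 = Report End 11:38:27.481 ADT + 1 ms) and tcpdump keeps only
# packets to or from the infected target ('host' matches either direction).
# The window covers the 15 inbound RDP (3389) attempts from 46.29.152.74, but
# NOT the DECLARE BOT flow (49960->80 to 109.70.26.36 at 11:50:33.632 ADT, i.e.
# 1405608633.632) that is ~12 minutes later. Extend the end bound past
# 1405608633.632, or run a second slice, if that C&C-list hit is needed as evidence.
tcpslice 1405607903.236 1405607907.482 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 129.173.67.123'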
============================== SEPARATOR ================================
Score:
Infected Target:
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start:
Gen. Time:

0.9 (>= 0.8)


129.173.67.123
212.72.216.33
<unobserved>
<unobserved>
<unobserved>
<unobserved>
07/17/2014 11:50:38.922 ADT
07/17/2014 11:50:40.174 ADT

INBOUND SCAN
<unobserved>
EXPLOIT
212.72.216.33 (11:50:38.922 ADT)
event=1:2013497 {tcp} E2[rb] ET TROJAN MS Terminal Server User A Login, possible Morto inbound, [] MAC_Dst: 00:1E:8C:F5:62:6F
3389<-56224 (11:50:38.922 ADT)

EXPLOIT MALWARE DNS


<unobserved>
EGG DOWNLOAD
<unobserved>
C and C TRAFFIC
<unobserved>
C and C TRAFFIC (RBN)
<unobserved>
C and C DNS CHECK-IN
<unobserved>
OUTBOUND SKYPE CANDIDATE
<unobserved>
OUTBOUND SCAN (spp)
<unobserved>
OUTBOUND SCAN
<unobserved>
ATTACK PREP
<unobserved>
PEER COORDINATION Info
<unobserved>
PEER COORDINATION
<unobserved>
DECLARE BOT Standard Port
50.63.202.42 (11:50:40.174 ADT)
event=1:9920009 {tcp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:1E:8C:F5:62:6F
53835->80 (11:50:40.174 ADT)
DECLARE BOT Non-standard Port
<unobserved>
DECLARE BOT
<unobserved>
OUTBOUND INTENSE MALWARE PORT SCAN
<unobserved>
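# Pull the raw packets behind this profile: tcpslice cuts inputFile.tcpd to the
# report window (epoch seconds; 1405608638.922 = Observed Start 11:50:38.922 ADT)
# and tcpdump keeps only packets to or from the infected target ('host' matches
# either direction).
# NOTE(review): the window is only 1 ms wide. It can contain the inbound RDP
# attempt 3389<-56224 from 212.72.216.33 at 11:50:38.922, but not the DECLARE BOT
# flow 53835->80 to 50.63.202.42 at 11:50:40.174 ADT (1405608640.174). Widen the
# end bound to at least 1405608640.175 (Gen. Time + 1 ms) if the C&C-list hit
# must be in the extract.
tcpslice 1405608638.922 1405608638.923 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 129.173.67.123'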
============================== SEPARATOR ================================
Score:
Infected Target:
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:

0.9 (>= 0.8)


129.173.67.123
31.214.144.152, 1.215.94.10, 211.144.68.191, 212.72.216.33
<unobserved>
<unobserved>
<unobserved>

Resource List:
Observed Start:
Gen. Time:

<unobserved>
07/17/2014 11:50:38.922 ADT
07/17/2014 11:51:23.054 ADT

INBOUND SCAN
<unobserved>
EXPLOIT
31.214.144.152 (7) (11:50:55.351 ADT)
event=1:2013497 (7) {tcp} E2[rb] ET TROJAN MS Terminal Server User A Login, possible Morto inbound, [] MAC_Dst: 00:1E:8C:F5:62:6F
3389<-51875 (11:50:55.351 ADT)
3389<-62252 (11:51:09.542 ADT)
3389<-48809 (11:51:12.534 ADT)
3389<-57935 (11:51:14.519 ADT)
3389<-6697 (11:51:17.711 ADT)
3389<-51404 (11:51:20.419 ADT)
3389<-55647 (11:51:23.054 ADT)
1.215.94.10 (3) (11:50:46.765 ADT)
event=1:2013497 (3) {tcp} E2[rb] ET TROJAN MS Terminal Server User A Login, possible Morto inbound, [] MAC_Dst: 00:1E:8C:F5:62:6F
3389<-55479 (11:50:46.765 ADT)
3389<-4503 (11:51:09.350 ADT)
3389<-58015 (11:51:19.887 ADT)
211.144.68.191 (2) (11:50:57.336 ADT)
event=1:2013497 (2) {tcp} E2[rb] ET TROJAN MS Terminal Server User A Login, possible Morto inbound, [] MAC_Dst: 00:1E:8C:F5:62:6F
3389<-59841 (11:50:57.336 ADT)
3389<-53858 (11:50:58.663 ADT)
212.72.216.33 (2) (11:50:38.922 ADT)
event=1:2013497 (2) {tcp} E2[rb] ET TROJAN MS Terminal Server User A Login, possible Morto inbound, [] MAC_Dst: 00:1E:8C:F5:62:6F
3389<-56224 (11:50:38.922 ADT)
3389<-58326 (11:50:57.257 ADT)
EXPLOIT MALWARE DNS
<unobserved>
EGG DOWNLOAD
<unobserved>
C and C TRAFFIC
<unobserved>
C and C TRAFFIC (RBN)
<unobserved>
C and C DNS CHECK-IN
<unobserved>
OUTBOUND SKYPE CANDIDATE
<unobserved>
OUTBOUND SCAN (spp)
<unobserved>
OUTBOUND SCAN

<unobserved>
ATTACK PREP
<unobserved>
PEER COORDINATION Info
<unobserved>
PEER COORDINATION
<unobserved>
DECLARE BOT Standard Port
50.63.202.42 (11:50:40.174 ADT)
event=1:9920009 {tcp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:1E:8C:F5:62:6F
53835->80 (11:50:40.174 ADT)
DECLARE BOT Non-standard Port
<unobserved>
DECLARE BOT
<unobserved>
OUTBOUND INTENSE MALWARE PORT SCAN
<unobserved>
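# Pull the raw packets behind this profile: tcpslice cuts inputFile.tcpd to the
# report window (epoch seconds; 1405608638.922 = Observed Start 11:50:38.922 ADT)
# and tcpdump keeps only packets to or from the infected target ('host' matches
# either direction).
# NOTE(review): the window is only 1 ms wide, yet the profile lists 14 inbound RDP
# (3389) attempts from four sources (31.214.144.152, 1.215.94.10, 211.144.68.191,
# 212.72.216.33) spread from 11:50:38.922 to 11:51:23.054 ADT plus the outbound
# 53835->80 flow to 50.63.202.42 at 11:50:40.174. Only the first attempt
# (3389<-56224 from 212.72.216.33) can land in the extract. Widen the end bound to
# at least 1405608683.055 (Gen. Time 11:51:23.054 ADT + 1 ms) before using the
# pcap as the evidence for this profile.
tcpslice 1405608638.922 1405608638.923 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 129.173.67.123'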
============================== SEPARATOR ================================
