The Darkness DDoS Malware Botnet Traffic Analysis PCAP Sample

January 29, 2016

Download the Darkness DDoS PCAP sample here: darknessddos.pcap


2011-01-17 15:39:22.291158 IP 172.16.3.27.1040 > 195.189.226.193.80: Flags [P.], seq 1376765198:1376765351, ack 1691404056, win 65535, length 153: HTTP: GET /index.php?uid=587609&ver=8g%20XP HTTP/1.0
GET /index.php?uid=587609&ver=8g%20XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: vkotalke.info
Pragma: no-cache
2011-01-17 15:39:23.214052 IP 195.189.226.193.80 > 172.16.3.27.1040: Flags [P.], seq 1:521, ack 153, win 6432, length 520: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 17 Jan 2011 20:39:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Vary: Accept-Encoding
Content-Length: 318

d3Rm<script> </script><!-- uy7gdr5332rkmn -->
2011-01-17 15:39:54.962564 IP 172.16.3.27.1041 > 195.189.226.193.80: Flags [P.], seq 176083078:176083229, ack 2195977978, win 65535, length 151: HTTP: GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: vkotalke.info
Pragma: no-cache
2011-01-17 15:39:55.759332 IP 195.189.226.193.80 > 172.16.3.27.1041: Flags [P.], seq 1:517, ack 151, win 6432, length 516: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 17 Jan 2011 20:39:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Vary: Accept-Encoding
Content-Length: 314

<script> </script><!-- uy7gdr5332rkmn -->
2011-01-17 15:40:26.115943 IP 172.16.3.27.1042 > 195.189.226.193.80: Flags [P.], seq 2963602688:2963602839, ack 2697242737, win 65535, length 151: HTTP: GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: vkotalke.info
Pragma: no-cache
2011-01-17 15:40:26.509388 IP 195.189.226.193.80 > 172.16.3.27.1042: Flags [P.], seq 1:517, ack 151, win 6432, length 516: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 17 Jan 2011 20:40:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Vary: Accept-Encoding
Content-Length: 314

<script> </script><!-- uy7gdr5332rkmn -->

2011-01-17 15:40:57.100620 IP 172.16.3.27.1043 > 195.189.226.193.80: Flags [P.], seq 3885989452:3885989603, ack 3183627504, win 65535, length 151: HTTP: GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: vkotalke.info
Pragma: no-cache
2011-01-17 15:40:57.842892 IP 195.189.226.193.80 > 172.16.3.27.1043: Flags [P.], seq 1:517, ack 151, win 6432, length 516: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 17 Jan 2011 20:40:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Vary: Accept-Encoding
Content-Length: 314

<script> </script><!-- uy7gdr5332rkmn -->
2011-01-17 15:41:28.380972 IP 172.16.3.27.1044 > 195.189.226.193.80: Flags [P.], seq 291733756:291733907, ack 3685198464, win 65535, length 151: HTTP: GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: vkotalke.info
Pragma: no-cache
2011-01-17 15:41:29.096378 IP 195.189.226.193.80 > 172.16.3.27.1044: Flags [P.], seq 1:517, ack 151, win 6432, length 516: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 17 Jan 2011 20:41:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Vary: Accept-Encoding
Content-Length: 314

<script> </script><!-- uy7gdr5332rkmn -->
2011-01-17 15:41:59.580233 IP 172.16.3.27.1045 > 195.189.226.193.80: Flags [P.], seq 3306650630:3306650781, ack 4161845330, win 65535, length 151: HTTP: GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: vkotalke.info
Pragma: no-cache
2011-01-17 15:42:00.159343 IP 195.189.226.193.80 > 172.16.3.27.1045: Flags [P.], seq 1:517, ack 151, win 6432, length 516: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 17 Jan 2011 20:42:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Vary: Accept-Encoding
Content-Length: 314

<script> </script><!-- uy7gdr5332rkmn -->

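As an added example (not part of the original page and not the bot's own code), a small Python detector that parses tcpdump -A output like the capture above, flags requests matching this check-in shape (GET /index.php?uid=...&ver=... with the fixed MSIE 7.0 user agent and Pragma: no-cache) and reports the check-in interval per bot id; the embedded sample is constructed from three of the check-ins above with the summary lines trimmed to the fields the detector uses.

```python
import re
import statistics
from datetime import datetime
from urllib.parse import parse_qs, urlsplit
# Constructed sample: three check-ins and one reply from the capture above, summary lines trimmed.
SAMPLE = """\
2011-01-17 15:39:22.291158 IP 172.16.3.27.1040 > 195.189.226.193.80: Flags [P.], length 153: HTTP: GET /index.php?uid=587609&ver=8g%20XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Pragma: no-cache
2011-01-17 15:39:23.214052 IP 195.189.226.193.80 > 172.16.3.27.1040: Flags [P.], length 520: HTTP: HTTP/1.1 200 OK
Server: nginx/0.7.67
2011-01-17 15:39:54.962564 IP 172.16.3.27.1041 > 195.189.226.193.80: Flags [P.], length 151: HTTP: GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Pragma: no-cache
2011-01-17 15:40:26.115943 IP 172.16.3.27.1042 > 195.189.226.193.80: Flags [P.], length 151: HTTP: GET /index.php?uid=587609&ver=8g*XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Pragma: no-cache
"""
GET = re.compile(r"^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+:"
                 r".*HTTP: GET (?P<url>\S+) HTTP/1\.[01]$")
def parse_requests(dump):
    """Per GET summary line: (timestamp, src, dst, url, headers attached until the next packet)."""
    reqs, collecting = [], False
    for line in dump.splitlines():
        m = GET.match(line)
        if m:
            reqs.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                         m["src"], m["dst"], m["url"], {}))
            collecting = True
        elif line[:1].isdigit():  # another packet's summary line (e.g. the 200 OK reply)
            collecting = False
        elif collecting and ": " in line:
            k, v = line.split(": ", 1)
            reqs[-1][4][k.lower()] = v
    return reqs

def is_darkness_beacon(req):
    """Check-in shape in this capture: /index.php?uid=<digits>&ver=..., MSIE 7.0 UA, Pragma: no-cache."""
    u = urlsplit(req[3]); q, hdrs = parse_qs(u.query), req[4]
    return (u.path == "/index.php" and q.get("uid", [""])[0].isdigit() and "ver" in q
            and "MSIE 7.0" in hdrs.get("user-agent", "") and hdrs.get("pragma") == "no-cache")

def beacon_report(dump):
    """Map (src, dst, uid) -> (check-in count, median interval in seconds)."""
    seen = {}
    for r in parse_requests(dump):
        if is_darkness_beacon(r):
            seen.setdefault((r[1], r[2], parse_qs(urlsplit(r[3]).query)["uid"][0]), []).append(r[0])
    return {k: (len(v), round(statistics.median((b - a).total_seconds() for a, b in
                zip(v, v[1:])), 1) if len(v) > 1 else None) for k, v in seen.items()}
```

Run over the full capture, the same report shows one bot id checking in roughly every 31 seconds, which is the periodicity to alert on rather than any single request.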