Introduction
The Compromised Host Report has an unusual combination of information. Often three IP addresses are listed per event: the Command and Control (C&C) host that is controlling the systems, the Attacking IP address, and finally the Compromised IP address. Some botnets have their individual bots report back which other IP addresses they successfully compromised. It is an interesting mapping to see the three parts work together and be reported.
Note that all timestamps are GMT+0.
Fields
| Field | Description |
|---|---|
| Date | Date of the event in UTC+0 |
| Time | Time of the event in UTC+0 |
| C&C | The IP address of the Command and Control system that the Compromised Host was seen in. |
| C&C Port | The port of the C&C |
| C&C ASN | ASN of the C&C |
| C&C Geo | Country that the C&C resides in |
| C&C DNS | Reverse DNS for the C&C |
| ATK | The IP of the Attacking host |
| ATK ASN | ASN of the Attacking host |
| ATK Geo | Country location of the Attacking host |
| ATK DNS | Reverse DNS of the Attacking host |
| TGT | The Target IP that was compromised |
| TGT ASN | ASN of the Compromised Host |
| TGT Geo | Country location of the Compromised host |
| TGT DNS | Reverse DNS for the compromised host |
Sample
```csv
"Date","Time","C&C","C&C Port","C&C ASN","C&C Geo","C&C DNS","ATK","ATK ASN","ATK Geo","ATK DNS","TGT","TGT ASN","TGT Geo","TGT DNS"
"2008-11-03","00:24:56","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.242",1213,"IE",""
"2008-11-03","00:28:07","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","172.16.30.19","","-",""
"2008-11-03","00:37:35","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.119",1213,"IE",""
"2008-11-03","01:00:08","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","172.16.30.19","","-",""
"2008-11-03","01:01:01","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.208",1213,"IE",""
"2008-11-03","02:08:14","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.208",1213,"IE",""
"2008-11-03","02:12:05","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.242",1213,"IE",""
"2008-11-03","02:23:17","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.119",1213,"IE",""
"2008-11-03","02:34:49","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","172.16.30.19","","-",""
"2008-11-03","03:16:30","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.119",1213,"IE",""
```
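The following is an added example, not code from the page or from the report's provider, showing how a defender might parse this report into normalized records and roll it up per C&C. It uses the page's own sample rows as input. Two interpretations are assumptions made here rather than statements on the page: that the empty string and `-` both mean "not available", and that an `ATK` value of `0.0.0.0` means no attacker was reported. The example also flags targets that are not globally routable (such as the RFC 1918 address in the sample), which explains why those rows carry no ASN or country.

```python
import csv
import io
import ipaddress
from datetime import datetime, timezone

# Rows copied verbatim from the page's sample report.
SAMPLE_REPORT = '''"Date","Time","C&C","C&C Port","C&C ASN","C&C Geo","C&C DNS","ATK","ATK ASN","ATK Geo","ATK DNS","TGT","TGT ASN","TGT Geo","TGT DNS"
"2008-11-03","00:24:56","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.242",1213,"IE",""
"2008-11-03","00:28:07","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","172.16.30.19","","-",""
"2008-11-03","00:37:35","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.119",1213,"IE",""
"2008-11-03","01:00:08","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","172.16.30.19","","-",""
"2008-11-03","01:01:01","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.208",1213,"IE",""
"2008-11-03","02:08:14","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.208",1213,"IE",""
"2008-11-03","02:12:05","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.242",1213,"IE",""
"2008-11-03","02:23:17","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.119",1213,"IE",""
"2008-11-03","02:34:49","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","172.16.30.19","","-",""
"2008-11-03","03:16:30","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.119",1213,"IE",""
'''


def _opt(value: str):
    """Assumption: an empty string and '-' both mean 'not available'."""
    value = value.strip()
    return None if value in ("", "-") else value


def _asn(value: str):
    """ASN columns are integers when present, otherwise None."""
    value = _opt(value)
    return int(value) if value is not None else None


def _event_time(date: str, time: str) -> datetime:
    # Date and Time are UTC+0 per the field table, so attach an explicit UTC tzinfo.
    naive = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def parse_report(text: str) -> list:
    """Parse the CSV report into one normalized dict per event."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        atk_ip = _opt(row["ATK"])
        # Assumption: 0.0.0.0 in the ATK column means no attacking host was reported.
        if atk_ip == "0.0.0.0":
            atk_ip = None
        tgt_ip = ipaddress.ip_address(row["TGT"])
        records.append({
            "time": _event_time(row["Date"], row["Time"]),
            "cnc": row["C&C"],
            "cnc_port": int(row["C&C Port"]),
            "cnc_asn": _asn(row["C&C ASN"]),
            "cnc_geo": _opt(row["C&C Geo"]),
            "cnc_dns": _opt(row["C&C DNS"]),
            "atk": atk_ip,
            "atk_asn": _asn(row["ATK ASN"]),
            "atk_geo": _opt(row["ATK Geo"]),
            "atk_dns": _opt(row["ATK DNS"]),
            "tgt": str(tgt_ip),
            "tgt_asn": _asn(row["TGT ASN"]),
            "tgt_geo": _opt(row["TGT Geo"]),
            "tgt_dns": _opt(row["TGT DNS"]),
            # Private / non-global targets have no ASN or country to attribute,
            # which is why the sample shows "" and "-" for 172.16.30.19.
            "tgt_is_global": tgt_ip.is_global,
        })
    return records


def summarize(records: list) -> dict:
    """Per C&C endpoint: event count, distinct compromised hosts, non-routable hosts."""
    summary = {}
    for r in records:
        key = f'{r["cnc"]}:{r["cnc_port"]}'
        s = summary.setdefault(key, {"events": 0, "targets": set(), "non_global_targets": set()})
        s["events"] += 1
        s["targets"].add(r["tgt"])
        if not r["tgt_is_global"]:
            s["non_global_targets"].add(r["tgt"])
    return summary


if __name__ == "__main__":
    for cnc, s in summarize(parse_report(SAMPLE_REPORT)).items():
        print(cnc, s["events"], "events,", len(s["targets"]), "distinct targets,",
              "non-global:", sorted(s["non_global_targets"]))
```

The roll-up keyed on C&C address and port is the view most useful for triage: it shows which controller the compromised hosts in your address space are checking in to, and the non-global set highlights rows that arrived with an unroutable target address and therefore cannot be attributed to a network owner without additional context from the reporting sensor.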


