Compromised Host Report

This report combines several kinds of information about a Compromised Host.

Often three IP addresses are listed for an event: the Command and Control that is controlling the systems, the Attacking IP address, and finally the Compromised IP address.

Some botnets have their individual bots report back which other IP addresses they have successfully compromised; seeing the three parts (C&C, attacker and target) work together and be reported as one record gives an interesting map of the botnet's activity.

Note that all timestamps are in GMT+0 (UTC).

Fields

  • Date
    Date of the event in UTC+0
  • Time
    Time of the event in UTC+0
  • C&C
    The IP address of the Command and Control system in which the Compromised Host was seen
  • C&C Port
    The port of the C&C
  • C&C ASN
    ASN of the C&C
  • C&C Geo
    Country that the C&C resides in
  • C&C DNS
    Reverse DNS for the C&C
  • ATK
    The IP of the Attacking host
  • ATK ASN
    ASN of the Attacking host
  • ATK Geo
    Country location of the Attacking host
  • ATK DNS
    Reverse DNS of the Attacking host
  • TGT
    The Target IP that was compromised
  • TGT ASN
    ASN of the Compromised Host
  • TGT Geo
    Country location of the Compromised host
  • TGT DNS
    Reverse DNS for the compromised host

Sample

"Date","Time","C&C","C&C Port","C&C ASN","C&C Geo","C&C DNS","ATK","ATK ASN","ATK Geo","ATK DNS","TGT","TGT ASN","TGT Geo","TGT DNS"
"2008-11-03","00:24:56","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.242",1213,"IE",""
"2008-11-03","00:28:07","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","172.16.30.19","","-",""
"2008-11-03","00:37:35","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.119",1213,"IE",""
"2008-11-03","01:00:08","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","172.16.30.19","","-",""
"2008-11-03","01:01:01","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.208",1213,"IE",""
"2008-11-03","02:08:14","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.208",1213,"IE",""
"2008-11-03","02:12:05","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.242",1213,"IE",""
"2008-11-03","02:23:17","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.119",1213,"IE",""
"2008-11-03","02:34:49","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","172.16.30.19","","-",""
"2008-11-03","03:16:30","194.78.209.104",789,5432,"BE","104.209-78-194.adsl-fix.skynet.be","0.0.0.0","","","","193.1.1.119",1213,"IE",""
