Similar Events:
- ETPRO CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Jun 10 2016
- ET CURRENT_EVENTS EITest Flash Redirect Aug 09 2016
- ETPRO CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Feb 29
- ET CURRENT_EVENTS SUSPICIOUS Likely Neutrino EK or other EK IE Flash request to DYNDNS set non-standard filename
- ET CURRENT_EVENTS RIG Landing URI Struct March 20 2015
| | IP Address | Port | Hostname |
|---|---|---|---|
| Source | (local) | 49247 | |
| Destination | 85.93.0.13 (Romania) | http (80) | vucid.xyz |
Description:
- See the following for details:
- Someone walked into an Exploit Kit. This is the chain of associated events.
- It looks like they test for Flash and decide that it is current, so no exploit is possible.
False Positive:
- NO
- These events all indicate that someone walked into an Exploit Kit.
- This can happen as part of regular browsing when one hits a compromised host.
- Some checks are done to determine if the user is exploitable (Flash in this case), and the kit either delivers an exploit/payload or stops.
- It looks like the user had the latest version of Flash and wasn't exploited.
Action:
- There is some suspicious before-and-after behavior associated with this. While it doesn't look like it landed, this system should be scanned.
- Alarm.