This threat report summarizes various network threats detected over a period of time, including vulnerability exploits, spyware activity, and brute force attacks. The most common threats were Microsoft remote desktop connection attempts, Morto RDP traffic, and Windows SMB requests. The highest severity threats included MS-RDP brute force attempts and ZeroAccess command and control traffic, which were flagged for dropping all packets.

1. Threat Report
MOI-PAN01 : 2013/04/22 22:14:37 - 2013/04/23 10:14:36
Threat/Content Name ID Threat/Content Type Severity Action IP Protocol Repeat Count
Microsoft remote desktop connect initial attempt 33020 vulnerability informational alert tcp 7.34 k
Morto RDP Request Traffic 13274 spyware low alert tcp 7.27 k
Microsoft Windows SMB Negotiate Request 35364 vulnerability informational alert tcp 4.31 k
Windows SMB Login Attempt 31696 vulnerability informational alert tcp 4.21 k
MS-RDP Brute-force Attempt 40021 vulnerability high drop-all-packets tcp 3.31 k
ZeroAccess.Gen Command and Control Traffic 13235 spyware critical drop-all-packets udp 3.12 k
MSSQL DB Login Authentication Failed 31753 vulnerability informational alert tcp 2.56 k
HTTP Unauthorized Error 34556 vulnerability informational alert tcp 1.79 k
HTTP WWW-Authentication Failed 31708 vulnerability informational alert tcp 1.78 k
HTTP OPTIONS Method 30520 vulnerability informational alert tcp 1.09 k
Bot: Torpig Phone Home DNS request 12657 spyware medium drop-all-packets udp 997
HTTP Request ACE Encoded Domain Name Access 31298 vulnerability informational alert tcp 641
SSL Renegotiation Denial of Service Vulnerability 33862 vulnerability low alert tcp 621
SMB: User Password Brute-force Attempt 40004 vulnerability high drop-all-packets tcp 367
Microsoft SQL Server User Authentication Brute-force Attempt 40010 vulnerability high drop-all-packets tcp 347
Microsoft Windows Server Service Remote Stack Overflow Vulnerability 31922 vulnerability critical drop-all-packets tcp 306
Windows Server Service NetrpPathCanonicalize access 30859 vulnerability low alert tcp 306
NetBIOS nbtstat query 31707 vulnerability informational alert udp 283
Suspicious or malformed HTTP Referer field 35554 vulnerability informational alert tcp 271
Microsoft ASP.Net Information Leak Vulnerability 33435 vulnerability low alert tcp 234
SSH2 Login Attempt 31914 vulnerability informational alert tcp 190
Suspicious user-agent strings 10004 spyware medium drop-all-packets tcp 145
MySQL Login Authentication Failed 31719 vulnerability informational alert tcp 138
SIP Register Request Attempt 33592 vulnerability low alert udp 136
Generic GET Method Buffer Overflow Vulnerability 34267 vulnerability informational alert tcp 86
http://www.paloaltonetworks.com