Logs: 02-18-02
Date: Tue, 19 Feb 2002 04:01:01 -0800
To: jsage@finchhaven.com
Subject: [Logs] at FinchHaven for 02/18/2002
Logs at FinchHaven for 02/18/2002 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 02/19/2002
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages:
Probes to port 21 ftp: 1
Probes to port 22 ssh: 2
Probes to port 23 telnet: 0
Probes to port 53 dns: 6
Probes to port 80 http: 42
Probes to port 111 sunrpc: 2
Probes to port 137 netbios-ns: 3
Probes to port 139 netbios-ssn: 0
Probes to port 445 ms-ds: 0
Probes to port 515 lpr: 0
Total, probes to all ports: 70
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Feb 18 09:27:33 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.145.131 Source port: 1425
Source host: 131.seattle01rh16rt.wa.dial-access.att.net
Target IP: 12.82.142.34 Target port: 80 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 09:27:36 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.145.131 Source port: 1425
Source host: 131.seattle01rh16rt.wa.dial-access.att.net
Target IP: 12.82.142.34 Target port: 80 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 09:48:02 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.145.131 Source port: 3164
Source host: 131.seattle01rh16rt.wa.dial-access.att.net
Target IP: 12.82.142.34 Target port: 80 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 09:48:05 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.145.131 Source port: 3164
Source host: 131.seattle01rh16rt.wa.dial-access.att.net
Target IP: 12.82.142.34 Target port: 80 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 10:21:01 - snort [1:0:0] UDP to range 1026-60999
Source IP: 139.92.138.146 Source port: 1133
Source host: slip139-92-138-146.mos.ru.prserv.net
Target IP: 12.82.142.34 Target port: 6767 Proto: UDP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 10:44:36 - snort [1:0:0] TCP to 111 sunrpc
Source IP: 63.66.22.142 Source port: 4936
Source host: 63.66.22.142
Target IP: 12.82.142.34 Target port: 111 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 10:44:39 - snort [1:0:0] TCP to 111 sunrpc
Source IP: 63.66.22.142 Source port: 4936
Source host: 63.66.22.142
Target IP: 12.82.142.34 Target port: 111 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 11:54:41 - snort [1:0:0] TCP to 22 ssh
Source IP: 209.208.253.181 Source port: 4183
Source host: nystaging.shortpath.com
Target IP: 12.82.142.34 Target port: 22 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 11:54:44 - snort [1:0:0] TCP to 22 ssh
Source IP: 209.208.253.181 Source port: 4183
Source host: nystaging.shortpath.com
Target IP: 12.82.142.34 Target port: 22 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 13:28:58 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.155.101 Source port: 2591
Source host: 101.seattle06rh16rt.wa.dial-access.att.net
Target IP: 12.82.142.34 Target port: 80 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 13:29:01 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.155.101 Source port: 2591
Source host: 101.seattle06rh16rt.wa.dial-access.att.net
Target IP: 12.82.142.34 Target port: 80 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 13:43:39 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.133.74 Source port: 2348
Source host: 74.seattle-13-14rs.wa.dial-access.att.net
Target IP: 12.82.142.34 Target port: 80 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 13:43:42 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.133.74 Source port: 2348
Source host: 74.seattle-13-14rs.wa.dial-access.att.net
Target IP: 12.82.142.34 Target port: 80 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 13:44:56 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.169 Source port: 2929
Source host: 169.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.142.34 Target port: 80 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 13:44:58 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.169 Source port: 2929
Source host: 169.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.142.34 Target port: 80 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 13:54:23 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.227.164 Source port: 1202
Source host: 164.houston-02rh16rt.tx.dial-access.att.net
Target IP: 12.82.142.34 Target port: 80 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 13:54:26 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.227.164 Source port: 1202
Source host: 164.houston-02rh16rt.tx.dial-access.att.net
Target IP: 12.82.142.34 Target port: 80 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 14:01:02 - snort [111:13:1] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
Source IP: 157.158.191.232 Source port: 21
Source host: gateway.piast.ds.polsl.gliwice.pl
Target IP: 12.82.142.34 Target port: 21 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 14:38:04 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.169 Source port: 2389
Source host: 169.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.142.34 Target port: 80 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 14:38:07 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.169 Source port: 2389
Source host: 169.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.142.34 Target port: 80 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 14:43:07 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 64.78.224.29 Source port: 137
Source host: 64.78.224.29
Target IP: 12.82.142.34 Target port: 137 Proto: UDP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 14:43:09 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 64.78.224.29 Source port: 137
Source host: 64.78.224.29
Target IP: 12.82.142.34 Target port: 137 Proto: UDP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 14:43:10 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 64.78.224.29 Source port: 137
Source host: 64.78.224.29
Target IP: 12.82.142.34 Target port: 137 Proto: UDP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 15:11:50 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.169 Source port: 2726
Source host: 169.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.142.34 Target port: 80 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 15:11:54 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.169 Source port: 2726
Source host: 169.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.142.34 Target port: 80 Proto: TCP
Target host: 34.seattle-25-30rs.wa.dial-access.att.net
Feb 18 15:59:02 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.248.28.72 Source port: 4720
Source host: 12-248-28-72.client.attbi.com
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 15:59:05 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.248.28.72 Source port: 4720
Source host: 12-248-28-72.client.attbi.com
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 16:00:36 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.133.74 Source port: 3025
Source host: 74.seattle-13-14rs.wa.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 16:00:38 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.133.74 Source port: 3025
Source host: 74.seattle-13-14rs.wa.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 16:36:52 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.237.56.100 Source port: 4995
Source host: 12-237-56-100.client.attbi.com
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 16:36:55 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.237.56.100 Source port: 4995
Source host: 12-237-56-100.client.attbi.com
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 16:51:54 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.133.74 Source port: 1673
Source host: 74.seattle-13-14rs.wa.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 16:51:56 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.133.74 Source port: 1673
Source host: 74.seattle-13-14rs.wa.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 16:55:29 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.242.100 Source port: 2067
Source host: 100.houston-10rh15rt.tx.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 16:55:32 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.242.100 Source port: 2067
Source host: 100.houston-10rh15rt.tx.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 17:04:40 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.133.74 Source port: 3709
Source host: 74.seattle-13-14rs.wa.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 17:04:43 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.133.74 Source port: 3709
Source host: 74.seattle-13-14rs.wa.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 17:53:43 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.231.107 Source port: 4223
Source host: 107.houston-04rh16rt.tx.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 17:53:46 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.231.107 Source port: 4223
Source host: 107.houston-04rh16rt.tx.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 18:02:35 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.133.74 Source port: 4248
Source host: 74.seattle-13-14rs.wa.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 18:02:37 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.133.74 Source port: 4248
Source host: 74.seattle-13-14rs.wa.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 18:24:55 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.133.74 Source port: 3100
Source host: 74.seattle-13-14rs.wa.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 18:24:58 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.133.74 Source port: 3100
Source host: 74.seattle-13-14rs.wa.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 18:38:47 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.133.74 Source port: 3666
Source host: 74.seattle-13-14rs.wa.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 18:38:50 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.133.74 Source port: 3666
Source host: 74.seattle-13-14rs.wa.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 19:19:11 - snort [1:0:0] UDP to range 1026-60999
Source IP: 206.133.239.94 Source port: 27960
Source host: sdn-ar-005watacoP158.dialsprint.net
Target IP: 12.82.135.84 Target port: 27960 Proto: UDP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 19:19:13 - snort [1:0:0] UDP to range 1026-60999
Source IP: 206.133.239.94 Source port: 27960
Source host: sdn-ar-005watacoP158.dialsprint.net
Target IP: 12.82.135.84 Target port: 27960 Proto: UDP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 19:19:16 - snort [1:0:0] UDP to range 1026-60999
Source IP: 206.133.239.94 Source port: 27960
Source host: sdn-ar-005watacoP158.dialsprint.net
Target IP: 12.82.135.84 Target port: 27960 Proto: UDP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 19:19:19 - snort [1:0:0] UDP to range 1026-60999
Source IP: 206.133.239.94 Source port: 27960
Source host: sdn-ar-005watacoP158.dialsprint.net
Target IP: 12.82.135.84 Target port: 27960 Proto: UDP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 19:47:05 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.247.0.199 Source port: 4584
Source host: 12-247-0-199.client.attbi.com
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 19:47:08 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.247.0.199 Source port: 4584
Source host: 12-247-0-199.client.attbi.com
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 21:15:07 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.159.89 Source port: 4185
Source host: 89.seattle08rh16rt.wa.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 21:15:10 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.159.89 Source port: 4185
Source host: 89.seattle08rh16rt.wa.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 21:22:32 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.159.89 Source port: 3691
Source host: 89.seattle08rh16rt.wa.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 21:22:35 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.159.89 Source port: 3691
Source host: 89.seattle08rh16rt.wa.dial-access.att.net
Target IP: 12.82.135.84 Target port: 80 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 21:42:59 - snort [1:0:0] TCP to range 1025-60999
Source IP: 204.192.116.243 Source port: 6112
Source host: 204.192.116.243
Target IP: 12.82.135.84 Target port: 6112 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 22:17:10 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 172.141.44.226 Source port: 2242
Source host: AC8D2CE2.ipt.aol.com
Target IP: 12.82.135.84 Target port: 27374 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 22:17:14 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 172.141.44.226 Source port: 2242
Source host: AC8D2CE2.ipt.aol.com
Target IP: 12.82.135.84 Target port: 27374 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 22:17:20 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 172.141.44.226 Source port: 2242
Source host: AC8D2CE2.ipt.aol.com
Target IP: 12.82.135.84 Target port: 27374 Proto: TCP
Target host: 84.seattle-18-19rs.wa.dial-access.att.net
Feb 18 23:48:12 - snort [111:3:1] spp_stream4: Possible RETRANSMISSION detection
Source IP: 204.191.136.6 Source port: 80
Source host: home.istar.ca
Target IP: 12.82.133.142 Target port: 64241 Proto: TCP
Target host: 142.seattle-13-14rs.wa.dial-access.att.net
Feb 18 23:53:51 - snort [1:0:0] ICMP echo request
Source IP: 194.42.0.134 Source port: -N/A-
Source host: ns2.ucy.ac.cy
Target IP: 12.82.133.142 Target port: -N/A- Proto: ICMP
Target host: 142.seattle-13-14rs.wa.dial-access.att.net
Feb 18 23:53:58 - snort [1:0:0] ICMP echo request
Source IP: 194.42.0.134 Source port: -N/A-
Source host: ns2.ucy.ac.cy
Target IP: 12.82.133.142 Target port: -N/A- Proto: ICMP
Target host: 142.seattle-13-14rs.wa.dial-access.att.net
Feb 19 04:00:03 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.137.138 Source port: 2909
Source host: 138.seattle-23-24rs.wa.dial-access.att.net
Target IP: 12.82.133.142 Target port: 80 Proto: TCP
Target host: 142.seattle-13-14rs.wa.dial-access.att.net
This report generated 02/19/2002 at 04:01:00 by a perl script
written by John Sage at FinchHaven.com,
based upon the work of Dan Swan in his script snort2html.pl
jsage@finchhaven.com
Last modified: Tue Feb 19 06:33:45 2002