Logs: 02-27-02


To: jsage@finchhaven.com
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 02/27/2002

Logs at FinchHaven for 02/27/2002 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 02/28/2002

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages:  Probes to port 21 ftp:        0
                       Probes to port 22 ssh:        0
                    Probes to port 23 telnet:        0
                       Probes to port 53 dns:        6
                      Probes to port 80 http:       26
                   Probes to port 111 sunrpc:        0
               Probes to port 137 netbios-ns:        3
              Probes to port 139 netbios-ssn:        0
                    Probes to port 445 ms-ds:        0
                      Probes to port 515 lpr:        0
                  Total, probes to all ports:       35
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

Feb 27 05:54:27 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.224.240.143   Source port: 3207 
Source host: 12-224-240-143.client.attbi.com
  Target IP: 12.82.130.15   Target port: 80   Proto: TCP 
Target host: 15.seattle-06-07rs.wa.dial-access.att.net



Feb 27 07:52:16 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 206.204.202.21   Source port: 137 
Source host: 206.204.202.21
  Target IP: 12.82.140.105   Target port: 137   Proto: UDP 
Target host: 105.seattle-05-10rs.wa.dial-access.att.net

Feb 27 07:52:17 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 206.204.202.21   Source port: 137 
Source host: 206.204.202.21
  Target IP: 12.82.140.105   Target port: 137   Proto: UDP 
Target host: 105.seattle-05-10rs.wa.dial-access.att.net

Feb 27 07:52:19 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 206.204.202.21   Source port: 137 
Source host: 206.204.202.21
  Target IP: 12.82.140.105   Target port: 137   Proto: UDP 
Target host: 105.seattle-05-10rs.wa.dial-access.att.net



Feb 27 11:02:57 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.163.232   Source port: 3620 
Source host: 232.seattle10rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.105   Target port: 80   Proto: TCP 
Target host: 105.seattle-05-10rs.wa.dial-access.att.net

Feb 27 11:02:59 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.163.232   Source port: 3620 
Source host: 232.seattle10rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.105   Target port: 80   Proto: TCP 
Target host: 105.seattle-05-10rs.wa.dial-access.att.net



Feb 27 11:36:34 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.160.91   Source port: 4002 
Source host: 91.seattle09rh15rt.wa.dial-access.att.net
  Target IP: 12.82.140.105   Target port: 80   Proto: TCP 
Target host: 105.seattle-05-10rs.wa.dial-access.att.net

Feb 27 11:36:37 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.160.91   Source port: 4002 
Source host: 91.seattle09rh15rt.wa.dial-access.att.net
  Target IP: 12.82.140.105   Target port: 80   Proto: TCP 
Target host: 105.seattle-05-10rs.wa.dial-access.att.net



Feb 27 12:52:45 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.2.81.50   Source port: 2141 
Source host: 12.2.81.50
  Target IP: 12.82.140.105   Target port: 80   Proto: TCP 
Target host: 105.seattle-05-10rs.wa.dial-access.att.net

Feb 27 12:52:48 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.2.81.50   Source port: 2141 
Source host: 12.2.81.50
  Target IP: 12.82.140.105   Target port: 80   Proto: TCP 
Target host: 105.seattle-05-10rs.wa.dial-access.att.net



Feb 27 19:04:41 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.235.84.202   Source port: 3616 
Source host: 12-235-84-202.client.attbi.com
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net

Feb 27 19:04:44 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.235.84.202   Source port: 3616 
Source host: 12-235-84-202.client.attbi.com
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net



Feb 27 19:20:31 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.139.243   Source port: 1194 
Source host: 243.seattle-28-29rs.wa.dial-access.att.net
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net

Feb 27 19:20:34 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.139.243   Source port: 1194 
Source host: 243.seattle-28-29rs.wa.dial-access.att.net
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net



Feb 27 19:36:19 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.129.134   Source port: 3640 
Source host: 134.seattle-03-04rs.wa.dial-access.att.net
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net



Feb 27 20:50:51 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.2.81.50   Source port: 2785 
Source host: 12.2.81.50
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net

Feb 27 20:50:59 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.2.81.50   Source port: 2785 
Source host: 12.2.81.50
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net



Feb 27 21:43:28 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.45.203.80   Source port: 4325 
Source host: 12.45.203.80
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net

Feb 27 21:43:31 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.45.203.80   Source port: 4325 
Source host: 12.45.203.80
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net



Feb 27 22:11:08 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.31.218.179   Source port: 4813 
Source host: 12.31.218.179
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net

Feb 27 22:11:11 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.31.218.179   Source port: 4813 
Source host: 12.31.218.179
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net



Feb 27 22:38:20 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.231.44.194   Source port: 3061 
Source host: 12-231-44-194.client.attbi.com
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net

Feb 27 22:38:23 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.231.44.194   Source port: 3061 
Source host: 12-231-44-194.client.attbi.com
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net



Feb 28 01:39:29 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.153.106   Source port: 4350 
Source host: 106.seattle05rh16rt.wa.dial-access.att.net
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net

Feb 28 01:39:32 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.153.106   Source port: 4350 
Source host: 106.seattle05rh16rt.wa.dial-access.att.net
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net



Feb 28 01:56:26 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.153.106   Source port: 2026 
Source host: 106.seattle05rh16rt.wa.dial-access.att.net
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net

Feb 28 01:56:29 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.153.106   Source port: 2026 
Source host: 106.seattle05rh16rt.wa.dial-access.att.net
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net



Feb 28 02:41:13 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.153.106   Source port: 2175 
Source host: 106.seattle05rh16rt.wa.dial-access.att.net
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net

Feb 28 02:41:16 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.153.106   Source port: 2175 
Source host: 106.seattle05rh16rt.wa.dial-access.att.net
  Target IP: 12.82.132.3   Target port: 80   Proto: TCP 
Target host: 3.seattle-11-12rs.wa.dial-access.att.net



This report was generated 02/28/2002 at 04:01:00
by a Perl script written by John Sage at FinchHaven.com,
based upon the work of Dan Swan in his script snort2html.pl

jsage@finchhaven.com
Last modified: Thu Feb 28 06:45:22 2002