Logs: 02-17-02
Date: Mon, 18 Feb 2002 04:01:01 -0800
To: jsage@finchhaven.com
Subject: [Logs] at FinchHaven for 02/17/2002
Logs at FinchHaven for 02/17/2002 extracted from /var/log/messages
Report generated 04:01:01 (TZ -08:00) 02/18/2002
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages: Probes to port 21 ftp: 0
Probes to port 22 ssh: 2
Probes to port 23 telnet: 0
Probes to port 53 dns: 0
Probes to port 80 http: 17
Probes to port 111 sunrpc: 1
Probes to port 137 netbios-ns: 3
Probes to port 139 netbios-ssn: 4
Probes to port 445 ms-ds: 0
Probes to port 515 lpr: 1
Total, probes to all ports: 40
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Feb 17 09:10:34 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.225.174.22 Source port: 4458
Source host: 12-225-174-22.client.attbi.com
Target IP: 12.82.132.164 Target port: 80 Proto: TCP
Target host: 164.seattle-11-12rs.wa.dial-access.att.net
Feb 17 09:10:37 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.225.174.22 Source port: 4458
Source host: 12-225-174-22.client.attbi.com
Target IP: 12.82.132.164 Target port: 80 Proto: TCP
Target host: 164.seattle-11-12rs.wa.dial-access.att.net
Feb 17 09:13:47 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.248.146.124 Source port: 2197
Source host: 12-248-146-124.client.attbi.com
Target IP: 12.82.132.164 Target port: 80 Proto: TCP
Target host: 164.seattle-11-12rs.wa.dial-access.att.net
Feb 17 09:13:50 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.248.146.124 Source port: 2197
Source host: 12-248-146-124.client.attbi.com
Target IP: 12.82.132.164 Target port: 80 Proto: TCP
Target host: 164.seattle-11-12rs.wa.dial-access.att.net
Feb 17 10:14:53 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.115 Source port: 3801
Source host: 115.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.132.164 Target port: 80 Proto: TCP
Target host: 164.seattle-11-12rs.wa.dial-access.att.net
Feb 17 10:14:56 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.115 Source port: 3801
Source host: 115.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.132.164 Target port: 80 Proto: TCP
Target host: 164.seattle-11-12rs.wa.dial-access.att.net
Feb 17 14:57:51 - snort [1:0:0] TCP to 22 ssh
Source IP: 210.97.51.3 Source port: 4076
Source host: 210.97.51.3
Target IP: 12.82.132.164 Target port: 22 Proto: TCP
Target host: 164.seattle-11-12rs.wa.dial-access.att.net
Feb 17 14:57:54 - snort [1:0:0] TCP to 22 ssh
Source IP: 210.97.51.3 Source port: 4076
Source host: 210.97.51.3
Target IP: 12.82.132.164 Target port: 22 Proto: TCP
Target host: 164.seattle-11-12rs.wa.dial-access.att.net
Feb 17 15:00:18 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 204.118.20.101 Source port: 137
Source host: 204.118.20.101
Target IP: 12.82.132.164 Target port: 137 Proto: UDP
Target host: 164.seattle-11-12rs.wa.dial-access.att.net
Feb 17 15:00:20 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 204.118.20.101 Source port: 137
Source host: 204.118.20.101
Target IP: 12.82.132.164 Target port: 137 Proto: UDP
Target host: 164.seattle-11-12rs.wa.dial-access.att.net
Feb 17 15:00:21 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 204.118.20.101 Source port: 137
Source host: 204.118.20.101
Target IP: 12.82.132.164 Target port: 137 Proto: UDP
Target host: 164.seattle-11-12rs.wa.dial-access.att.net
Feb 17 15:01:53 - snort [1:0:0] TCP to 515 lpr
Source IP: 64.238.109.77 Source port: 3615
Source host: 64.238.109.77
Target IP: 12.82.132.164 Target port: 515 Proto: TCP
Target host: 164.seattle-11-12rs.wa.dial-access.att.net
Feb 17 15:02:35 - snort [1:0:0] TCP to 111 sunrpc
Source IP: 210.97.51.3 Source port: 3139
Source host: 210.97.51.3
Target IP: 12.82.132.164 Target port: 111 Proto: TCP
Target host: 164.seattle-11-12rs.wa.dial-access.att.net
Feb 17 20:00:27 - snort [1:0:0] TCP to 139 netBIOS ss
Source IP: 194.65.158.24 Source port: 3702
Source host: 194.65.158.24
Target IP: 12.82.128.197 Target port: 139 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
Feb 17 20:00:30 - snort [1:0:0] TCP to 139 netBIOS ss
Source IP: 194.65.158.24 Source port: 3702
Source host: 194.65.158.24
Target IP: 12.82.128.197 Target port: 139 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
Feb 17 20:00:37 - snort [1:0:0] TCP to 139 netBIOS ss
Source IP: 194.65.158.24 Source port: 3702
Source host: 194.65.158.24
Target IP: 12.82.128.197 Target port: 139 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
Feb 17 20:00:50 - snort [1:0:0] TCP to 139 netBIOS ss
Source IP: 194.65.158.24 Source port: 3702
Source host: 194.65.158.24
Target IP: 12.82.128.197 Target port: 139 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
Feb 17 20:17:48 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.77.119 Source port: 4508
Source host: 119.minneapolis-07rh16rt.mn.dial-access.att.net
Target IP: 12.82.128.197 Target port: 80 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
Feb 17 20:17:50 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.77.119 Source port: 4508
Source host: 119.minneapolis-07rh16rt.mn.dial-access.att.net
Target IP: 12.82.128.197 Target port: 80 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
Feb 17 20:22:38 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.235.21.134 Source port: 4733
Source host: 12-235-21-134.client.attbi.com
Target IP: 12.82.128.197 Target port: 80 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
Feb 17 20:22:41 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.235.21.134 Source port: 4733
Source host: 12-235-21-134.client.attbi.com
Target IP: 12.82.128.197 Target port: 80 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
Feb 17 21:01:27 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 61.208.176.146 Source port: 4911
Source host: 61.208.176.146
Target IP: 12.82.128.197 Target port: 80 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
Feb 17 21:01:30 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 61.208.176.146 Source port: 4911
Source host: 61.208.176.146
Target IP: 12.82.128.197 Target port: 80 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
Feb 17 21:01:37 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 61.208.176.146 Source port: 4911
Source host: 61.208.176.146
Target IP: 12.82.128.197 Target port: 80 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
Feb 17 22:58:20 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.128.185 Source port: 1540
Source host: 185.seattle-01-02rs.wa.dial-access.att.net
Target IP: 12.82.128.197 Target port: 80 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
Feb 17 22:58:23 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.128.185 Source port: 1540
Source host: 185.seattle-01-02rs.wa.dial-access.att.net
Target IP: 12.82.128.197 Target port: 80 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
Feb 17 23:17:10 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.128.130 Source port: 1240
Source host: 130.seattle-01-02rs.wa.dial-access.att.net
Target IP: 12.82.128.197 Target port: 12345 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
Feb 17 23:17:13 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.128.130 Source port: 1240
Source host: 130.seattle-01-02rs.wa.dial-access.att.net
Target IP: 12.82.128.197 Target port: 12345 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
Feb 17 23:17:19 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.128.130 Source port: 1240
Source host: 130.seattle-01-02rs.wa.dial-access.att.net
Target IP: 12.82.128.197 Target port: 12345 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
Feb 17 23:17:31 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.128.130 Source port: 1240
Source host: 130.seattle-01-02rs.wa.dial-access.att.net
Target IP: 12.82.128.197 Target port: 12345 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
Feb 17 23:31:59 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.128.185 Source port: 2918
Source host: 185.seattle-01-02rs.wa.dial-access.att.net
Target IP: 12.82.128.197 Target port: 80 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
Feb 17 23:32:02 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.128.185 Source port: 2918
Source host: 185.seattle-01-02rs.wa.dial-access.att.net
Target IP: 12.82.128.197 Target port: 80 Proto: TCP
Target host: 197.seattle-01-02rs.wa.dial-access.att.net
This report generated 02/18/2002 at 04:01:01 by a perl script
written by John Sage at FinchHaven.com,
based upon the work of Dan Swan in his script snort2html.pl
This page last preened by Webmaster jsage@finchhaven.com on:
Last modified: Mon Feb 18 17:17:30 2002