Logs: 02-19-02
snort was down for at least part of the day :-(
From: John Sage
Subject: [Logs] at FinchHaven for 02/19/2002
Logs at FinchHaven for 02/19/2002 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 02/20/2002
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages:
Probes to port 21 ftp: 1
Probes to port 22 ssh: 0
Probes to port 23 telnet: 0
Probes to port 53 dns: 6
Probes to port 80 http: 59
Probes to port 111 sunrpc: 0
Probes to port 137 netbios-ns: 0
Probes to port 139 netbios-ssn: 0
Probes to port 445 ms-ds: 0
Probes to port 515 lpr: 0
Total, probes to all ports: 46
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Feb 19 05:47:22 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 148.204.4.1 Source port: 3681
Source host: www.reynosa.decont.ipn.mx
Target IP: 12.82.133.142 Target port: 80 Proto: TCP
Target host: 142.seattle-13-14rs.wa.dial-access.att.net
Feb 19 05:47:26 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 148.204.4.1 Source port: 3681
Source host: www.reynosa.decont.ipn.mx
Target IP: 12.82.133.142 Target port: 80 Proto: TCP
Target host: 142.seattle-13-14rs.wa.dial-access.att.net
Feb 19 05:47:31 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 148.204.4.1 Source port: 3681
Source host: www.reynosa.decont.ipn.mx
Target IP: 12.82.133.142 Target port: 80 Proto: TCP
Target host: 142.seattle-13-14rs.wa.dial-access.att.net
Feb 19 13:39:13 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.144.41 Source port: 2628
Source host: 41.seattle01rh15rt.wa.dial-access.att.net
Target IP: 12.82.128.31 Target port: 80 Proto: TCP
Target host: 31.seattle-01-02rs.wa.dial-access.att.net
Feb 19 13:39:15 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.144.41 Source port: 2628
Source host: 41.seattle01rh15rt.wa.dial-access.att.net
Target IP: 12.82.128.31 Target port: 80 Proto: TCP
Target host: 31.seattle-01-02rs.wa.dial-access.att.net
Feb 19 14:12:53 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.155.147 Source port: 3079
Source host: 147.seattle06rh16rt.wa.dial-access.att.net
Target IP: 12.82.128.31 Target port: 80 Proto: TCP
Target host: 31.seattle-01-02rs.wa.dial-access.att.net
Feb 19 14:12:56 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.155.147 Source port: 3079
Source host: 147.seattle06rh16rt.wa.dial-access.att.net
Target IP: 12.82.128.31 Target port: 80 Proto: TCP
Target host: 31.seattle-01-02rs.wa.dial-access.att.net
Feb 19 17:08:18 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.71 Source port: 4876
Source host: 71.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 17:08:21 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.71 Source port: 4876
Source host: 71.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 17:38:08 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.71 Source port: 3430
Source host: 71.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 17:38:10 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.71 Source port: 3430
Source host: 71.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 17:55:05 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.71 Source port: 4048
Source host: 71.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 17:55:07 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.71 Source port: 4048
Source host: 71.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 18:02:32 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.71 Source port: 1438
Source host: 71.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 18:02:37 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.71 Source port: 1438
Source host: 71.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 19:23:13 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.136.195 Source port: 2246
Source host: 195.seattle-21-22rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 19:23:16 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.136.195 Source port: 2246
Source host: 195.seattle-21-22rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 19:44:47 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.161.12 Source port: 3381
Source host: 12.seattle09rh16rt.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 19:44:50 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.161.12 Source port: 3381
Source host: 12.seattle09rh16rt.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 20:15:16 - snort [1:0:0] TCP to 21 ftp
Source IP: 209.61.158.226 Source port: 65503
Source host: freenetca.com
Target IP: 12.82.132.202 Target port: 21 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 20:44:33 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.136.195 Source port: 2363
Source host: 195.seattle-21-22rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 20:44:36 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.136.195 Source port: 2363
Source host: 195.seattle-21-22rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 20:55:44 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.162.30 Source port: 3535
Source host: 30.seattle10rh15rt.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 20:55:46 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.162.30 Source port: 3535
Source host: 30.seattle10rh15rt.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 20:57:39 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.136.195 Source port: 2660
Source host: 195.seattle-21-22rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 20:57:42 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.136.195 Source port: 2660
Source host: 195.seattle-21-22rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 21:08:58 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.136.195 Source port: 2398
Source host: 195.seattle-21-22rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 21:09:01 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.136.195 Source port: 2398
Source host: 195.seattle-21-22rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 21:36:43 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.162.30 Source port: 4481
Source host: 30.seattle10rh15rt.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 21:36:46 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.162.30 Source port: 4481
Source host: 30.seattle10rh15rt.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 21:50:41 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.168.26 Source port: 2973
Source host: 26.seattle13rh15rt.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 22:47:57 - snort [1:0:0] ICMP echo request
Source IP: 194.203.119.46 Source port: -N/A-
Source host: 194.203.119.46
Target IP: 12.82.132.202 Target port: -N/A- Proto: ICMP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 22:50:45 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.22.2.4 Source port: 4648
Source host: 12.22.2.4
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 22:50:45 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.22.2.4 Source port: 4648
Source host: 12.22.2.4
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 22:50:48 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.22.2.4 Source port: 4648
Source host: 12.22.2.4
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 22:50:48 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.22.2.4 Source port: 4648
Source host: 12.22.2.4
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 23:15:09 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.136.195 Source port: 2949
Source host: 195.seattle-21-22rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 23:15:12 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.136.195 Source port: 2949
Source host: 195.seattle-21-22rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 23:55:00 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.98.96.164 Source port: 4165
Source host: 164.suaa.wash.washdctt.dsl.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 20 00:23:10 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.138.122 Source port: 4604
Source host: 122.seattle-26-27rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 20 00:23:13 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.138.122 Source port: 4604
Source host: 122.seattle-26-27rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 20 00:30:06 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.139.7 Source port: 1946
Source host: 7.seattle-28-29rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 20 00:30:08 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.139.7 Source port: 1946
Source host: 7.seattle-28-29rs.wa.dial-access.att.net
Target IP: 12.82.132.202 Target port: 80 Proto: TCP
Target host: 202.seattle-11-12rs.wa.dial-access.att.net
This report generated 02/20/2002 at 04:01:00 by a perl script
written by John Sage at FinchHaven.com,
based upon the work of Dan Swan in his script snort2html.pl
jsage@finchhaven.com
Last modified: Wed Feb 20 06:27:20 2002