Logs: 02-22-02
To: jsage@finchhaven.com
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 02/22/2002
Logs at FinchHaven for 02/22/2002 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 02/23/2002
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages:
Probes to port 21 ftp: 0
Probes to port 22 ssh: 0
Probes to port 23 telnet: 0
Probes to port 53 dns: 6
Probes to port 80 http: 54
Probes to port 111 sunrpc: 0
Probes to port 137 netbios-ns: 0
Probes to port 139 netbios-ssn: 0
Probes to port 445 ms-ds: 0
Probes to port 515 lpr: 0
Total, probes to all ports: 60
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Feb 22 04:48:56 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.224.191.29 Source port: 4310
Source host: 12-224-191-29.client.attbi.com
Target IP: 12.82.128.33 Target port: 80 Proto: TCP
Target host: 33.seattle-01-02rs.wa.dial-access.att.net
Feb 22 04:48:58 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.224.191.29 Source port: 4310
Source host: 12-224-191-29.client.attbi.com
Target IP: 12.82.128.33 Target port: 80 Proto: TCP
Target host: 33.seattle-01-02rs.wa.dial-access.att.net
Feb 22 06:42:37 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.226.6.81 Source port: 3833
Source host: 12-226-6-81.client.attbi.com
Target IP: 12.82.128.33 Target port: 80 Proto: TCP
Target host: 33.seattle-01-02rs.wa.dial-access.att.net
Feb 22 06:42:40 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.226.6.81 Source port: 3833
Source host: 12-226-6-81.client.attbi.com
Target IP: 12.82.128.33 Target port: 80 Proto: TCP
Target host: 33.seattle-01-02rs.wa.dial-access.att.net
Feb 22 07:13:11 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.246.66.159 Source port: 3869
Source host: 12-246-66-159.client.attbi.com
Target IP: 12.82.128.33 Target port: 80 Proto: TCP
Target host: 33.seattle-01-02rs.wa.dial-access.att.net
Feb 22 07:13:14 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.246.66.159 Source port: 3869
Source host: 12-246-66-159.client.attbi.com
Target IP: 12.82.128.33 Target port: 80 Proto: TCP
Target host: 33.seattle-01-02rs.wa.dial-access.att.net
Feb 22 07:40:54 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.234.92.135 Source port: 2387
Source host: 12-234-92-135.client.attbi.com
Target IP: 12.82.128.33 Target port: 80 Proto: TCP
Target host: 33.seattle-01-02rs.wa.dial-access.att.net
Feb 22 07:40:56 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.234.92.135 Source port: 2387
Source host: 12-234-92-135.client.attbi.com
Target IP: 12.82.128.33 Target port: 80 Proto: TCP
Target host: 33.seattle-01-02rs.wa.dial-access.att.net
Feb 22 09:30:18 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.21 Source port: 3867
Source host: 21.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.128.33 Target port: 80 Proto: TCP
Target host: 33.seattle-01-02rs.wa.dial-access.att.net
Feb 22 09:30:22 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.21 Source port: 3867
Source host: 21.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.128.33 Target port: 80 Proto: TCP
Target host: 33.seattle-01-02rs.wa.dial-access.att.net
Feb 22 12:27:48 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.16 Source port: 2259
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 12:27:51 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.16 Source port: 2259
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 12:33:26 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.16 Source port: 4933
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 12:33:29 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.16 Source port: 4933
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 12:48:18 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.16 Source port: 1923
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 12:48:21 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.16 Source port: 1923
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 13:01:30 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.16 Source port: 3617
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 13:01:33 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.16 Source port: 3617
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 13:31:21 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.16 Source port: 3917
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 13:31:24 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.16 Source port: 3917
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 14:37:41 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.16 Source port: 3144
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 14:37:44 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.16 Source port: 3144
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 15:09:25 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.16 Source port: 4492
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 15:09:28 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.16 Source port: 4492
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 15:37:54 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.238.128.154 Source port: 4073
Source host: 12-238-128-154.client.attbi.com
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 16:02:13 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.136.219 Source port: 2684
Source host: 219.seattle-21-22rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 16:02:16 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.136.219 Source port: 2684
Source host: 219.seattle-21-22rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 16:46:38 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.151.209 Source port: 2985
Source host: 209.seattle04rh16rt.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 16:46:40 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.151.209 Source port: 2985
Source host: 209.seattle04rh16rt.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 17:00:23 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.16 Source port: 2795
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 17:00:26 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.16 Source port: 2795
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 17:07:15 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.151.209 Source port: 2469
Source host: 209.seattle04rh16rt.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 17:07:17 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.151.209 Source port: 2469
Source host: 209.seattle04rh16rt.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 17:09:18 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.160.228 Source port: 3405
Source host: 228.seattle09rh15rt.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 17:09:21 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.160.228 Source port: 3405
Source host: 228.seattle09rh15rt.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 17:24:46 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.249.122.29 Source port: 1202
Source host: 12-249-122-29.client.attbi.com
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 17:32:24 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.151.209 Source port: 2156
Source host: 209.seattle04rh16rt.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 17:32:26 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.151.209 Source port: 2156
Source host: 209.seattle04rh16rt.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 17:33:10 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.16 Source port: 1127
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 17:33:13 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.16 Source port: 1127
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 18:12:01 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.160.228 Source port: 4765
Source host: 228.seattle09rh15rt.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 18:12:04 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.160.228 Source port: 4765
Source host: 228.seattle09rh15rt.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 18:43:36 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.160.228 Source port: 1861
Source host: 228.seattle09rh15rt.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 18:43:41 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.160.228 Source port: 1861
Source host: 228.seattle09rh15rt.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 18:47:21 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.160.228 Source port: 3220
Source host: 228.seattle09rh15rt.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 18:47:24 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.160.228 Source port: 3220
Source host: 228.seattle09rh15rt.wa.dial-access.att.net
Target IP: 12.82.137.78 Target port: 80 Proto: TCP
Target host: 78.seattle-23-24rs.wa.dial-access.att.net
Feb 22 22:12:38 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.232.254.216 Source port: 4777
Source host: 12-232-254-216.client.attbi.com
Target IP: 12.82.133.166 Target port: 80 Proto: TCP
Target host: 166.seattle-13-14rs.wa.dial-access.att.net
Feb 22 22:12:41 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.232.254.216 Source port: 4777
Source host: 12-232-254-216.client.attbi.com
Target IP: 12.82.133.166 Target port: 80 Proto: TCP
Target host: 166.seattle-13-14rs.wa.dial-access.att.net
Feb 23 00:28:28 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.184 Source port: 2216
Source host: 184.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.133.166 Target port: 80 Proto: TCP
Target host: 166.seattle-13-14rs.wa.dial-access.att.net
Feb 23 00:28:31 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.184 Source port: 2216
Source host: 184.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.133.166 Target port: 80 Proto: TCP
Target host: 166.seattle-13-14rs.wa.dial-access.att.net
Feb 23 01:02:20 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.153.244 Source port: 2383
Source host: 244.seattle05rh16rt.wa.dial-access.att.net
Target IP: 12.82.133.166 Target port: 80 Proto: TCP
Target host: 166.seattle-13-14rs.wa.dial-access.att.net
Feb 23 01:02:23 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.153.244 Source port: 2383
Source host: 244.seattle05rh16rt.wa.dial-access.att.net
Target IP: 12.82.133.166 Target port: 80 Proto: TCP
Target host: 166.seattle-13-14rs.wa.dial-access.att.net
Feb 23 02:02:31 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.234.141.6 Source port: 1543
Source host: 12-234-141-6.client.attbi.com
Target IP: 12.82.133.166 Target port: 80 Proto: TCP
Target host: 166.seattle-13-14rs.wa.dial-access.att.net
Feb 23 02:02:34 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.234.141.6 Source port: 1543
Source host: 12-234-141-6.client.attbi.com
Target IP: 12.82.133.166 Target port: 80 Proto: TCP
Target host: 166.seattle-13-14rs.wa.dial-access.att.net
This report generated 02/23/2002 at 04:01:00
by a perl script written by John Sage at FinchHaven.com,
based upon the work of Dan Swan in his script snort2html.pl
jsage@finchhaven.com
Last modified: Wed Feb 27 19:48:47 2002