Logs: 02-26-02

To: jsage@finchhaven.com
Cc: root@sparky.finchhaven.net
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 02/26/2002

Logs at FinchHaven for 02/26/2002 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 02/27/2002

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages:  Probes to port 21 ftp:        0
                       Probes to port 22 ssh:        0
                    Probes to port 23 telnet:        0
                       Probes to port 53 dns:        9
                      Probes to port 80 http:       19
                   Probes to port 111 sunrpc:        1
               Probes to port 137 netbios-ns:        0
              Probes to port 139 netbios-ssn:        0
                    Probes to port 445 ms-ds:        0
                      Probes to port 515 lpr:        0
                  Total, probes to all ports:       32
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

Feb 26 08:56:04 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.100.138.244   Source port: 4631 
Source host: 244.muca.akrn.chcgil24.dsl.att.net
  Target IP: 12.82.131.103   Target port: 80   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net

Feb 26 08:56:07 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.100.138.244   Source port: 4631 
Source host: 244.muca.akrn.chcgil24.dsl.att.net
  Target IP: 12.82.131.103   Target port: 80   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net



Feb 26 10:41:00 - snort [1:0:0] TCP to 53 domain 
  Source IP: 200.171.2.25   Source port: 2502 
Source host: 200-171-2-25.dsl.telesp.net.br
  Target IP: 12.82.131.103   Target port: 53   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net

Feb 26 10:41:04 - snort [1:0:0] TCP to 53 domain 
  Source IP: 200.171.2.25   Source port: 2502 
Source host: 200-171-2-25.dsl.telesp.net.br
  Target IP: 12.82.131.103   Target port: 53   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net

Feb 26 10:41:10 - snort [1:0:0] TCP to 53 domain 
  Source IP: 200.171.2.25   Source port: 2502 
Source host: 200-171-2-25.dsl.telesp.net.br
  Target IP: 12.82.131.103   Target port: 53   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net



Feb 26 11:19:09 - snort [1:0:0] TCP to 111 sunrpc 
  Source IP: 205.127.67.10   Source port: 4827 
Source host: 205.127.67.10
  Target IP: 12.82.131.103   Target port: 111   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net



Feb 26 11:47:16 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.248.28.72   Source port: 4120 
Source host: 12-248-28-72.client.attbi.com
  Target IP: 12.82.131.103   Target port: 80   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net

Feb 26 11:47:20 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.248.28.72   Source port: 4120 
Source host: 12-248-28-72.client.attbi.com
  Target IP: 12.82.131.103   Target port: 80   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net



Feb 26 12:49:38 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.154.4   Source port: 2758 
Source host: 4.seattle06rh15rt.wa.dial-access.att.net
  Target IP: 12.82.131.103   Target port: 80   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net

Feb 26 12:49:40 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.154.4   Source port: 2758 
Source host: 4.seattle06rh15rt.wa.dial-access.att.net
  Target IP: 12.82.131.103   Target port: 80   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net



Feb 26 13:20:42 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.248.28.72   Source port: 3511 
Source host: 12-248-28-72.client.attbi.com
  Target IP: 12.82.131.103   Target port: 80   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net



Feb 26 14:29:10 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.137.233   Source port: 1455 
Source host: 233.seattle-23-24rs.wa.dial-access.att.net
  Target IP: 12.82.131.103   Target port: 80   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net

Feb 26 14:29:12 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.137.233   Source port: 1455 
Source host: 233.seattle-23-24rs.wa.dial-access.att.net
  Target IP: 12.82.131.103   Target port: 80   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net


Feb 26 14:32:01 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.137.233   Source port: 4721 
Source host: 233.seattle-23-24rs.wa.dial-access.att.net
  Target IP: 12.82.131.103   Target port: 80   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net

Feb 26 14:32:04 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.137.233   Source port: 4721 
Source host: 233.seattle-23-24rs.wa.dial-access.att.net
  Target IP: 12.82.131.103   Target port: 80   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net


Feb 26 14:32:54 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.137.233   Source port: 2717 
Source host: 233.seattle-23-24rs.wa.dial-access.att.net
  Target IP: 12.82.131.103   Target port: 80   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net

Feb 26 14:32:57 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.137.233   Source port: 2717 
Source host: 233.seattle-23-24rs.wa.dial-access.att.net
  Target IP: 12.82.131.103   Target port: 80   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net


Feb 26 14:40:14 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.137.233   Source port: 1768 
Source host: 233.seattle-23-24rs.wa.dial-access.att.net
  Target IP: 12.82.131.103   Target port: 80   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net

Feb 26 14:40:17 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.137.233   Source port: 1768 
Source host: 233.seattle-23-24rs.wa.dial-access.att.net
  Target IP: 12.82.131.103   Target port: 80   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net




Feb 27 01:25:00 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.102.164.130   Source port: 1966 
Source host: 130.mueb.rlmd.cgcil01r18.dsl.att.net
  Target IP: 12.82.130.15   Target port: 80   Proto: TCP 
Target host: 15.seattle-06-07rs.wa.dial-access.att.net

Feb 27 01:25:03 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.102.164.130   Source port: 1966 
Source host: 130.mueb.rlmd.cgcil01r18.dsl.att.net
  Target IP: 12.82.130.15   Target port: 80   Proto: TCP 
Target host: 15.seattle-06-07rs.wa.dial-access.att.net



This report generated 02/27/2002 at 04:01:00 
by a perl script written by John Sage at FinchHaven.com, 
based upon the work of Dan Swan in his script snort2html.pl
jsage@finchhaven.com
Last modified: Thu Feb 28 06:56:14 2002