Logs: 02-28-02
To: jsage@finchhaven.com
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 02/28/2002
Logs at FinchHaven for 02/28/2002 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 03/01/2002
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages:
Probes to port 21 ftp: 1
Probes to port 22 ssh: 2
Probes to port 23 telnet: 0
Probes to port 53 dns: 6
Probes to port 80 http: 51
Probes to port 111 sunrpc: 0
Probes to port 137 netbios-ns: 0
Probes to port 139 netbios-ssn: 0
Probes to port 445 ms-ds: 0
Probes to port 515 lpr: 0
Total, probes to all ports: 71
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Feb 28 06:47:20 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.240.123 Source port: 4091
Source host: 123.houston-09rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 06:47:23 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.240.123 Source port: 4091
Source host: 123.houston-09rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 07:17:08 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.240.123 Source port: 3847
Source host: 123.houston-09rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 07:17:11 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.240.123 Source port: 3847
Source host: 123.houston-09rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 07:22:49 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.240.123 Source port: 3639
Source host: 123.houston-09rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 07:22:52 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.240.123 Source port: 3639
Source host: 123.houston-09rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 09:19:28 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.240.123 Source port: 3128
Source host: 123.houston-09rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 09:19:31 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.240.123 Source port: 3128
Source host: 123.houston-09rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 09:20:29 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.240.123 Source port: 3721
Source host: 123.houston-09rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 09:20:32 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.240.123 Source port: 3721
Source host: 123.houston-09rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 10:30:20 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.228.157 Source port: 4186
Source host: 157.houston-03rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 10:30:23 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.228.157 Source port: 4186
Source host: 157.houston-03rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 10:32:17 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.228.157 Source port: 1215
Source host: 157.houston-03rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 10:32:20 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.228.157 Source port: 1215
Source host: 157.houston-03rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 11:25:38 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.235.45.119 Source port: 3693
Source host: 12-235-45-119.client.attbi.com
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 11:25:41 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.235.45.119 Source port: 3693
Source host: 12-235-45-119.client.attbi.com
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 11:45:15 - snort [1:0:0] TCP to 22 ssh
Source IP: 203.56.45.138 Source port: 2915
Source host: 203.56.45.138
Target IP: 12.82.128.22 Target port: 22 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 11:45:18 - snort [1:0:0] TCP to 22 ssh
Source IP: 203.56.45.138 Source port: 2915
Source host: 203.56.45.138
Target IP: 12.82.128.22 Target port: 22 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 11:47:20 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.163.97 Source port: 3633
Source host: 97.seattle10rh16rt.wa.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 11:47:23 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.163.97 Source port: 3633
Source host: 97.seattle10rh16rt.wa.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 12:14:47 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.36 Source port: 2025
Source host: 36.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 12:14:50 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.36 Source port: 2025
Source host: 36.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 12:50:48 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.163.97 Source port: 3774
Source host: 97.seattle10rh16rt.wa.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 12:50:51 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.163.97 Source port: 3774
Source host: 97.seattle10rh16rt.wa.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 13:04:53 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.163.97 Source port: 2774
Source host: 97.seattle10rh16rt.wa.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 13:04:56 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.163.97 Source port: 2774
Source host: 97.seattle10rh16rt.wa.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 13:12:49 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.240.123 Source port: 4713
Source host: 123.houston-09rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 13:12:52 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.240.123 Source port: 4713
Source host: 123.houston-09rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 13:21:12 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.240.123 Source port: 4557
Source host: 123.houston-09rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 13:21:15 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.240.123 Source port: 4557
Source host: 123.houston-09rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 13:46:18 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.245 Source port: 2642
Source host: 245.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 13:47:53 - snort [1:0:0] TCP to 21 ftp
Source IP: 137.250.65.90 Source port: 3907
Source host: pc-65-090.Phil.Uni-Augsburg.DE
Target IP: 12.82.128.22 Target port: 21 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 13:50:06 - snort [1:0:0] ICMP echo request
Source IP: 137.250.1.254 Source port: -N/A-
Source host: dns1.RZ.Uni-Augsburg.DE
Target IP: 12.82.128.22 Target port: -N/A- Proto: ICMP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 13:50:38 - snort [1:0:0] ICMP echo request
Source IP: 137.250.1.254 Source port: -N/A-
Source host: dns1.RZ.Uni-Augsburg.DE
Target IP: 12.82.128.22 Target port: -N/A- Proto: ICMP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 13:55:00 - snort [1:0:0] ICMP echo request
Source IP: 137.250.111.4 Source port: -N/A-
Source host: dns2.RZ.Uni-Augsburg.DE
Target IP: 12.82.128.22 Target port: -N/A- Proto: ICMP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 13:55:23 - snort [1:0:0] ICMP echo request
Source IP: 137.250.111.4 Source port: -N/A-
Source host: dns2.RZ.Uni-Augsburg.DE
Target IP: 12.82.128.22 Target port: -N/A- Proto: ICMP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 14:00:00 - snort [1:0:0] ICMP echo request
Source IP: 137.250.1.254 Source port: -N/A-
Source host: dns1.RZ.Uni-Augsburg.DE
Target IP: 12.82.128.22 Target port: -N/A- Proto: ICMP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 14:00:38 - snort [1:0:0] ICMP echo request
Source IP: 137.250.1.254 Source port: -N/A-
Source host: dns1.RZ.Uni-Augsburg.DE
Target IP: 12.82.128.22 Target port: -N/A- Proto: ICMP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 14:22:36 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.90.5.183 Source port: 3739
Source host: 183.philadelphia-13-14rs.pa.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 14:22:39 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.90.5.183 Source port: 3739
Source host: 183.philadelphia-13-14rs.pa.dial-access.att.net
Target IP: 12.82.128.22 Target port: 80 Proto: TCP
Target host: 22.seattle-01-02rs.wa.dial-access.att.net
Feb 28 19:54:43 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.153.163 Source port: 4981
Source host: 163.seattle05rh16rt.wa.dial-access.att.net
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 19:54:46 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.153.163 Source port: 4981
Source host: 163.seattle05rh16rt.wa.dial-access.att.net
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 20:04:02 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.153.163 Source port: 1845
Source host: 163.seattle05rh16rt.wa.dial-access.att.net
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 20:04:05 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.153.163 Source port: 1845
Source host: 163.seattle05rh16rt.wa.dial-access.att.net
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 20:17:05 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.153.163 Source port: 1104
Source host: 163.seattle05rh16rt.wa.dial-access.att.net
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 20:17:08 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.153.163 Source port: 1104
Source host: 163.seattle05rh16rt.wa.dial-access.att.net
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 21:00:23 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.196 Source port: 3890
Source host: 196.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 21:00:25 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.196 Source port: 3890
Source host: 196.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 21:28:58 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.163.8 Source port: 4200
Source host: 8.seattle10rh16rt.wa.dial-access.att.net
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 21:29:01 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.163.8 Source port: 4200
Source host: 8.seattle10rh16rt.wa.dial-access.att.net
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 21:53:14 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.163.8 Source port: 4193
Source host: 8.seattle10rh16rt.wa.dial-access.att.net
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 21:53:17 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.163.8 Source port: 4193
Source host: 8.seattle10rh16rt.wa.dial-access.att.net
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 21:57:34 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.232.98 Source port: 3682
Source host: 98.houston-05rh15rt.tx.dial-access.att.net
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 21:57:36 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.232.98 Source port: 3682
Source host: 98.houston-05rh15rt.tx.dial-access.att.net
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 22:49:15 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.139.67 Source port: 3387
Source host: 67.seattle-28-29rs.wa.dial-access.att.net
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 22:49:17 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.139.67 Source port: 3387
Source host: 67.seattle-28-29rs.wa.dial-access.att.net
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 23:05:47 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.154.238 Source port: 1858
Source host: 238.seattle06rh15rt.wa.dial-access.att.net
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 23:05:49 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.154.238 Source port: 1858
Source host: 238.seattle06rh15rt.wa.dial-access.att.net
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 23:33:54 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.224.242.126 Source port: 3303
Source host: 12-224-242-126.client.attbi.com
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
Feb 28 23:33:58 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.224.242.126 Source port: 3303
Source host: 12-224-242-126.client.attbi.com
Target IP: 12.82.132.54 Target port: 80 Proto: TCP
Target host: 54.seattle-11-12rs.wa.dial-access.att.net
This report generated 03/ 1/2002 at 04:01:00
by a perl script written by John Sage at FinchHaven.com,
based upon the work of Dan Swan in his script snort2html.pl
jsage@finchhaven.com
Last modified: Sat Mar 2 09:17:40 2002