Logs: 03-01-02


To: jsage@finchhaven.com
Cc: root@sparky.finchhaven.net
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 03/1/2002

Logs at FinchHaven for 03/1/2002 extracted from /var/log/messages
Report generated 04:01:01 (TZ -08:00) 03/ 2/2002

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages:  Probes to port 21 ftp:        2
                       Probes to port 22 ssh:        0
                    Probes to port 23 telnet:        0
                       Probes to port 53 dns:        6
                      Probes to port 80 http:       20
                   Probes to port 111 sunrpc:        0
               Probes to port 137 netbios-ns:        6
              Probes to port 139 netbios-ssn:        0
                    Probes to port 445 ms-ds:        0
                      Probes to port 515 lpr:        0
                  Total, probes to all ports:       39
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

Mar  1 07:46:20 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 209.85.219.50   Source port: 53128 
Source host: 209.85.219.50
  Target IP: 12.82.128.101   Target port: 137   Proto: UDP 
Target host: 101.seattle-01-02rs.wa.dial-access.att.net

Mar  1 07:46:21 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 209.85.219.50   Source port: 53128 
Source host: 209.85.219.50
  Target IP: 12.82.128.101   Target port: 137   Proto: UDP 
Target host: 101.seattle-01-02rs.wa.dial-access.att.net

Mar  1 07:46:23 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 209.85.219.50   Source port: 53128 
Source host: 209.85.219.50
  Target IP: 12.82.128.101   Target port: 137   Proto: UDP 
Target host: 101.seattle-01-02rs.wa.dial-access.att.net



Mar  1 08:52:41 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.228.95.50   Source port: 4911 
Source host: 12-228-95-50.client.attbi.com
  Target IP: 12.82.128.101   Target port: 80   Proto: TCP 
Target host: 101.seattle-01-02rs.wa.dial-access.att.net



Mar  1 10:47:55 - snort [1:0:0] TCP to 21 ftp 
  Source IP: 203.73.184.189   Source port: 21 
Source host: 203.73.184.189
  Target IP: 12.82.128.101   Target port: 21   Proto: TCP 
Target host: 101.seattle-01-02rs.wa.dial-access.att.net



Mar  1 10:57:20 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.85   Source port: 3782 
Source host: 85.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.128.101   Target port: 80   Proto: TCP 
Target host: 101.seattle-01-02rs.wa.dial-access.att.net

Mar  1 10:57:23 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.85   Source port: 3782 
Source host: 85.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.128.101   Target port: 80   Proto: TCP 
Target host: 101.seattle-01-02rs.wa.dial-access.att.net


Mar  1 11:10:35 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.85   Source port: 1065 
Source host: 85.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.128.101   Target port: 80   Proto: TCP 
Target host: 101.seattle-01-02rs.wa.dial-access.att.net

Mar  1 11:10:37 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.85   Source port: 1065 
Source host: 85.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.128.101   Target port: 80   Proto: TCP 
Target host: 101.seattle-01-02rs.wa.dial-access.att.net



Mar  1 11:20:39 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.234.81.150   Source port: 4556 
Source host: 12-234-81-150.client.attbi.com
  Target IP: 12.82.128.101   Target port: 80   Proto: TCP 
Target host: 101.seattle-01-02rs.wa.dial-access.att.net

Mar  1 11:20:41 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.234.81.150   Source port: 4556 
Source host: 12-234-81-150.client.attbi.com
  Target IP: 12.82.128.101   Target port: 80   Proto: TCP 
Target host: 101.seattle-01-02rs.wa.dial-access.att.net



Mar  1 12:34:59 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 61.128.97.194   Source port: 59512 
Source host: 61.128.97.194
  Target IP: 12.82.128.101   Target port: 80   Proto: TCP 
Target host: 101.seattle-01-02rs.wa.dial-access.att.net

Mar  1 12:35:03 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 61.128.97.194   Source port: 59512 
Source host: 61.128.97.194
  Target IP: 12.82.128.101   Target port: 80   Proto: TCP 
Target host: 101.seattle-01-02rs.wa.dial-access.att.net

Mar  1 12:35:03 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 61.128.97.194   Source port: 59512 
Source host: 61.128.97.194
  Target IP: 12.82.128.101   Target port: 80   Proto: TCP 
Target host: 101.seattle-01-02rs.wa.dial-access.att.net



Mar  1 13:22:46 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 64.78.224.29   Source port: 137 
Source host: 64.78.224.29
  Target IP: 12.82.128.101   Target port: 137   Proto: UDP 
Target host: 101.seattle-01-02rs.wa.dial-access.att.net

Mar  1 13:22:48 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 64.78.224.29   Source port: 137 
Source host: 64.78.224.29
  Target IP: 12.82.128.101   Target port: 137   Proto: UDP 
Target host: 101.seattle-01-02rs.wa.dial-access.att.net

Mar  1 13:22:49 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 64.78.224.29   Source port: 137 
Source host: 64.78.224.29
  Target IP: 12.82.128.101   Target port: 137   Proto: UDP 
Target host: 101.seattle-01-02rs.wa.dial-access.att.net



Mar  1 19:54:23 - snort [1:0:0] ICMP echo request 
  Source IP: 12.82.131.240     Source port: -N/A-
Source host: 240.seattle-08-09rs.wa.dial-access.att.net
  Target IP: 12.82.133.52   Target port: -N/A-   Proto: ICMP 
Target host: 52.seattle-13-14rs.wa.dial-access.att.net



Mar  1 20:19:43 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.99.182.130   Source port: 3816 
Source host: 12.99.182.130
  Target IP: 12.82.133.52   Target port: 80   Proto: TCP 
Target host: 52.seattle-13-14rs.wa.dial-access.att.net

Mar  1 20:19:46 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.99.182.130   Source port: 3816 
Source host: 12.99.182.130
  Target IP: 12.82.133.52   Target port: 80   Proto: TCP 
Target host: 52.seattle-13-14rs.wa.dial-access.att.net



Mar  1 20:40:15 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.128.232   Source port: 4956 
Source host: 232.seattle-01-02rs.wa.dial-access.att.net
  Target IP: 12.82.133.52   Target port: 80   Proto: TCP 
Target host: 52.seattle-13-14rs.wa.dial-access.att.net

Mar  1 20:40:18 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.128.232   Source port: 4956 
Source host: 232.seattle-01-02rs.wa.dial-access.att.net
  Target IP: 12.82.133.52   Target port: 80   Proto: TCP 
Target host: 52.seattle-13-14rs.wa.dial-access.att.net


Mar  1 21:07:23 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.128.232   Source port: 3287 
Source host: 232.seattle-01-02rs.wa.dial-access.att.net
  Target IP: 12.82.133.52   Target port: 80   Proto: TCP 
Target host: 52.seattle-13-14rs.wa.dial-access.att.net

Mar  1 21:07:26 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.128.232   Source port: 3287 
Source host: 232.seattle-01-02rs.wa.dial-access.att.net
  Target IP: 12.82.133.52   Target port: 80   Proto: TCP 
Target host: 52.seattle-13-14rs.wa.dial-access.att.net



Mar  1 21:28:01 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.245.236.184   Source port: 1231 
Source host: 12-245-236-184.client.attbi.com
  Target IP: 12.82.133.52   Target port: 80   Proto: TCP 
Target host: 52.seattle-13-14rs.wa.dial-access.att.net

Mar  1 21:28:04 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.245.236.184   Source port: 1231 
Source host: 12-245-236-184.client.attbi.com
  Target IP: 12.82.133.52   Target port: 80   Proto: TCP 
Target host: 52.seattle-13-14rs.wa.dial-access.att.net



Mar  1 21:30:33 - snort [1:0:0] TCP to 27374 SubSeven 
  Source IP: 63.104.113.85   Source port: 1784 
Source host: 63.104.113.85
  Target IP: 12.82.133.52   Target port: 27374   Proto: TCP 
Target host: 52.seattle-13-14rs.wa.dial-access.att.net

Mar  1 21:30:36 - snort [1:0:0] TCP to 27374 SubSeven 
  Source IP: 63.104.113.85   Source port: 1784 
Source host: 63.104.113.85
  Target IP: 12.82.133.52   Target port: 27374   Proto: TCP 
Target host: 52.seattle-13-14rs.wa.dial-access.att.net

Mar  1 21:30:42 - snort [1:0:0] TCP to 27374 SubSeven 
  Source IP: 63.104.113.85   Source port: 1784 
Source host: 63.104.113.85
  Target IP: 12.82.133.52   Target port: 27374   Proto: TCP 
Target host: 52.seattle-13-14rs.wa.dial-access.att.net



Mar  1 22:02:12 - snort [1:0:0] TCP to 27374 SubSeven 
  Source IP: 68.41.113.212   Source port: 3968 
Source host: bgp956615bgs.derbrh01.mi.comcast.net
  Target IP: 12.82.140.53   Target port: 27374   Proto: TCP 
Target host: 53.seattle-05-10rs.wa.dial-access.att.net

Mar  1 22:02:15 - snort [1:0:0] TCP to 27374 SubSeven 
  Source IP: 68.41.113.212   Source port: 3968 
Source host: bgp956615bgs.derbrh01.mi.comcast.net
  Target IP: 12.82.140.53   Target port: 27374   Proto: TCP 
Target host: 53.seattle-05-10rs.wa.dial-access.att.net

Mar  1 22:02:21 - snort [1:0:0] TCP to 27374 SubSeven 
  Source IP: 68.41.113.212   Source port: 3968 
Source host: bgp956615bgs.derbrh01.mi.comcast.net
  Target IP: 12.82.140.53   Target port: 27374   Proto: TCP 
Target host: 53.seattle-05-10rs.wa.dial-access.att.net

Mar  1 22:02:33 - snort [1:0:0] TCP to 27374 SubSeven 
  Source IP: 68.41.113.212   Source port: 3968 
Source host: bgp956615bgs.derbrh01.mi.comcast.net
  Target IP: 12.82.140.53   Target port: 27374   Proto: TCP 
Target host: 53.seattle-05-10rs.wa.dial-access.att.net



Mar  1 22:49:50 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.128.232   Source port: 4284 
Source host: 232.seattle-01-02rs.wa.dial-access.att.net
  Target IP: 12.82.140.53   Target port: 80   Proto: TCP 
Target host: 53.seattle-05-10rs.wa.dial-access.att.net

Mar  1 22:49:53 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.128.232   Source port: 4284 
Source host: 232.seattle-01-02rs.wa.dial-access.att.net
  Target IP: 12.82.140.53   Target port: 80   Proto: TCP 
Target host: 53.seattle-05-10rs.wa.dial-access.att.net



Mar  2 02:54:39 - snort [1:0:0] TCP to 21 ftp 
  Source IP: 62.211.200.65   Source port: 21 
Source host: 62.211.200.65
  Target IP: 12.82.140.53   Target port: 21   Proto: TCP 
Target host: 53.seattle-05-10rs.wa.dial-access.att.net



This report generated 03/ 2/2002 at 04:01:01 
by a perl script written by John Sage at FinchHaven.com, 
based upon the work of Dan Swan in his script snort2html.pl



jsage@finchhaven.com
Last modified: Sat Mar 2 09:28:20 2002