To: jsage@finchhaven.com
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 03/7/2002

Logs at FinchHaven for 03/7/2002 extracted from /var/log/messages
Report generated 04:01:01 (TZ -08:00) 03/ 8/2002
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
ver.7

In /var/log/messages:
Probes to port 21 ftp: 0
Probes to port 22 ssh: 0
Probes to port 23 telnet: 0
Probes to port 53 dns: 38
Probes to port 80 http: 20
Probes to port 111 sunrpc: 0
Probes to port 137 netbios-ns: 0
Probes to port 139 netbios-ssn: 4
Probes to port 445 ms-ds: 0
Probes to port 515 lpr: 0
Total, probes to all ports: 109
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

Mar 7 06:48:07 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.239.148 Source port: 4371
Source host: 148.houston-08rh16rt.tx.dial-access.att.net
Target IP: 12.82.129.123 Target port: 80 Proto: TCP
Target host: 123.seattle-03-04rs.wa.dial-access.att.net

Mar 7 06:48:10 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.239.148 Source port: 4371
Source host: 148.houston-08rh16rt.tx.dial-access.att.net
Target IP: 12.82.129.123 Target port: 80 Proto: TCP
Target host: 123.seattle-03-04rs.wa.dial-access.att.net

Mar 7 19:22:56 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.102.78.35 Source port: 3709
Source host: 35.muaag.lsan.la6ca01r1.dsl.att.net
Target IP: 12.82.128.53 Target port: 80 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 19:22:59 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.102.78.35 Source port: 3709
Source host: 35.muaag.lsan.la6ca01r1.dsl.att.net
Target IP: 12.82.128.53 Target port: 80 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 19:26:37 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 208.23.74.13 Source port: 3778
Source host: 208.23.74.13
Target IP: 12.82.128.53 Target port: 80 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 19:26:40 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 208.23.74.13 Source port: 3778
Source host: 208.23.74.13
Target IP: 12.82.128.53 Target port: 80 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 19:26:46 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 208.23.74.13 Source port: 3778
Source host: 208.23.74.13
Target IP: 12.82.128.53 Target port: 80 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 20:00:24 - snort [1:0:0] TCP to 139 netBIOS ss
Source IP: 194.65.158.24 Source port: 1267
Source host: 194.65.158.24
Target IP: 12.82.128.53 Target port: 139 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 20:00:28 - snort [1:0:0] TCP to 139 netBIOS ss
Source IP: 194.65.158.24 Source port: 1267
Source host: 194.65.158.24
Target IP: 12.82.128.53 Target port: 139 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 20:00:34 - snort [1:0:0] TCP to 139 netBIOS ss
Source IP: 194.65.158.24 Source port: 1267
Source host: 194.65.158.24
Target IP: 12.82.128.53 Target port: 139 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 20:00:47 - snort [1:0:0] TCP to 139 netBIOS ss
Source IP: 194.65.158.24 Source port: 1267
Source host: 194.65.158.24
Target IP: 12.82.128.53 Target port: 139 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 20:14:23 - snort [1:0:0] ICMP echo request
Source IP: 65.114.157.130 Source port: -N/A-
Source host: 65.114.157.130
Target IP: 12.82.128.53 Target port: -N/A- Proto: ICMP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net
Got a sh*tload of these, so let's delete 'em..
<snip>
Mar 7 20:14:52 - snort [1:0:0] UDP to 53 domain
Source IP: 65.114.157.130 Source port: 32193
Source host: 65.114.157.130
Target IP: 12.82.128.53 Target port: 53 Proto: UDP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net
And got a sh*tload of these, so delete 'em...
<snip>
And more...
Mar 7 20:15:04 - snort [1:0:0] ICMP echo request
Source IP: 208.225.197.194 Source port: -N/A-
Source host: 208.225.197.194
Target IP: 12.82.128.53 Target port: -N/A- Proto: ICMP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net
And more...
Mar 7 20:15:43 - snort [1:0:0] UDP to 53 domain
Source IP: 208.225.197.194 Source port: 11400
Source host: 208.225.197.194
Target IP: 12.82.128.53 Target port: 53 Proto: UDP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 20:26:58 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.246.105 Source port: 1995
Source host: 105.houston-12rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.53 Target port: 80 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 20:27:01 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.246.105 Source port: 1995
Source host: 105.houston-12rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.53 Target port: 80 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 21:33:20 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.246.105 Source port: 3366
Source host: 105.houston-12rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.53 Target port: 80 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 21:33:22 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.246.105 Source port: 3366
Source host: 105.houston-12rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.53 Target port: 80 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 21:40:17 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.65.216.227 Source port: 2964
Source host: slip-12-65-216-227.mis.prserv.net
Target IP: 12.82.128.53 Target port: 80 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 21:40:20 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.65.216.227 Source port: 2964
Source host: slip-12-65-216-227.mis.prserv.net
Target IP: 12.82.128.53 Target port: 80 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 21:48:20 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.230.74.40 Source port: 2578
Source host: 12-230-74-40.client.attbi.com
Target IP: 12.82.128.53 Target port: 80 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 21:48:23 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.230.74.40 Source port: 2578
Source host: 12-230-74-40.client.attbi.com
Target IP: 12.82.128.53 Target port: 80 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 22:02:27 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.228.50.13 Source port: 1557
Source host: 12-228-50-13.client.attbi.com
Target IP: 12.82.128.53 Target port: 80 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 22:02:30 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.228.50.13 Source port: 1557
Source host: 12-228-50-13.client.attbi.com
Target IP: 12.82.128.53 Target port: 80 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 22:03:10 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.230.74.40 Source port: 1042
Source host: 12-230-74-40.client.attbi.com
Target IP: 12.82.128.53 Target port: 80 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 7 22:03:13 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.230.74.40 Source port: 1042
Source host: 12-230-74-40.client.attbi.com
Target IP: 12.82.128.53 Target port: 80 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

Mar 8 01:46:33 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.228.124.34 Source port: 4795
Source host: 12-228-124-34.client.attbi.com
Target IP: 12.82.128.53 Target port: 80 Proto: TCP
Target host: 53.seattle-01-02rs.wa.dial-access.att.net

This report generated 03/ 8/2002 at 04:01:01 by a perl script written by John Sage at FinchHaven.com, based upon the work of Dan Swan in his script snort2html.pl