Incident: 03-13-02 tcp:123
To: jsage@finchhaven.com
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 03/13/2002
Logs at FinchHaven for 03/13/2002 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 03/14/2002
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
ver.7
In /var/log/messages:
Probes to port 21 ftp: 0
Probes to port 22 ssh: 0
Probes to port 23 telnet: 0
Probes to port 53 dns: 0
Probes to port 80 http: 16
Probes to port 111 sunrpc: 1
Probes to port 137 netbios-ns: 3
Probes to port 139 netbios-ssn: 0
Probes to port 445 ms-ds: 0
Probes to port 515 lpr: 0
Total, probes to all ports: 32
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Mar 13 05:46:26 - snort [1:0:0] ICMP echo request
Source IP: 217.128.217.41 Source port: -N/A-
Source host: ALagny-103-1-1-41.abo.wanadoo.fr
Target IP: 12.82.140.64 Target port: -N/A- Proto: ICMP
Target host: 64.seattle-05-10rs.wa.dial-access.att.net
Mar 13 10:39:39 - snort [1:0:0] TCP to 111 sunrpc
Source IP: 66.13.140.90 Source port: 2900
Source host: bdsl.66.13.140.90.gte.net
Target IP: 12.82.128.12 Target port: 111 Proto: TCP
Target host: 12.seattle-01-02rs.wa.dial-access.att.net
Mar 13 12:15:20 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.236.44 Source port: 2219
Source host: 44.houston-07rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.12 Target port: 80 Proto: TCP
Target host: 12.seattle-01-02rs.wa.dial-access.att.net
Mar 13 12:15:23 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.236.44 Source port: 2219
Source host: 44.houston-07rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.12 Target port: 80 Proto: TCP
Target host: 12.seattle-01-02rs.wa.dial-access.att.net
Mar 13 12:26:44 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.236.44 Source port: 2131
Source host: 44.houston-07rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.12 Target port: 80 Proto: TCP
Target host: 12.seattle-01-02rs.wa.dial-access.att.net
Mar 13 12:26:47 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.236.44 Source port: 2131
Source host: 44.houston-07rh15rt.tx.dial-access.att.net
Target IP: 12.82.128.12 Target port: 80 Proto: TCP
Target host: 12.seattle-01-02rs.wa.dial-access.att.net
Mar 13 19:41:00 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 67.208.176.226 Source port: 3140
Source host: 1Cust226.tnt2.wilmington.de.da.uu.net
Target IP: 12.82.135.131 Target port: 27374 Proto: TCP
Target host: 131.seattle-18-19rs.wa.dial-access.att.net
Mar 13 19:41:03 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 67.208.176.226 Source port: 3140
Source host: 1Cust226.tnt2.wilmington.de.da.uu.net
Target IP: 12.82.135.131 Target port: 27374 Proto: TCP
Target host: 131.seattle-18-19rs.wa.dial-access.att.net
Mar 13 19:41:09 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 67.208.176.226 Source port: 3140
Source host: 1Cust226.tnt2.wilmington.de.da.uu.net
Target IP: 12.82.135.131 Target port: 27374 Proto: TCP
Target host: 131.seattle-18-19rs.wa.dial-access.att.net
Mar 13 19:58:38 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 204.118.20.106 Source port: 137
Source host: 204.118.20.106
Target IP: 12.82.129.38 Target port: 137 Proto: UDP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 13 19:58:39 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 204.118.20.106 Source port: 137
Source host: 204.118.20.106
Target IP: 12.82.129.38 Target port: 137 Proto: UDP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 13 19:58:41 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 204.118.20.106 Source port: 137
Source host: 204.118.20.106
Target IP: 12.82.129.38 Target port: 137 Proto: UDP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 13 20:02:51 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.141.115 Source port: 1566
Source host: 115.seattle-15-20rs.wa.dial-access.att.net
Target IP: 12.82.129.38 Target port: 80 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 13 20:02:54 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.141.115 Source port: 1566
Source host: 115.seattle-15-20rs.wa.dial-access.att.net
Target IP: 12.82.129.38 Target port: 80 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 13 20:58:53 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.247.22.86 Source port: 3202
Source host: 12-247-22-86.client.attbi.com
Target IP: 12.82.129.38 Target port: 80 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 13 23:08:59 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.253.88.51 Source port: 2981
Source host: 12-253-88-51.client.attbi.com
Target IP: 12.82.129.38 Target port: 80 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 13 23:09:02 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.253.88.51 Source port: 2981
Source host: 12-253-88-51.client.attbi.com
Target IP: 12.82.129.38 Target port: 80 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 13 23:16:06 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.102.78.35 Source port: 2003
Source host: 35.muaag.lsan.la6ca01r1.dsl.att.net
Target IP: 12.82.129.38 Target port: 80 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 13 23:16:09 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.102.78.35 Source port: 2003
Source host: 35.muaag.lsan.la6ca01r1.dsl.att.net
Target IP: 12.82.129.38 Target port: 80 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 13 23:31:21 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 218.149.75.11 Source port: 3194
Source host: 218.149.75.11
Target IP: 12.82.129.38 Target port: 27374 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 13 23:31:24 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 218.149.75.11 Source port: 3194
Source host: 218.149.75.11
Target IP: 12.82.129.38 Target port: 27374 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 13 23:31:30 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 218.149.75.11 Source port: 3194
Source host: 218.149.75.11
Target IP: 12.82.129.38 Target port: 27374 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 13 23:31:42 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 218.149.75.11 Source port: 3194
Source host: 218.149.75.11
Target IP: 12.82.129.38 Target port: 27374 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 14 00:05:42 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.246.106.183 Source port: 4504
Source host: 12-246-106-183.client.attbi.com
Target IP: 12.82.129.38 Target port: 80 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 14 00:05:45 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.246.106.183 Source port: 4504
Source host: 12-246-106-183.client.attbi.com
Target IP: 12.82.129.38 Target port: 80 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 14 01:41:34 - snort [1:0:0] TCP to 1080 socks
Source IP: 12.251.95.152 Source port: 4851
Source host: 12-251-95-152.client.attbi.com
Target IP: 12.82.129.38 Target port: 1080 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 14 02:04:15 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 212.220.29.170 Source port: 2251
Source host: 212.220.29.170
Target IP: 12.82.129.38 Target port: 80 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 14 02:04:18 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 212.220.29.170 Source port: 2251
Source host: 212.220.29.170
Target IP: 12.82.129.38 Target port: 80 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 14 02:04:24 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 212.220.29.170 Source port: 2251
Source host: 212.220.29.170
Target IP: 12.82.129.38 Target port: 80 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 14 02:39:52 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 210.49.36.147 Source port: 2740
Source host: c17540.fitzg1.qld.optusnet.com.au
Target IP: 12.82.129.38 Target port: 27374 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 14 02:39:55 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 210.49.36.147 Source port: 2740
Source host: c17540.fitzg1.qld.optusnet.com.au
Target IP: 12.82.129.38 Target port: 27374 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
Mar 14 02:40:01 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 210.49.36.147 Source port: 2740
Source host: c17540.fitzg1.qld.optusnet.com.au
Target IP: 12.82.129.38 Target port: 27374 Proto: TCP
Target host: 38.seattle-03-04rs.wa.dial-access.att.net
This report generated 03/14/2002 at 04:01:00
by a perl script written by John Sage at FinchHaven.com,
based upon the work of Dan Swan in his script snort2html.pl
jsage@finchhaven.com
Last modified: Sat Mar 16 15:47:23 2002