Logs: 03-15-02
To: jsage@finchhaven.com
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 03/15/2002
Logs at FinchHaven for 03/15/2002 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 03/16/2002
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages: Probes to port 21 ftp: 3
Probes to port 22 ssh: 0
Probes to port 23 telnet: 0
Probes to port 53 dns: 8
Probes to port 80 http: 12
Probes to port 111 sunrpc: 1
Probes to port 137 netbios-ns: 2
Probes to port 139 netbios-ssn: 4
Probes to port 445 ms-ds: 0
Probes to port 515 lpr: 2
Total, probes to all ports: 34
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Mar 15 05:10:21 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 61.133.1.116 Source port: 4767
Source host: 61.133.1.116
Target IP: 12.82.128.204 Target port: 80 Proto: TCP
Target host: 204.seattle-01-02rs.wa.dial-access.att.net
Mar 15 05:10:24 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 61.133.1.116 Source port: 4767
Source host: 61.133.1.116
Target IP: 12.82.128.204 Target port: 80 Proto: TCP
Target host: 204.seattle-01-02rs.wa.dial-access.att.net
Mar 15 05:10:31 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 61.133.1.116 Source port: 4767
Source host: 61.133.1.116
Target IP: 12.82.128.204 Target port: 80 Proto: TCP
Target host: 204.seattle-01-02rs.wa.dial-access.att.net
Mar 15 06:27:10 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.247.1.3 Source port: 2902
Source host: 12-247-1-3.client.attbi.com
Target IP: 12.82.129.58 Target port: 80 Proto: TCP
Target host: 58.seattle-03-04rs.wa.dial-access.att.net
Mar 15 06:27:13 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.247.1.3 Source port: 2902
Source host: 12-247-1-3.client.attbi.com
Target IP: 12.82.129.58 Target port: 80 Proto: TCP
Target host: 58.seattle-03-04rs.wa.dial-access.att.net
Mar 15 07:06:12 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 12.82.129.171 Source port: 1055
Source host: 171.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.129.58 Target port: 137 Proto: UDP
Target host: 58.seattle-03-04rs.wa.dial-access.att.net
Mar 15 07:34:13 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 12.82.129.245 Source port: 1075
Source host: 245.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.129.58 Target port: 137 Proto: UDP
Target host: 58.seattle-03-04rs.wa.dial-access.att.net
Mar 15 12:20:56 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 217.235.50.236 Source port: 62626
Source host: pD9EB32EC.dip.t-dialin.net
Target IP: 12.82.129.58 Target port: 80 Proto: TCP
Target host: 58.seattle-03-04rs.wa.dial-access.att.net
Mar 15 12:20:59 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 217.235.50.236 Source port: 62626
Source host: pD9EB32EC.dip.t-dialin.net
Target IP: 12.82.129.58 Target port: 80 Proto: TCP
Target host: 58.seattle-03-04rs.wa.dial-access.att.net
Mar 15 12:21:05 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 217.235.50.236 Source port: 62626
Source host: pD9EB32EC.dip.t-dialin.net
Target IP: 12.82.129.58 Target port: 80 Proto: TCP
Target host: 58.seattle-03-04rs.wa.dial-access.att.net
Mar 15 14:12:45 - snort [1:0:0] TCP to 111 sunrpc
Source IP: 200.56.98.93 Source port: 25247
Source host: red-corpb23-93.telnor.net
Target IP: 12.82.129.58 Target port: 111 Proto: TCP
Target host: 58.seattle-03-04rs.wa.dial-access.att.net
Mar 15 20:02:56 - snort [1:0:0] UDP to 53 domain
Source IP: 64.70.2.15 Source port: 55555
Source host: 64.70.2.15
Target IP: 12.82.128.79 Target port: 53 Proto: UDP
Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 20:02:56 - snort [1:0:0] UDP to 53 domain
Source IP: 64.70.2.15 Source port: 55555
Source host: 64.70.2.15
Target IP: 12.82.128.79 Target port: 53 Proto: UDP
Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 20:24:23 - snort [1:0:0] TCP to 139 netBIOS ss
Source IP: 194.65.158.24 Source port: 3115
Source host: 194.65.158.24
Target IP: 12.82.128.79 Target port: 139 Proto: TCP
Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 20:24:26 - snort [1:0:0] TCP to 139 netBIOS ss
Source IP: 194.65.158.24 Source port: 3115
Source host: 194.65.158.24
Target IP: 12.82.128.79 Target port: 139 Proto: TCP
Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 20:24:32 - snort [1:0:0] TCP to 139 netBIOS ss
Source IP: 194.65.158.24 Source port: 3115
Source host: 194.65.158.24
Target IP: 12.82.128.79 Target port: 139 Proto: TCP
Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 20:24:45 - snort [1:0:0] TCP to 139 netBIOS ss
Source IP: 194.65.158.24 Source port: 3115
Source host: 194.65.158.24
Target IP: 12.82.128.79 Target port: 139 Proto: TCP
Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 20:25:42 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.39 Source port: 2187
Source host: 39.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.128.79 Target port: 80 Proto: TCP
Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 20:25:45 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.39 Source port: 2187
Source host: 39.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.128.79 Target port: 80 Proto: TCP
Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 21:09:35 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.130.177 Source port: 2049
Source host: 177.seattle-06-07rs.wa.dial-access.att.net
Target IP: 12.82.128.79 Target port: 80 Proto: TCP
Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 21:09:38 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.130.177 Source port: 2049
Source host: 177.seattle-06-07rs.wa.dial-access.att.net
Target IP: 12.82.128.79 Target port: 80 Proto: TCP
Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 21:25:46 - snort [1:0:0] TCP to 21 ftp
Source IP: 217.226.184.12 Source port: 2732
Source host: pD9E2B80C.dip.t-dialin.net
Target IP: 12.82.128.79 Target port: 21 Proto: TCP
Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 21:25:49 - snort [1:0:0] TCP to 21 ftp
Source IP: 217.226.184.12 Source port: 2732
Source host: pD9E2B80C.dip.t-dialin.net
Target IP: 12.82.128.79 Target port: 21 Proto: TCP
Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 21:25:55 - snort [1:0:0] TCP to 21 ftp
Source IP: 217.226.184.12 Source port: 2732
Source host: pD9E2B80C.dip.t-dialin.net
Target IP: 12.82.128.79 Target port: 21 Proto: TCP
Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 23:12:53 - snort [1:0:0] TCP to 515 lpr
Source IP: 200.68.13.210 Source port: 4661
Source host: 200.68.13.210
Target IP: 12.82.128.79 Target port: 515 Proto: TCP
Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 23:12:56 - snort [1:0:0] TCP to 515 lpr
Source IP: 200.68.13.210 Source port: 4661
Source host: 200.68.13.210
Target IP: 12.82.128.79 Target port: 515 Proto: TCP
Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 16 00:12:40 - snort [1:0:0] TCP to 1080 socks
Source IP: 12.251.95.152 Source port: 2863
Source host: 12-251-95-152.client.attbi.com
Target IP: 12.82.128.79 Target port: 1080 Proto: TCP
Target host: 79.seattle-01-02rs.wa.dial-access.att.net
This report generated 03/16/2002 at 04:01:00
by a perl script written by John Sage at FinchHaven.com,
based upon the work of Dan Swan in his script snort2html.pl
jsage@finchhaven.com
Last modified: Wed Mar 20 21:17:51 2002