Logs: 03-16-02
To: jsage@finchhaven.com
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 03/16/2002
Logs at FinchHaven for 03/16/2002 extracted from /var/log/messages
Report generated 04:01:01 (TZ -08:00) 03/17/2002
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages:
Probes to port 21 ftp: 0
Probes to port 22 ssh: 2
Probes to port 23 telnet: 0
Probes to port 53 dns: 12
Probes to port 80 http: 20
Probes to port 111 sunrpc: 1
Probes to port 137 netbios-ns: 3
Probes to port 139 netbios-ssn: 0
Probes to port 445 ms-ds: 0
Probes to port 515 lpr: 0
Total, probes to all ports: 54
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Mar 16 07:03:31 - snort [1:0:0] TCP to range 1025-60999
Source IP: 64.232.114.131 Source port: 80
Source host: ATHM-64-232-xxx-131.newedgenetworks.com
Target IP: 12.82.128.45 Target port: 1556 Proto: TCP
Target host: 45.seattle-01-02rs.wa.dial-access.att.net
Mar 16 07:04:31 - snort [1:0:0] TCP to range 1025-60999
Source IP: 64.232.114.131 Source port: 80
Source host: ATHM-64-232-xxx-131.newedgenetworks.com
Target IP: 12.82.128.45 Target port: 1556 Proto: TCP
Target host: 45.seattle-01-02rs.wa.dial-access.att.net
Mar 16 07:05:31 - snort [1:0:0] TCP to range 1025-60999
Source IP: 64.232.114.131 Source port: 80
Source host: ATHM-64-232-xxx-131.newedgenetworks.com
Target IP: 12.82.128.45 Target port: 1556 Proto: TCP
Target host: 45.seattle-01-02rs.wa.dial-access.att.net
Mar 16 07:14:06 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 12.82.128.83 Source port: 1056
Source host: 83.seattle-01-02rs.wa.dial-access.att.net
Target IP: 12.82.128.45 Target port: 137 Proto: UDP
Target host: 45.seattle-01-02rs.wa.dial-access.att.net
Mar 16 07:56:22 - snort [1:0:0] TCP to 111 sunrpc
Source IP: 200.15.13.39 Source port: 40587
Source host: 200.15.13.39
Target IP: 12.82.128.45 Target port: 111 Proto: TCP
Target host: 45.seattle-01-02rs.wa.dial-access.att.net
Mar 16 12:47:32 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.192 Source port: 4587
Source host: 192.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.128.45 Target port: 80 Proto: TCP
Target host: 45.seattle-01-02rs.wa.dial-access.att.net
Mar 16 12:47:35 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.192 Source port: 4587
Source host: 192.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.128.45 Target port: 80 Proto: TCP
Target host: 45.seattle-01-02rs.wa.dial-access.att.net
Mar 16 12:50:07 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 195.162.200.97 Source port: 4528
Source host: cable-195-162-200-97.customer.tvd.be
Target IP: 12.82.128.45 Target port: 80 Proto: TCP
Target host: 45.seattle-01-02rs.wa.dial-access.att.net
Mar 16 12:50:10 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 195.162.200.97 Source port: 4528
Source host: cable-195-162-200-97.customer.tvd.be
Target IP: 12.82.128.45 Target port: 80 Proto: TCP
Target host: 45.seattle-01-02rs.wa.dial-access.att.net
Mar 16 12:50:17 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 195.162.200.97 Source port: 4528
Source host: cable-195-162-200-97.customer.tvd.be
Target IP: 12.82.128.45 Target port: 80 Proto: TCP
Target host: 45.seattle-01-02rs.wa.dial-access.att.net
Mar 16 12:51:13 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.192 Source port: 2128
Source host: 192.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.128.45 Target port: 80 Proto: TCP
Target host: 45.seattle-01-02rs.wa.dial-access.att.net
Mar 16 12:51:16 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.192 Source port: 2128
Source host: 192.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.128.45 Target port: 80 Proto: TCP
Target host: 45.seattle-01-02rs.wa.dial-access.att.net
Mar 16 14:32:55 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.12.197.156 Source port: 3542
Source host: 156.anchorage-01-04rs16rt.ak.dial-access.att.net
Target IP: 12.82.128.45 Target port: 80 Proto: TCP
Target host: 45.seattle-01-02rs.wa.dial-access.att.net
Mar 16 14:32:58 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.12.197.156 Source port: 3542
Source host: 156.anchorage-01-04rs16rt.ak.dial-access.att.net
Target IP: 12.82.128.45 Target port: 80 Proto: TCP
Target host: 45.seattle-01-02rs.wa.dial-access.att.net
Mar 16 14:47:23 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 12.82.128.74 Source port: 1026
Source host: 74.seattle-01-02rs.wa.dial-access.att.net
Target IP: 12.82.128.45 Target port: 137 Proto: UDP
Target host: 45.seattle-01-02rs.wa.dial-access.att.net
Mar 16 16:01:21 - snort [1:0:0] TCP to 22 ssh
Source IP: 211.161.67.130 Source port: 1614
Source host: 211.161.67.130
Target IP: 12.82.133.124 Target port: 22 Proto: TCP
Target host: 124.seattle-13-14rs.wa.dial-access.att.net
Mar 16 16:01:24 - snort [1:0:0] TCP to 22 ssh
Source IP: 211.161.67.130 Source port: 1614
Source host: 211.161.67.130
Target IP: 12.82.133.124 Target port: 22 Proto: TCP
Target host: 124.seattle-13-14rs.wa.dial-access.att.net
Mar 16 16:07:45 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.238.88.71 Source port: 4233
Source host: 12-238-88-71.client.attbi.com
Target IP: 12.82.133.124 Target port: 80 Proto: TCP
Target host: 124.seattle-13-14rs.wa.dial-access.att.net
Mar 16 16:07:48 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.238.88.71 Source port: 4233
Source host: 12-238-88-71.client.attbi.com
Target IP: 12.82.133.124 Target port: 80 Proto: TCP
Target host: 124.seattle-13-14rs.wa.dial-access.att.net
Mar 16 16:10:03 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 193.252.196.155 Source port: 2032
Source host: APuteaux-103-1-1-155.abo.wanadoo.fr
Target IP: 12.82.133.124 Target port: 80 Proto: TCP
Target host: 124.seattle-13-14rs.wa.dial-access.att.net
Mar 16 16:53:17 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.92.218.66 Source port: 4192
Source host: 66.norcross-10rh15rt.ga.dial-access.att.net
Target IP: 12.82.133.124 Target port: 80 Proto: TCP
Target host: 124.seattle-13-14rs.wa.dial-access.att.net
Mar 16 16:53:20 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.92.218.66 Source port: 4192
Source host: 66.norcross-10rh15rt.ga.dial-access.att.net
Target IP: 12.82.133.124 Target port: 80 Proto: TCP
Target host: 124.seattle-13-14rs.wa.dial-access.att.net
Mar 16 17:12:21 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 12.82.133.37 Source port: 1025
Source host: 37.seattle-13-14rs.wa.dial-access.att.net
Target IP: 12.82.133.124 Target port: 137 Proto: UDP
Target host: 124.seattle-13-14rs.wa.dial-access.att.net
Mar 16 18:47:35 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.161.191 Source port: 3704
Source host: 191.seattle09rh16rt.wa.dial-access.att.net
Target IP: 12.82.133.124 Target port: 80 Proto: TCP
Target host: 124.seattle-13-14rs.wa.dial-access.att.net
Mar 16 18:47:37 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.161.191 Source port: 3704
Source host: 191.seattle09rh16rt.wa.dial-access.att.net
Target IP: 12.82.133.124 Target port: 80 Proto: TCP
Target host: 124.seattle-13-14rs.wa.dial-access.att.net
Mar 16 19:28:13 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.235.103.84 Source port: 4515
Source host: 12-235-103-84.client.attbi.com
Target IP: 12.82.133.124 Target port: 80 Proto: TCP
Target host: 124.seattle-13-14rs.wa.dial-access.att.net
Mar 16 19:28:16 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.235.103.84 Source port: 4515
Source host: 12-235-103-84.client.attbi.com
Target IP: 12.82.133.124 Target port: 80 Proto: TCP
Target host: 124.seattle-13-14rs.wa.dial-access.att.net
Mar 16 20:01:50 - snort [1:0:0] TCP to range 1025-60999
Source IP: 128.103.101.17 Source port: 135
Source host: phys5.harvard.edu
Target IP: 12.82.133.124 Target port: 55745 Proto: TCP
Target host: 124.seattle-13-14rs.wa.dial-access.att.net
Mar 16 20:22:38 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.228.152.3 Source port: 1506
Source host: 12-228-152-3.client.attbi.com
Target IP: 12.82.133.124 Target port: 80 Proto: TCP
Target host: 124.seattle-13-14rs.wa.dial-access.att.net
Mar 16 20:22:40 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.228.152.3 Source port: 1506
Source host: 12-228-152-3.client.attbi.com
Target IP: 12.82.133.124 Target port: 80 Proto: TCP
Target host: 124.seattle-13-14rs.wa.dial-access.att.net
This report generated 03/17/2002 at 04:01:01
by a perl script written by John Sage at FinchHaven.com,
based upon the work of Dan Swan in his script snort2html.pl
jsage@finchhaven.com
Last modified: Thu Mar 21 04:47:48 2002