Logs: 03-17-02
To: jsage@finchhaven.com
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 03/17/2002
Logs at FinchHaven for 03/17/2002 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 03/18/2002
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in 12.82.x.x (inside AT&T's 12.0.0.0/8 class A)
Connect time this date: approx. 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages:
Probes to port 21 ftp: 3
Probes to port 22 ssh: 2
Probes to port 23 telnet: 0
Probes to port 53 dns: 0
Probes to port 80 http: 41
Probes to port 111 sunrpc: 1
Probes to port 137 netbios-ns: 1
Probes to port 139 netbios-ssn: 0
Probes to port 445 ms-ds: 0
Probes to port 515 lpr: 0
Total, probes to all ports: 64
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Mar 17 05:06:02 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.228.15.19 Source port: 2940
Source host: 12-228-15-19.client.attbi.com
Target IP: 12.82.140.16 Target port: 80 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 05:06:05 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.228.15.19 Source port: 2940
Source host: 12-228-15-19.client.attbi.com
Target IP: 12.82.140.16 Target port: 80 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 05:31:42 - snort [1:0:0] TCP to 21 ftp
Source IP: 65.90.122.10 Source port: 58932
Source host: 65.90.122.10
Target IP: 12.82.140.16 Target port: 21 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 05:31:45 - snort [1:0:0] TCP to 21 ftp
Source IP: 65.90.122.10 Source port: 58932
Source host: 65.90.122.10
Target IP: 12.82.140.16 Target port: 21 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 05:31:51 - snort [1:0:0] TCP to 21 ftp
Source IP: 65.90.122.10 Source port: 58932
Source host: 65.90.122.10
Target IP: 12.82.140.16 Target port: 21 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 07:24:21 - snort [1:0:0] TCP to 8080 webcache
Source IP: 211.255.113.198 Source port: 1890
Source host: 211.255.113.198
Target IP: 12.82.140.16 Target port: 8080 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 07:24:21 - snort [1:0:0] TCP to 3128 squid-http
Source IP: 211.255.113.198 Source port: 1891
Source host: 211.255.113.198
Target IP: 12.82.140.16 Target port: 3128 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 07:24:24 - snort [1:0:0] TCP to 3128 squid-http
Source IP: 211.255.113.198 Source port: 1891
Source host: 211.255.113.198
Target IP: 12.82.140.16 Target port: 3128 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 07:24:24 - snort [1:0:0] TCP to 8080 webcache
Source IP: 211.255.113.198 Source port: 1890
Source host: 211.255.113.198
Target IP: 12.82.140.16 Target port: 8080 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 07:24:31 - snort [1:0:0] TCP to 3128 squid-http
Source IP: 211.255.113.198 Source port: 1891
Source host: 211.255.113.198
Target IP: 12.82.140.16 Target port: 3128 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 07:24:31 - snort [1:0:0] TCP to 8080 webcache
Source IP: 211.255.113.198 Source port: 1890
Source host: 211.255.113.198
Target IP: 12.82.140.16 Target port: 8080 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 07:30:31 - snort [1:0:0] TCP to range 1025-60999
Source IP: 199.199.151.211 Source port: 38113
Source host: office211.deskmedia.com
Target IP: 12.82.140.16 Target port: 55086 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 10:11:37 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.233.4.21 Source port: 4673
Source host: 12-233-4-21.client.attbi.com
Target IP: 12.82.140.16 Target port: 80 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 10:11:39 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.233.4.21 Source port: 4673
Source host: 12-233-4-21.client.attbi.com
Target IP: 12.82.140.16 Target port: 80 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 11:17:03 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 218.0.191.30 Source port: 4426
Source host: 218.0.191.30
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 11:17:06 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 218.0.191.30 Source port: 4426
Source host: 218.0.191.30
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 11:17:12 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 218.0.191.30 Source port: 4426
Source host: 218.0.191.30
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 12:08:30 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.230.108.3 Source port: 4048
Source host: 12-230-108-3.client.attbi.com
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 12:08:31 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.230.108.3 Source port: 4048
Source host: 12-230-108-3.client.attbi.com
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 12:30:10 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.15 Source port: 3053
Source host: 15.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 12:30:12 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.15 Source port: 3053
Source host: 15.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 12:48:46 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.15 Source port: 1999
Source host: 15.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 12:48:48 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.15 Source port: 1999
Source host: 15.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 14:28:41 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.15 Source port: 4563
Source host: 15.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 14:28:44 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.15 Source port: 4563
Source host: 15.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 15:04:09 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.73.224.68 Source port: 3642
Source host: 68.houston-01-02rs.tx.dial-access.att.net
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 15:04:12 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.73.224.68 Source port: 3642
Source host: 68.houston-01-02rs.tx.dial-access.att.net
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 16:07:23 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.132.163 Source port: 1373
Source host: 163.seattle-11-12rs.wa.dial-access.att.net
Target IP: 12.82.132.252 Target port: 12345 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 16:07:26 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.132.163 Source port: 1373
Source host: 163.seattle-11-12rs.wa.dial-access.att.net
Target IP: 12.82.132.252 Target port: 12345 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 16:07:33 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.132.163 Source port: 1373
Source host: 163.seattle-11-12rs.wa.dial-access.att.net
Target IP: 12.82.132.252 Target port: 12345 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 16:07:46 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.132.163 Source port: 1373
Source host: 163.seattle-11-12rs.wa.dial-access.att.net
Target IP: 12.82.132.252 Target port: 12345 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 16:50:09 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.28 Source port: 1288
Source host: 28.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 16:50:12 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.28 Source port: 1288
Source host: 28.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 17:08:02 - snort [1:0:0] TCP to 22 ssh
Source IP: 208.63.48.13 Source port: 2601
Source host: 208.63.48.13
Target IP: 12.82.132.252 Target port: 22 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 17:08:05 - snort [1:0:0] TCP to 22 ssh
Source IP: 208.63.48.13 Source port: 2601
Source host: 208.63.48.13
Target IP: 12.82.132.252 Target port: 22 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 17:18:18 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.28 Source port: 2963
Source host: 28.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 17:18:20 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.28 Source port: 2963
Source host: 28.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 17:56:50 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.41.71.12 Source port: 3254
Source host: 12.41.71.12
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 18:34:55 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.246.232 Source port: 4776
Source host: 232.houston-12rh15rt.tx.dial-access.att.net
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 18:34:59 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.246.232 Source port: 4776
Source host: 232.houston-12rh15rt.tx.dial-access.att.net
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 18:56:15 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.230.243.137 Source port: 4985
Source host: 12-230-243-137.client.attbi.com
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 18:56:18 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.230.243.137 Source port: 4985
Source host: 12-230-243-137.client.attbi.com
Target IP: 12.82.132.252 Target port: 80 Proto: TCP
Target host: 252.seattle-11-12rs.wa.dial-access.att.net
Mar 17 20:04:47 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.237.64.180 Source port: 2629
Source host: 12-237-64-180.client.attbi.com
Target IP: 12.82.128.192 Target port: 80 Proto: TCP
Target host: 192.seattle-01-02rs.wa.dial-access.att.net
Mar 17 20:04:50 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.237.64.180 Source port: 2629
Source host: 12-237-64-180.client.attbi.com
Target IP: 12.82.128.192 Target port: 80 Proto: TCP
Target host: 192.seattle-01-02rs.wa.dial-access.att.net
Mar 17 20:52:57 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 218.22.114.10 Source port: 3576
Source host: 218.22.114.10
Target IP: 12.82.128.192 Target port: 80 Proto: TCP
Target host: 192.seattle-01-02rs.wa.dial-access.att.net
Mar 17 20:53:00 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 218.22.114.10 Source port: 3576
Source host: 218.22.114.10
Target IP: 12.82.128.192 Target port: 80 Proto: TCP
Target host: 192.seattle-01-02rs.wa.dial-access.att.net
Mar 17 20:53:06 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 218.22.114.10 Source port: 3576
Source host: 218.22.114.10
Target IP: 12.82.128.192 Target port: 80 Proto: TCP
Target host: 192.seattle-01-02rs.wa.dial-access.att.net
Mar 17 21:25:06 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.73.224.203 Source port: 4333
Source host: 203.houston-01-02rs.tx.dial-access.att.net
Target IP: 12.82.128.192 Target port: 80 Proto: TCP
Target host: 192.seattle-01-02rs.wa.dial-access.att.net
Mar 17 21:25:09 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.73.224.203 Source port: 4333
Source host: 203.houston-01-02rs.tx.dial-access.att.net
Target IP: 12.82.128.192 Target port: 80 Proto: TCP
Target host: 192.seattle-01-02rs.wa.dial-access.att.net
Mar 17 21:25:39 - snort [1:0:0] TCP to 111 sunrpc
Source IP: 61.186.142.195 Source port: 62160
Source host: 61.186.142.195
Target IP: 12.82.128.192 Target port: 111 Proto: TCP
Target host: 192.seattle-01-02rs.wa.dial-access.att.net
Mar 17 21:29:29 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.221.48.30 Source port: 3947
Source host: 12-221-48-30.client.insightBB.com
Target IP: 12.82.128.192 Target port: 80 Proto: TCP
Target host: 192.seattle-01-02rs.wa.dial-access.att.net
Mar 17 21:29:32 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.221.48.30 Source port: 3947
Source host: 12-221-48-30.client.insightBB.com
Target IP: 12.82.128.192 Target port: 80 Proto: TCP
Target host: 192.seattle-01-02rs.wa.dial-access.att.net
Mar 17 21:34:53 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 12.82.128.113 Source port: 1085
Source host: 113.seattle-01-02rs.wa.dial-access.att.net
Target IP: 12.82.128.192 Target port: 137 Proto: UDP
Target host: 192.seattle-01-02rs.wa.dial-access.att.net
Mar 17 22:03:30 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.232.61.5 Source port: 1350
Source host: 12-232-61-5.client.attbi.com
Target IP: 12.82.128.192 Target port: 80 Proto: TCP
Target host: 192.seattle-01-02rs.wa.dial-access.att.net
Mar 17 23:07:12 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.243.216.208 Source port: 1982
Source host: 12-243-216-208.client.attbi.com
Target IP: 12.82.128.192 Target port: 80 Proto: TCP
Target host: 192.seattle-01-02rs.wa.dial-access.att.net
Mar 17 23:07:15 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.243.216.208 Source port: 1982
Source host: 12-243-216-208.client.attbi.com
Target IP: 12.82.128.192 Target port: 80 Proto: TCP
Target host: 192.seattle-01-02rs.wa.dial-access.att.net
Mar 17 23:35:13 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.251.106.202 Source port: 4872
Source host: 12-251-106-202.client.attbi.com
Target IP: 12.82.128.192 Target port: 80 Proto: TCP
Target host: 192.seattle-01-02rs.wa.dial-access.att.net
Mar 17 23:35:16 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.251.106.202 Source port: 4872
Source host: 12-251-106-202.client.attbi.com
Target IP: 12.82.128.192 Target port: 80 Proto: TCP
Target host: 192.seattle-01-02rs.wa.dial-access.att.net
Mar 17 23:42:45 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.234.40.223 Source port: 2327
Source host: 12-234-40-223.client.attbi.com
Target IP: 12.82.128.192 Target port: 80 Proto: TCP
Target host: 192.seattle-01-02rs.wa.dial-access.att.net
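Added example (not part of the original report or of the FinchHaven/snort2html.pl scripts): a small Python parser for the five-line alert records above. It reproduces the "Probes to port N" counts, and it also collapses consecutive alerts from the same source IP and source port a few seconds apart (3 s, then 6 s, the classic SYN retransmission timer) into one connection attempt, since the per-port figures in this report are alert counts rather than distinct attempts. It also lists the target IPs in the order they appear, which on a dialup line marks each reconnect. The sample records are a constructed subset of the day's log; the 30-second window and the function names are assumptions of this example.

```python
"""Parse FinchHaven-style snort alert records and summarise them."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a few records in the exact five-line layout used by
# the report (a subset of the day, not the full log).
SAMPLE = """\
Mar 17 05:06:02 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.228.15.19 Source port: 2940
Source host: 12-228-15-19.client.attbi.com
Target IP: 12.82.140.16 Target port: 80 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 05:06:05 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.228.15.19 Source port: 2940
Source host: 12-228-15-19.client.attbi.com
Target IP: 12.82.140.16 Target port: 80 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 05:31:42 - snort [1:0:0] TCP to 21 ftp
Source IP: 65.90.122.10 Source port: 58932
Source host: 65.90.122.10
Target IP: 12.82.140.16 Target port: 21 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 05:31:45 - snort [1:0:0] TCP to 21 ftp
Source IP: 65.90.122.10 Source port: 58932
Source host: 65.90.122.10
Target IP: 12.82.140.16 Target port: 21 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 05:31:51 - snort [1:0:0] TCP to 21 ftp
Source IP: 65.90.122.10 Source port: 58932
Source host: 65.90.122.10
Target IP: 12.82.140.16 Target port: 21 Proto: TCP
Target host: 16.seattle-05-10rs.wa.dial-access.att.net
Mar 17 21:34:53 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 12.82.128.113 Source port: 1085
Source host: 113.seattle-01-02rs.wa.dial-access.att.net
Target IP: 12.82.128.192 Target port: 137 Proto: UDP
Target host: 192.seattle-01-02rs.wa.dial-access.att.net
"""

HEADER = re.compile(r"^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) - snort \[[\d:]+\] (.+)$")
SRC = re.compile(r"^Source IP: (\S+) Source port: (\d+)$")
DST = re.compile(r"^Target IP: (\S+) Target port: (\d+) Proto: (\w+)$")


def parse_records(text, year=2002):
    """Yield one dict per five-line alert record; syslog lines carry no year."""
    lines = [l for l in text.splitlines() if l.strip()]
    for i in range(0, len(lines) - 4, 5):
        h, s, d = HEADER.match(lines[i]), SRC.match(lines[i + 1]), DST.match(lines[i + 3])
        if not (h and s and d):
            raise ValueError(f"malformed record starting at line {i + 1}: {lines[i]!r}")
        yield {
            "time": datetime.strptime(f"{year} {h.group(1)}", "%Y %b %d %H:%M:%S"),
            "sig": h.group(2), "src": s.group(1), "sport": int(s.group(2)),
            "dst": d.group(1), "dport": int(d.group(2)), "proto": d.group(3),
        }


def probes_per_port(records):
    """Raw alert count per target port, the figure the report's summary shows."""
    return Counter(r["dport"] for r in records)


def distinct_attempts(records, window_s=30):
    """Merge alerts with the same 5-tuple within window_s seconds (SYN retries)."""
    attempts, last = [], {}          # last: 5-tuple -> index into attempts
    for r in sorted(records, key=lambda r: r["time"]):
        key = (r["src"], r["sport"], r["dst"], r["dport"], r["proto"])
        idx = last.get(key)
        if idx is not None and (r["time"] - attempts[idx]["last"]).total_seconds() <= window_s:
            attempts[idx]["alerts"] += 1
            attempts[idx]["last"] = r["time"]
        else:
            last[key] = len(attempts)
            attempts.append({"first": r["time"], "last": r["time"], "alerts": 1,
                             **{k: r[k] for k in ("src", "sport", "dst", "dport", "proto", "sig")}})
    return attempts


def target_ips(records):
    """Distinct target IPs in order of first appearance (one per dialup session)."""
    seen = []
    for r in sorted(records, key=lambda r: r["time"]):
        if r["dst"] not in seen:
            seen.append(r["dst"])
    return seen


if __name__ == "__main__":
    recs = list(parse_records(SAMPLE))
    for port, n in sorted(probes_per_port(recs).items()):
        print(f"Probes to port {port}: {n}")
    for a in distinct_attempts(recs):
        print(f"{a['first']:%b %d %H:%M:%S} {a['src']}:{a['sport']} -> "
              f"{a['dst']}:{a['dport']}/{a['proto']} {a['sig']} ({a['alerts']} alerts)")
    print("Target IPs this day:", ", ".join(target_ips(recs)))
```

Run against the full report body instead of SAMPLE and the 41 port-80 alerts reduce to roughly half as many distinct hosts probing, which is the number worth tracking; a single source with dozens of distinct attempts, rather than one attempt retransmitted, is the pattern that deserves a block in ipchains or portsentry.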
This report generated 03/18/2002 at 04:01:00
by a perl script written by John Sage at FinchHaven.com,
based upon the work of Dan Swan in his script snort2html.pl
jsage@finchhaven.com
Last modified: Thu Mar 21 04:56:22 2002