Logs: 02-14-02


To: jsage@finchhaven.com
Cc: root@sparky.finchhaven.net
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 02/14/2002

Logs at FinchHaven for 02/14/2002 extracted from /var/log/messages
Report generated 04:01:01 (TZ -08:00) 02/15/2002

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7


Feb 14 04:22:12 - snort [1:0:0] TCP to 111 sunrpc 
  Source IP: 210.117.6.205   Source port: 2221 
Source host: 210.117.6.205
  Target IP: 12.82.128.108   Target port: 111   Proto: TCP 
Target host: 108.seattle-01-02rs.wa.dial-access.att.net



Feb 14 06:22:17 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.43.52.131   Source port: 2682 
Source host: 12.43.52.131
  Target IP: 12.82.128.108   Target port: 80   Proto: TCP 
Target host: 108.seattle-01-02rs.wa.dial-access.att.net

Feb 14 06:22:20 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.43.52.131   Source port: 2682 
Source host: 12.43.52.131
  Target IP: 12.82.128.108   Target port: 80   Proto: TCP 
Target host: 108.seattle-01-02rs.wa.dial-access.att.net



Feb 14 07:10:04 - snort [1:0:0] ICMP echo request 
  Source IP: 210.24.202.36     Source port: -N/A-
Source host: adsl36.dyn202.pacific.net.sg
  Target IP: 12.82.128.108   Target port: -N/A-   Proto: ICMP 
Target host: 108.seattle-01-02rs.wa.dial-access.att.net



Feb 14 09:32:31 - snort [1:0:0] ICMP echo request 
  Source IP: 80.11.61.157     Source port: -N/A-
Source host: APlessis-Bouchard-104-1-1-157.abo.wanadoo.fr
  Target IP: 12.82.131.37   Target port: -N/A-   Proto: ICMP 
Target host: 37.seattle-08-09rs.wa.dial-access.att.net



Feb 14 10:34:37 - snort [1:0:0] TCP to 111 sunrpc 
  Source IP: 63.174.116.8   Source port: 1735 
Source host: 63.174.116.8
  Target IP: 12.82.131.37   Target port: 111   Proto: TCP 
Target host: 37.seattle-08-09rs.wa.dial-access.att.net



Feb 14 11:18:30 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.134.236   Source port: 3781 
Source host: 236.seattle-16-17rs.wa.dial-access.att.net
  Target IP: 12.82.131.37   Target port: 80   Proto: TCP 
Target host: 37.seattle-08-09rs.wa.dial-access.att.net

Feb 14 11:18:33 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.134.236   Source port: 3781 
Source host: 236.seattle-16-17rs.wa.dial-access.att.net
  Target IP: 12.82.131.37   Target port: 80   Proto: TCP 
Target host: 37.seattle-08-09rs.wa.dial-access.att.net


Feb 14 11:51:20 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.134.236   Source port: 2999 
Source host: 236.seattle-16-17rs.wa.dial-access.att.net
  Target IP: 12.82.131.37   Target port: 80   Proto: TCP 
Target host: 37.seattle-08-09rs.wa.dial-access.att.net

Feb 14 11:51:23 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.134.236   Source port: 2999 
Source host: 236.seattle-16-17rs.wa.dial-access.att.net
  Target IP: 12.82.131.37   Target port: 80   Proto: TCP 
Target host: 37.seattle-08-09rs.wa.dial-access.att.net


Feb 14 12:37:55 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.134.236   Source port: 2144 
Source host: 236.seattle-16-17rs.wa.dial-access.att.net
  Target IP: 12.82.131.37   Target port: 80   Proto: TCP 
Target host: 37.seattle-08-09rs.wa.dial-access.att.net

Feb 14 12:37:58 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.134.236   Source port: 2144 
Source host: 236.seattle-16-17rs.wa.dial-access.att.net
  Target IP: 12.82.131.37   Target port: 80   Proto: TCP 
Target host: 37.seattle-08-09rs.wa.dial-access.att.net


Feb 14 14:19:52 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.134.236   Source port: 1908 
Source host: 236.seattle-16-17rs.wa.dial-access.att.net
  Target IP: 12.82.131.37   Target port: 80   Proto: TCP 
Target host: 37.seattle-08-09rs.wa.dial-access.att.net

Feb 14 14:19:55 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.134.236   Source port: 1908 
Source host: 236.seattle-16-17rs.wa.dial-access.att.net
  Target IP: 12.82.131.37   Target port: 80   Proto: TCP 
Target host: 37.seattle-08-09rs.wa.dial-access.att.net



Feb 14 15:15:57 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 207.1.210.227   Source port: 3741 
Source host: 207.1.210.227
  Target IP: 12.82.131.37   Target port: 80   Proto: TCP 
Target host: 37.seattle-08-09rs.wa.dial-access.att.net

Feb 14 15:15:59 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 207.1.210.227   Source port: 3741 
Source host: 207.1.210.227
  Target IP: 12.82.131.37   Target port: 80   Proto: TCP 
Target host: 37.seattle-08-09rs.wa.dial-access.att.net

Feb 14 15:16:05 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 207.1.210.227   Source port: 3741 
Source host: 207.1.210.227
  Target IP: 12.82.131.37   Target port: 80   Proto: TCP 
Target host: 37.seattle-08-09rs.wa.dial-access.att.net



Feb 14 15:20:34 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.134.236   Source port: 2755 
Source host: 236.seattle-16-17rs.wa.dial-access.att.net
  Target IP: 12.82.131.37   Target port: 80   Proto: TCP 
Target host: 37.seattle-08-09rs.wa.dial-access.att.net

Feb 14 15:20:36 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.134.236   Source port: 2755 
Source host: 236.seattle-16-17rs.wa.dial-access.att.net
  Target IP: 12.82.131.37   Target port: 80   Proto: TCP 
Target host: 37.seattle-08-09rs.wa.dial-access.att.net



Feb 14 19:31:43 - snort [1:0:0] TCP to range 1025-60999 
  Source IP: 24.213.60.79   Source port: 6667 
Source host: 24.213.60.79.up.mi.chartermi.net
  Target IP: 12.82.131.69   Target port: 25415   Proto: TCP 
Target host: 69.seattle-08-09rs.wa.dial-access.att.net



Feb 14 20:45:39 - snort [1:0:0] TCP to 1214 KaZaa 
  Source IP: 172.135.49.197   Source port: 2195 
Source host: AC8731C5.ipt.aol.com
  Target IP: 12.82.131.69   Target port: 1214   Proto: TCP 
Target host: 69.seattle-08-09rs.wa.dial-access.att.net

Feb 14 20:45:41 - snort [1:0:0] TCP to 1214 KaZaa 
  Source IP: 172.135.49.197   Source port: 2195 
Source host: AC8731C5.ipt.aol.com
  Target IP: 12.82.131.69   Target port: 1214   Proto: TCP 
Target host: 69.seattle-08-09rs.wa.dial-access.att.net

Feb 14 20:45:47 - snort [1:0:0] TCP to 1214 KaZaa 
  Source IP: 172.135.49.197   Source port: 2195 
Source host: AC8731C5.ipt.aol.com
  Target IP: 12.82.131.69   Target port: 1214   Proto: TCP 
Target host: 69.seattle-08-09rs.wa.dial-access.att.net



Feb 15 01:11:53 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 211.92.49.174   Source port: 4210 
Source host: 211.92.49.174
  Target IP: 12.82.131.69   Target port: 80   Proto: TCP 
Target host: 69.seattle-08-09rs.wa.dial-access.att.net

Feb 15 01:11:56 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 211.92.49.174   Source port: 4210 
Source host: 211.92.49.174
  Target IP: 12.82.131.69   Target port: 80   Proto: TCP 
Target host: 69.seattle-08-09rs.wa.dial-access.att.net

Feb 15 01:12:02 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 211.92.49.174   Source port: 4210 
Source host: 211.92.49.174
  Target IP: 12.82.131.69   Target port: 80   Proto: TCP 
Target host: 69.seattle-08-09rs.wa.dial-access.att.net



Feb 15 03:01:36 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 12.24.76.131   Source port: 277 
Source host: cmss-outside-perimeter01.chasemellon.com
  Target IP: 12.82.129.49   Target port: 137   Proto: UDP 
Target host: 49.seattle-03-04rs.wa.dial-access.att.net

Feb 15 03:01:36 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 12.24.76.131   Source port: 278 
Source host: cmss-outside-perimeter01.chasemellon.com
  Target IP: 12.82.129.49   Target port: 137   Proto: UDP 
Target host: 49.seattle-03-04rs.wa.dial-access.att.net

Feb 15 03:01:37 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 12.24.76.131   Source port: 278 
Source host: cmss-outside-perimeter01.chasemellon.com
  Target IP: 12.82.129.49   Target port: 137   Proto: UDP 
Target host: 49.seattle-03-04rs.wa.dial-access.att.net

Feb 15 03:01:37 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 12.24.76.131   Source port: 277 
Source host: cmss-outside-perimeter01.chasemellon.com
  Target IP: 12.82.129.49   Target port: 137   Proto: UDP 
Target host: 49.seattle-03-04rs.wa.dial-access.att.net

Feb 15 03:01:39 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 12.24.76.131   Source port: 277 
Source host: cmss-outside-perimeter01.chasemellon.com
  Target IP: 12.82.129.49   Target port: 137   Proto: UDP 
Target host: 49.seattle-03-04rs.wa.dial-access.att.net

Feb 15 03:01:39 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 12.24.76.131   Source port: 278 
Source host: cmss-outside-perimeter01.chasemellon.com
  Target IP: 12.82.129.49   Target port: 137   Proto: UDP 
Target host: 49.seattle-03-04rs.wa.dial-access.att.net

Feb 15 03:01:40 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 12.24.76.131   Source port: 279 
Source host: cmss-outside-perimeter01.chasemellon.com
  Target IP: 12.82.129.49   Target port: 137   Proto: UDP 
Target host: 49.seattle-03-04rs.wa.dial-access.att.net

Feb 15 03:01:42 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 12.24.76.131   Source port: 279 
Source host: cmss-outside-perimeter01.chasemellon.com
  Target IP: 12.82.129.49   Target port: 137   Proto: UDP 
Target host: 49.seattle-03-04rs.wa.dial-access.att.net

Feb 15 03:01:43 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 12.24.76.131   Source port: 279 
Source host: cmss-outside-perimeter01.chasemellon.com
  Target IP: 12.82.129.49   Target port: 137   Proto: UDP 
Target host: 49.seattle-03-04rs.wa.dial-access.att.net



This report generated 02/15/2002 at 04:01:01 
by a perl script written by John Sage at FinchHaven.com, 
based upon the work of Dan Swan in his script snort2html.pl



jsage@finchhaven.com
Last modified: Fri Feb 22 20:34:38 2002