Logs 02-21-02


Date: Fri, 22 Feb 2002 04:01:00 -0800
To: jsage@finchhaven.com
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 02/21/2002

Logs at FinchHaven for 02/21/2002 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 02/22/2002

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages:  Probes to port 21 ftp:        3
                       Probes to port 22 ssh:        0
                    Probes to port 23 telnet:        0
                       Probes to port 53 dns:        6
                      Probes to port 80 http:       46
                   Probes to port 111 sunrpc:        0
               Probes to port 137 netbios-ns:        0
              Probes to port 139 netbios-ssn:        0
                    Probes to port 445 ms-ds:        0
                      Probes to port 515 lpr:        0
                  Total, probes to all ports:       72
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

Feb 21 04:08:56 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.225.174.22   Source port: 1425 
Source host: 12-225-174-22.client.attbi.com
  Target IP: 12.82.129.53   Target port: 80   Proto: TCP 
Target host: 53.seattle-03-04rs.wa.dial-access.att.net

Feb 21 04:08:59 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.225.174.22   Source port: 1425 
Source host: 12-225-174-22.client.attbi.com
  Target IP: 12.82.129.53   Target port: 80   Proto: TCP 
Target host: 53.seattle-03-04rs.wa.dial-access.att.net


Feb 21 06:00:56 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.229.249.139   Source port: 2924 
Source host: 12-229-249-139.client.attbi.com
  Target IP: 12.82.129.53   Target port: 80   Proto: TCP 
Target host: 53.seattle-03-04rs.wa.dial-access.att.net

Feb 21 06:00:59 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.229.249.139   Source port: 2924 
Source host: 12-229-249-139.client.attbi.com
  Target IP: 12.82.129.53   Target port: 80   Proto: TCP 
Target host: 53.seattle-03-04rs.wa.dial-access.att.net


Feb 21 18:25:23 - snort [1:0:0] ICMP echo request 
  Source IP: 152.158.2.48     Source port: -N/A-
Source host: ns.de.prserv.net
  Target IP: 12.82.140.70   Target port: -N/A-   Proto: ICMP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 18:25:49 - snort [1:0:0] ICMP echo request 
  Source IP: 152.158.2.48     Source port: -N/A-
Source host: ns.de.prserv.net
  Target IP: 12.82.140.70   Target port: -N/A-   Proto: ICMP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net


Feb 21 18:27:15 - snort [1:0:0] ICMP echo request 
  Source IP: 194.203.119.46     Source port: -N/A-
Source host: ns.wcom.co.uk
  Target IP: 12.82.140.70   Target port: -N/A-   Proto: ICMP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net


Feb 21 19:13:26 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.130.185   Source port: 4354 
Source host: 185.seattle-06-07rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 19:13:29 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.130.185   Source port: 4354 
Source host: 185.seattle-06-07rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net


Feb 21 19:41:24 - snort [1:0:0] TCP to 27374 SubSeven 
  Source IP: 66.76.139.72   Source port: 1109 
Source host: 66.76.139.72
  Target IP: 12.82.140.70   Target port: 27374   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 19:41:27 - snort [1:0:0] TCP to 27374 SubSeven 
  Source IP: 66.76.139.72   Source port: 1109 
Source host: 66.76.139.72
  Target IP: 12.82.140.70   Target port: 27374   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 19:41:33 - snort [1:0:0] TCP to 27374 SubSeven 
  Source IP: 66.76.139.72   Source port: 1109 
Source host: 66.76.139.72
  Target IP: 12.82.140.70   Target port: 27374   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 19:41:45 - snort [1:0:0] TCP to 27374 SubSeven 
  Source IP: 66.76.139.72   Source port: 1109 
Source host: 66.76.139.72
  Target IP: 12.82.140.70   Target port: 27374   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net


Feb 21 20:00:11 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.130.185   Source port: 3902 
Source host: 185.seattle-06-07rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 20:00:14 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.130.185   Source port: 3902 
Source host: 185.seattle-06-07rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 20:09:31 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.130.185   Source port: 3207 
Source host: 185.seattle-06-07rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 20:09:34 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.130.185   Source port: 3207 
Source host: 185.seattle-06-07rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net


Feb 21 20:14:39 - snort [1:0:0] ICMP echo request 
  Source IP: 194.42.1.1     Source port: -N/A-
Source host: zeus.cc.ucy.ac.cy
  Target IP: 12.82.140.70   Target port: -N/A-   Proto: ICMP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net


Feb 21 20:15:30 - snort [1:0:0] ICMP echo request 
  Source IP: 194.42.1.1     Source port: -N/A-
Source host: zeus.cc.ucy.ac.cy
  Target IP: 12.82.140.70   Target port: -N/A-   Proto: ICMP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net


Feb 21 20:17:41 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.243.2   Source port: 3009 
Source host: 2.houston-10rh16rt.tx.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 20:17:45 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.243.2   Source port: 3009 
Source host: 2.houston-10rh16rt.tx.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net


Feb 21 20:22:12 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.157.97   Source port: 4677 
Source host: 97.seattle07rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 20:22:15 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.157.97   Source port: 4677 
Source host: 97.seattle07rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net


Feb 21 20:30:01 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.136.94   Source port: 3777 
Source host: 94.seattle-21-22rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 20:30:04 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.136.94   Source port: 3777 
Source host: 94.seattle-21-22rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net


Feb 21 20:46:24 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.157.97   Source port: 3082 
Source host: 97.seattle07rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 20:46:27 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.157.97   Source port: 3082 
Source host: 97.seattle07rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 20:55:44 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.157.97   Source port: 2841 
Source host: 97.seattle07rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 20:55:47 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.157.97   Source port: 2841 
Source host: 97.seattle07rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net


Feb 21 21:07:26 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.130.185   Source port: 2271 
Source host: 185.seattle-06-07rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 21:07:29 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.130.185   Source port: 2271 
Source host: 185.seattle-06-07rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net




Feb 21 21:37:54 - snort [1:0:0] TCP to 21 ftp 
  Source IP: 80.134.16.16   Source port: 3009 
Source host: p50861010.dip.t-dialin.net
  Target IP: 12.82.140.70   Target port: 21   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 21:37:57 - snort [1:0:0] TCP to 21 ftp 
  Source IP: 80.134.16.16   Source port: 3009 
Source host: p50861010.dip.t-dialin.net
  Target IP: 12.82.140.70   Target port: 21   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 21:38:02 - snort [1:0:0] TCP to 21 ftp 
  Source IP: 80.134.16.16   Source port: 3009 
Source host: p50861010.dip.t-dialin.net
  Target IP: 12.82.140.70   Target port: 21   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net



Feb 21 21:46:47 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.130.185   Source port: 3552 
Source host: 185.seattle-06-07rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 21:46:50 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.130.185   Source port: 3552 
Source host: 185.seattle-06-07rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net


Feb 21 22:06:36 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.161.43   Source port: 1654 
Source host: 43.seattle09rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 22:06:38 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.161.43   Source port: 1654 
Source host: 43.seattle09rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 22:28:53 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.161.43   Source port: 1112 
Source host: 43.seattle09rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 22:28:56 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.161.43   Source port: 1112 
Source host: 43.seattle09rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net


Feb 21 22:32:33 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.161.43   Source port: 2444 
Source host: 43.seattle09rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 22:32:37 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.161.43   Source port: 2444 
Source host: 43.seattle09rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 22:32:58 - snort [1:0:0] TCP from range 8444-60999 
  Source IP: 66.186.213.43   Source port: 49448 
Source host: 66.186.213.43
  Target IP: 12.82.140.70   Target port: 61160   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 22:38:12 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.161.43   Source port: 4847 
Source host: 43.seattle09rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 22:38:15 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.161.43   Source port: 4847 
Source host: 43.seattle09rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net


Feb 21 23:13:11 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.161.246   Source port: 2402 
Source host: 246.seattle09rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 23:13:11 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.161.246   Source port: 2406 
Source host: 246.seattle09rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 23:13:13 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.161.246   Source port: 2402 
Source host: 246.seattle09rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 23:13:13 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.161.246   Source port: 2406 
Source host: 246.seattle09rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 23:16:51 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.161.246   Source port: 2523 
Source host: 246.seattle09rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 23:16:54 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.161.246   Source port: 2523 
Source host: 246.seattle09rh16rt.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net


Feb 21 23:31:26 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.130.185   Source port: 2009 
Source host: 185.seattle-06-07rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 21 23:31:29 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.130.185   Source port: 2009 
Source host: 185.seattle-06-07rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 22 01:35:33 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.130.185   Source port: 4619 
Source host: 185.seattle-06-07rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 22 01:35:37 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.130.185   Source port: 4619 
Source host: 185.seattle-06-07rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 22 01:37:31 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.130.185   Source port: 2047 
Source host: 185.seattle-06-07rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 22 01:37:34 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.130.185   Source port: 2047 
Source host: 185.seattle-06-07rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net


Feb 22 01:51:28 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.138.107   Source port: 2108 
Source host: 107.seattle-26-27rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net

Feb 22 01:51:31 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.138.107   Source port: 2108 
Source host: 107.seattle-26-27rs.wa.dial-access.att.net
  Target IP: 12.82.140.70   Target port: 80   Proto: TCP 
Target host: 70.seattle-05-10rs.wa.dial-access.att.net



This report generated 02/22/2002 at 04:01:00
 by a perl script written by John Sage at FinchHaven.com,
 based upon the work of Dan Swan in his script snort2html.pl


jsage@finchhaven.com
Last modified: Fri Feb 22 10:21:33 2002