Logs: 02-22-02


To: jsage@finchhaven.com
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 02/22/2002


Logs at FinchHaven for 02/22/2002 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 02/23/2002

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific Standard Time, GMT -08:00, synchronized by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages:  Probes to port 21 ftp:        0
                       Probes to port 22 ssh:        0
                    Probes to port 23 telnet:        0
                       Probes to port 53 dns:        6
                      Probes to port 80 http:       54
                   Probes to port 111 sunrpc:        0
               Probes to port 137 netbios-ns:        0
              Probes to port 139 netbios-ssn:        0
                    Probes to port 445 ms-ds:        0
                      Probes to port 515 lpr:        0
                  Total, probes to all ports:       60
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

Feb 22 04:48:56 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.224.191.29   Source port: 4310 
Source host: 12-224-191-29.client.attbi.com
  Target IP: 12.82.128.33   Target port: 80   Proto: TCP 
Target host: 33.seattle-01-02rs.wa.dial-access.att.net

Feb 22 04:48:58 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.224.191.29   Source port: 4310 
Source host: 12-224-191-29.client.attbi.com
  Target IP: 12.82.128.33   Target port: 80   Proto: TCP 
Target host: 33.seattle-01-02rs.wa.dial-access.att.net



Feb 22 06:42:37 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.226.6.81   Source port: 3833 
Source host: 12-226-6-81.client.attbi.com
  Target IP: 12.82.128.33   Target port: 80   Proto: TCP 
Target host: 33.seattle-01-02rs.wa.dial-access.att.net

Feb 22 06:42:40 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.226.6.81   Source port: 3833 
Source host: 12-226-6-81.client.attbi.com
  Target IP: 12.82.128.33   Target port: 80   Proto: TCP 
Target host: 33.seattle-01-02rs.wa.dial-access.att.net



Feb 22 07:13:11 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.246.66.159   Source port: 3869 
Source host: 12-246-66-159.client.attbi.com
  Target IP: 12.82.128.33   Target port: 80   Proto: TCP 
Target host: 33.seattle-01-02rs.wa.dial-access.att.net

Feb 22 07:13:14 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.246.66.159   Source port: 3869 
Source host: 12-246-66-159.client.attbi.com
  Target IP: 12.82.128.33   Target port: 80   Proto: TCP 
Target host: 33.seattle-01-02rs.wa.dial-access.att.net



Feb 22 07:40:54 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.234.92.135   Source port: 2387 
Source host: 12-234-92-135.client.attbi.com
  Target IP: 12.82.128.33   Target port: 80   Proto: TCP 
Target host: 33.seattle-01-02rs.wa.dial-access.att.net

Feb 22 07:40:56 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.234.92.135   Source port: 2387 
Source host: 12-234-92-135.client.attbi.com
  Target IP: 12.82.128.33   Target port: 80   Proto: TCP 
Target host: 33.seattle-01-02rs.wa.dial-access.att.net



Feb 22 09:30:18 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.21   Source port: 3867 
Source host: 21.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.128.33   Target port: 80   Proto: TCP 
Target host: 33.seattle-01-02rs.wa.dial-access.att.net

Feb 22 09:30:22 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.21   Source port: 3867 
Source host: 21.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.128.33   Target port: 80   Proto: TCP 
Target host: 33.seattle-01-02rs.wa.dial-access.att.net



Feb 22 12:27:48 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.16   Source port: 2259 
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net

Feb 22 12:27:51 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.16   Source port: 2259 
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net


Feb 22 12:33:26 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.16   Source port: 4933 
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net

Feb 22 12:33:29 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.16   Source port: 4933 
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net


Feb 22 12:48:18 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.16   Source port: 1923 
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net

Feb 22 12:48:21 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.16   Source port: 1923 
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net


Feb 22 13:01:30 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.16   Source port: 3617 
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net

Feb 22 13:01:33 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.16   Source port: 3617 
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net


Feb 22 13:31:21 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.16   Source port: 3917 
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net

Feb 22 13:31:24 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.16   Source port: 3917 
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net


Feb 22 14:37:41 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.16   Source port: 3144 
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net

Feb 22 14:37:44 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.16   Source port: 3144 
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net


Feb 22 15:09:25 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.16   Source port: 4492 
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net

Feb 22 15:09:28 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.16   Source port: 4492 
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net


Feb 22 15:37:54 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.238.128.154   Source port: 4073 
Source host: 12-238-128-154.client.attbi.com
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net


Feb 22 16:02:13 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.136.219   Source port: 2684 
Source host: 219.seattle-21-22rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net

Feb 22 16:02:16 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.136.219   Source port: 2684 
Source host: 219.seattle-21-22rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net


Feb 22 16:46:38 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.151.209   Source port: 2985 
Source host: 209.seattle04rh16rt.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net

Feb 22 16:46:40 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.151.209   Source port: 2985 
Source host: 209.seattle04rh16rt.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net


Feb 22 17:00:23 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.16   Source port: 2795 
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net

Feb 22 17:00:26 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.16   Source port: 2795 
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net



Feb 22 17:07:15 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.151.209   Source port: 2469 
Source host: 209.seattle04rh16rt.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net

Feb 22 17:07:17 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.151.209   Source port: 2469 
Source host: 209.seattle04rh16rt.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net



Feb 22 17:09:18 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.160.228   Source port: 3405 
Source host: 228.seattle09rh15rt.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net

Feb 22 17:09:21 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.160.228   Source port: 3405 
Source host: 228.seattle09rh15rt.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net



Feb 22 17:24:46 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.249.122.29   Source port: 1202 
Source host: 12-249-122-29.client.attbi.com
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net



Feb 22 17:32:24 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.151.209   Source port: 2156 
Source host: 209.seattle04rh16rt.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net

Feb 22 17:32:26 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.151.209   Source port: 2156 
Source host: 209.seattle04rh16rt.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net



Feb 22 17:33:10 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.16   Source port: 1127 
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net

Feb 22 17:33:13 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.16   Source port: 1127 
Source host: 16.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net



Feb 22 18:12:01 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.160.228   Source port: 4765 
Source host: 228.seattle09rh15rt.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net

Feb 22 18:12:04 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.160.228   Source port: 4765 
Source host: 228.seattle09rh15rt.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net


Feb 22 18:43:36 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.160.228   Source port: 1861 
Source host: 228.seattle09rh15rt.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net

Feb 22 18:43:41 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.160.228   Source port: 1861 
Source host: 228.seattle09rh15rt.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net


Feb 22 18:47:21 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.160.228   Source port: 3220 
Source host: 228.seattle09rh15rt.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net

Feb 22 18:47:24 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.160.228   Source port: 3220 
Source host: 228.seattle09rh15rt.wa.dial-access.att.net
  Target IP: 12.82.137.78   Target port: 80   Proto: TCP 
Target host: 78.seattle-23-24rs.wa.dial-access.att.net



Feb 22 22:12:38 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.232.254.216   Source port: 4777 
Source host: 12-232-254-216.client.attbi.com
  Target IP: 12.82.133.166   Target port: 80   Proto: TCP 
Target host: 166.seattle-13-14rs.wa.dial-access.att.net

Feb 22 22:12:41 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.232.254.216   Source port: 4777 
Source host: 12-232-254-216.client.attbi.com
  Target IP: 12.82.133.166   Target port: 80   Proto: TCP 
Target host: 166.seattle-13-14rs.wa.dial-access.att.net



Feb 23 00:28:28 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.184   Source port: 2216 
Source host: 184.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.133.166   Target port: 80   Proto: TCP 
Target host: 166.seattle-13-14rs.wa.dial-access.att.net

Feb 23 00:28:31 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.184   Source port: 2216 
Source host: 184.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.133.166   Target port: 80   Proto: TCP 
Target host: 166.seattle-13-14rs.wa.dial-access.att.net



Feb 23 01:02:20 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.153.244   Source port: 2383 
Source host: 244.seattle05rh16rt.wa.dial-access.att.net
  Target IP: 12.82.133.166   Target port: 80   Proto: TCP 
Target host: 166.seattle-13-14rs.wa.dial-access.att.net

Feb 23 01:02:23 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.153.244   Source port: 2383 
Source host: 244.seattle05rh16rt.wa.dial-access.att.net
  Target IP: 12.82.133.166   Target port: 80   Proto: TCP 
Target host: 166.seattle-13-14rs.wa.dial-access.att.net


Feb 23 02:02:31 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.234.141.6   Source port: 1543 
Source host: 12-234-141-6.client.attbi.com
  Target IP: 12.82.133.166   Target port: 80   Proto: TCP 
Target host: 166.seattle-13-14rs.wa.dial-access.att.net

Feb 23 02:02:34 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.234.141.6   Source port: 1543 
Source host: 12-234-141-6.client.attbi.com
  Target IP: 12.82.133.166   Target port: 80   Proto: TCP 
Target host: 166.seattle-13-14rs.wa.dial-access.att.net



This report generated 02/23/2002 at 04:01:00 
by a perl script written by John Sage at FinchHaven.com, 
based upon the work of Dan Swan in his script snort2html.pl


jsage@finchhaven.com
Last modified: Wed Feb 27 19:48:47 2002