Logs: 02-23-02
Date: Sun, 24 Feb 2002 04:01:00 -0800
To: jsage@finchhaven.com
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 02/23/2002
Logs at FinchHaven for 02/23/2002 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 02/24/2002
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages: Probes to port 21 ftp: 0
Probes to port 22 ssh: 1
Probes to port 23 telnet: 0
Probes to port 53 dns: 12
Probes to port 80 http: 38
Probes to port 111 sunrpc: 0
Probes to port 137 netbios-ns: 0
Probes to port 139 netbios-ssn: 0
Probes to port 445 ms-ds: 0
Probes to port 515 lpr: 0
Total, probes to all ports: 47
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Feb 23 09:18:06 - snort [1:0:0] TCP to 22 ssh
Source IP: 194.143.41.132 Source port: 22
Source host: 194.143.41.132
Target IP: 12.82.132.108 Target port: 22 Proto: TCP
Target host: 108.seattle-11-12rs.wa.dial-access.att.net
Feb 23 09:20:42 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.234.140.100 Source port: 3231
Source host: 12-234-140-100.client.attbi.com
Target IP: 12.82.132.108 Target port: 80 Proto: TCP
Target host: 108.seattle-11-12rs.wa.dial-access.att.net
Feb 23 09:20:46 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.234.140.100 Source port: 3231
Source host: 12-234-140-100.client.attbi.com
Target IP: 12.82.132.108 Target port: 80 Proto: TCP
Target host: 108.seattle-11-12rs.wa.dial-access.att.net
Feb 23 09:43:14 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.244.35 Source port: 2463
Source host: 35.houston-11rh15rt.tx.dial-access.att.net
Target IP: 12.82.132.108 Target port: 80 Proto: TCP
Target host: 108.seattle-11-12rs.wa.dial-access.att.net
Feb 23 09:43:17 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.244.35 Source port: 2463
Source host: 35.houston-11rh15rt.tx.dial-access.att.net
Target IP: 12.82.132.108 Target port: 80 Proto: TCP
Target host: 108.seattle-11-12rs.wa.dial-access.att.net
Feb 23 10:10:10 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.137.94 Source port: 3649
Source host: 94.seattle-23-24rs.wa.dial-access.att.net
Target IP: 12.82.132.108 Target port: 80 Proto: TCP
Target host: 108.seattle-11-12rs.wa.dial-access.att.net
Feb 23 10:23:10 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.64.192.199 Source port: 1457
Source host: slip-12-64-192-199.mis.prserv.net
Target IP: 12.82.132.108 Target port: 80 Proto: TCP
Target host: 108.seattle-11-12rs.wa.dial-access.att.net
Feb 23 10:23:12 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.64.192.199 Source port: 1457
Source host: slip-12-64-192-199.mis.prserv.net
Target IP: 12.82.132.108 Target port: 80 Proto: TCP
Target host: 108.seattle-11-12rs.wa.dial-access.att.net
Feb 23 13:05:52 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.246.129.202 Source port: 2355
Source host: 12-246-129-202.client.attbi.com
Target IP: 12.82.132.108 Target port: 80 Proto: TCP
Target host: 108.seattle-11-12rs.wa.dial-access.att.net
Feb 23 13:05:55 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.246.129.202 Source port: 2355
Source host: 12-246-129-202.client.attbi.com
Target IP: 12.82.132.108 Target port: 80 Proto: TCP
Target host: 108.seattle-11-12rs.wa.dial-access.att.net
Feb 23 17:15:11 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.106 Source port: 2448
Source host: 106.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 17:15:14 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.106 Source port: 2448
Source host: 106.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 19:08:27 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.152.38 Source port: 4003
Source host: 38.seattle05rh15rt.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 19:08:30 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.152.38 Source port: 4003
Source host: 38.seattle05rh15rt.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 19:28:54 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.154.229 Source port: 2337
Source host: 229.seattle06rh15rt.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 19:28:57 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.154.229 Source port: 2337
Source host: 229.seattle06rh15rt.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 19:38:13 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.154.229 Source port: 3369
Source host: 229.seattle06rh15rt.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 19:38:16 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.154.229 Source port: 3369
Source host: 229.seattle06rh15rt.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 19:55:29 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.60 Source port: 2514
Source host: 60.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 19:55:32 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.60 Source port: 2514
Source host: 60.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 20:02:54 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.60 Source port: 4930
Source host: 60.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 20:02:57 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.60 Source port: 4930
Source host: 60.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 22:19:29 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.128.194 Source port: 1227
Source host: 194.seattle-01-02rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 12345 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 22:19:35 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.128.194 Source port: 1227
Source host: 194.seattle-01-02rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 12345 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 22:19:38 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.128.194 Source port: 1227
Source host: 194.seattle-01-02rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 12345 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 22:19:50 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.128.194 Source port: 1227
Source host: 194.seattle-01-02rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 12345 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 23:01:17 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.160.43 Source port: 2672
Source host: 43.seattle09rh15rt.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 23:01:20 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.160.43 Source port: 2672
Source host: 43.seattle09rh15rt.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 23:05:04 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.160.43 Source port: 2844
Source host: 43.seattle09rh15rt.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 23:06:33 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.129.159 Source port: 4256
Source host: 159.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 23:06:36 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.129.159 Source port: 4256
Source host: 159.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 23:36:54 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.160.43 Source port: 3363
Source host: 43.seattle09rh15rt.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 23:47:35 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.129.159 Source port: 3093
Source host: 159.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 23:47:38 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.129.159 Source port: 3093
Source host: 159.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 23:51:19 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.129.159 Source port: 3984
Source host: 159.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 23:51:22 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.129.159 Source port: 3984
Source host: 159.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 23:55:12 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.129.159 Source port: 1269
Source host: 159.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 23:55:15 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.129.159 Source port: 1269
Source host: 159.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 23 23:57:16 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.160.43 Source port: 2022
Source host: 43.seattle09rh15rt.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 24 00:00:39 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.129.159 Source port: 2298
Source host: 159.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 24 00:00:42 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.129.159 Source port: 2298
Source host: 159.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 24 00:04:37 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.160.43 Source port: 2075
Source host: 43.seattle09rh15rt.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
Feb 24 00:04:40 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.160.43 Source port: 2075
Source host: 43.seattle09rh15rt.wa.dial-access.att.net
Target IP: 12.82.128.83 Target port: 80 Proto: TCP
Target host: 83.seattle-01-02rs.wa.dial-access.att.net
This report generated 02/24/2002 at 04:01:00
by a perl script written by John Sage at FinchHaven.com,
based upon the work of Dan Swan in his script snort2html.pl
jsage@finchhaven.com
Last modified: Sun Feb 24 09:12:20 2002