Logs: 02-25-02


To: jsage@finchhaven.com
Cc: root@sparky.finchhaven.net
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 02/25/2002

Logs at FinchHaven for 02/25/2002 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 02/26/2002

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7


Feb 25 05:16:25 - snort [1:0:0] TCP to 21 ftp 
  Source IP: 217.128.8.225   Source port: 1494 
Source host: AAnnecy-102-1-1-225.abo.wanadoo.fr
  Target IP: 12.82.128.251   Target port: 21   Proto: TCP 
Target host: 251.seattle-01-02rs.wa.dial-access.att.net

Feb 25 05:16:28 - snort [1:0:0] TCP to 21 ftp 
  Source IP: 217.128.8.225   Source port: 1494 
Source host: AAnnecy-102-1-1-225.abo.wanadoo.fr
  Target IP: 12.82.128.251   Target port: 21   Proto: TCP 
Target host: 251.seattle-01-02rs.wa.dial-access.att.net


Feb 25 05:28:29 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.17.165.244   Source port: 3264 
Source host: 12.17.165.244
  Target IP: 12.82.128.251   Target port: 80   Proto: TCP 
Target host: 251.seattle-01-02rs.wa.dial-access.att.net

Feb 25 05:28:32 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.17.165.244   Source port: 3264 
Source host: 12.17.165.244
  Target IP: 12.82.128.251   Target port: 80   Proto: TCP 
Target host: 251.seattle-01-02rs.wa.dial-access.att.net

Feb 25 05:35:55 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.17.165.244   Source port: 3668 
Source host: 12.17.165.244
  Target IP: 12.82.128.251   Target port: 80   Proto: TCP 
Target host: 251.seattle-01-02rs.wa.dial-access.att.net

Feb 25 05:35:58 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.17.165.244   Source port: 3668 
Source host: 12.17.165.244
  Target IP: 12.82.128.251   Target port: 80   Proto: TCP 
Target host: 251.seattle-01-02rs.wa.dial-access.att.net


Feb 25 08:15:50 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.235.66.230   Source port: 1584 
Source host: 12-235-66-230.client.attbi.com
  Target IP: 12.82.128.251   Target port: 80   Proto: TCP 
Target host: 251.seattle-01-02rs.wa.dial-access.att.net

Feb 25 08:15:53 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.235.66.230   Source port: 1584 
Source host: 12-235-66-230.client.attbi.com
  Target IP: 12.82.128.251   Target port: 80   Proto: TCP 
Target host: 251.seattle-01-02rs.wa.dial-access.att.net


Feb 25 11:13:46 - snort [1:0:0] TCP to 111 sunrpc 
  Source IP: 61.33.21.83   Source port: 1965 
Source host: 61.33.21.83
  Target IP: 12.82.128.251   Target port: 111   Proto: TCP 
Target host: 251.seattle-01-02rs.wa.dial-access.att.net

This is the *only* tcp:6346/gnutella probe I'm including - see "dialup cruft" for more details about the Gnutella blizzard I experienced this day...

Here's why:

===============================================================================
Snort processed 1435 packets.
Breakdown by protocol:                Action Stats:

    TCP: 1435       (100.000%)         ALERTS: 0         
    UDP: 0          (0.000%)          LOGGED: 0         
   ICMP: 0          (0.000%)          PASSED: 0         
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================

That's port 6346, Gnutella, **only**...


Feb 25 11:36:09 - snort [1:0:0] TCP to 6346 gnutella 
  Source IP: 12.254.23.104   Source port: 1314 
Source host: 12-254-23-104.client.attbi.com
  Target IP: 12.82.137.117   Target port: 6346   Proto: TCP 
Target host: 117.seattle-23-24rs.wa.dial-access.att.net


Feb 25 11:36:13 - snort [1:0:0] TCP to 111 sunrpc 
  Source IP: 212.210.177.7   Source port: 4393 
Source host: 212.210.177.7
  Target IP: 12.82.137.117   Target port: 111   Proto: TCP 
Target host: 117.seattle-23-24rs.wa.dial-access.att.net

<snip>

Feb 25 12:00:11 - snort [1:0:0] ICMP echo request 
  Source IP: 205.146.79.20     Source port: -N/A-
Source host: External.Court.State.PA.US
  Target IP: 12.82.137.117   Target port: -N/A-   Proto: ICMP 
Target host: 117.seattle-23-24rs.wa.dial-access.att.net

<snip>

Feb 25 12:08:29 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.252.71.38   Source port: 2187 
Source host: 12-252-71-38.client.attbi.com
  Target IP: 12.82.137.117   Target port: 80   Proto: TCP 
Target host: 117.seattle-23-24rs.wa.dial-access.att.net

<snip>

Feb 25 12:10:56 - snort [1:0:0] TCP to 111 sunrpc 
  Source IP: 212.210.177.7   Source port: 1177 
Source host: 212.210.177.7
  Target IP: 12.82.137.117   Target port: 111   Proto: TCP 
Target host: 117.seattle-23-24rs.wa.dial-access.att.net

<snip>

Feb 25 17:09:30 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.234.181   Source port: 1698 
Source host: 181.houston-06rh15rt.tx.dial-access.att.net
  Target IP: 12.82.137.117   Target port: 80   Proto: TCP 
Target host: 117.seattle-23-24rs.wa.dial-access.att.net

Feb 25 17:09:33 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.234.181   Source port: 1698 
Source host: 181.houston-06rh15rt.tx.dial-access.att.net
  Target IP: 12.82.137.117   Target port: 80   Proto: TCP 
Target host: 117.seattle-23-24rs.wa.dial-access.att.net

<snip>

Feb 25 17:23:56 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.234.181   Source port: 1523 
Source host: 181.houston-06rh15rt.tx.dial-access.att.net
  Target IP: 12.82.137.117   Target port: 80   Proto: TCP 
Target host: 117.seattle-23-24rs.wa.dial-access.att.net

Feb 25 17:23:59 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.234.181   Source port: 1523 
Source host: 181.houston-06rh15rt.tx.dial-access.att.net
  Target IP: 12.82.137.117   Target port: 80   Proto: TCP 
Target host: 117.seattle-23-24rs.wa.dial-access.att.net

<snip>

Feb 25 17:27:44 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.234.181   Source port: 2326 
Source host: 181.houston-06rh15rt.tx.dial-access.att.net
  Target IP: 12.82.137.117   Target port: 80   Proto: TCP 
Target host: 117.seattle-23-24rs.wa.dial-access.att.net

Feb 25 17:27:46 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.234.181   Source port: 2326 
Source host: 181.houston-06rh15rt.tx.dial-access.att.net
  Target IP: 12.82.137.117   Target port: 80   Proto: TCP 
Target host: 117.seattle-23-24rs.wa.dial-access.att.net

<snip>

Feb 25 17:37:25 - snort [1:0:0] TCP to 6346 gnutella 
  Source IP: 172.133.21.153   Source port: 3732 
Source host: AC851599.ipt.aol.com
  Target IP: 12.82.137.117   Target port: 6346   Proto: TCP 
Target host: 117.seattle-23-24rs.wa.dial-access.att.net

Feb 25 17:37:31 - snort [1:0:0] TCP to 6346 gnutella 
  Source IP: 172.133.21.153   Source port: 3732 
Source host: AC851599.ipt.aol.com
  Target IP: 12.82.137.117   Target port: 6346   Proto: TCP 
Target host: 117.seattle-23-24rs.wa.dial-access.att.net

So now I disconnect to get rid of the Gnutella monster...

...and I get attacked by the KaZaa monster. :-(


Feb 25 17:56:39 - snort [1:0:0] TCP to 1214 KaZaa 
  Source IP: 80.213.75.75   Source port: 3934 
Source host: 80.213.75.75
  Target IP: 12.82.128.96   Target port: 1214   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net

Feb 25 17:56:42 - snort [1:0:0] TCP to 1214 KaZaa 
  Source IP: 80.213.75.75   Source port: 3934 
Source host: 80.213.75.75
  Target IP: 12.82.128.96   Target port: 1214   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net

And that's all of *them* I'm gonna include....


Feb 25 18:31:13 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.234.181   Source port: 1158 
Source host: 181.houston-06rh15rt.tx.dial-access.att.net
  Target IP: 12.82.128.96   Target port: 80   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net

Feb 25 18:31:16 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.234.181   Source port: 1158 
Source host: 181.houston-06rh15rt.tx.dial-access.att.net
  Target IP: 12.82.128.96   Target port: 80   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net


Feb 25 18:57:07 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.73.246.2   Source port: 2361 
Source host: 2.houston-05-10rs.tx.dial-access.att.net
  Target IP: 12.82.128.96   Target port: 80   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net

Feb 25 18:57:10 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.73.246.2   Source port: 2361 
Source host: 2.houston-05-10rs.tx.dial-access.att.net
  Target IP: 12.82.128.96   Target port: 80   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net


Feb 25 19:42:41 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.137.228   Source port: 2553 
Source host: 228.seattle-23-24rs.wa.dial-access.att.net
  Target IP: 12.82.128.96   Target port: 80   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net

Feb 25 19:42:44 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.137.228   Source port: 2553 
Source host: 228.seattle-23-24rs.wa.dial-access.att.net
  Target IP: 12.82.128.96   Target port: 80   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net


Feb 25 19:57:39 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.137.228   Source port: 4518 
Source host: 228.seattle-23-24rs.wa.dial-access.att.net
  Target IP: 12.82.128.96   Target port: 80   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net

Feb 25 19:57:42 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.137.228   Source port: 4518 
Source host: 228.seattle-23-24rs.wa.dial-access.att.net
  Target IP: 12.82.128.96   Target port: 80   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net


Feb 25 20:21:00 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.146.228   Source port: 1169 
Source host: 228.seattle02rh15rt.wa.dial-access.att.net
  Target IP: 12.82.128.96   Target port: 80   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net

Feb 25 20:21:03 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.146.228   Source port: 1169 
Source host: 228.seattle02rh15rt.wa.dial-access.att.net
  Target IP: 12.82.128.96   Target port: 80   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net


Feb 25 21:24:28 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.246.216   Source port: 4265 
Source host: 216.houston-12rh15rt.tx.dial-access.att.net
  Target IP: 12.82.128.96   Target port: 80   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net

Feb 25 21:24:31 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.246.216   Source port: 4265 
Source host: 216.houston-12rh15rt.tx.dial-access.att.net
  Target IP: 12.82.128.96   Target port: 80   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net


Feb 25 22:04:09 - snort [1:0:0] TCP to 515 lpr 
  Source IP: 61.129.72.242   Source port: 4426 
Source host: 61.129.72.242
  Target IP: 12.82.128.96   Target port: 515   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net

Feb 25 22:04:12 - snort [1:0:0] TCP to 515 lpr 
  Source IP: 61.129.72.242   Source port: 4426 
Source host: 61.129.72.242
  Target IP: 12.82.128.96   Target port: 515   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net


Feb 25 22:39:49 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.139.58   Source port: 1580 
Source host: 58.seattle-28-29rs.wa.dial-access.att.net
  Target IP: 12.82.128.96   Target port: 80   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net

Feb 25 22:39:54 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.139.58   Source port: 1580 
Source host: 58.seattle-28-29rs.wa.dial-access.att.net
  Target IP: 12.82.128.96   Target port: 80   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net


Feb 25 23:01:09 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.139.58   Source port: 3175 
Source host: 58.seattle-28-29rs.wa.dial-access.att.net
  Target IP: 12.82.128.96   Target port: 80   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net

Feb 25 23:01:12 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.139.58   Source port: 3175 
Source host: 58.seattle-28-29rs.wa.dial-access.att.net
  Target IP: 12.82.128.96   Target port: 80   Proto: TCP 
Target host: 96.seattle-01-02rs.wa.dial-access.att.net


This report generated 02/26/2002 at 04:01:00 
by a perl script written by John Sage at FinchHaven.com, 
based upon the work of Dan Swan in his script snort2html.pl


jsage@finchhaven.com
Last modified: Wed Feb 27 06:17:00 2002