Logs: 03-03-02
To: jsage@finchhaven.com
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 03/3/2002
Logs at FinchHaven for 03/3/2002 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 03/ 4/2002
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= ver.7
In /var/log/messages:
Probes to port 21 ftp: 0
Probes to port 22 ssh: 3
Probes to port 23 telnet: 0
Probes to port 53 dns: 0
Probes to port 80 http: 32
Probes to port 111 sunrpc: 0
Probes to port 137 netbios-ns: 3
Probes to port 139 netbios-ssn: 0
Probes to port 445 ms-ds: 0
Probes to port 515 lpr: 0
Total, probes to all ports: 102
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Mar 3 04:05:49 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.243.108.143 Source port: 2887
Source host: 12-243-108-143.client.attbi.com
Target IP: 12.82.137.178 Target port: 80 Proto: TCP
Target host: 178.seattle-23-24rs.wa.dial-access.att.net
Mar 3 04:05:52 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.243.108.143 Source port: 2887
Source host: 12-243-108-143.client.attbi.com
Target IP: 12.82.137.178 Target port: 80 Proto: TCP
Target host: 178.seattle-23-24rs.wa.dial-access.att.net
Mar 3 05:34:11 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 204.118.20.101 Source port: 137
Source host: 204.118.20.101
Target IP: 12.82.137.178 Target port: 137 Proto: UDP
Target host: 178.seattle-23-24rs.wa.dial-access.att.net
Mar 3 05:34:13 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 204.118.20.101 Source port: 137
Source host: 204.118.20.101
Target IP: 12.82.137.178 Target port: 137 Proto: UDP
Target host: 178.seattle-23-24rs.wa.dial-access.att.net
Mar 3 05:34:14 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 204.118.20.101 Source port: 137
Source host: 204.118.20.101
Target IP: 12.82.137.178 Target port: 137 Proto: UDP
Target host: 178.seattle-23-24rs.wa.dial-access.att.net
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
US Sprint (NETBLK-SPRINT-BLKB)
13221 Woodland Pk. Rd
Herndon, VA 22071
US
Netname: SPRINT-BLKB
Netblock: 204.117.0.0 - 204.120.255.255
Maintainer: SPRN
Coordinator:
Sprintlink (Sprint) (SPRINT-NOC-ARIN) NOC@SPRINT.NET
800-232-6895
Domain System inverse mapping provided by:
NS1-AUTH.SPRINTLINK.NET 206.228.179.10
NS2-AUTH.SPRINTLINK.NET 144.228.254.10
NS3-AUTH.SPRINTLINK.NET 144.228.255.10
Mar 3 08:15:38 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.91.161.69 Source port: 2329
Source host: 69.washington-29rh16rt.dc.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 08:15:42 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.91.161.69 Source port: 2329
Source host: 69.washington-29rh16rt.dc.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 08:26:12 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.171.188 Source port: 3838
Source host: 188.seattle14rh16rt.wa.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 08:26:15 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.171.188 Source port: 3838
Source host: 188.seattle14rh16rt.wa.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 08:54:12 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.115 Source port: 2292
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 09:11:43 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.115 Source port: 2406
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 09:11:45 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.115 Source port: 2406
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 10:34:40 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.115 Source port: 1232
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 10:34:43 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.115 Source port: 1232
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 10:36:06 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.234.113.21 Source port: 4611
Source host: 12-234-113-21.client.attbi.com
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 10:36:09 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.234.113.21 Source port: 4611
Source host: 12-234-113-21.client.attbi.com
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 11:11:16 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.91.241.116 Source port: 3374
Source host: 116.atlanta-43-44rs.ga.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 11:11:19 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.91.241.116 Source port: 3374
Source host: 116.atlanta-43-44rs.ga.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 11:53:49 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.115 Source port: 2176
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 11:53:51 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.115 Source port: 2176
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 12:34:48 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.115 Source port: 1321
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 12:34:51 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.115 Source port: 1321
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 12:57:09 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.115 Source port: 1240
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 12:57:11 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.115 Source port: 1240
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 13:17:42 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.115 Source port: 4523
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 13:17:45 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.115 Source port: 4523
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 13:20:54 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.225.174.22 Source port: 1251
Source host: 12-225-174-22.client.attbi.com
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 13:20:56 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.225.174.22 Source port: 1251
Source host: 12-225-174-22.client.attbi.com
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 14:12:33 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.115 Source port: 1388
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 14:12:36 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.115 Source port: 1388
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 14:33:50 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 148.235.80.168 Source port: 1106
Source host: 148.235.80.168
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 14:33:53 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 148.235.80.168 Source port: 1106
Source host: 148.235.80.168
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 14:33:59 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 148.235.80.168 Source port: 1106
Source host: 148.235.80.168
Target IP: 12.82.137.170 Target port: 80 Proto: TCP
Target host: 170.seattle-23-24rs.wa.dial-access.att.net
Mar 3 17:11:15 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.185 Source port: 4996
Source host: 185.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.130.44 Target port: 80 Proto: TCP
Target host: 44.seattle-06-07rs.wa.dial-access.att.net
Mar 3 17:11:18 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.237.185 Source port: 4996
Source host: 185.houston-07rh16rt.tx.dial-access.att.net
Target IP: 12.82.130.44 Target port: 80 Proto: TCP
Target host: 44.seattle-06-07rs.wa.dial-access.att.net
Mar 3 18:11:47 - snort [1:0:0] TCP to 22 ssh
Source IP: 213.167.167.20 Source port: 22
Source host: backup2.hfonetz.de
Target IP: 12.82.130.44 Target port: 22 Proto: TCP
Target host: 44.seattle-06-07rs.wa.dial-access.att.net
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 213.167.167.0 - 213.167.167.255
netname: HFONETZ
descr: Hochfranken Online GmbH+Co.KG
descr: Bachstr.4
descr: D-95176 Konradsreuth
descr: *** HFONETZ-H ***
country: DE
admin-c: AH2885-RIPE
tech-c: HO2308-RIPE
status: ASSIGNED PA
notify: hostmaster@hochfranken-online.de
mnt-by: HFO-RIPE-MNT
changed: hostmaster@hochfranken-online.de 20010629
source: RIPE
route: 213.167.160.0/19
descr: Hochfranken Online GmbH+Co.KG
origin: AS20805
notify: hostmaster@hochfranken-online.de
mnt-by: HFO-RIPE-MNT
changed: hostmaster@hochfranken-online.de 20010629
source: RIPE
Mar 3 19:45:23 - snort [1:0:0] TCP to 22 ssh
Source IP: 66.115.47.71 Source port: 37320
Source host: opt.edirectnetwork.net
Target IP: 12.82.130.44 Target port: 22 Proto: TCP
Target host: 44.seattle-06-07rs.wa.dial-access.att.net
Mar 3 19:45:26 - snort [1:0:0] TCP to 22 ssh
Source IP: 66.115.47.71 Source port: 37320
Source host: opt.edirectnetwork.net
Target IP: 12.82.130.44 Target port: 22 Proto: TCP
Target host: 44.seattle-06-07rs.wa.dial-access.att.net
Ciberlynx, Inc. (NETBLK-CIBERLYNX-NET2) CIBERLYNX-NET2 66.115.0.0 - 66.115.63.255
E Direct (NETBLK-EDIRECT) EDIRECT 66.115.47.0 - 66.115.47.255
E Direct (NETBLK-EDIRECT)
550 Faieway Drive #210
Deerfield Beach, Florida 33441
US
Netname: EDIRECT
Netblock: 66.115.47.0 - 66.115.47.255
Coordinator:
CiberLynx (ZC87-ARIN) netadm@ciberlynx.net
954-379-0088
Record last updated on 19-Feb-2002.
Database last updated on 3-Mar-2002 19:56:53 EDT.
This report generated 03/ 4/2002 at 04:01:00
by a perl script written by John Sage at FinchHaven.com,
based upon the work of Dan Swan in his script snort2html.pl
jsage@finchhaven.com
Last modified: Mon Mar 4 08:00:57 2002