Logs: 03-03-02


To: jsage@finchhaven.com
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 03/3/2002

Logs at FinchHaven for 03/3/2002 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 03/ 4/2002

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in the 12.82.x.x range of AT&T's 12.0.0.0/8 (class A) block
Connect time this date: approx. 20 hours
Timestamps: US Pacific standard, GMT -08:00, synced by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages:  Probes to port 21 ftp:        0
                       Probes to port 22 ssh:        3
                    Probes to port 23 telnet:        0
                       Probes to port 53 dns:        0
                      Probes to port 80 http:       32
                   Probes to port 111 sunrpc:        0
               Probes to port 137 netbios-ns:        3
              Probes to port 139 netbios-ssn:        0
                    Probes to port 445 ms-ds:        0
                      Probes to port 515 lpr:        0
                  Total, probes to all ports:       102
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
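How a port summary like the one above is derived from the per-alert records that follow, plus the one refinement a practitioner reading these pairs of alerts would want: collapsing SYN retransmits into distinct connection attempts. This is an added example in Python, not John Sage's perl script and not Dan Swan's snort2html.pl. The record format is the one used in this report, the sample records are copied from the day's alerts below (a subset, with the host lines dropped), the year 2002 is assumed because the syslog timestamp carries none, and the 30-second retransmit window is a chosen parameter, not something the report states.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Records copied from this report (subset; "Source host"/"Target host" lines
# omitted, the parser ignores them). Constructed sample input, not new traffic.
SAMPLE = """\
Mar  3 05:34:11 - snort [1:0:0] UDP to 137 netBIOS ns
  Source IP: 204.118.20.101   Source port: 137
  Target IP: 12.82.137.178   Target port: 137   Proto: UDP
Mar  3 05:34:13 - snort [1:0:0] UDP to 137 netBIOS ns
  Source IP: 204.118.20.101   Source port: 137
  Target IP: 12.82.137.178   Target port: 137   Proto: UDP
Mar  3 05:34:14 - snort [1:0:0] UDP to 137 netBIOS ns
  Source IP: 204.118.20.101   Source port: 137
  Target IP: 12.82.137.178   Target port: 137   Proto: UDP
Mar  3 08:54:12 - snort [1:0:0] Potential CodeRed/Nimda probe
  Source IP: 12.82.237.115   Source port: 2292
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP
Mar  3 09:11:43 - snort [1:0:0] Potential CodeRed/Nimda probe
  Source IP: 12.82.237.115   Source port: 2406
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP
Mar  3 09:11:45 - snort [1:0:0] Potential CodeRed/Nimda probe
  Source IP: 12.82.237.115   Source port: 2406
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP
Mar  3 14:33:50 - snort [1:0:0] Potential CodeRed/Nimda probe
  Source IP: 148.235.80.168   Source port: 1106
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP
Mar  3 14:33:53 - snort [1:0:0] Potential CodeRed/Nimda probe
  Source IP: 148.235.80.168   Source port: 1106
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP
Mar  3 14:33:59 - snort [1:0:0] Potential CodeRed/Nimda probe
  Source IP: 148.235.80.168   Source port: 1106
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP
Mar  3 18:11:47 - snort [1:0:0] TCP to 22 ssh
  Source IP: 213.167.167.20   Source port: 22
  Target IP: 12.82.130.44   Target port: 22   Proto: TCP
"""

HEAD = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) - (\S+) \[([^\]]+)\] (.*\S)")
SRC = re.compile(r"Source IP: (\S+)\s+Source port: (\d+)")
TGT = re.compile(r"Target IP: (\S+)\s+Target port: (\d+)\s+Proto: (\S+)")

def parse_alerts(text, year=2002):
    """Turn the multi-line alert records into dicts; year is assumed (syslog has none)."""
    alerts, cur = [], None
    for line in text.splitlines():
        if m := HEAD.match(line):
            mon, day, hms, tool, sid, msg = m.groups()
            stamp = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
            cur = {"ts": stamp, "tool": tool, "sid": sid, "msg": msg}
            alerts.append(cur)
        elif cur is not None and (m := SRC.search(line)):
            cur["src"], cur["sport"] = m.group(1), int(m.group(2))
        elif cur is not None and (m := TGT.search(line)):
            cur["dst"], cur["dport"], cur["proto"] = m.group(1), int(m.group(2)), m.group(3)
    return alerts

# The ports the report's summary block lists, in the same order.
REPORT_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 53: "dns", 80: "http", 111: "sunrpc",
                137: "netbios-ns", 139: "netbios-ssn", 445: "ms-ds", 515: "lpr"}

def port_summary(alerts, ports=REPORT_PORTS):
    """Raw alert counts per listed target port; 'total' counts every port, listed or not."""
    by_port = Counter(a["dport"] for a in alerts if "dport" in a)
    summary = {port: by_port.get(port, 0) for port in ports}
    summary["total"] = sum(by_port.values())
    return summary

def collapse_retransmits(alerts, window=30):
    """Merge alerts with identical src/sport/dst/dport/proto that arrive within
    `window` seconds of the previous one into a single connection attempt. The
    3 s and 6 s gaps in the report are consistent with TCP SYN retransmission."""
    groups = defaultdict(list)
    for a in alerts:
        if "src" in a and "dst" in a:
            groups[(a["src"], a["sport"], a["dst"], a["dport"], a["proto"])].append(a["ts"])
    attempts = []
    for key, times in groups.items():
        times.sort()
        first, prev, hits = times[0], times[0], 1
        for t in times[1:]:
            if (t - prev).total_seconds() > window:
                attempts.append({"key": key, "first": first, "hits": hits})
                first, hits = t, 0
            prev, hits = t, hits + 1
        attempts.append({"key": key, "first": first, "hits": hits})
    return sorted(attempts, key=lambda x: x["first"])

def repeat_sources(attempts):
    """Distinct attempts per source; a source returning with fresh source ports is the one to whois."""
    return Counter(a["key"][0] for a in attempts)

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE)
    print(port_summary(alerts))
    print(repeat_sources(collapse_retransmits(alerts)).most_common())
```

On the ten sample records this gives http 6, netbios-ns 3, ssh 1, total 10, but only five distinct attempts: a pair three seconds apart with an unchanged source port (and the 3 s then 6 s spacing of the 148.235.80.168 triple) is what one TCP connection retrying its SYN looks like, so the "Probes to port 80 http: 32" figure above corresponds to 16 attempts over the day. The one source that keeps coming back with new source ports is 12.82.237.115. The UDP 137 entries with source port 137 are the shape of an ordinary Windows NetBIOS name query, which a host sends when it tries to resolve your address, and are usually noise rather than a scan.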

Mar  3 04:05:49 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.243.108.143   Source port: 2887 
Source host: 12-243-108-143.client.attbi.com
  Target IP: 12.82.137.178   Target port: 80   Proto: TCP 
Target host: 178.seattle-23-24rs.wa.dial-access.att.net

Mar  3 04:05:52 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.243.108.143   Source port: 2887 
Source host: 12-243-108-143.client.attbi.com
  Target IP: 12.82.137.178   Target port: 80   Proto: TCP 
Target host: 178.seattle-23-24rs.wa.dial-access.att.net



Mar  3 05:34:11 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 204.118.20.101   Source port: 137 
Source host: 204.118.20.101
  Target IP: 12.82.137.178   Target port: 137   Proto: UDP 
Target host: 178.seattle-23-24rs.wa.dial-access.att.net

Mar  3 05:34:13 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 204.118.20.101   Source port: 137 
Source host: 204.118.20.101
  Target IP: 12.82.137.178   Target port: 137   Proto: UDP 
Target host: 178.seattle-23-24rs.wa.dial-access.att.net

Mar  3 05:34:14 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 204.118.20.101   Source port: 137 
Source host: 204.118.20.101
  Target IP: 12.82.137.178   Target port: 137   Proto: UDP 
Target host: 178.seattle-23-24rs.wa.dial-access.att.net


BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman

US Sprint (NETBLK-SPRINT-BLKB)
   13221 Woodland Pk. Rd
   Herndon, VA 22071
   US    

Netname: SPRINT-BLKB
   Netblock: 204.117.0.0 - 204.120.255.255
   Maintainer: SPRN    

Coordinator:
      Sprintlink (Sprint)  (SPRINT-NOC-ARIN)  NOC@SPRINT.NET
      800-232-6895    

Domain System inverse mapping provided by: 
   NS1-AUTH.SPRINTLINK.NET   206.228.179.10
   NS2-AUTH.SPRINTLINK.NET   144.228.254.10
   NS3-AUTH.SPRINTLINK.NET   144.228.255.10




Mar  3 08:15:38 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.91.161.69   Source port: 2329 
Source host: 69.washington-29rh16rt.dc.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net

Mar  3 08:15:42 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.91.161.69   Source port: 2329 
Source host: 69.washington-29rh16rt.dc.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net



Mar  3 08:26:12 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.171.188   Source port: 3838 
Source host: 188.seattle14rh16rt.wa.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net

Mar  3 08:26:15 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.171.188   Source port: 3838 
Source host: 188.seattle14rh16rt.wa.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net



Mar  3 08:54:12 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.115   Source port: 2292 
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net

Mar  3 09:11:43 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.115   Source port: 2406 
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net

Mar  3 09:11:45 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.115   Source port: 2406 
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net


Mar  3 10:34:40 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.115   Source port: 1232 
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net

Mar  3 10:34:43 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.115   Source port: 1232 
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net



Mar  3 10:36:06 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.234.113.21   Source port: 4611 
Source host: 12-234-113-21.client.attbi.com
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net

Mar  3 10:36:09 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.234.113.21   Source port: 4611 
Source host: 12-234-113-21.client.attbi.com
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net



Mar  3 11:11:16 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.91.241.116   Source port: 3374 
Source host: 116.atlanta-43-44rs.ga.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net

Mar  3 11:11:19 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.91.241.116   Source port: 3374 
Source host: 116.atlanta-43-44rs.ga.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net



Mar  3 11:53:49 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.115   Source port: 2176 
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net

Mar  3 11:53:51 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.115   Source port: 2176 
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net


Mar  3 12:34:48 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.115   Source port: 1321 
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net

Mar  3 12:34:51 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.115   Source port: 1321 
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net


Mar  3 12:57:09 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.115   Source port: 1240 
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net

Mar  3 12:57:11 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.115   Source port: 1240 
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net


Mar  3 13:17:42 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.115   Source port: 4523 
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net

Mar  3 13:17:45 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.115   Source port: 4523 
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net



Mar  3 13:20:54 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.225.174.22   Source port: 1251 
Source host: 12-225-174-22.client.attbi.com
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net

Mar  3 13:20:56 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.225.174.22   Source port: 1251 
Source host: 12-225-174-22.client.attbi.com
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net



Mar  3 14:12:33 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.115   Source port: 1388 
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net

Mar  3 14:12:36 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.115   Source port: 1388 
Source host: 115.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net



Mar  3 14:33:50 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 148.235.80.168   Source port: 1106 
Source host: 148.235.80.168
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net

Mar  3 14:33:53 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 148.235.80.168   Source port: 1106 
Source host: 148.235.80.168
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net

Mar  3 14:33:59 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 148.235.80.168   Source port: 1106 
Source host: 148.235.80.168
  Target IP: 12.82.137.170   Target port: 80   Proto: TCP 
Target host: 170.seattle-23-24rs.wa.dial-access.att.net



Mar  3 17:11:15 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.185   Source port: 4996 
Source host: 185.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.130.44   Target port: 80   Proto: TCP 
Target host: 44.seattle-06-07rs.wa.dial-access.att.net

Mar  3 17:11:18 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.237.185   Source port: 4996 
Source host: 185.houston-07rh16rt.tx.dial-access.att.net
  Target IP: 12.82.130.44   Target port: 80   Proto: TCP 
Target host: 44.seattle-06-07rs.wa.dial-access.att.net



Mar  3 18:11:47 - snort [1:0:0] TCP to 22 ssh 
  Source IP: 213.167.167.20   Source port: 22 
Source host: backup2.hfonetz.de
  Target IP: 12.82.130.44   Target port: 22   Proto: TCP 
Target host: 44.seattle-06-07rs.wa.dial-access.att.net


BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman

% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html 

inetnum:      213.167.167.0 - 213.167.167.255
netname:      HFONETZ
descr:        Hochfranken Online GmbH+Co.KG
descr:        Bachstr.4
descr:        D-95176 Konradsreuth
descr:        *** HFONETZ-H ***
country:      DE
admin-c:      AH2885-RIPE
tech-c:       HO2308-RIPE
status:       ASSIGNED PA
notify:       hostmaster@hochfranken-online.de
mnt-by:       HFO-RIPE-MNT
changed:      hostmaster@hochfranken-online.de 20010629
source:       RIPE 

route:        213.167.160.0/19
descr:        Hochfranken Online GmbH+Co.KG
origin:       AS20805
notify:       hostmaster@hochfranken-online.de
mnt-by:       HFO-RIPE-MNT
changed:      hostmaster@hochfranken-online.de 20010629
source:       RIPE





Mar  3 19:45:23 - snort [1:0:0] TCP to 22 ssh 
  Source IP: 66.115.47.71   Source port: 37320 
Source host: opt.edirectnetwork.net
  Target IP: 12.82.130.44   Target port: 22   Proto: TCP 
Target host: 44.seattle-06-07rs.wa.dial-access.att.net

Mar  3 19:45:26 - snort [1:0:0] TCP to 22 ssh 
  Source IP: 66.115.47.71   Source port: 37320 
Source host: opt.edirectnetwork.net
  Target IP: 12.82.130.44   Target port: 22   Proto: TCP 
Target host: 44.seattle-06-07rs.wa.dial-access.att.net


BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman

Ciberlynx, Inc. (NETBLK-CIBERLYNX-NET2) CIBERLYNX-NET2   66.115.0.0 - 66.115.63.255

E Direct (NETBLK-EDIRECT) EDIRECT   66.115.47.0 - 66.115.47.255


BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman

E Direct (NETBLK-EDIRECT)
   550 Faieway Drive #210
   Deerfield Beach, Florida 33441
   US    

Netname: EDIRECT
   Netblock: 66.115.47.0 - 66.115.47.255    

Coordinator:
      CiberLynx  (ZC87-ARIN)  netadm@ciberlynx.net
      954-379-0088    

   Record last updated on 19-Feb-2002.
   Database last updated on  3-Mar-2002 19:56:53 EDT.




This report generated 03/ 4/2002 at 04:01:00 
by a perl script written by John Sage at FinchHaven.com, 
based upon the work of Dan Swan in his script snort2html.pl


jsage@finchhaven.com
Last modified: Mon Mar 4 08:00:57 2002