Logs: 03-09-02
To: jsage@finchhaven.com
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 03/9/2002
Logs at FinchHaven for 03/9/2002 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 03/10/2002
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages: Probes to port 21 ftp: 0
Probes to port 22 ssh: 0
Probes to port 23 telnet: 0
Probes to port 53 dns: 12
Probes to port 80 http: 15
Probes to port 111 sunrpc: 0
Probes to port 137 netbios-ns: 1
Probes to port 139 netbios-ssn: 0
Probes to port 445 ms-ds: 0
Probes to port 515 lpr: 0
Total, probes to all ports: 41
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Mar 9 09:27:55 - snort [1:0:0] ICMP echo request
Source IP: 218.24.129.150 Source port: -N/A-
Source host: 218.24.129.150
Target IP: 12.82.129.149 Target port: -N/A- Proto: ICMP
Target host: 149.seattle-03-04rs.wa.dial-access.att.net
Mar 9 09:45:34 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.129.30 Source port: 1328
Source host: 30.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.129.149 Target port: 12345 Proto: TCP
Target host: 149.seattle-03-04rs.wa.dial-access.att.net
Mar 9 09:45:37 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.129.30 Source port: 1328
Source host: 30.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.129.149 Target port: 12345 Proto: TCP
Target host: 149.seattle-03-04rs.wa.dial-access.att.net
Mar 9 09:45:43 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.129.30 Source port: 1328
Source host: 30.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.129.149 Target port: 12345 Proto: TCP
Target host: 149.seattle-03-04rs.wa.dial-access.att.net
Mar 9 09:45:55 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.129.30 Source port: 1328
Source host: 30.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.129.149 Target port: 12345 Proto: TCP
Target host: 149.seattle-03-04rs.wa.dial-access.att.net
Mar 9 10:00:28 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 68.38.147.116 Source port: 2346
Source host: bgp542967bgs.ewndsr01.nj.comcast.net
Target IP: 12.82.129.149 Target port: 80 Proto: TCP
Target host: 149.seattle-03-04rs.wa.dial-access.att.net
Mar 9 10:00:31 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 68.38.147.116 Source port: 2346
Source host: bgp542967bgs.ewndsr01.nj.comcast.net
Target IP: 12.82.129.149 Target port: 80 Proto: TCP
Target host: 149.seattle-03-04rs.wa.dial-access.att.net
Mar 9 10:00:37 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 68.38.147.116 Source port: 2346
Source host: bgp542967bgs.ewndsr01.nj.comcast.net
Target IP: 12.82.129.149 Target port: 80 Proto: TCP
Target host: 149.seattle-03-04rs.wa.dial-access.att.net
Mar 9 10:57:56 - snort [1:0:0] UDP to range 1026-60999
Source IP: 61.182.248.37 Source port: 1084
Source host: 61.182.248.37
Target IP: 12.82.129.149 Target port: 4000 Proto: UDP
Target host: 149.seattle-03-04rs.wa.dial-access.att.net
Mar 9 10:57:57 - snort [1:0:0] UDP to range 1026-60999
Source IP: 61.182.248.37 Source port: 1084
Source host: 61.182.248.37
Target IP: 12.82.129.149 Target port: 4001 Proto: UDP
Target host: 149.seattle-03-04rs.wa.dial-access.att.net
Mar 9 12:09:44 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.129.63 Source port: 2042
Source host: 63.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.129.149 Target port: 12345 Proto: TCP
Target host: 149.seattle-03-04rs.wa.dial-access.att.net
Mar 9 12:09:47 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.129.63 Source port: 2042
Source host: 63.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.129.149 Target port: 12345 Proto: TCP
Target host: 149.seattle-03-04rs.wa.dial-access.att.net
Mar 9 12:09:53 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.129.63 Source port: 2042
Source host: 63.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.129.149 Target port: 12345 Proto: TCP
Target host: 149.seattle-03-04rs.wa.dial-access.att.net
Mar 9 12:10:05 - snort [1:0:0] TCP to 12345 NetBus Backdoor
Source IP: 12.82.129.63 Source port: 2042
Source host: 63.seattle-03-04rs.wa.dial-access.att.net
Target IP: 12.82.129.149 Target port: 12345 Proto: TCP
Target host: 149.seattle-03-04rs.wa.dial-access.att.net
Mar 9 14:19:15 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 65.208.77.35 Source port: 3454
Source host: 65.208.77.35
Target IP: 12.82.129.149 Target port: 80 Proto: TCP
Target host: 149.seattle-03-04rs.wa.dial-access.att.net
Mar 9 14:19:18 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 65.208.77.35 Source port: 3454
Source host: 65.208.77.35
Target IP: 12.82.129.149 Target port: 80 Proto: TCP
Target host: 149.seattle-03-04rs.wa.dial-access.att.net
Mar 9 14:19:24 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 65.208.77.35 Source port: 3454
Source host: 65.208.77.35
Target IP: 12.82.129.149 Target port: 80 Proto: TCP
Target host: 149.seattle-03-04rs.wa.dial-access.att.net
Mar 9 14:58:50 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.248.239.184 Source port: 3016
Source host: 12-248-239-184.client.attbi.com
Target IP: 12.82.141.144 Target port: 80 Proto: TCP
Target host: 144.seattle-15-20rs.wa.dial-access.att.net
Mar 9 14:58:53 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.248.239.184 Source port: 3016
Source host: 12-248-239-184.client.attbi.com
Target IP: 12.82.141.144 Target port: 80 Proto: TCP
Target host: 144.seattle-15-20rs.wa.dial-access.att.net
Mar 9 17:39:04 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.247.96.41 Source port: 1250
Source host: 12-247-96-41.client.attbi.com
Target IP: 12.82.141.144 Target port: 80 Proto: TCP
Target host: 144.seattle-15-20rs.wa.dial-access.att.net
Mar 9 17:39:07 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.247.96.41 Source port: 1250
Source host: 12-247-96-41.client.attbi.com
Target IP: 12.82.141.144 Target port: 80 Proto: TCP
Target host: 144.seattle-15-20rs.wa.dial-access.att.net
Mar 9 17:39:28 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 65.80.66.73 Source port: 1025
Source host: adsl-80-66-73.asm.bellsouth.net
Target IP: 12.82.141.144 Target port: 137 Proto: UDP
Target host: 144.seattle-15-20rs.wa.dial-access.att.net
Mar 9 18:02:53 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 172.163.117.238 Source port: 1266
Source host: ACA375EE.ipt.aol.com
Target IP: 12.82.141.144 Target port: 27374 Proto: TCP
Target host: 144.seattle-15-20rs.wa.dial-access.att.net
Mar 9 18:02:56 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 172.163.117.238 Source port: 1266
Source host: ACA375EE.ipt.aol.com
Target IP: 12.82.141.144 Target port: 27374 Proto: TCP
Target host: 144.seattle-15-20rs.wa.dial-access.att.net
Mar 9 18:03:02 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 172.163.117.238 Source port: 1266
Source host: ACA375EE.ipt.aol.com
Target IP: 12.82.141.144 Target port: 27374 Proto: TCP
Target host: 144.seattle-15-20rs.wa.dial-access.att.net
Mar 9 19:31:06 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 210.118.73.157 Source port: 4160
Source host: u73.e157.xgate.co.kr
Target IP: 12.82.141.144 Target port: 80 Proto: TCP
Target host: 144.seattle-15-20rs.wa.dial-access.att.net
Mar 9 19:31:09 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 210.118.73.157 Source port: 4160
Source host: u73.e157.xgate.co.kr
Target IP: 12.82.141.144 Target port: 80 Proto: TCP
Target host: 144.seattle-15-20rs.wa.dial-access.att.net
Mar 9 19:31:15 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 210.118.73.157 Source port: 4160
Source host: u73.e157.xgate.co.kr
Target IP: 12.82.141.144 Target port: 80 Proto: TCP
Target host: 144.seattle-15-20rs.wa.dial-access.att.net
Mar 9 20:51:22 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 24.90.53.253 Source port: 2471
Source host: 24-90-53-253.nyc.rr.com
Target IP: 12.82.141.144 Target port: 27374 Proto: TCP
Target host: 144.seattle-15-20rs.wa.dial-access.att.net
Mar 9 20:51:25 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 24.90.53.253 Source port: 2471
Source host: 24-90-53-253.nyc.rr.com
Target IP: 12.82.141.144 Target port: 27374 Proto: TCP
Target host: 144.seattle-15-20rs.wa.dial-access.att.net
Mar 9 20:51:31 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 24.90.53.253 Source port: 2471
Source host: 24-90-53-253.nyc.rr.com
Target IP: 12.82.141.144 Target port: 27374 Proto: TCP
Target host: 144.seattle-15-20rs.wa.dial-access.att.net
Mar 9 20:51:43 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 24.90.53.253 Source port: 2471
Source host: 24-90-53-253.nyc.rr.com
Target IP: 12.82.141.144 Target port: 27374 Proto: TCP
Target host: 144.seattle-15-20rs.wa.dial-access.att.net
Mar 9 22:09:27 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.159 Source port: 2816
Source host: 159.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.141.144 Target port: 80 Proto: TCP
Target host: 144.seattle-15-20rs.wa.dial-access.att.net
Mar 9 22:09:30 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.142.159 Source port: 2816
Source host: 159.seattle-25-30rs.wa.dial-access.att.net
Target IP: 12.82.141.144 Target port: 80 Proto: TCP
Target host: 144.seattle-15-20rs.wa.dial-access.att.net
This report generated 03/10/2002 at 04:01:00
by a perl script written by John Sage at FinchHaven.com,
based upon the work of Dan Swan in his script snort2html.pl
jsage@finchhaven.com
Last modified: Sun Mar 10 21:56:34 2002