Logs: 03-12-02


To: jsage@finchhaven.com
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 03/12/2002

Logs at FinchHaven for 03/12/2002 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 03/13/2002

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages:  Probes to port 21 ftp:        3
                       Probes to port 22 ssh:        0
                    Probes to port 23 telnet:        0
                       Probes to port 53 dns:        7
                      Probes to port 80 http:       15
                   Probes to port 111 sunrpc:        4
               Probes to port 137 netbios-ns:        0
              Probes to port 139 netbios-ssn:        0
                    Probes to port 445 ms-ds:        0
                      Probes to port 515 lpr:        0
                  Total, probes to all ports:       791
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=



Mar 12 06:27:44 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.254.154.220   Source port: 4436 
Source host: 12-254-154-220.client.attbi.com
  Target IP: 12.82.129.77   Target port: 80   Proto: TCP 
Target host: 77.seattle-03-04rs.wa.dial-access.att.net

Mar 12 06:27:47 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.254.154.220   Source port: 4436 
Source host: 12-254-154-220.client.attbi.com
  Target IP: 12.82.129.77   Target port: 80   Proto: TCP 
Target host: 77.seattle-03-04rs.wa.dial-access.att.net



Mar 12 09:17:49 - snort [1:0:0] TCP to 21 ftp 
  Source IP: 80.14.170.144   Source port: 4265 
Source host: ALille-203-1-5-144.abo.wanadoo.fr
  Target IP: 12.82.129.77   Target port: 21   Proto: TCP 
Target host: 77.seattle-03-04rs.wa.dial-access.att.net

Mar 12 09:17:52 - snort [1:0:0] TCP to 21 ftp 
  Source IP: 80.14.170.144   Source port: 4265 
Source host: ALille-203-1-5-144.abo.wanadoo.fr
  Target IP: 12.82.129.77   Target port: 21   Proto: TCP 
Target host: 77.seattle-03-04rs.wa.dial-access.att.net

Mar 12 09:17:58 - snort [1:0:0] TCP to 21 ftp 
  Source IP: 80.14.170.144   Source port: 4265 
Source host: ALille-203-1-5-144.abo.wanadoo.fr
  Target IP: 12.82.129.77   Target port: 21   Proto: TCP 
Target host: 77.seattle-03-04rs.wa.dial-access.att.net



Mar 12 11:55:37 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.246.129.202   Source port: 2512 
Source host: 12-246-129-202.client.attbi.com
  Target IP: 12.82.129.77   Target port: 80   Proto: TCP 
Target host: 77.seattle-03-04rs.wa.dial-access.att.net

Mar 12 11:55:40 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.246.129.202   Source port: 2512 
Source host: 12-246-129-202.client.attbi.com
  Target IP: 12.82.129.77   Target port: 80   Proto: TCP 
Target host: 77.seattle-03-04rs.wa.dial-access.att.net



Mar 12 12:57:42 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.136.208   Source port: 3132 
Source host: 208.seattle-21-22rs.wa.dial-access.att.net
  Target IP: 12.82.129.77   Target port: 80   Proto: TCP 
Target host: 77.seattle-03-04rs.wa.dial-access.att.net

Mar 12 12:57:45 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.136.208   Source port: 3132 
Source host: 208.seattle-21-22rs.wa.dial-access.att.net
  Target IP: 12.82.129.77   Target port: 80   Proto: TCP 
Target host: 77.seattle-03-04rs.wa.dial-access.att.net



Mar 12 13:17:48 - snort [1:0:0] TCP to 111 sunrpc 
  Source IP: 194.221.140.5   Source port: 3699 
Source host: www.mcis.de
  Target IP: 12.82.129.77   Target port: 111   Proto: TCP 
Target host: 77.seattle-03-04rs.wa.dial-access.att.net



Mar 12 13:34:11 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.141.70   Source port: 2673 
Source host: 70.seattle-15-20rs.wa.dial-access.att.net
  Target IP: 12.82.129.77   Target port: 80   Proto: TCP 
Target host: 77.seattle-03-04rs.wa.dial-access.att.net

Mar 12 13:34:14 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.141.70   Source port: 2673 
Source host: 70.seattle-15-20rs.wa.dial-access.att.net
  Target IP: 12.82.129.77   Target port: 80   Proto: TCP 
Target host: 77.seattle-03-04rs.wa.dial-access.att.net



Mar 12 13:44:26 - snort [1:0:0] TCP to 111 sunrpc 
  Source IP: 194.221.140.5   Source port: 2900 
Source host: www.mcis.de
  Target IP: 12.82.129.77   Target port: 111   Proto: TCP 
Target host: 77.seattle-03-04rs.wa.dial-access.att.net



Mar 12 14:00:19 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.136.208   Source port: 3397 
Source host: 208.seattle-21-22rs.wa.dial-access.att.net
  Target IP: 12.82.129.77   Target port: 80   Proto: TCP 
Target host: 77.seattle-03-04rs.wa.dial-access.att.net

Mar 12 14:00:22 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.136.208   Source port: 3397 
Source host: 208.seattle-21-22rs.wa.dial-access.att.net
  Target IP: 12.82.129.77   Target port: 80   Proto: TCP 
Target host: 77.seattle-03-04rs.wa.dial-access.att.net



Mar 12 19:46:09 - snort [1:0:0] TCP to 111 sunrpc 
  Source IP: 210.12.186.13   Source port: 3328 
Source host: 210.12.186.13
  Target IP: 12.82.141.8   Target port: 111   Proto: TCP 
Target host: 8.seattle-15-20rs.wa.dial-access.att.net

Mar 12 19:46:12 - snort [1:0:0] TCP to 111 sunrpc 
  Source IP: 210.12.186.13   Source port: 3328 
Source host: 210.12.186.13
  Target IP: 12.82.141.8   Target port: 111   Proto: TCP 
Target host: 8.seattle-15-20rs.wa.dial-access.att.net



Mar 12 20:04:08 - snort [1:0:0] TCP to 123 ntp 
  Source IP: 211.184.140.152   Source port: 2310 
Source host: 211.184.140.152
  Target IP: 12.82.141.8   Target port: 123   Proto: TCP 
Target host: 8.seattle-15-20rs.wa.dial-access.att.net



Mar 12 20:43:00 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.166.226   Source port: 3267 
Source host: 226.seattle12rh15rt.wa.dial-access.att.net
  Target IP: 12.82.141.8   Target port: 80   Proto: TCP 
Target host: 8.seattle-15-20rs.wa.dial-access.att.net

Mar 12 20:43:02 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.166.226   Source port: 3267 
Source host: 226.seattle12rh15rt.wa.dial-access.att.net
  Target IP: 12.82.141.8   Target port: 80   Proto: TCP 
Target host: 8.seattle-15-20rs.wa.dial-access.att.net

"The US Naval Observatory Master Clock..."

I was resetting my clocks after a power outage reset all my computers...
Mar 12 21:16:05 - snort [1:0:0] TCP from range 120-1024 
  Source IP: 192.5.41.239   Source port: 554 
Source host: tycho.usno.navy.mil
  Target IP: 12.82.141.8   Target port: 61320   Proto: TCP 
Target host: 8.seattle-15-20rs.wa.dial-access.att.net

Mar 12 21:16:05 - snort [1:0:0] TCP from range 120-1024 
  Source IP: 192.5.41.239   Source port: 554 
Source host: tycho.usno.navy.mil
  Target IP: 12.82.141.8   Target port: 61321   Proto: TCP 
Target host: 8.seattle-15-20rs.wa.dial-access.att.net

Mar 12 21:16:06 - snort [1:0:0] TCP from range 4322-8079 
  Source IP: 192.5.41.239   Source port: 7070 
Source host: tycho.usno.navy.mil
  Target IP: 12.82.141.8   Target port: 61322   Proto: TCP 
Target host: 8.seattle-15-20rs.wa.dial-access.att.net

Mar 12 21:16:06 - snort [1:0:0] TCP from range 4322-8079 
  Source IP: 192.5.41.239   Source port: 7070 
Source host: tycho.usno.navy.mil
  Target IP: 12.82.141.8   Target port: 61323   Proto: TCP 
Target host: 8.seattle-15-20rs.wa.dial-access.att.net

<snip> about a billion more of these...



Mar 12 23:28:22 - snort [1:0:0] TCP to 53 domain 
  Source IP: 202.237.14.185   Source port: 4080 
Source host: ginza.ne.jp
  Target IP: 12.82.141.8   Target port: 53   Proto: TCP 
Target host: 8.seattle-15-20rs.wa.dial-access.att.net



Mar 12 23:59:38 - snort [1:0:0] UDP to 161 snmp 
  Source IP: 63.105.155.50   Source port: 12542 
Source host: masq.railamerica.com
  Target IP: 12.82.141.8   Target port: 161   Proto: UDP 
Target host: 8.seattle-15-20rs.wa.dial-access.att.net



Mar 13 03:13:34 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 128.226.185.90   Source port: 4651 
Source host: 128.226.185.90
  Target IP: 12.82.140.64   Target port: 80   Proto: TCP 
Target host: 64.seattle-05-10rs.wa.dial-access.att.net

Mar 13 03:13:37 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 128.226.185.90   Source port: 4651 
Source host: 128.226.185.90
  Target IP: 12.82.140.64   Target port: 80   Proto: TCP 
Target host: 64.seattle-05-10rs.wa.dial-access.att.net

Mar 13 03:13:43 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 128.226.185.90   Source port: 4651 
Source host: 128.226.185.90
  Target IP: 12.82.140.64   Target port: 80   Proto: TCP 
Target host: 64.seattle-05-10rs.wa.dial-access.att.net



This report generated 03/13/2002 at 04:01:00 
by a perl script written by John Sage at FinchHaven.com, 
based upon the work of Dan Swan in his script snort2html.pl


jsage@finchhaven.com
Last modified: Sat Mar 16 14:03:39 2002