Logs: 03-14-02
To: jsage@finchhaven.com
From: toot@finchhaven.com
Subject: [Logs] at FinchHaven for 03/14/2002
Logs at FinchHaven for 03/14/2002 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 03/15/2002
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages:
Probes to port 21 ftp: 0
Probes to port 22 ssh: 2
Probes to port 23 telnet: 0
Probes to port 53 dns: 12
Probes to port 80 http: 41
Probes to port 111 sunrpc: 0
Probes to port 137 netbios-ns: 2
Probes to port 139 netbios-ssn: 0
Probes to port 445 ms-ds: 0
Probes to port 515 lpr: 0
Total, probes to all ports: 57
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Mar 14 06:16:33 - snort [1:0:0] TCP to 1214 KaZaa
Source IP: 63.208.234.195 Source port: 42074
Source host: unknown.Level3.net
Target IP: 12.82.137.217 Target port: 1214 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 06:16:36 - snort [1:0:0] TCP to 1214 KaZaa
Source IP: 63.208.234.195 Source port: 42074
Source host: unknown.Level3.net
Target IP: 12.82.137.217 Target port: 1214 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 06:18:57 - snort [1:0:0] TCP to 1214 KaZaa
Source IP: 63.208.234.195 Source port: 51448
Source host: unknown.Level3.net
Target IP: 12.82.137.217 Target port: 1214 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 06:19:00 - snort [1:0:0] TCP to 1214 KaZaa
Source IP: 63.208.234.195 Source port: 51448
Source host: unknown.Level3.net
Target IP: 12.82.137.217 Target port: 1214 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 06:21:27 - snort [1:0:0] TCP to 1214 KaZaa
Source IP: 63.208.234.195 Source port: 32912
Source host: unknown.Level3.net
Target IP: 12.82.137.217 Target port: 1214 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 06:21:30 - snort [1:0:0] TCP to 1214 KaZaa
Source IP: 63.208.234.195 Source port: 32912
Source host: unknown.Level3.net
Target IP: 12.82.137.217 Target port: 1214 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 06:46:24 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 12.82.137.8 Source port: 1090
Source host: 8.seattle-23-24rs.wa.dial-access.att.net
Target IP: 12.82.137.217 Target port: 137 Proto: UDP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 06:53:40 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.235.45.119 Source port: 4453
Source host: 12-235-45-119.client.attbi.com
Target IP: 12.82.137.217 Target port: 80 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 07:33:09 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 209.128.45.153 Source port: 3852
Source host: 1block.newtel.com
Target IP: 12.82.137.217 Target port: 80 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 07:33:12 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 209.128.45.153 Source port: 3852
Source host: 1block.newtel.com
Target IP: 12.82.137.217 Target port: 80 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 07:33:18 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 209.128.45.153 Source port: 3852
Source host: 1block.newtel.com
Target IP: 12.82.137.217 Target port: 80 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 08:25:06 - snort [1:0:0] TCP to 22 ssh
Source IP: 62.157.86.180 Source port: 2639
Source host: mail.unit3000.net
Target IP: 12.82.137.217 Target port: 22 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 10:00:53 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.134.175 Source port: 1416
Source host: 175.seattle-16-17rs.wa.dial-access.att.net
Target IP: 12.82.137.217 Target port: 80 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 10:00:56 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.134.175 Source port: 1416
Source host: 175.seattle-16-17rs.wa.dial-access.att.net
Target IP: 12.82.137.217 Target port: 80 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 10:20:06 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.230.228.10 Source port: 4989
Source host: 12-230-228-10.client.attbi.com
Target IP: 12.82.137.217 Target port: 80 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 10:20:09 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.230.228.10 Source port: 4989
Source host: 12-230-228-10.client.attbi.com
Target IP: 12.82.137.217 Target port: 80 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 10:43:57 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 61.144.189.228 Source port: 3263
Source host: 61.144.189.228
Target IP: 12.82.137.217 Target port: 80 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 10:44:00 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 61.144.189.228 Source port: 3263
Source host: 61.144.189.228
Target IP: 12.82.137.217 Target port: 80 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 10:44:06 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 61.144.189.228 Source port: 3263
Source host: 61.144.189.228
Target IP: 12.82.137.217 Target port: 80 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 10:44:44 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.134.175 Source port: 4158
Source host: 175.seattle-16-17rs.wa.dial-access.att.net
Target IP: 12.82.137.217 Target port: 80 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 10:44:47 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.134.175 Source port: 4158
Source host: 175.seattle-16-17rs.wa.dial-access.att.net
Target IP: 12.82.137.217 Target port: 80 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 11:31:30 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.134.175 Source port: 1229
Source host: 175.seattle-16-17rs.wa.dial-access.att.net
Target IP: 12.82.137.217 Target port: 80 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 11:31:33 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.134.175 Source port: 1229
Source host: 175.seattle-16-17rs.wa.dial-access.att.net
Target IP: 12.82.137.217 Target port: 80 Proto: TCP
Target host: 217.seattle-23-24rs.wa.dial-access.att.net
Mar 14 16:01:44 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.224.229.230 Source port: 4909
Source host: 12-224-229-230.client.attbi.com
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 16:01:47 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.224.229.230 Source port: 4909
Source host: 12-224-229-230.client.attbi.com
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 16:17:43 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 160.114.87.237 Source port: 3896
Source host: szfinx.tb.jgytf.u-szeged.hu
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 16:17:46 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 160.114.87.237 Source port: 3896
Source host: szfinx.tb.jgytf.u-szeged.hu
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 16:17:52 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 160.114.87.237 Source port: 3896
Source host: szfinx.tb.jgytf.u-szeged.hu
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 17:04:44 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.134.175 Source port: 2618
Source host: 175.seattle-16-17rs.wa.dial-access.att.net
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 17:04:47 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.134.175 Source port: 2618
Source host: 175.seattle-16-17rs.wa.dial-access.att.net
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 18:03:23 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.155.220 Source port: 2699
Source host: 220.seattle06rh16rt.wa.dial-access.att.net
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 18:03:26 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.155.220 Source port: 2699
Source host: 220.seattle06rh16rt.wa.dial-access.att.net
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 18:10:47 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.243.159 Source port: 2386
Source host: 159.houston-10rh16rt.tx.dial-access.att.net
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 18:10:49 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.243.159 Source port: 2386
Source host: 159.houston-10rh16rt.tx.dial-access.att.net
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 18:12:04 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.130.141 Source port: 3401
Source host: 141.seattle-06-07rs.wa.dial-access.att.net
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 18:12:07 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.130.141 Source port: 3401
Source host: 141.seattle-06-07rs.wa.dial-access.att.net
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 18:23:52 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 200.207.165.245 Source port: 2371
Source host: 200-207-165-245.dsl.telesp.net.br
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 18:23:59 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 200.207.165.245 Source port: 2371
Source host: 200-207-165-245.dsl.telesp.net.br
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 18:28:16 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.137.39 Source port: 1916
Source host: 39.seattle-23-24rs.wa.dial-access.att.net
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 18:28:19 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.137.39 Source port: 1916
Source host: 39.seattle-23-24rs.wa.dial-access.att.net
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 18:54:53 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.140 Source port: 2785
Source host: 140.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 18:54:56 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.140 Source port: 2785
Source host: 140.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 19:31:23 - snort [1:0:0] TCP to 22 ssh
Source IP: 211.197.100.15 Source port: 22
Source host: 211.197.100.15
Target IP: 12.82.135.106 Target port: 22 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 21:30:00 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.153 Source port: 1163
Source host: 153.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 21:30:03 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.140.153 Source port: 1163
Source host: 153.seattle-05-10rs.wa.dial-access.att.net
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 22:05:48 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 213.29.237.23 Source port: 1463
Source host: 213.29.237.23
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 22:05:51 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 213.29.237.23 Source port: 1463
Source host: 213.29.237.23
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 22:05:57 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 213.29.237.23 Source port: 1463
Source host: 213.29.237.23
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 22:25:10 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.159.15 Source port: 4281
Source host: 15.seattle08rh16rt.wa.dial-access.att.net
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 14 22:25:13 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.82.159.15 Source port: 4281
Source host: 15.seattle08rh16rt.wa.dial-access.att.net
Target IP: 12.82.135.106 Target port: 80 Proto: TCP
Target host: 106.seattle-18-19rs.wa.dial-access.att.net
Mar 15 02:05:29 - snort [1:0:0] UDP to 137 netBIOS ns
Source IP: 209.3.112.70 Source port: 1025
Source host: 209.3.112.70
Target IP: 12.82.128.204 Target port: 137 Proto: UDP
Target host: 204.seattle-01-02rs.wa.dial-access.att.net
Mar 15 02:08:23 - snort [1:0:0] TCP to 6346 gnutella
Source IP: 203.122.32.133 Source port: 3226
Source host: 203.122.32.133
Target IP: 12.82.128.204 Target port: 6346 Proto: TCP
Target host: 204.seattle-01-02rs.wa.dial-access.att.net
Mar 15 02:08:27 - snort [1:0:0] TCP to 6346 gnutella
Source IP: 203.122.32.133 Source port: 3226
Source host: 203.122.32.133
Target IP: 12.82.128.204 Target port: 6346 Proto: TCP
Target host: 204.seattle-01-02rs.wa.dial-access.att.net
Mar 15 02:08:33 - snort [1:0:0] TCP to 6346 gnutella
Source IP: 203.122.32.133 Source port: 3226
Source host: 203.122.32.133
Target IP: 12.82.128.204 Target port: 6346 Proto: TCP
Target host: 204.seattle-01-02rs.wa.dial-access.att.net
Mar 15 02:08:46 - snort [1:0:0] TCP to 6346 gnutella
Source IP: 203.122.32.133 Source port: 3226
Source host: 203.122.32.133
Target IP: 12.82.128.204 Target port: 6346 Proto: TCP
Target host: 204.seattle-01-02rs.wa.dial-access.att.net
Mar 15 02:51:47 - snort [1:0:0] TCP to 6346 gnutella
Source IP: 210.50.85.121 Source port: 1242
Source host: 121.d.006.mel.iprimus.net.au
Target IP: 12.82.128.204 Target port: 6346 Proto: TCP
Target host: 204.seattle-01-02rs.wa.dial-access.att.net
Mar 15 02:51:50 - snort [1:0:0] TCP to 6346 gnutella
Source IP: 210.50.85.121 Source port: 1242
Source host: 121.d.006.mel.iprimus.net.au
Target IP: 12.82.128.204 Target port: 6346 Proto: TCP
Target host: 204.seattle-01-02rs.wa.dial-access.att.net
Mar 15 03:54:58 - snort [1:0:0] TCP to 6346 gnutella
Source IP: 62.254.23.232 Source port: 2177
Source host: pc1-hink3-0-cust232.not.cable.ntl.com
Target IP: 12.82.128.204 Target port: 6346 Proto: TCP
Target host: 204.seattle-01-02rs.wa.dial-access.att.net
Mar 15 03:55:01 - snort [1:0:0] TCP to 6346 gnutella
Source IP: 62.254.23.232 Source port: 2177
Source host: pc1-hink3-0-cust232.not.cable.ntl.com
Target IP: 12.82.128.204 Target port: 6346 Proto: TCP
Target host: 204.seattle-01-02rs.wa.dial-access.att.net
Mar 15 03:55:07 - snort [1:0:0] TCP to 6346 gnutella
Source IP: 62.254.23.232 Source port: 2177
Source host: pc1-hink3-0-cust232.not.cable.ntl.com
Target IP: 12.82.128.204 Target port: 6346 Proto: TCP
Target host: 204.seattle-01-02rs.wa.dial-access.att.net
This report generated 03/15/2002 at 04:01:00
by a perl script written by John Sage at FinchHaven.com,
based upon the work of Dan Swan in his script snort2html.pl
jsage@finchhaven.com
Last modified: Fri Mar 15 05:55:45 2002