+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
snort2html.plx:

Mar 15 05:10:21 - snort [1:0:0] Potential CodeRed/Nimda probe
    Source IP: 61.133.1.116     Source port: 4767    Source host: 61.133.1.116
    Target IP: 12.82.128.204    Target port: 80      Proto: TCP
    Target host: 204.seattle-01-02rs.wa.dial-access.att.net

Mar 15 05:10:24 - snort [1:0:0] Potential CodeRed/Nimda probe
    Source IP: 61.133.1.116     Source port: 4767    Source host: 61.133.1.116
    Target IP: 12.82.128.204    Target port: 80      Proto: TCP
    Target host: 204.seattle-01-02rs.wa.dial-access.att.net

Mar 15 05:10:31 - snort [1:0:0] Potential CodeRed/Nimda probe
    Source IP: 61.133.1.116     Source port: 4767    Source host: 61.133.1.116
    Target IP: 12.82.128.204    Target port: 80      Proto: TCP
    Target host: 204.seattle-01-02rs.wa.dial-access.att.net

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman

Request: 61.133.1.116

connecting to whois.arin.net [192.149.252.22:43] ...
connecting to WHOIS.APNIC.NET [202.12.29.13:43] ...

% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html
% (whois6.apnic.net)

inetnum:      61.133.0.0 - 61.133.127.255
netname:      CHINANET-SD
descr:        CHINANET Shandong province network
descr:        Data Communication Division
descr:        China Telecom
country:      CN
admin-c:      CH93-AP
tech-c:       XZ14-AP
mnt-by:       MAINT-CHINANET
mnt-lower:    MAINT-ZXF
changed:      hostmaster@ns.chinanet.cn.net 20000601
source:       APNIC

person:       Chinanet Hostmaster
address:      A12,Xin-Jie-Kou-Wai Street
country:      CN
phone:        +86-10-62370437
fax-no:       +86-10-62053995
e-mail:       hostmaster@ns.chinanet.cn.net
nic-hdl:      CH93-AP
mnt-by:       MAINT-CHINANET
changed:      hostmaster@ns.chinanet.cn.net 20000101
source:       APNIC

person:       XIAOFENG ZHANG
address:      Shandong Public Information Service Bureau
address:      No.77 Jingsan Road,Jinan,Shandong P.R China
country:      CN
phone:        +86-531-6052163
fax-no:       +86-531-6052414
e-mail:       ip@pub.sd.cninfo.net
nic-hdl:      XZ14-AP
mnt-by:       MAINT-ZXF
changed:      zxf@sdinfo.net 20001012
source:       APNIC

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
snort2html.plx:

Mar 15 07:06:12 - snort [1:0:0] UDP to 137 netBIOS ns
    Source IP: 12.82.129.171    Source port: 1055    Source host: 171.seattle-03-04rs.wa.dial-access.att.net
    Target IP: 12.82.129.58     Target port: 137     Proto: UDP
    Target host: 58.seattle-03-04rs.wa.dial-access.att.net

Mar 15 07:34:13 - snort [1:0:0] UDP to 137 netBIOS ns
    Source IP: 12.82.129.245    Source port: 1075    Source host: 245.seattle-03-04rs.wa.dial-access.att.net
    Target IP: 12.82.129.58     Target port: 137     Proto: UDP
    Target host: 58.seattle-03-04rs.wa.dial-access.att.net

snort alert:

[**] [1:0:0] UDP to 137 netBIOS ns [**]
03/15-07:06:12.460045 12.82.129.171:1055 -> 12.82.129.58:137
UDP TTL:126 TOS:0x0 ID:24087 IpLen:20 DgmLen:78
Len: 58
00 7B 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  .{.......... CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..
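What the 50-byte payload in the dump above actually says is worth spelling out, because the alert name ("UDP to 137 netBIOS ns") does not. The script below is an added example for this report, not code from snort or from snort2html; it rebuilds the payload by hand from the hex dump (UDP Len 58 minus the 8-byte UDP header) and parses it as a NetBIOS name-service packet. The name field "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" is the RFC 1001 "first-level" encoding of the wildcard name "*" padded with NULs, and the question type 0x0021 is NBSTAT, so this is a node status request ("send me your NetBIOS name table"), the packet `nbtstat -A <ip>` emits and one Windows sends on its own when it wants a NetBIOS name for an IP it is talking to. The second capture in this section carries the same payload from another dial-up host. TTL 126 on both is two hops below the Windows default of 128, so these are neighbouring Windows machines on the same access router doing name lookups, not an exploit attempt; the same packet is also the first step of NetBIOS share scanners, which is why it is still worth logging.

```python
"""Decode the NetBIOS name-service (NBNS, UDP/137) query from the snort dump above.

Added example for this report, not code from snort or snort2html. The payload is
the 50 bytes shown in the dump (UDP Len 58 minus the 8-byte UDP header),
reconstructed here by hand.
"""
import struct

# Constructed from the hex dump above: NBNS header, one question, nothing else.
PAYLOAD = (
    bytes.fromhex("007b 0010 0001 0000 0000 0000")   # TID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    + b"\x20" + b"CK" + b"A" * 30 + b"\x00"           # 32-char encoded name, then the root label
    + bytes.fromhex("0021 0001")                      # QTYPE 0x21 NBSTAT, QCLASS 1 IN
)

NBNS_HEADER = struct.Struct("!HHHHHH")
QTYPES = {0x0020: "NB (name query)", 0x0021: "NBSTAT (node status request)"}


def encode_first_level(name: bytes, suffix: int = 0x00) -> str:
    """RFC 1001 section 14.1 first-level encoding: pad the name to 15 bytes, append
    the one-byte suffix, and send each nibble as one letter 'A'..'P' (nibble + 0x41).
    Ordinary names are space-padded; the wildcard "*" is NUL-padded."""
    pad = b"\x00" if name == b"*" else b" "
    raw = name.ljust(15, pad)[:15] + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_first_level(encoded: str) -> bytes:
    """Inverse of encode_first_level; rejects anything that is not 32 letters A..P."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name: %r" % encoded)
    pairs = zip(encoded[0::2], encoded[1::2])
    return bytes(((ord(hi) - 0x41) << 4) | (ord(lo) - 0x41) for hi, lo in pairs)


def parse_nbns_query(payload: bytes) -> dict:
    """Parse the header and the first question of an NBNS packet into plain fields."""
    if len(payload) < NBNS_HEADER.size:
        raise ValueError("short NBNS packet")
    tid, flags, qdcount, ancount, nscount, arcount = NBNS_HEADER.unpack_from(payload)
    # Question name: DNS-style length-prefixed labels ending in a zero length byte.
    labels, off = [], NBNS_HEADER.size
    while True:
        if off >= len(payload):
            raise ValueError("truncated question name")
        length = payload[off]
        off += 1
        if length == 0:
            break
        labels.append(payload[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack_from("!HH", payload, off)
    off += 4
    raw = decode_first_level(labels[0])          # 16 bytes: 15-byte name + 1 suffix byte
    return {
        "transaction_id": tid,
        "is_response": bool(flags & 0x8000),     # R bit
        "opcode": (flags >> 11) & 0xF,           # 0 = query
        "broadcast": bool(flags & 0x0010),       # B bit of NM_FLAGS
        "questions": qdcount,
        "name": raw[:15].rstrip(b"\x00 ").decode("ascii", "replace"),
        "suffix": raw[15],
        "scope": ".".join(labels[1:]),           # empty here: no NetBIOS scope in use
        "qtype": QTYPES.get(qtype, hex(qtype)),
        "qclass": qclass,
        "trailing_bytes": len(payload) - off,    # anything after the single question
    }


if __name__ == "__main__":
    for key, value in parse_nbns_query(PAYLOAD).items():
        print(f"{key:16} {value}")
    # The CKAAAA... string in the dump is exactly the encoding of "*" with NUL padding.
    print(encode_first_level(b"*") == "CK" + "A" * 30)
```

The decoder is strict about the name field on purpose: a length byte other than 0x20 or letters outside A..P mean the packet is not a well-formed NBNS question, which is the case a rule written purely on "UDP to port 137" can never tell apart from a normal lookup.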
[**] [1:0:0] UDP to 137 netBIOS ns [**]
03/15-07:34:13.770063 12.82.129.245:1075 -> 12.82.129.58:137
UDP TTL:126 TOS:0x0 ID:16681 IpLen:20 DgmLen:78
Len: 58
00 7B 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  .{.......... CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
snort2html.plx:

Mar 15 12:20:56 - snort [1:0:0] Potential CodeRed/Nimda probe
    Source IP: 217.235.50.236   Source port: 62626   Source host: pD9EB32EC.dip.t-dialin.net
    Target IP: 12.82.129.58     Target port: 80      Proto: TCP
    Target host: 58.seattle-03-04rs.wa.dial-access.att.net

Mar 15 12:20:59 - snort [1:0:0] Potential CodeRed/Nimda probe
    Source IP: 217.235.50.236   Source port: 62626   Source host: pD9EB32EC.dip.t-dialin.net
    Target IP: 12.82.129.58     Target port: 80      Proto: TCP
    Target host: 58.seattle-03-04rs.wa.dial-access.att.net

Mar 15 12:21:05 - snort [1:0:0] Potential CodeRed/Nimda probe
    Source IP: 217.235.50.236   Source port: 62626   Source host: pD9EB32EC.dip.t-dialin.net
    Target IP: 12.82.129.58     Target port: 80      Proto: TCP
    Target host: 58.seattle-03-04rs.wa.dial-access.att.net

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman

% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      217.224.0.0 - 217.237.161.47
netname:      DTAG-DIAL15
descr:        Deutsche Telekom AG
country:      DE
admin-c:      DTIP-RIPE
tech-c:       ST5359-RIPE
status:       ASSIGNED PA
remarks:      ************************************************************
remarks:      * ABUSE CONTACT: abuse@t-ipnet.de IN CASE OF HACK ATTACKS, *
remarks:      * ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC.   *
remarks:      ************************************************************
notify:       auftrag@nic.telekom.de
notify:       dbd@nic.dtag.de
mnt-by:       DTAG-NIC
changed:      auftrag@nic.telekom.de 20020108
source:       RIPE

route:        217.224.0.0/11
descr:        Deutsche Telekom AG, Internet service provider
origin:       AS3320
mnt-by:       DTAG-RR
changed:      bp@nic.dtag.de 20010405
source:       RIPE

person:       DTAG Global IP-Adressing
address:      Deutsche Telekom AG
address:      Postfach 900110
address:      D-90492 Nuernberg
address:      Germany
phone:        +49 911 68909856
e-mail:       ripe.dtip@telekom.de
nic-hdl:      DTIP-RIPE
mnt-by:       DTAG-NIC
changed:      auftrag@nic.telekom.de 20020311
source:       RIPE

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
snort2html.plx:

Mar 15 14:12:45 - snort [1:0:0] TCP to 111 sunrpc
    Source IP: 200.56.98.93     Source port: 25247   Source host: red-corpb23-93.telnor.net
    Target IP: 12.82.129.58     Target port: 111     Proto: TCP
    Target host: 58.seattle-03-04rs.wa.dial-access.att.net

snort packet capture:

Version 1.8.2 (Build 86)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)

03/15-14:12:45.550041 200.56.98.93:25247 -> 12.82.129.58:111
TCP TTL:51 TOS:0x0 ID:57299 IpLen:20 DgmLen:44
******S* Seq: 0x1C2FD097  Ack: 0x0  Win: 0x200  TcpLen: 24
TCP Options (1) => MSS: 1460

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

TTL 51, i.e. decremented 13 hops from an initial 64 = Linux, OpenBSD, AIX
Win size = 0x200 (512)? - that's weird..
TCP options = 1 (MSS only) = Solaris 7, AIX
DgmLen = 44 = Solaris 7, AIX

Caveat: the three guesses above do not agree with each other, and a 512-byte
window on a 44-byte SYN carrying only an MSS option is not a value any of the
stacks named above puts in a SYN from connect(). Only one SYN from this source
appears in the report, with none of the 3 s / 6 s retransmits that the port 80
and port 139 probes elsewhere in this report show, which is consistent with a
scanner writing its own SYN packets rather than a real connection attempt. A
single packet's TTL, window and option list is a weak basis for naming the
sending OS.

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman

Network Information Center Mexico (NETBLK-NIC-MEXICO-5)
   NIC-MEXICO-5                200.56.0.0 - 200.57.255.255
Telefonos del Noroeste S.A. de C.V. (NETBLK-TELNOR-NET-2)
   TELNOR-NET-2                200.56.96.0 - 200.56.111.255

Telefonos del Noroeste S.A. de C.V. (NETBLK-TELNOR-NET-2)
   Pio Pico #2101
   Tijuana, Baja California 22000
   MX

   Netname: TELNOR-NET-2
   Netblock: 200.56.96.0 - 200.56.111.255
   Maintainer: TNCV

   Coordinator:
      Nevarez, Luis Rodolfo  (LRN1-ARIN)  rone@telnor.com
      526-6332215

   Record last updated on 27-Jun-2001.
   Database last updated on 20-Mar-2002 19:58:52 EDT.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
snort2html.plx:

Mar 15 20:02:56 - snort [1:0:0] UDP to 53 domain
    Source IP: 64.70.2.15       Source port: 55555   Source host: 64.70.2.15
    Target IP: 12.82.128.79     Target port: 53      Proto: UDP
    Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 20:02:56 - snort [1:0:0] UDP to 53 domain
    Source IP: 64.70.2.15       Source port: 55555   Source host: 64.70.2.15
    Target IP: 12.82.128.79     Target port: 53      Proto: UDP
    Target host: 79.seattle-01-02rs.wa.dial-access.att.net

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Mar 15 20:24:23 - snort [1:0:0] TCP to 139 netBIOS ss
    Source IP: 194.65.158.24    Source port: 3115    Source host: 194.65.158.24
    Target IP: 12.82.128.79     Target port: 139     Proto: TCP
    Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 20:24:26 - snort [1:0:0] TCP to 139 netBIOS ss
    Source IP: 194.65.158.24    Source port: 3115    Source host: 194.65.158.24
    Target IP: 12.82.128.79     Target port: 139     Proto: TCP
    Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 20:24:32 - snort [1:0:0] TCP to 139 netBIOS ss
    Source IP: 194.65.158.24    Source port: 3115    Source host: 194.65.158.24
    Target IP: 12.82.128.79     Target port: 139     Proto: TCP
    Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 20:24:45 - snort [1:0:0] TCP to 139 netBIOS ss
    Source IP: 194.65.158.24    Source port: 3115    Source host: 194.65.158.24
    Target IP: 12.82.128.79     Target port: 139     Proto: TCP
    Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 20:25:42 - snort [1:0:0] Potential CodeRed/Nimda probe
    Source IP: 12.82.142.39     Source port: 2187    Source host: 39.seattle-25-30rs.wa.dial-access.att.net
    Target IP: 12.82.128.79     Target port: 80      Proto: TCP
    Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 20:25:45 - snort [1:0:0] Potential CodeRed/Nimda probe
    Source IP: 12.82.142.39     Source port: 2187    Source host: 39.seattle-25-30rs.wa.dial-access.att.net
    Target IP: 12.82.128.79     Target port: 80      Proto: TCP
    Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 21:09:35 - snort [1:0:0] Potential CodeRed/Nimda probe
    Source IP: 12.82.130.177    Source port: 2049    Source host: 177.seattle-06-07rs.wa.dial-access.att.net
    Target IP: 12.82.128.79     Target port: 80      Proto: TCP
    Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 21:09:38 - snort [1:0:0] Potential CodeRed/Nimda probe
    Source IP: 12.82.130.177    Source port: 2049    Source host: 177.seattle-06-07rs.wa.dial-access.att.net
    Target IP: 12.82.128.79     Target port: 80      Proto: TCP
    Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 21:25:46 - snort [1:0:0] TCP to 21 ftp
    Source IP: 217.226.184.12   Source port: 2732    Source host: pD9E2B80C.dip.t-dialin.net
    Target IP: 12.82.128.79     Target port: 21      Proto: TCP
    Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 21:25:49 - snort [1:0:0] TCP to 21 ftp
    Source IP: 217.226.184.12   Source port: 2732    Source host: pD9E2B80C.dip.t-dialin.net
    Target IP: 12.82.128.79     Target port: 21      Proto: TCP
    Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 21:25:55 - snort [1:0:0] TCP to 21 ftp
    Source IP: 217.226.184.12   Source port: 2732    Source host: pD9E2B80C.dip.t-dialin.net
    Target IP: 12.82.128.79     Target port: 21      Proto: TCP
    Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 23:12:53 - snort [1:0:0] TCP to 515 lpr
    Source IP: 200.68.13.210    Source port: 4661    Source host: 200.68.13.210
    Target IP: 12.82.128.79     Target port: 515     Proto: TCP
    Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 23:12:56 - snort [1:0:0] TCP to 515 lpr
    Source IP: 200.68.13.210    Source port: 4661    Source host: 200.68.13.210
    Target IP: 12.82.128.79     Target port: 515     Proto: TCP
    Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 16 00:12:40 - snort [1:0:0] TCP to 1080 socks
    Source IP: 12.251.95.152    Source port: 2863    Source host: 12-251-95-152.client.attbi.com
    Target IP: 12.82.128.79     Target port: 1080    Proto: TCP
    Target host: 79.seattle-01-02rs.wa.dial-access.att.net

This report generated 03/16/2002 at 04:01:00 by a perl script written by John Sage at FinchHaven.com, based upon the work of Dan Swan in his script snort2html.pl
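A pattern runs through the TCP alerts in this report that the per-alert listing hides: most sources show up two to four times from the same source port, at gaps of about 3 s, 6 s and 12 s, while the sunrpc probe shows up exactly once. The doubling cadence from one source port is a kernel TCP stack retransmitting a SYN that got no answer (the dial-up target is not listening, or not there), which is what a worm or a scanner that calls connect() looks like from the outside; a tool that writes its own SYN packets normally sends each one once. The script below is an added example, not part of snort2html.plx or of Dan Swan's snort2html.pl: it parses the report's own summary-line format, groups alerts into per-socket series and labels each series by its spacing. The sample input is constructed by copying ten summary lines from this report; the year is assumed to be 2002 (from the report footer) because the summary lines carry none, and the 3 s initial retransmit timer is the Windows and Linux default of the period, exposed as a parameter.

```python
"""Group the snort2html.plx summary lines of this report into probe series and
tell a kernel TCP stack's SYN retransmits apart from a single hand-built packet.

Added example, not part of snort2html.plx or snort2html.pl. Assumes the report's
'Mon DD HH:MM:SS - snort [sig] msg Source IP: ... Target host: ...' layout and,
because those lines carry no year, that every record is from 2002 (the year in
the report footer).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: ten summary lines copied from the report above. The layout
# may be folded onto one line or spread over several; the parser does not care.
SAMPLE = """
Mar 15 05:10:21 - snort [1:0:0] Potential CodeRed/Nimda probe Source IP: 61.133.1.116 Source port: 4767 Source host: 61.133.1.116 Target IP: 12.82.128.204 Target port: 80 Proto: TCP Target host: 204.seattle-01-02rs.wa.dial-access.att.net
Mar 15 05:10:24 - snort [1:0:0] Potential CodeRed/Nimda probe Source IP: 61.133.1.116 Source port: 4767 Source host: 61.133.1.116 Target IP: 12.82.128.204 Target port: 80 Proto: TCP Target host: 204.seattle-01-02rs.wa.dial-access.att.net
Mar 15 05:10:31 - snort [1:0:0] Potential CodeRed/Nimda probe Source IP: 61.133.1.116 Source port: 4767 Source host: 61.133.1.116 Target IP: 12.82.128.204 Target port: 80 Proto: TCP Target host: 204.seattle-01-02rs.wa.dial-access.att.net
Mar 15 14:12:45 - snort [1:0:0] TCP to 111 sunrpc Source IP: 200.56.98.93 Source port: 25247 Source host: red-corpb23-93.telnor.net Target IP: 12.82.129.58 Target port: 111 Proto: TCP Target host: 58.seattle-03-04rs.wa.dial-access.att.net
Mar 15 20:02:56 - snort [1:0:0] UDP to 53 domain Source IP: 64.70.2.15 Source port: 55555 Source host: 64.70.2.15 Target IP: 12.82.128.79 Target port: 53 Proto: UDP Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 20:02:56 - snort [1:0:0] UDP to 53 domain Source IP: 64.70.2.15 Source port: 55555 Source host: 64.70.2.15 Target IP: 12.82.128.79 Target port: 53 Proto: UDP Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 20:24:23 - snort [1:0:0] TCP to 139 netBIOS ss Source IP: 194.65.158.24 Source port: 3115 Source host: 194.65.158.24 Target IP: 12.82.128.79 Target port: 139 Proto: TCP Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 20:24:26 - snort [1:0:0] TCP to 139 netBIOS ss Source IP: 194.65.158.24 Source port: 3115 Source host: 194.65.158.24 Target IP: 12.82.128.79 Target port: 139 Proto: TCP Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 20:24:32 - snort [1:0:0] TCP to 139 netBIOS ss Source IP: 194.65.158.24 Source port: 3115 Source host: 194.65.158.24 Target IP: 12.82.128.79 Target port: 139 Proto: TCP Target host: 79.seattle-01-02rs.wa.dial-access.att.net
Mar 15 20:24:45 - snort [1:0:0] TCP to 139 netBIOS ss Source IP: 194.65.158.24 Source port: 3115 Source host: 194.65.158.24 Target IP: 12.82.128.79 Target port: 139 Proto: TCP Target host: 79.seattle-01-02rs.wa.dial-access.att.net
"""

RECORD = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d) - snort \[(?P<sig>[^\]]*)\] (?P<msg>.+?) "
    r"Source IP: (?P<src>\S+) Source port: (?P<sport>\d+) Source host: \S+ "
    r"Target IP: (?P<dst>\S+) Target port: (?P<dport>\d+) Proto: (?P<proto>\S+) Target host: \S+"
)


def parse_records(text, year=2002):
    """Return one dict per summary record, with a datetime built from the assumed year."""
    flat = " ".join(text.split())          # fold whatever line layout the report uses
    records = []
    for m in RECORD.finditer(flat):
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append({**m.groupdict(), "when": when})
    return records


def series(records):
    """Group alert times by (src, sport, dst, dport, proto), i.e. per source socket."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["sport"], r["dst"], r["dport"], r["proto"])].append(r["when"])
    return {key: sorted(times) for key, times in groups.items()}


def classify(proto, times, initial_rto=3.0, slack=1.0):
    """Label a series by its inter-arrival pattern.

    A kernel TCP stack whose SYN gets no answer resends it from the same source port
    after roughly the initial RTO (assumed 3 s, the Windows and Linux default of the
    time), then doubles the wait. A tool writing its own SYNs usually sends once.
    """
    if proto != "TCP":
        return f"{proto.lower()}, {len(times)} packet(s)"
    if len(times) == 1:
        return "single SYN (no retransmit)"
    expected = initial_rto
    for earlier, later in zip(times, times[1:]):
        gap = (later - earlier).total_seconds()
        if not (expected - slack <= gap <= expected * 1.5 + slack):
            return "several SYNs, irregular spacing"
        expected *= 2
    return "connect() retransmit cadence (same source port, ~doubling gaps)"


def summarize(text):
    """One row per series, ordered by first sighting: (src, target, count, label)."""
    rows = []
    ordered = sorted(series(parse_records(text)).items(), key=lambda kv: kv[1][0])
    for (src, sport, dst, dport, proto), times in ordered:
        rows.append((src, f"{dst}:{dport}/{proto}", len(times), classify(proto, times)))
    return rows


if __name__ == "__main__":
    for src, target, count, label in summarize(SAMPLE):
        print(f"{src:16} -> {target:22} {count:2d}  {label}")
```

Run over the sample, the two port 80 and port 139 series come out as connect() retransmit cadences, the sunrpc packet as a single SYN, and the two DNS packets in the same second as plain UDP. The slack and the 1.5x upper bound absorb the one-second granularity of the summary timestamps (the 05:10:21/:24/:31 series has gaps of 3 s and 7 s, not 3 s and 6 s); the label is evidence about how the packet was produced, not about what produced it.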