Incidents: 03-15-02

A smattering of interesting probes from my firewall logs, Friday, March 15 2002



+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
snort2html.plx:

Mar 15 05:10:21 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 61.133.1.116   Source port: 4767 
Source host: 61.133.1.116
  Target IP: 12.82.128.204   Target port: 80   Proto: TCP 
Target host: 204.seattle-01-02rs.wa.dial-access.att.net

Mar 15 05:10:24 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 61.133.1.116   Source port: 4767 
Source host: 61.133.1.116
  Target IP: 12.82.128.204   Target port: 80   Proto: TCP 
Target host: 204.seattle-01-02rs.wa.dial-access.att.net

Mar 15 05:10:31 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 61.133.1.116   Source port: 4767 
Source host: 61.133.1.116
  Target IP: 12.82.128.204   Target port: 80   Proto: TCP 
Target host: 204.seattle-01-02rs.wa.dial-access.att.net


BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
 (c) 1999-2001 William E. Weinman 

Request: 61.133.1.116
connecting to whois.arin.net [192.149.252.22:43] ...
connecting to WHOIS.APNIC.NET [202.12.29.13:43] ... 

% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html
% (whois6.apnic.net) 

inetnum:     61.133.0.0 - 61.133.127.255
netname:     CHINANET-SD
descr:       CHINANET Shandong province network
descr:       Data Communication Division
descr:       China Telecom
country:     CN
admin-c:     CH93-AP
tech-c:      XZ14-AP
mnt-by:      MAINT-CHINANET
mnt-lower:   MAINT-ZXF
changed:     hostmaster@ns.chinanet.cn.net 20000601
source:      APNIC 

person:      Chinanet Hostmaster
address:     A12,Xin-Jie-Kou-Wai Street
country:     CN
phone:       +86-10-62370437
fax-no:      +86-10-62053995
e-mail:      hostmaster@ns.chinanet.cn.net
nic-hdl:     CH93-AP
mnt-by:      MAINT-CHINANET
changed:     hostmaster@ns.chinanet.cn.net 20000101
source:      APNIC 

person:      XIAOFENG ZHANG
address:     Shandong Public Information Service Bureau
address:     No.77 Jingsan Road,Jinan,Shandong P.R China
country:     CN
phone:       +86-531-6052163
fax-no:      +86-531-6052414
e-mail:      ip@pub.sd.cninfo.net
nic-hdl:     XZ14-AP
mnt-by:      MAINT-ZXF
changed:     zxf@sdinfo.net 20001012
source:      APNIC


+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
snort2html.plx:

Mar 15 07:06:12 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 12.82.129.171   Source port: 1055 
Source host: 171.seattle-03-04rs.wa.dial-access.att.net
  Target IP: 12.82.129.58   Target port: 137   Proto: UDP 
Target host: 58.seattle-03-04rs.wa.dial-access.att.net

Mar 15 07:34:13 - snort [1:0:0] UDP to 137 netBIOS ns 
  Source IP: 12.82.129.245   Source port: 1075 
Source host: 245.seattle-03-04rs.wa.dial-access.att.net
  Target IP: 12.82.129.58   Target port: 137   Proto: UDP 
Target host: 58.seattle-03-04rs.wa.dial-access.att.net


snort alert:

[**] [1:0:0] UDP to 137 netBIOS ns [**]
03/15-07:06:12.460045 12.82.129.171:1055 -> 12.82.129.58:137
UDP TTL:126 TOS:0x0 ID:24087 IpLen:20 DgmLen:78
Len: 58 

00 7B 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  .{.......... CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..


[**] [1:0:0] UDP to 137 netBIOS ns [**]
03/15-07:34:13.770063 12.82.129.245:1075 -> 12.82.129.58:137
UDP TTL:126 TOS:0x0 ID:16681 IpLen:20 DgmLen:78
Len: 58

00 7B 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  .{.......... CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..
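The two dumps above are byte-for-byte the same packet. As an added example (not part of the original log page), the Python below takes those 50 payload bytes, parses the NetBIOS Name Service header and question, and undoes the RFC 1001 first-level name encoding so that "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" becomes the wildcard name "*": combined with QTYPE 0x21 this is a node status request, the query that asks a host to hand over its entire NetBIOS name table (machine name, workgroup, logged-on user). The only assumption is the QTYPES lookup table, which covers just the two common query types.

```python
import struct

# Constructed from the hex dump on this page (UDP to 137, 03/15-07:06:12): a 12-byte
# NBNS header, then a 32-character encoded name, the root label, QTYPE and QCLASS.
NBNS_PAYLOAD = bytes.fromhex(
    "007b 0010 0001 0000 0000 0000"     # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    + "20 434b" + "41" * 30 + " 00"     # length 32, "CK" + 30 x "A", zero-length root label
    + " 0021 0001"                      # QTYPE 0x21 = NBSTAT, QCLASS 1 = IN
)
QTYPES = {0x20: "NB (name query)", 0x21: "NBSTAT (node status request)"}

def decode_first_level(label: str) -> bytes:
    """Undo RFC 1001 first-level encoding: each nibble is sent as the letter 'A' + nibble."""
    if len(label) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((ord(hi) - 0x41) << 4) | (ord(lo) - 0x41)
                 for hi, lo in zip(label[0::2], label[1::2]))

def parse_nbns_query(payload: bytes) -> dict:
    """Parse a NetBIOS Name Service request and recover the name being asked about."""
    tid, flags, qdcount = struct.unpack("!3H", payload[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question NBNS request")
    pos, labels = 12, []
    while payload[pos] != 0:                 # DNS-style labels ending in a zero byte
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    raw = decode_first_level(labels[0])      # 15 name bytes followed by 1 suffix byte
    name = raw[:15].rstrip(b"\x00 ").decode("ascii", "replace")
    return {
        "transaction_id": tid,
        "broadcast": bool(flags & 0x0010),    # the B bit of NM_FLAGS
        "name": name,
        "suffix": raw[15],
        "qtype": qtype,
        "qtype_name": QTYPES.get(qtype, "unknown"),
        "qclass": qclass,
        # "*" + NBSTAT is the wildcard node-status request (what nbtstat -A sends):
        # it asks the target to list its whole NetBIOS name table.
        "wildcard_node_status": name == "*" and qtype == 0x21,
        "payload_len": len(payload),
    }

if __name__ == "__main__":
    for key, value in parse_nbns_query(NBNS_PAYLOAD).items():
        print(f"{key:>22}: {value}")
```

The 50 payload bytes plus the 8-byte UDP header give exactly the "Len: 58" snort reports, and 58 plus the 20-byte IP header gives DgmLen 78.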



+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
snort2html.plx:

Mar 15 12:20:56 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 217.235.50.236   Source port: 62626 
Source host: pD9EB32EC.dip.t-dialin.net
  Target IP: 12.82.129.58   Target port: 80   Proto: TCP 
Target host: 58.seattle-03-04rs.wa.dial-access.att.net

Mar 15 12:20:59 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 217.235.50.236   Source port: 62626 
Source host: pD9EB32EC.dip.t-dialin.net
  Target IP: 12.82.129.58   Target port: 80   Proto: TCP 
Target host: 58.seattle-03-04rs.wa.dial-access.att.net

Mar 15 12:21:05 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 217.235.50.236   Source port: 62626 
Source host: pD9EB32EC.dip.t-dialin.net
  Target IP: 12.82.129.58   Target port: 80   Proto: TCP 
Target host: 58.seattle-03-04rs.wa.dial-access.att.net


BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
 (c) 1999-2001 William E. Weinman 

% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html 

inetnum:      217.224.0.0 - 217.237.161.47
netname:      DTAG-DIAL15
descr:        Deutsche Telekom AG
country:      DE
admin-c:      DTIP-RIPE
tech-c:       ST5359-RIPE
status:       ASSIGNED PA
remarks:      ************************************************************
remarks:      * ABUSE CONTACT: abuse@t-ipnet.de IN CASE OF HACK ATTACKS, *
remarks:      * ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC.   *
remarks:      ************************************************************
notify:       auftrag@nic.telekom.de
notify:       dbd@nic.dtag.de
mnt-by:       DTAG-NIC
changed:      auftrag@nic.telekom.de 20020108
source:       RIPE 

route:        217.224.0.0/11
descr:        Deutsche Telekom AG, Internet service provider
origin:       AS3320
mnt-by:       DTAG-RR
changed:      bp@nic.dtag.de 20010405
source:       RIPE 

person:       DTAG Global IP-Adressing
address:      Deutsche Telekom AG
address:      Postfach 900110
address:      D-90492 Nuernberg
address:      Germany
phone:        +49 911 68909856
e-mail:       ripe.dtip@telekom.de
nic-hdl:      DTIP-RIPE
mnt-by:       DTAG-NIC
changed:      auftrag@nic.telekom.de 20020311
source:       RIPE



+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
snort2html.plx:

Mar 15 14:12:45 - snort [1:0:0] TCP to 111 sunrpc 
  Source IP: 200.56.98.93   Source port: 25247 
Source host: red-corpb23-93.telnor.net
  Target IP: 12.82.129.58   Target port: 111   Proto: TCP 
Target host: 58.seattle-03-04rs.wa.dial-access.att.net



snort packet capture:

Version 1.8.2 (Build 86)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)

03/15-14:12:45.550041 200.56.98.93:25247 -> 12.82.129.58:111
TCP TTL:51 TOS:0x0 ID:57299 IpLen:20 DgmLen:44
******S* Seq: 0x1C2FD097  Ack: 0x0  Win: 0x200  TcpLen: 24
TCP Options (1) => MSS: 1460 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

TTL 51: decremented from an initial TTL of 64 = Linux, OpenBSD, AIX
Win size = 0x200 (512)? That's weird...
TCP options = 1 (MSS only) = Solaris 7, AIX
DgmLen = 44 = Solaris 7, AIX
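The notes above key off four fields of the SYN. As an added example (not part of the original log page), the Python below pulls those fields out of the snort text record quoted above and derives what a passive fingerprint is compared against: the nearest common initial TTL and the implied hop distance, the window in decimal, and how many bytes of IP and TCP options the 44-byte datagram carries. It deliberately stops short of naming an OS; the small table of common initial TTLs is the only assumption built in.

```python
import re

# Constructed from the snort SYN capture on this page (TCP to 111 sunrpc, 03/15-14:12:45).
SNORT_SYN = """\
03/15-14:12:45.550041 200.56.98.93:25247 -> 12.82.129.58:111
TCP TTL:51 TOS:0x0 ID:57299 IpLen:20 DgmLen:44
******S* Seq: 0x1C2FD097  Ack: 0x0  Win: 0x200  TcpLen: 24
TCP Options (1) => MSS: 1460
"""

COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # starting TTLs used by common IP stacks (assumption)
FLAG_NAMES = "12UAPRSF"                   # snort's eight-character TCP flag string

def _int_field(record: str, name: str) -> int:
    """Read 'Name:51' or 'Name: 0x200' from the record, accepting decimal or hex."""
    m = re.search(rf"\b{name}:\s*(0x[0-9A-Fa-f]+|\d+)", record)
    if not m:
        raise ValueError(f"field {name} missing")
    return int(m.group(1), 16 if m.group(1).lower().startswith("0x") else 10)

def guess_initial_ttl(observed: int) -> tuple[int, int]:
    """Smallest common initial TTL not below the observed one, plus the implied hop count."""
    for start in COMMON_INITIAL_TTLS:
        if observed <= start:
            return start, start - observed
    raise ValueError("TTL above 255")

def fingerprint_syn(record: str) -> dict:
    """Extract the fields a passive fingerprint reasons about from one snort text record."""
    head = re.search(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)", record)
    flags = re.search(rf"^([{FLAG_NAMES}*]{{8}})\s+Seq:", record, re.M)
    if not head or not flags:
        raise ValueError("unrecognised snort record")
    ttl, ip_len, dgm_len, tcp_len = (_int_field(record, f)
                                     for f in ("TTL", "IpLen", "DgmLen", "TcpLen"))
    mss = re.search(r"MSS:\s*(\d+)", record)
    initial, hops = guess_initial_ttl(ttl)
    return {
        "src": f"{head.group(1)}:{head.group(2)}", "dst": f"{head.group(3)}:{head.group(4)}",
        "flags": {c for c in flags.group(1) if c != "*"},
        "ttl": ttl, "ttl_initial": initial, "hops": hops,
        "win": _int_field(record, "Win"),
        "ip_options_len": ip_len - 20,      # bytes beyond the 20-byte base IP header
        "tcp_options_len": tcp_len - 20,    # bytes beyond the 20-byte base TCP header
        "payload_len": dgm_len - ip_len - tcp_len,
        "mss": int(mss.group(1)) if mss else None,
    }
```

For this record the result is TTL 51 from an initial 64 (13 hops), a 512-byte window, no IP options, 4 bytes of TCP options (the single MSS) and no payload; the `tuple[int, int]` annotation needs Python 3.9 or later.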



BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
 (c) 1999-2001 William E. Weinman

Network Information Center Mexico (NETBLK-NIC-MEXICO-5)NIC-MEXICO-5
   200.56.0.0 - 200.57.255.255

Telefonos del Noroeste S.A. de C.V. (NETBLK-TELNOR-NET-2) TELNOR-NET-2
  200.56.96.0 - 200.56.111.255


Telefonos del Noroeste S.A. de C.V. (NETBLK-TELNOR-NET-2)
   Pio Pico #2101
   Tijuana, Baja California 22000
   MX    

Netname: TELNOR-NET-2
   Netblock: 200.56.96.0 - 200.56.111.255
   Maintainer: TNCV    

Coordinator:
      Nevarez, Luis Rodolfo  (LRN1-ARIN)  rone@telnor.com
      526-6332215 

   Record last updated on 27-Jun-2001.
   Database last updated on  20-Mar-2002 19:58:52 EDT.



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
snort2html.plx:

Mar 15 20:02:56 - snort [1:0:0] UDP to 53 domain 
  Source IP: 64.70.2.15   Source port: 55555 
Source host: 64.70.2.15
  Target IP: 12.82.128.79   Target port: 53   Proto: UDP 
Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 20:02:56 - snort [1:0:0] UDP to 53 domain 
  Source IP: 64.70.2.15   Source port: 55555 
Source host: 64.70.2.15
  Target IP: 12.82.128.79   Target port: 53   Proto: UDP 
Target host: 79.seattle-01-02rs.wa.dial-access.att.net






=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Mar 15 20:24:23 - snort [1:0:0] TCP to 139 netBIOS ss 
  Source IP: 194.65.158.24   Source port: 3115 
Source host: 194.65.158.24
  Target IP: 12.82.128.79   Target port: 139   Proto: TCP 
Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 20:24:26 - snort [1:0:0] TCP to 139 netBIOS ss 
  Source IP: 194.65.158.24   Source port: 3115 
Source host: 194.65.158.24
  Target IP: 12.82.128.79   Target port: 139   Proto: TCP 
Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 20:24:32 - snort [1:0:0] TCP to 139 netBIOS ss 
  Source IP: 194.65.158.24   Source port: 3115 
Source host: 194.65.158.24
  Target IP: 12.82.128.79   Target port: 139   Proto: TCP 
Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 20:24:45 - snort [1:0:0] TCP to 139 netBIOS ss 
  Source IP: 194.65.158.24   Source port: 3115 
Source host: 194.65.158.24
  Target IP: 12.82.128.79   Target port: 139   Proto: TCP 
Target host: 79.seattle-01-02rs.wa.dial-access.att.net



Mar 15 20:25:42 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.39   Source port: 2187 
Source host: 39.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.128.79   Target port: 80   Proto: TCP 
Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 20:25:45 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.142.39   Source port: 2187 
Source host: 39.seattle-25-30rs.wa.dial-access.att.net
  Target IP: 12.82.128.79   Target port: 80   Proto: TCP 
Target host: 79.seattle-01-02rs.wa.dial-access.att.net



Mar 15 21:09:35 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.130.177   Source port: 2049 
Source host: 177.seattle-06-07rs.wa.dial-access.att.net
  Target IP: 12.82.128.79   Target port: 80   Proto: TCP 
Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 21:09:38 - snort [1:0:0] Potential CodeRed/Nimda probe 
  Source IP: 12.82.130.177   Source port: 2049 
Source host: 177.seattle-06-07rs.wa.dial-access.att.net
  Target IP: 12.82.128.79   Target port: 80   Proto: TCP 
Target host: 79.seattle-01-02rs.wa.dial-access.att.net



Mar 15 21:25:46 - snort [1:0:0] TCP to 21 ftp 
  Source IP: 217.226.184.12   Source port: 2732 
Source host: pD9E2B80C.dip.t-dialin.net
  Target IP: 12.82.128.79   Target port: 21   Proto: TCP 
Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 21:25:49 - snort [1:0:0] TCP to 21 ftp 
  Source IP: 217.226.184.12   Source port: 2732 
Source host: pD9E2B80C.dip.t-dialin.net
  Target IP: 12.82.128.79   Target port: 21   Proto: TCP 
Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 21:25:55 - snort [1:0:0] TCP to 21 ftp 
  Source IP: 217.226.184.12   Source port: 2732 
Source host: pD9E2B80C.dip.t-dialin.net
  Target IP: 12.82.128.79   Target port: 21   Proto: TCP 
Target host: 79.seattle-01-02rs.wa.dial-access.att.net



Mar 15 23:12:53 - snort [1:0:0] TCP to 515 lpr 
  Source IP: 200.68.13.210   Source port: 4661 
Source host: 200.68.13.210
  Target IP: 12.82.128.79   Target port: 515   Proto: TCP 
Target host: 79.seattle-01-02rs.wa.dial-access.att.net

Mar 15 23:12:56 - snort [1:0:0] TCP to 515 lpr 
  Source IP: 200.68.13.210   Source port: 4661 
Source host: 200.68.13.210
  Target IP: 12.82.128.79   Target port: 515   Proto: TCP 
Target host: 79.seattle-01-02rs.wa.dial-access.att.net



Mar 16 00:12:40 - snort [1:0:0] TCP to 1080 socks 
  Source IP: 12.251.95.152   Source port: 2863 
Source host: 12-251-95-152.client.attbi.com
  Target IP: 12.82.128.79   Target port: 1080   Proto: TCP 
Target host: 79.seattle-01-02rs.wa.dial-access.att.net



This report generated 03/16/2002 at 04:01:00 
by a perl script written by John Sage at FinchHaven.com, 
based upon the work of Dan Swan in his script snort2html.pl


jsage@finchhaven.com
Last modified: Wed Mar 20 21:17:51 2002