List: intrusions
Subject: [Logs] tcp:27374, tcp:53, tcp:515, tcp:111, tcp:1433 probes at FinchHaven for 12/24/2001
From: John Sage <jsage () finchhaven ! com>
Date: 2001-12-25 17:46:29
Merry Christmas, and a Happy New Year!
That said, let us continue:
Logs at FinchHaven for 12/24/2001 extracted from /var/log/messages
Report generated 04:01:01 (TZ -08:00) 12/25/2001
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages:
Probes to port 21 ftp: 0
Probes to port 22 ssh: 0
Probes to port 23 telnet: 0
Probes to port 53 dns: 1
Probes to port 80 http: 23
Probes to port 111 sunrpc: 1
Probes to port 137 netbios-ns: 0
Probes to port 139 netbios-ssn: 0
Probes to port 445 ms-ds: 0
Probes to port 515 lpr: 2
Total, probes to all ports: 65
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
tcp:27374 US; tcp:53 CA; tcp:515 TW; tcp:515 FR; tcp:111 KR; tcp:1433 MS
MySQL US; pings US; snip 28 TCP to 1214 KaZaa US...
tcp:80 probes not from my immediate (12.82.x.x) neighborhood:
12.98.x.x; 12.86.x.x; 12.236.x.x; 12.252.x.x; 12.85.x.x; 12.253.x.x;
12.91.x.x; 12.228.x.x; 12.235.x.x
tcp:80 probes not from my general (12.x.x.x) neighborhood:
198.206.247.219 - dhcp110.raima.com - US; 195.101.151.179 - FR-ORNIS - FR
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Dec 24 10:39:41 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 12.86.214.176 Source port: 4728
Source host: 176.dallas-08rh15rt-tx.dial-access.att.net
Target IP: 12.82.128.125 Target port: 27374 Proto: TCP
Target host: 125.seattle-01-02rs.wa.dial-access.att.net
Dec 24 10:39:44 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 12.86.214.176 Source port: 4728
Source host: 176.dallas-08rh15rt-tx.dial-access.att.net
Target IP: 12.82.128.125 Target port: 27374 Proto: TCP
Target host: 125.seattle-01-02rs.wa.dial-access.att.net
Dec 24 10:39:50 - snort [1:0:0] TCP to 27374 SubSeven
Source IP: 12.86.214.176 Source port: 4728
Source host: 176.dallas-08rh15rt-tx.dial-access.att.net
Target IP: 12.82.128.125 Target port: 27374 Proto: TCP
Target host: 125.seattle-01-02rs.wa.dial-access.att.net
[**] [1:0:0] TCP to 27374 SubSeven [**]
12/24-10:39:41.455133 12.86.214.176:4728 -> 12.82.128.125:27374
TCP TTL:118 TOS:0x0 ID:8450 IpLen:20 DgmLen:48 DF
******S* Seq: 0x9B895FEB Ack: 0x0 Win: 0x2238 TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK
[**] [1:0:0] TCP to 27374 SubSeven [**]
12/24-10:39:44.395392 12.86.214.176:4728 -> 12.82.128.125:27374
TCP TTL:118 TOS:0x0 ID:8472 IpLen:20 DgmLen:48 DF
******S* Seq: 0x9B895FEB Ack: 0x0 Win: 0x2238 TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK
[**] [1:0:0] TCP to 27374 SubSeven [**]
12/24-10:39:50.405996 12.86.214.176:4728 -> 12.82.128.125:27374
TCP TTL:118 TOS:0x0 ID:8532 IpLen:20 DgmLen:48 DF
******S* Seq: 0x9B895FEB Ack: 0x0 Win: 0x2238 TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
AT&T ITS (NET-ATT)
200 Laurel Avenue South
Middletown, NJ 07748
US
Netname: ATT
Netblock: 12.0.0.0 - 12.255.255.255
Maintainer: ATTW
Coordinator:
Kostick, Deirdre (DK71-ARIN) help@IP.ATT.NET
(888)613-6330
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Dec 24 12:40:19 - snort [1:0:0] TCP to 53 domain
Source IP: 209.52.213.149 Source port: 2368
Source host: 213-149.bigwhite.sunshinecable.com
Target IP: 12.82.128.125 Target port: 53 Proto: TCP
Target host: 125.seattle-01-02rs.wa.dial-access.att.net
[**] [1:0:0] TCP to 53 domain [**]
12/24-12:40:19.944346 209.52.213.149:2368 -> 12.82.128.125:53
TCP TTL:46 TOS:0x0 ID:17261 IpLen:20 DgmLen:60 DF
******S* Seq: 0xF1893B20 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 53156700 0 NOP WS: 0
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
Telus Advanced Communications (NET-TELAC-BLK6) TELAC-BLK6
209.52.0.0 - 209.52.255.255
Sunshine Communications (NETBLK-SUNSHINEBLK-CA)SUNSHINEBLK-CA
209.52.210.0 - 209.52.213.255
Sunshine Communications (NETBLK-SUNSHINEBLK-CA)
7474 19th St.
Grand Forks, British Columbia V0H 1H0
CA
Netname: SUNSHINEBLK-CA
Netblock: 209.52.210.0 - 209.52.213.255
Maintainer: SUSH
Coordinator:
McKinnon, Kevin (KM1203-ARIN) kevin@sunshinecable.com
(250) 442-5844 (FAX) (250) 442-2665
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Dec 24 15:18:07 - snort [1:0:0] TCP to 515 lpr
Source IP: 61.30.190.156 Source port: 4135
Source host: 156.190.30.61.isp.tfn.net.tw
Target IP: 12.82.128.125 Target port: 515 Proto: TCP
Target host: 125.seattle-01-02rs.wa.dial-access.att.net
[**] [1:0:0] TCP to 515 lpr [**]
12/24-15:18:07.486559 61.30.190.156:4135 -> 12.82.128.125:515
TCP TTL:48 TOS:0x0 ID:5097 IpLen:20 DgmLen:60 DF
******S* Seq: 0x3E49CCC1 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4236504 0 NOP WS: 0
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
% Rights restricted by copyright. See
http://www.apnic.net/db/dbcopyright.html
% (whois6.apnic.net)
inetnum: 61.30.0.0 - 61.30.255.255
netname: TFN-TW
descr: Taiwan Fixed Network
descr: Telco and Network Service Provider
country: TW
admin-c: YMW6-AP
tech-c: CT168-AP
remarks: Allocation to TWNIC member. Please see whois.twnic.net
remarks: afor more authoritative information.
mnt-by: MAINT-TW-TWNIC
mnt-lower: MAINT-TW-TWNIC
changed: hostmaster@apnic.net 20010409
source: APNIC
person: Ying Min Wu
address: Taiwan Fixed Network
address: 2F,No.10,Lane 609
address: Sec.5,Chung-Shin Rd.
address: San-Chung, Taipei
country: TW
phone: +886-2-2278-0890
fax-no: +886-2-2999-05601
e-mail: eric_wu@profond.com.tw
nic-hdl: YMW6-AP
mnt-by: MAINT-TW-TWNIC
changed: hostmaster@apnic.net 20010409
changed: hostmaster@apnic.net 20010412
source: APNIC
person: Chunyeh Tsai
address: Taiwan Fixed Network
address: 2F,No.10,Lane 609
address: Sec.5,Chung-Shin Rd.
address: San-Chung, Taipei
country: TW
phone: +886-2-2278-0842
fax-no: +886-2-2999-0561
e-mail: chunyeh_tsai@profond.com.tw
nic-hdl: CT168-AP
mnt-by: MAINT-TW-TWNIC
changed: hostmaster@apnic.net 20010412
source: APNIC
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Dec 24 15:40:04 - snort [1:0:0] TCP to 515 lpr
Source IP: 193.52.91.136 Source port: 2800
Source host: pbbiblio-6.vjf.inserm.fr
Target IP: 12.82.131.162 Target port: 515 Proto: TCP
Target host: 162.seattle-08-09rs.wa.dial-access.att.net
[**] [1:0:0] TCP to 515 lpr [**]
12/24-15:40:04.860973 193.52.91.136:2800 -> 12.82.131.162:515
TCP TTL:43 TOS:0x0 ID:17495 IpLen:20 DgmLen:60 DF
******S* Seq: 0x768D7783 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 38151740 0 NOP WS: 0
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
Request: 193.52.91.136
connecting to whois.arin.net [192.149.252.22:43] ...
connecting to whois.ripe.net [193.0.0.135:43] ...
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 193.52.90.0 - 193.52.91.255
netname: FR-INSERM-VILLEJUIF1
descr: INSERM-SC5
descr: VILLEJUIF
country: FR
admin-c: PM490-RIPE
tech-c: AF1548-RIPE
status: ASSIGNED PA
mnt-by: RENATER-MNT
changed: rensvp@renater.fr 19990923
changed: rensvp@renater.fr 20011031
source: RIPE
route: 193.52.91.0/24
descr: FR-INSERM-VILLEJUIF1
origin: AS2200
person: Philippe MYQUEL
address: 16 Avenue PV Couturier
address: 94807 VILLEJUIF CEDEX
address: France
phone: +33 1 45 59 50 59
fax-no: +33 1 45 59 50 80
e-mail: myquel@vjf.inserm.fr
nic-hdl: PM490-RIPE
person: Andre Fleury
address: 16 Avenue PV Couturier
address: 94807 VILLEJUIF CEDEX
address: France
phone: +33 45 59 51 31
fax-no: +33 45 59 50 80
e-mail: fleury@vjf.inserm.fr
nic-hdl: AF1548-RIPE
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Dec 24 16:43:44 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.152.4.93 Source port: 4022
Source host: mail.airborneranger.com
Target IP: 12.82.131.162 Target port: 80 Proto: TCP
Target host: 162.seattle-08-09rs.wa.dial-access.att.net
Dec 24 16:43:47 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 12.152.4.93 Source port: 4022
Source host: mail.airborneranger.com
Target IP: 12.82.131.162 Target port: 80 Proto: TCP
Target host: 162.seattle-08-09rs.wa.dial-access.att.net
[**] [1:0:0] Potential CodeRed/Nimda probe [**]
12/24-16:43:44.157724 12.152.4.93:4022 -> 12.82.131.162:80
TCP TTL:115 TOS:0x0 ID:56352 IpLen:20 DgmLen:44 DF
******S* Seq: 0x44538DBB Ack: 0x0 Win: 0x2000 TcpLen: 24
TCP Options (1) => MSS: 1460
[**] [1:0:0] Potential CodeRed/Nimda probe [**]
12/24-16:43:47.418032 12.152.4.93:4022 -> 12.82.131.162:80
TCP TTL:115 TOS:0x0 ID:50979 IpLen:20 DgmLen:44 DF
******S* Seq: 0x44538DBB Ack: 0x0 Win: 0x2000 TcpLen: 24
TCP Options (1) => MSS: 1460
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
INTERNET OF SALISBURY (NETBLK-INTERNET135-4)
1809 BRENNER AVENUE
SALISBURY, NC 28144
US
Netname: INTERNET135-4
Netblock: 12.152.4.0 - 12.152.5.255
Coordinator:
Horne, Joey (JH1976-ARIN) jhorne@salisbury.net
704-638-0000
Request: airborneranger.com
connecting to whois.internic.net [198.41.0.6:43] ...
connecting to whois.networksolutions.com [216.168.224.69:43] ...
Registrant:
Airborne Rangers (AIRBORNERANGER-DOM)
508 Dunlap Street
Kannapolis, NC 28081
US
Domain Name: AIRBORNERANGER.COM
Administrative Contact, Technical Contact, Billing Contact:
Hyde, Kelly (KH3289) mrhyde@SALISBURY.NET
EyeFire Web Design
508 Dunlap Street
Kannapolis, NC 28081
US
704-938-2865
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/25-09:06:16.103828 12.152.4.93:80 -> 12.82.129.85:62742
TCP TTL:115 TOS:0x0 ID:47476 IpLen:20 DgmLen:208 DF
***AP*** Seq: 0xF6F04082 Ack: 0xE33EE695 Win: 0x2100 TcpLen: 20
48 54 54 50 2F 31 2E 31 20 32 30 34 20 4E 6F 20 HTTP/1.1 204 No
43 6F 6E 74 65 6E 74 0D 0A 53 65 72 76 65 72 3A Content..Server:
20 4D 69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 34 Microsoft-IIS/4
2E 30 0D 0A 44 61 74 65 3A 20 54 75 65 2C 20 32 .0..Date: Tue, 2
35 20 44 65 63 20 32 30 30 31 20 31 37 3A 31 32 5 Dec 2001 17:12
3A 32 39 20 47 4D 54 0D 0A 43 6F 6E 74 65 6E 74 :29 GMT..Content
2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C -Type: text/html
0D 0A 43 61 63 68 65 2D 63 6F 6E 74 72 6F 6C 3A ..Cache-control:
20 70 72 69 76 61 74 65 0D 0A 54 72 61 6E 73 66 private..Transf
65 72 2D 45 6E 63 6F 64 69 6E 67 3A 20 63 68 75 er-Encoding: chu
6E 6B 65 64 0D 0A 0D 0A nked....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/25-09:06:16.343846 12.152.4.93:80 -> 12.82.129.85:62742
TCP TTL:115 TOS:0x0 ID:54132 IpLen:20 DgmLen:121 DF
***AP*** Seq: 0xF6F0412A Ack: 0xE33EE695 Win: 0x2100 TcpLen: 20
31 61 0D 0A 3C 68 74 6D 6C 3E 3C 62 6F 64 79 3E 1a..<html><body>
3C 68 31 3E 20 48 54 54 50 2F 31 2E 31 20 0D 0A <h1> HTTP/1.1 ..
65 0D 0A 32 30 34 20 4E 6F 20 43 6F 6E 74 65 6E e..204 No Conten
74 0D 0A 31 33 0D 0A 3C 2F 68 31 3E 3C 2F 62 6F t..13..</h1></bo
64 79 3E 3C 2F 68 74 6D 6C 3E 0D 0A 30 0D 0A 0D dy></html>..0...
0A .
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Dec 24 18:51:13 - snort [1:0:0] TCP to 111 sunrpc
Source IP: 211.240.46.109 Source port: 1767
Source host: 211.240.46.109
Target IP: 12.82.131.162 Target port: 111 Proto: TCP
Target host: 162.seattle-08-09rs.wa.dial-access.att.net
[**] [1:0:0] TCP to 111 sunrpc [**]
12/24-18:51:13.193200 211.240.46.109:1767 -> 12.82.131.162:111
TCP TTL:50 TOS:0x0 ID:37224 IpLen:20 DgmLen:60 DF
******S* Seq: 0x480353A7 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 8361369 0 NOP WS: 0
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
% Rights restricted by copyright. See
http://www.apnic.net/db/dbcopyright.html
% (whois7.apnic.net)
inetnum: 211.232.0.0 - 211.255.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR
admin-c: HM127-AP
tech-c: HM127-AP
remarks: ******************************************
remarks: KRNIC is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the KRNIC Whois DB
remarks: http://whois.nic.or.kr/english/index.html
remarks: ******************************************
# ENGLISH
IP Address : 211.240.46.64-211.240.46.127
Network Name : EMOTICON
Connect ISP Name : ELIMNET
Connect Date : 20001128
Registration Date : 20001211
[ Organization Information ]
Orgnization ID : ORG152090
Org Name : EMOTICON
State : SEOUL
Address : 166-51 MYUNMOK DONG, JOONGRANG
Zip Code : 131-200
[ Admin Contact Information]
Name : YOUNGSUK MOON
Org Name : EMOTICON
State : SEOUL
Address : 166-51 MYUNMOK DONG, JOONGRANG GU,
Zip Code : 131-200
Phone : +82-16-230-5514
Fax : .
E-Mail : domain@elim.net
[ Technical Contact Information ]
Name : YOUNGSUK MOON
Org Name : EMOTICON
State : SEOUL
Address : 166-51 MYUNMOK DONG, JOONGRANG GU,
Zip Code : 131-200
Phone : +82-16-230-5514
Fax : .
E-Mail : domain@elim.net
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Dec 24 19:37:49 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 198.206.247.219 Source port: 4340
Source host: dhcp110.raima.com
Target IP: 12.82.131.162 Target port: 80 Proto: TCP
Target host: 162.seattle-08-09rs.wa.dial-access.att.net
Dec 24 19:37:52 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 198.206.247.219 Source port: 4340
Source host: dhcp110.raima.com
Target IP: 12.82.131.162 Target port: 80 Proto: TCP
Target host: 162.seattle-08-09rs.wa.dial-access.att.net
[**] [1:0:0] Potential CodeRed/Nimda probe [**]
12/24-19:37:49.852304 198.206.247.219:4340 -> 12.82.131.162:80
TCP TTL:115 TOS:0x0 ID:58120 IpLen:20 DgmLen:48 DF
******S* Seq: 0xAA502C72 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1360 NOP NOP SackOK
[**] [1:0:0] Potential CodeRed/Nimda probe [**]
12/24-19:37:52.212478 198.206.247.219:4340 -> 12.82.131.162:80
TCP TTL:115 TOS:0x0 ID:58450 IpLen:20 DgmLen:48 DF
******S* Seq: 0xAA502C72 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1360 NOP NOP SackOK
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
Request: 198.206.247.219
connecting to whois.arin.net [192.149.252.22:43] ...
Raima Corp. (RAIMA2)
1605 NW Sammamish Rd.
Suite 200
Issaquah, WA 98027
US
Netname: RAIMA
Netblock: 198.206.247.0 - 198.206.247.255
Coordinator:
Domain Administrator (DA2592-ORG-ARIN) domain_admin@RAIMA.COM
(206) 515-9477
Fax- (206) 748-5200
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
Organization:
Mbrane
Everett Fitzgibbons
1111 3rd ave, suite 2900
Seattle, WA 98101
US
Phone: 206-748-5301
Fax..: 520-222-2600
Email: everett.fitzgibbons@mbrane.com
Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com
Domain Name: RAIMA.COM
Created on..............: Thu, Sep 23, 1993
Expires on..............: Mon, Sep 22, 2003
Record last updated on..: Sun, Dec 23, 2001
Administrative Contact:
Mbrane
Everett Fitzgibbons
1111 3rd ave, suite 2900
Seattle, WA 98101
US
Phone: 206-748-5301
Fax..: 520-222-2600
Email: everett.fitzgibbons@mbrane.com
Technical Contact, Zone Contact:
Register.Com
Domain Registrar
575 8th Avenue - 11th Floor
New York, NY 10018
US
Phone: 212-798-9200
Fax..: 212-629-9305
Email: domain-registrar@register.com
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Dec 24 20:22:54 - snort [1:0:0] ICMP echo request
Source IP: 64.154.117.7 Source port: -N/A-
Source host: dialup-64.154.117.7.Dial1.Louisville1.Level3.net
Target IP: 12.82.131.162 Target port: -N/A- Proto: ICMP
Target host: 162.seattle-08-09rs.wa.dial-access.att.net
Dec 24 20:26:34 - snort [1:0:0] ICMP echo request
Source IP: 64.154.117.7 Source port: -N/A-
Source host: dialup-64.154.117.7.Dial1.Louisville1.Level3.net
Target IP: 12.82.131.162 Target port: -N/A- Proto: ICMP
Target host: 162.seattle-08-09rs.wa.dial-access.att.net
[**] [1:0:0] ICMP echo request [**]
12/24-20:22:54.560371 64.154.117.7 -> 12.82.131.162
ICMP TTL:53 TOS:0x0 ID:26390 IpLen:20 DgmLen:60
Type:8 Code:0 ID:3 Seq:17882 ECHO
[**] [1:0:0] ICMP echo request [**]
12/24-20:26:34.182593 64.154.117.7 -> 12.82.131.162
ICMP TTL:53 TOS:0x0 ID:32642 IpLen:20 DgmLen:60
Type:8 Code:0 ID:3 Seq:21464 ECHO
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
Level 3 Communications, Inc. (NETBLK-LC-ORG-ARIN)
1025 Eldorado Boulevard
Broomfield, CO 80021
US
Netname: LC-ORG-ARIN
Netblock: 64.152.0.0 - 64.159.255.255
Maintainer: LVLT
Coordinator:
level Communications (LC-ORG-ARIN) ipaddressing@level3.com
+1 (877) 453-8353
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Dec 24 21:09:17 - snort [1:0:0] ICMP echo request
Source IP: 65.57.47.131 Source port: -N/A-
Source host: dialup-65.57.47.131.Dial1.Louisville1.Level3.net
Target IP: 12.82.131.162 Target port: -N/A- Proto: ICMP
Target host: 162.seattle-08-09rs.wa.dial-access.att.net
[**] [1:0:0] ICMP echo request [**]
12/24-21:09:17.799166 65.57.47.131 -> 12.82.131.162
ICMP TTL:53 TOS:0x0 ID:12445 IpLen:20 DgmLen:60
Type:8 Code:0 ID:2 Seq:929 ECHO
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
Level 3 Communications, Inc. (NETBLK-LC-ORG-ARIN)
1025 Eldorado Boulevard
Broomfield, CO 80021
US
Netname: LC-ORG-ARIN
Netblock: 64.152.0.0 - 64.159.255.255
Maintainer: LVLT
Coordinator:
level Communications (LC-ORG-ARIN) ipaddressing@level3.com
+1 (877) 453-8353
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Dec 24 21:23:05 - snort [1:0:0] TCP to 1433 MS MySQL server
Source IP: 209.81.131.75 Source port: 1262
Source host: na-209-81-131-75.chicago.corecomm.net
Target IP: 12.82.131.162 Target port: 1433 Proto: TCP
Target host: 162.seattle-08-09rs.wa.dial-access.att.net
Dec 24 21:23:08 - snort [1:0:0] TCP to 1433 MS MySQL server
Source IP: 209.81.131.75 Source port: 1262
Source host: na-209-81-131-75.chicago.corecomm.net
Target IP: 12.82.131.162 Target port: 1433 Proto: TCP
Target host: 162.seattle-08-09rs.wa.dial-access.att.net
Dec 24 21:23:14 - snort [1:0:0] TCP to 1433 MS MySQL server
Source IP: 209.81.131.75 Source port: 1262
Source host: na-209-81-131-75.chicago.corecomm.net
Target IP: 12.82.131.162 Target port: 1433 Proto: TCP
Target host: 162.seattle-08-09rs.wa.dial-access.att.net
Dec 24 21:23:26 - snort [1:0:0] TCP to 1433 MS MySQL server
Source IP: 209.81.131.75 Source port: 1262
Source host: na-209-81-131-75.chicago.corecomm.net
Target IP: 12.82.131.162 Target port: 1433 Proto: TCP
Target host: 162.seattle-08-09rs.wa.dial-access.att.net
[**] [1:0:0] TCP to 1433 MS MySQL server [**]
12/24-21:23:05.554437 209.81.131.75:1262 -> 12.82.131.162:1433
TCP TTL:117 TOS:0x0 ID:10045 IpLen:20 DgmLen:44 DF
******S* Seq: 0x33C71DC9 Ack: 0x0 Win: 0x2000 TcpLen: 24
TCP Options (1) => MSS: 1460
[**] [1:0:0] TCP to 1433 MS MySQL server [**]
12/24-21:23:08.494719 209.81.131.75:1262 -> 12.82.131.162:1433
TCP TTL:117 TOS:0x0 ID:28989 IpLen:20 DgmLen:44 DF
******S* Seq: 0x33C71DC9 Ack: 0x0 Win: 0x2000 TcpLen: 24
TCP Options (1) => MSS: 1460
[**] [1:0:0] TCP to 1433 MS MySQL server [**]
12/24-21:23:14.515335 209.81.131.75:1262 -> 12.82.131.162:1433
TCP TTL:117 TOS:0x0 ID:60477 IpLen:20 DgmLen:44 DF
******S* Seq: 0x33C71DC9 Ack: 0x0 Win: 0x2000 TcpLen: 24
TCP Options (1) => MSS: 1460
[**] [1:0:0] TCP to 1433 MS MySQL server [**]
12/24-21:23:26.546588 209.81.131.75:1262 -> 12.82.131.162:1433
TCP TTL:117 TOS:0x0 ID:60734 IpLen:20 DgmLen:44 DF
******S* Seq: 0x33C71DC9 Ack: 0x0 Win: 0x2000 TcpLen: 24
TCP Options (1) => MSS: 1460
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
CORECOMM LIMITED (NET-CORECOMM-2)
CORECOMM-2 209.81.128.0 - 209.81.255.255
Mindex (NETBLK-MEGSINET-MINDEX-2) MEGSINET-MINDEX-2
209.81.131.0 - 209.81.131.255
Mindex (NETBLK-MEGSINET-MINDEX-2)
4535 N. Beacon St.
Chicago, IL 60640
US
Netname: MEGSINET-MINDEX-2
Netblock: 209.81.131.0 - 209.81.131.255
Coordinator:
CORECOMM LIMITED (NOC72-ORG-ARIN) ipadmin@voyager.net
517-324-8940
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Dec 24 22:11:48 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 195.101.151.179 Source port: 2831
Source host: 195.101.151.179
Target IP: 12.82.131.162 Target port: 80 Proto: TCP
Target host: 162.seattle-08-09rs.wa.dial-access.att.net
Dec 24 22:11:51 - snort [1:0:0] Potential CodeRed/Nimda probe
Source IP: 195.101.151.179 Source port: 2831
Source host: 195.101.151.179
Target IP: 12.82.131.162 Target port: 80 Proto: TCP
Target host: 162.seattle-08-09rs.wa.dial-access.att.net
[**] [1:0:0] Potential CodeRed/Nimda probe [**]
12/24-22:11:48.663545 195.101.151.179:2831 -> 12.82.131.162:80
TCP TTL:106 TOS:0x0 ID:21457 IpLen:20 DgmLen:44 DF
******S* Seq: 0xE8F37BDD Ack: 0x0 Win: 0x2000 TcpLen: 24
TCP Options (1) => MSS: 1460
[**] [1:0:0] Potential CodeRed/Nimda probe [**]
12/24-22:11:51.953887 195.101.151.179:2831 -> 12.82.131.162:80
TCP TTL:106 TOS:0x0 ID:54738 IpLen:20 DgmLen:44 DF
******S* Seq: 0xE8F37BDD Ack: 0x0 Win: 0x2000 TcpLen: 24
TCP Options (1) => MSS: 1460
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
Request: 195.101.151.179
connecting to whois.arin.net [192.149.252.22:43] ...
connecting to whois.ripe.net [193.0.0.135:43] ...
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 195.101.151.128 - 195.101.151.255
netname: FR-ORNIS
descr: ORNIS/MC2
country: FR
admin-c: SM492-RIPE
tech-c: JML8-RIPE
status: ASSIGNED PA
notify: addr-reg@rain.fr
route: 195.101.151.0/24
descr: ORNIS S.A
origin: AS8399
person: Sylvain Mouly
address: ORNIS
address: Tour d'Asnieres, 4 avenue Laurent Cely
address: 92606 Asnieres Cedex, France
phone: +33 1 41 11 27 27
fax-no: +33 1 40 86 20 60
e-mail: sylvain.mouly@mc2.net
nic-hdl: SM492-RIPE
changed: sylvain.mouly@mc2.net 19990407
source: RIPE
person: Jean-Marie Labeyrie
address: ORNIS
address: 21 boulevard de la Madeleine
address: 75001 PARIS
address: FR
phone: +33 142 869 898
fax-no: +33 142 869 965
e-mail: noc@ornis.net
nic-hdl: JML8-RIPE
changed: lepesqueur@ornis.com 20010828
source: RIPE
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
This report generated 12/25/2001 at 04:01:01 by a perl script written by
John Sage at FinchHaven.com, based upon the work of Dan Swan in his
script snort2html.pl
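An added example, not part of John Sage's post and not his Perl script, showing how Snort 1.8 "full" alert records in the layout above can be parsed and SYN retransmissions collapsed. In each cluster above (the three 27374 alerts at 10:39:41/44/50, the four 1433 alerts at 21:23:05/08/14/26, the paired port-80 alerts) the source port and Seq stay fixed while only the IP ID changes, so a cluster is one connection attempt retransmitted at roughly 3, 6 and 12 second intervals, and counting clusters rather than alerts is what keeps a per-port table like the one at the top lower than the raw alert count. The sample records are constructed in the same layout using RFC 5737 documentation addresses; the initial-TTL guess is a heuristic, labelled as such in the code, not an OS identification.

```python
"""Parse Snort 1.x 'full' alert records laid out as in this report and collapse
SYN retransmissions into single probes (added example, not the author's script)."""
import re
from collections import Counter

# Constructed sample (RFC 5737 addresses) in the report's record layout.  The
# first two records share source port and Seq: one SYN, retransmitted.
SAMPLE_ALERTS = """\
[**] [1:0:0] TCP to 27374 SubSeven [**]
12/24-10:39:41.455133 203.0.113.5:4728 -> 192.0.2.10:27374
TCP TTL:118 TOS:0x0 ID:8450 IpLen:20 DgmLen:48 DF
******S* Seq: 0x9B895FEB Ack: 0x0 Win: 0x2238 TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK
[**] [1:0:0] TCP to 27374 SubSeven [**]
12/24-10:39:44.395392 203.0.113.5:4728 -> 192.0.2.10:27374
TCP TTL:118 TOS:0x0 ID:8472 IpLen:20 DgmLen:48 DF
******S* Seq: 0x9B895FEB Ack: 0x0 Win: 0x2238 TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK
[**] [1:0:0] TCP to 515 lpr [**]
12/24-15:18:07.486559 198.51.100.7:4135 -> 192.0.2.10:515
TCP TTL:48 TOS:0x0 ID:5097 IpLen:20 DgmLen:60 DF
******S* Seq: 0x3E49CCC1 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4236504 0 NOP WS: 0
[**] [1:0:0] ICMP echo request [**]
12/24-20:22:54.560371 198.51.100.3 -> 192.0.2.10
ICMP TTL:53 TOS:0x0 ID:26390 IpLen:20 DgmLen:60
Type:8 Code:0 ID:3 Seq:17882 ECHO
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
ADDR = re.compile(r"^(\d\d/\d\d)-(\d\d):(\d\d):(\d\d\.\d+) (\S+) -> (\S+)$")
IPHDR = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:(\d+) "
                   r"IpLen:\d+ DgmLen:(\d+)( DF)?")
TCPHDR = re.compile(r"^([12UAPRSF*]{8}) Seq: 0x([0-9A-Fa-f]+) Ack: 0x[0-9A-Fa-f]+ "
                    r"Win: 0x([0-9A-Fa-f]+) TcpLen: (\d+)$")

def _endpoint(text):
    """'203.0.113.5:4728' -> ('203.0.113.5', 4728); ICMP endpoints carry no port."""
    host, sep, port = text.rpartition(":")
    return (host, int(port)) if sep else (text, None)

def parse_alerts(text):
    """One dict per alert; a new record starts at every [**] header line."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HEADER.match(line):
            records.append({"sid": int(m.group(2)), "msg": m.group(4), "seq": None, "options": None})
            continue
        if not records:
            continue                                   # text before the first header
        rec = records[-1]
        if m := ADDR.match(line):                      # timestamp as seconds since midnight
            rec["t"] = int(m.group(2)) * 3600 + int(m.group(3)) * 60 + float(m.group(4))
            rec["src"], rec["sport"] = _endpoint(m.group(5))
            rec["dst"], rec["dport"] = _endpoint(m.group(6))
        elif m := IPHDR.match(line):
            rec["proto"], rec["ttl"], rec["ipid"] = m.group(1), int(m.group(2)), int(m.group(3))
        elif m := TCPHDR.match(line):
            rec["flags"], rec["seq"], rec["win"] = m.group(1), int(m.group(2), 16), int(m.group(3), 16)
        elif line.startswith("TCP Options"):
            rec["options"] = line.split("=>", 1)[1].strip()
    return records

def collapse_probes(records):
    """Same 4-tuple and same Seq is one attempt (only IP ID changes); non-TCP stays per packet."""
    probes = {}
    for r in records:
        if "t" not in r or "proto" not in r:
            continue                                   # truncated record, skip it
        key = (r["src"], r["sport"], r["dst"], r["dport"],
               r["seq"] if r["proto"] == "TCP" else r["t"])
        p = probes.setdefault(key, {"msg": r["msg"], "proto": r["proto"], "src": r["src"],
                                    "dport": r["dport"], "ttl": r["ttl"], "times": []})
        p["times"].append(r["t"])
    for p in probes.values():
        t = p["times"]
        p["count"] = len(t)
        p["intervals"] = [round(b - a, 2) for a, b in zip(t, t[1:])]   # retransmit gaps
    return list(probes.values())

def guess_initial_ttl(ttl):
    """Heuristic only: round observed TTL up to a common initial value (64 most Unix-likes,
    128 Windows NT/2000, 255 Solaris/many routers) and derive hops.  A hint, never proof."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    return None, None

def summarize(text):
    """Per-port probe counts after collapsing retransmits, like the report's table."""
    records = parse_alerts(text)
    probes = collapse_probes(records)
    per_port = Counter(p["dport"] for p in probes if p["proto"] == "TCP")
    return {"alerts": len(records), "probes": len(probes),
            "per_port": dict(per_port), "detail": probes}

if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    print(s["alerts"], "alerts ->", s["probes"], "probes; per port:", s["per_port"])
```

Run as a script it prints the collapsed counts for the constructed sample (4 alerts, 3 probes); summarize() returns them, and each entry in "detail" carries the retransmit intervals and TTL so a cluster can be compared against the 3/6/12 second pattern seen in the alerts above. Feed it a real Snort alert file instead of SAMPLE_ALERTS to reproduce a per-port table like the one at the top of the report.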