List: intrusions
Subject: [Logs] tcp:515 only at FinchHaven for 12/25/2001
From: John Sage <jsage () finchhaven ! com>
Date: 2001-12-26 14:41:46
Logs at FinchHaven for 12/25/2001 extracted from /var/log/messages
Report generated 04:01:00 (TZ -08:00) 12/26/2001
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=ver.7
In /var/log/messages: Probes to port 21 ftp: 0
Probes to port 22 ssh: 0
Probes to port 23 telnet: 0
Probes to port 53 dns: 74
Probes to port 80 http: 57
Probes to port 111 sunrpc: 0
Probes to port 137 netbios-ns: 0
Probes to port 139 netbios-ssn: 0
Probes to port 445 ms-ds: 0
Probes to port 515 lpr: 1
Total, probes to all ports: 133
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
One only: tcp:515 FR
tcp:80 probes not from my immediate (12.82.x.x) neighborhood:
12.247.x.x; 12.228.x.x; 12.234.x.x; 12.235.x.x; 12.233.x.x
tcp:80 probes not from my general (12.x.x.x) neighborhood:
none
("Probes to port 53 dns: 74" - another distancing/load balancing deal...)
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Dec 25 08:56:57 - snort [1:0:0] TCP to 515 lpr
Source IP: 193.52.91.136 Source port: 3599
Source host: pbbiblio-6.vjf.inserm.fr
Target IP: 12.82.129.85 Target port: 515 Proto: TCP
Target host: 85.seattle-03-04rs.wa.dial-access.att.net
[**] [1:0:0] TCP to 515 lpr [**]
12/25-08:56:57.717476 193.52.91.136:3599 -> 12.82.129.85:515
TCP TTL:43 TOS:0x0 ID:22754 IpLen:20 DgmLen:60 DF
******S* Seq: 0xC2BE741E Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 44373331 0 NOP WS: 0
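As an added illustration (not the post's own perl script), a Python parser for the snort 1.8 full-alert block quoted above, plus the immediate/general-neighborhood test the summary applies to source addresses; the netblocks 12.82.0.0/16 and 12.0.0.0/8 are my reading of the post's 12.82.x.x and 12.x.x.x, and the sample alert is a copy of the tcp:515 entry.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in snort 1.8 "full" alert format (copied from the tcp:515 entry).
SAMPLE_ALERT = """\
[**] [1:0:0] TCP to 515 lpr [**]
12/25-08:56:57.717476 193.52.91.136:3599 -> 12.82.129.85:515
TCP TTL:43 TOS:0x0 ID:22754 IpLen:20 DgmLen:60 DF
******S* Seq: 0xC2BE741E Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 44373331 0 NOP WS: 0
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PACKET = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
IPHDR = re.compile(r"^(\w+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+)")
TCPHDR = re.compile(r"^([A-Z*]{8}) Seq: (0x[0-9A-Fa-f]+) Ack: (0x[0-9A-Fa-f]+)")

def parse_alert(text):
    """Parse one snort full-format alert into a dict; raise on an unknown layout."""
    lines = [l for l in text.splitlines() if l.strip()]
    m = HEADER.match(lines[0]) if lines else None
    if not m:
        raise ValueError("not a snort alert header")
    gid, sid, rev, msg = m.groups()
    p = PACKET.match(lines[1]) if len(lines) > 1 else None
    if not p:
        raise ValueError("missing packet line after header")
    ts, src, sport, dst, dport = p.groups()
    alert = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
             "timestamp": ts, "src": src, "sport": int(sport),
             "dst": dst, "dport": int(dport)}
    h = IPHDR.match(lines[2]) if len(lines) > 2 else None
    if h:
        alert["proto"], alert["ttl"] = h.group(1), int(h.group(2))
    t = TCPHDR.match(lines[3]) if len(lines) > 3 else None
    if t:
        # Snort prints the eight flag positions as "12UAPRSF"; '*' means unset,
        # so "******S*" is a bare SYN (a connection attempt, no payload yet).
        alert["syn_only"] = t.group(1) == "******S*"
    return alert

def neighborhood(src, immediate="12.82.0.0/16", general="12.0.0.0/8"):
    """Classify a source as the post does: immediate /16, general /8, or outside."""
    ip = ip_address(src)
    if ip in ip_network(immediate):
        return "immediate"
    if ip in ip_network(general):
        return "general"
    return "outside"
```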
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 193.52.90.0 - 193.52.91.255
netname: FR-INSERM-VILLEJUIF1
descr: INSERM-SC5
descr: VILLEJUIF
country: FR
admin-c: PM490-RIPE
tech-c: AF1548-RIPE
status: ASSIGNED PA
mnt-by: RENATER-MNT
changed: rensvp@renater.fr 19990923
changed: rensvp@renater.fr 20011031
source: RIPE
route: 193.52.91.0/24
descr: FR-INSERM-VILLEJUIF1
origin: AS2200
mnt-by: RENATER-MNT
changed: RenSVP@Renater.fr 19991008
source: RIPE
person: Philippe MYQUEL
address: 16 Avenue PV Couturier
address: 94807 VILLEJUIF CEDEX
address: France
phone: +33 1 45 59 50 59
fax-no: +33 1 45 59 50 80
e-mail: myquel@vjf.inserm.fr
nic-hdl: PM490-RIPE
changed: rensvp@renater.fr 19950127
source: RIPE
person: Andre Fleury
address: 16 Avenue PV Couturier
address: 94807 VILLEJUIF CEDEX
address: France
phone: +33 45 59 51 31
fax-no: +33 45 59 50 80
e-mail: fleury@vjf.inserm.fr
nic-hdl: AF1548-RIPE
changed: rensvp@renater.fr 19981203
source: RIPE
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
This report generated 12/26/2001 at 04:01:00 by a perl script written by
John Sage at FinchHaven.com, based upon the work of Dan Swan in his
script snort2html.pl