List: intrusions
Subject: [Logs] tcp:515, tcp:22 probes at FinchHaven for 12/28/2001
From: John Sage <jsage () finchhaven ! com>
Date: 2001-12-30 4:00:06
Logs at FinchHaven for 12/28/2001 extracted from /var/log/messages
Report generated 04:01:01 (TZ -08:00) 12/29/2001
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Context: dialup to access.att.net, dynamic IP in AT&T's 12.82.x.x class A
Connect time this date: +- 20 hours
Timestamps: US Pacific standard, GMT -08:00, synch by xntpd
Tools: snort 1.8.2, ipchains, logcheck, portsentry
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= ver.7
In /var/log/messages:
Probes to port 21 ftp: 0
Probes to port 22 ssh: 5
Probes to port 23 telnet: 0
Probes to port 53 dns: 0
Probes to port 80 http: 52
Probes to port 111 sunrpc: 0
Probes to port 137 netbios-ns: 0
Probes to port 139 netbios-ssn: 0
Probes to port 445 ms-ds: 0
Probes to port 515 lpr: 3
Total, probes to all ports: 60
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
tcp:515, RU; tcp:22, US; tcp:22, SE; tcp:515, US
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Dec 28 06:53:06 - snort [1:0:0] TCP to 515 lpr
Source IP: 195.34.35.113 Source port: 1191
Source host: 195.34.35.113
Target IP: 12.82.129.189 Target port: 515 Proto: TCP
Target host: 189.seattle-03-04rs.wa.dial-access.att.net
[**] [1:0:0] TCP to 515 lpr [**]
12/28-06:53:06.924254 195.34.35.113:1191 -> 12.82.129.189:515
TCP TTL:45 TOS:0x0 ID:446 IpLen:20 DgmLen:60 DF
******S* Seq: 0xCE2F8C06 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 28653280 0 NOP WS: 0
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
Request: 195.34.35.113
connecting to whois.arin.net [192.149.252.22:43] ...
connecting to whois.ripe.net [193.0.0.135:43] ...
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 195.34.35.64 - 195.34.35.127
netname: VALTEX-LAN
descr: Valtex International Corporation Moscow office
descr: Vavilov street 53 bldg 1, 117312 Moscow
country: RU
admin-c: RP542-RIPE
tech-c: RP542-RIPE
status: ASSIGNED PA
notify: noc@mtu.ru
mnt-by: MTU-NOC
changed: asadchik@mtu.ru 19971110
source: RIPE
route: 195.34.32.0/19
descr: MTU-Inform Moscow region network
descr: MTU-Inform company
descr: Smolenskaya-Sennaya Sq., 27-29
descr: P.O. BOX 38 119121
descr: Moscow, Russia
origin: AS8359
notify: noc@mtu.ru
mnt-by: MTU-NOC
changed: asadchik@mtu.ru 19971009
source: RIPE
person: Rostislav Poleshko
address: Valtex International Corporation
address: Vavilov street 53 bldg 1
address: 117312 Moscow, Russia
phone: +7 095 7339380
fax-no: +7 095 9139570
e-mail: alex@valtex.msk.su
nic-hdl: RP542-RIPE
notify: noc@mtu.ru
mnt-by: MTU-NOC
changed: asadchik@mtu.ru 19971106
source: RIPE
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Dec 28 08:07:17 - snort [1:0:0] TCP to 22 ssh
Source IP: 12.35.202.64 Source port: 4266
Source host: 12.35.202.64
Target IP: 12.82.129.101 Target port: 22 Proto: TCP
Target host: 101.seattle-03-04rs.wa.dial-access.att.net
Dec 28 08:07:20 - snort [1:0:0] TCP to 22 ssh
Source IP: 12.35.202.64 Source port: 4266
Source host: 12.35.202.64
Target IP: 12.82.129.101 Target port: 22 Proto: TCP
Target host: 101.seattle-03-04rs.wa.dial-access.att.net
Dec 28 08:07:26 - snort [1:0:0] TCP to 22 ssh
Source IP: 12.35.202.64 Source port: 4266
Source host: 12.35.202.64
Target IP: 12.82.129.101 Target port: 22 Proto: TCP
Target host: 101.seattle-03-04rs.wa.dial-access.att.net
Dec 28 08:07:38 - snort [1:0:0] TCP to 22 ssh
Source IP: 12.35.202.64 Source port: 4266
Source host: 12.35.202.64
Target IP: 12.82.129.101 Target port: 22 Proto: TCP
Target host: 101.seattle-03-04rs.wa.dial-access.att.net
[**] [1:0:0] TCP to 22 ssh [**]
12/28-08:07:17.792043 12.35.202.64:4266 -> 12.82.129.101:22
TCP TTL:55 TOS:0x0 ID:59333 IpLen:20 DgmLen:60 DF
******S* Seq: 0x5D8C0BA7 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 76889531 0 NOP WS: 0
[**] [1:0:0] TCP to 22 ssh [**]
12/28-08:07:20.782339 12.35.202.64:4266 -> 12.82.129.101:22
TCP TTL:55 TOS:0x0 ID:59782 IpLen:20 DgmLen:60 DF
******S* Seq: 0x5D8C0BA7 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 76889831 0 NOP WS: 0
[**] [1:0:0] TCP to 22 ssh [**]
12/28-08:07:26.782933 12.35.202.64:4266 -> 12.82.129.101:22
TCP TTL:55 TOS:0x0 ID:60543 IpLen:20 DgmLen:60 DF
******S* Seq: 0x5D8C0BA7 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 76890431 0 NOP WS: 0
[**] [1:0:0] TCP to 22 ssh [**]
12/28-08:07:38.774173 12.35.202.64:4266 -> 12.82.129.101:22
TCP TTL:55 TOS:0x0 ID:62026 IpLen:20 DgmLen:60 DF
******S* Seq: 0x5D8C0BA7 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 76891631 0 NOP WS: 0
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
AT&T ITS (NET-ATT) ATT 12.0.0.0 - 12.255.255.255
Regus Business Centre Corp (NETBLK-REGUSUSA-202) REGUSUSA-202 12.35.202.0 - 12.35.202.255
Regus Business Centre Corp (NETBLK-REGUSUSA-202)
1620 26TH STREET
SANTA MONICA, CA 90404
US
Netname: REGUSUSA-202
Netblock: 12.35.202.0 - 12.35.202.255
Coordinator:
Simon, Russ (RS757-ARIN) rsimon@enpointe.com
(212)703-9240
Registrant:
En Pointe Technologies (ENPOINTE-DOM)
100 N. Sepulveda Bl. 19th Floor
El Segundo, CA 90245
US
Domain Name: ENPOINTE.COM
Administrative Contact, Technical Contact, Billing Contact:
Alfano, Daniel (DAX344) dalfano@ENPOINTE.COM
En Pointe Technologies
100 N. Sepulveda Bl. 19th Floor
El Segundo, CA 90245
US
310-725-5203
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Dec 28 21:16:21 - snort [1:0:0] TCP to 22 ssh
Source IP: 212.209.3.19 Source port: 22
Source host: 212.209.3.19
Target IP: 12.82.129.131 Target port: 22 Proto: TCP
Target host: 131.seattle-03-04rs.wa.dial-access.att.net
[**] [1:0:0] TCP to 22 ssh [**]
12/28-21:16:21.438743 212.209.3.19:22 -> 12.82.129.131:22
TCP TTL:236 TOS:0x0 ID:32173 IpLen:20 DgmLen:40
******S* Seq: 0x2E63FD14 Ack: 0x5F5C95C9 Win: 0x28 TcpLen: 20
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 212.209.3.16 - 212.209.3.23
netname: ITMARKETING-SE
descr: It Marketing Consumer AB (use10827)
country: SE
admin-c: MH23464-RIPE
tech-c: JL8915-RIPE
status: ASSIGNED PA
notify: ip@se.uu.net
mnt-by: SE-UUNET-MNT
changed: sandra.jonsson@se.uu.net 20010221
source: RIPE
route: 212.209.0.0/16
descr: UUNET Sweden AB
origin: AS702
remarks: All kind of abuse from this network
remarks: should be reported to abuse@se.uu.net
remarks: For more info see the object USA1-RIPE
notify: ip@se.uu.net
mnt-by: SE-UUNET-MNT
changed: joche@se.uu.net 20010402
source: RIPE
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Dec 28 22:09:54 - snort [1:0:0] TCP to 515 lpr
Source IP: 12.232.104.29 Source port: 2733
Source host: 12-232-104-29.client.attbi.com
Target IP: 12.82.129.131 Target port: 515 Proto: TCP
Target host: 131.seattle-03-04rs.wa.dial-access.att.net
Dec 28 22:09:57 - snort [1:0:0] TCP to 515 lpr
Source IP: 12.232.104.29 Source port: 2733
Source host: 12-232-104-29.client.attbi.com
Target IP: 12.82.129.131 Target port: 515 Proto: TCP
Target host: 131.seattle-03-04rs.wa.dial-access.att.net
[**] [1:0:0] TCP to 515 lpr [**]
12/28-22:09:54.722829 12.232.104.29:2733 -> 12.82.129.131:515
TCP TTL:53 TOS:0x0 ID:57409 IpLen:20 DgmLen:60 DF
******S* Seq: 0xAA77BC7 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 7438288 0 NOP WS: 0
[**] [1:0:0] TCP to 515 lpr [**]
12/28-22:09:57.823106 12.232.104.29:2733 -> 12.82.129.131:515
TCP TTL:53 TOS:0x0 ID:58565 IpLen:20 DgmLen:60 DF
******S* Seq: 0xAA77BC7 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 7438588 0 NOP WS: 0
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
AT&T ITS (NET-ATT)
200 Laurel Avenue South
Middletown, NJ 07748
US
Netname: ATT
Netblock: 12.0.0.0 - 12.255.255.255
Maintainer: ATTW
Coordinator:
Kostick, Deirdre (DK71-ARIN) help@IP.ATT.NET
(888)613-6330
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
This report generated 12/29/2001 at 04:01:01 by a perl script written by
John Sage at FinchHaven.com, based upon the work of Dan Swan in his
script snort2html.pl