
List:       intrusions
Subject:    [LOGS] March 28, 2002
From:       Laurie Zirkle <lat () cns ! vt ! edu>
Date:       2002-03-29 13:16:15

=-=-=-=-=-=-=-=-=-=-=

	inetnum:      217.33.28.16 - 217.33.28.31
	netname:      BLOW-MOULDING-MATTERS-LTD
	descr:        Blow Moulding Matters Ltd
	country:      GB

Mar 28 00:02:53 hostbe rpcbind: refused connect from 217.33.28.29 to dump()
Mar 28 00:02:54 hostre rpcbind: refused connect from 217.33.28.29 to dump()
Mar 28 00:03:14 hostcl portmap[23694]: connect from 217.33.28.29 to dump(): request \
                from unauthorized host
Mar 28 00:03:24 hostro rpcbind: refused connect from 217.33.28.29 to dump()
Mar 28 00:03:25 hoste portsentry[103]: attackalert: Connect from host: \
                217.33.28.29/217.33.28.29 to TCP port: 111
Mar 28 00:05:03 hosty snort: [ID 702911 local0.alert] [1:1270:2] RPC portmap request \
rstatd [Classification: Decode of an RPC Query] [Priority: 2]: {TCP} 217.33.28.29:822 \
                -> z.y.x.34:111
Mar 28 00:13:09 hostmau portmap[20277]: connect from 217.33.28.29 to dump(): request \
from unauthorized host

=-=-=-=-=-=-=-=-=-=-=
Mar 28 00:18:22 hoste portsentry[103]: attackalert: Connect from host: \
200.196.52.142/200.196.52.142 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=
Mar 28 03:19:29 hoste portsentry[103]: attackalert: Connect from host: \
65.56.73.20/65.56.73.20 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=
Mar 28 04:38:12 hoste portsentry[103]: attackalert: Connect from host: \
206.52.125.95/206.52.125.95 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=

        Broadwing_Dial (NETBLK-BRW-DIAL-PSI-104-111) 
        504 Interchange Blvd Newark, DE 19711 US 
        Netname: BRW-DIAL-PSI-104-111 
        Netblock: 65.90.104.0 - 65.90.111.255 

Mar 28 05:34:38 hostmau Connection attempt to TCP z.y.w.12:6346 from \
                65.90.110.152:2971
Mar 28 05:34:41 hostmau Connection attempt to TCP z.y.w.12:6346 from \
                65.90.110.152:2971
Mar 28 05:34:44 hostmau Connection attempt to TCP z.y.w.12:6346 from \
                65.90.110.152:2971
Mar 28 05:34:47 hostmau Connection attempt to TCP z.y.w.12:6346 from \
65.90.110.152:2971

=-=-=-=-=-=-=-=-=-=-=

	inetnum:     202.103.235.0 - 202.103.235.7
        netname:     GX-BOC
        descr:       Nanning, Guangxi subsidiary bank of Bank of China.
        country:     CN

	Also on Mar 21 03:02:29 -> Mar 21 03:02:36, Mar 21 22:43:31 ->
	Mar 21 22:43:38, Mar 24 19:07:58 -> Mar 24 19:08:04

Mar 28 05:43:42 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 202.103.235.2/202.103.235.2 to TCP port: 80
Mar 28 05:43:42 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 202.103.235.2/202.103.235.2 to TCP port: 80
Mar 28 05:43:43 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 202.103.235.2/202.103.235.2 to TCP port: 80
Mar 28 05:43:43 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 202.103.235.2/202.103.235.2 to TCP port: 80
Mar 28 05:43:44 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 202.103.235.2/202.103.235.2 to TCP port: 80
Mar 28 05:43:44 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 202.103.235.2/202.103.235.2 to TCP port: 80
Mar 28 05:43:45 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 202.103.235.2/202.103.235.2 to TCP port: 80
Mar 28 05:43:45 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 202.103.235.2/202.103.235.2 to TCP port: 80
Mar 28 05:43:46 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 202.103.235.2/202.103.235.2 to TCP port: 80
Mar 28 05:43:46 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 202.103.235.2/202.103.235.2 to TCP port: 80
Mar 28 05:43:46 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 202.103.235.2/202.103.235.2 to TCP port: 80
Mar 28 05:43:47 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 202.103.235.2/202.103.235.2 to TCP port: 80
Mar 28 05:43:47 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 202.103.235.2/202.103.235.2 to TCP port: 80
Mar 28 05:43:48 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 202.103.235.2/202.103.235.2 to TCP port: 80
Mar 28 05:43:48 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 202.103.235.2/202.103.235.2 to TCP port: 80
Mar 28 05:43:49 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
Connect from host: 202.103.235.2/202.103.235.2 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=
Mar 28 06:30:52 hoste portsentry[103]: attackalert: Connect from host: \
217.162.122.75/217.162.122.75 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=

        Acecape, Inc. (NETBLK-ACECAPE-001) 
        325 W 38 St. Suite 1005 New York NY 10018 US 
        Netname: ACECAPE-001 
        Netblock: 66.114.64.0 - 66.114.95.255 
        Maintainer: ACE 

Mar 28 07:03:15 hoste portsentry[103]: attackalert: Connect from host: \
                66.114.78.239/66.114.78.239 to TCP port: 80
Mar 28 07:12:53 hostmau portsentry[210]: attackalert: Connect from host: \
p78-239.acedsl.com/66.114.78.239 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=
Mar 28 07:20:09 hostdar in.ftpd[23300]: refused connect from 211.22.175.6
Mar 28 07:20:09 hostdar in.ftpd[23301]: refused connect from 211.22.175.6
Mar 28 07:20:12 hostdar in.ftpd[23302]: refused connect from 211.22.175.6
Mar 28 07:20:12 hostdar in.ftpd[23303]: refused connect from 211.22.175.6

=-=-=-=-=-=-=-=-=-=-=
Mar 28 08:41:06 hoste portsentry[103]: attackalert: Connect from host: \
216.251.203.210/216.251.203.210 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=
Mar 28 09:02:45 hostdar in.ftpd[23394]: refused connect from 218.22.156.20
Mar 28 09:02:46 hostdar in.ftpd[23395]: refused connect from 218.22.156.20
Mar 28 09:02:50 hostdar in.ftpd[23396]: refused connect from 218.22.156.20
Mar 28 09:02:50 hostdar in.ftpd[23397]: refused connect from 218.22.156.20
Mar 28 09:02:50 hostdar in.ftpd[23398]: refused connect from 218.22.156.20
Mar 28 09:02:50 hostdar in.ftpd[23399]: refused connect from 218.22.156.20
Mar 28 09:02:51 hostdar in.ftpd[23400]: refused connect from 218.22.156.20
Mar 28 09:02:51 hostdar in.ftpd[23401]: refused connect from 218.22.156.20

=-=-=-=-=-=-=-=-=-=-=
Mar 28 09:29:11 hoste portsentry[103]: attackalert: Connect from host: \
211.92.177.65/211.92.177.65 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=
Mar 28 09:32:52 hoste portsentry[103]: attackalert: Connect from host: \
66.13.169.150/66.13.169.150 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=

	domain:       TELESP.NET.BR
	entity:       TELECOMUNICACÕES DE SAO PAULO S/A - TELESP
	document:     002.558.157/0001-62

Mar 28 09:41:59 hostj named[17165]: [ID 295310 daemon.notice] security: notice: \
                denied query from [200.206.163.231].2257 for "version.bind" TXT/CHAOS
Mar 28 09:41:59 hostmi named[7971]: [ID 295310 daemon.notice] security: notice: \
                denied query from [200.206.163.231].2258 for "version.bind" TXT/CHAOS
Mar 28 09:41:59 hosty named[7451]: [ID 295310 daemon.notice] security: notice: denied \
                query from [200.206.163.231].2256 for "version.bind" TXT/CHAOS
Mar 28 09:41:59 hosty snort: [ID 702911 local0.alert] [1:257:1] DNS named version \
attempt [Classification: Attempted Information Leak] [Priority: 2]: {UDP} \
200.206.163.231:2256 -> z.y.x.34:53

=-=-=-=-=-=-=-=-=-=-=

        Broadwing_Dial (NETBLK-BRW-DIAL-PSI-104-111) 
        504 Interchange Blvd Newark, DE 19711 US 
        Netname: BRW-DIAL-PSI-104-111 
        Netblock: 65.90.104.0 - 65.90.111.255 

Mar 28 10:02:19 hostmau Connection attempt to TCP z.y.w.12:6346 from \
                65.90.110.140:1700
Mar 28 10:02:22 hostmau Connection attempt to TCP z.y.w.12:6346 from \
                65.90.110.140:1700
Mar 28 10:02:26 hostmau Connection attempt to TCP z.y.w.12:6346 from \
                65.90.110.140:1700
Mar 28 10:02:36 hostmau Connection attempt to TCP z.y.w.12:6346 from \
65.90.110.140:1700

=-=-=-=-=-=-=-=-=-=-=
Mar 28 10:12:11 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 12-236-167-210.client.attbi.com/12.236.167.210 to \
                TCP port: 80
Mar 28 10:12:11 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 12-236-167-210.client.attbi.com/12.236.167.210 to \
                TCP port: 80
Mar 28 10:12:11 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 12-236-167-210.client.attbi.com/12.236.167.210 to \
                TCP port: 80
Mar 28 10:12:11 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 12-236-167-210.client.attbi.com/12.236.167.210 to \
                TCP port: 80
Mar 28 10:12:12 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 12-236-167-210.client.attbi.com/12.236.167.210 to \
                TCP port: 80
Mar 28 10:12:12 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 12-236-167-210.client.attbi.com/12.236.167.210 to \
                TCP port: 80
Mar 28 10:12:12 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 12-236-167-210.client.attbi.com/12.236.167.210 to \
                TCP port: 80
Mar 28 10:12:12 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 12-236-167-210.client.attbi.com/12.236.167.210 to \
                TCP port: 80
Mar 28 10:12:12 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
                Connect from host: 12-236-167-210.client.attbi.com/12.236.167.210 to \
                TCP port: 80
Mar 28 10:12:13 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
Connect from host: 12-236-167-210.client.attbi.com/12.236.167.210 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=
Mar 28 11:28:26 hostdar sshd1[23465]: refused connect from 210.179.181.196
Mar 28 11:28:32 hostdar sshd1[23466]: refused connect from 210.179.181.196
Mar 28 11:28:32 hostdar sshd1[23467]: refused connect from 210.179.181.196
Mar 28 11:28:32 hostdar sshd1[23468]: refused connect from 210.179.181.196
Mar 28 11:28:33 hostdar sshd1[23469]: refused connect from 210.179.181.196

=-=-=-=-=-=-=-=-=-=-=
Mar 28 12:37:37 hosty snort: [ID 702911 local0.alert] [1:615:1] SCAN Proxy attempt \
[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 200.168.83.26:4628 \
-> z.y.x.34:1080

=-=-=-=-=-=-=-=-=-=-=
Mar 28 12:42:45 hostj portsentry[13043]: [ID 702911 daemon.notice] attackalert: \
Connect from host: modem-117-ct11.citizens.swva.net/66.37.75.117 to TCP port: 110

=-=-=-=-=-=-=-=-=-=-=

	Also on Mar 22 01:37:10, Mar 22 08:07:25

Mar 28 12:44:27 hostj named[17165]: [ID 295310 daemon.notice] security: notice: \
denied query from [64.4.120.62].53 for "VERSION.BIND" TXT/CHAOS

=-=-=-=-=-=-=-=-=-=-=
Mar 28 13:08:05 hoste portsentry[103]: attackalert: Connect from host: \
211.218.170.201/211.218.170.201 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=

	Compania Dominicana de Telefonos (NETBLK-CODETEL-2BLK)
	C/ 30 de Marzo #12 Santo Domingo, DN DO 
	Netname: CODETEL-2BLK
	Netblock: 66.98.0.0 - 66.98.95.255
	Maintainer: CODT 

Mar 28 13:29:17 hostsn snort: [1:1256:3] WEB-IIS CodeRed v2 root.exe access \
[Classification: Web Application Attack] [Priority: 1]: {TCP} 66.98.32.43:21975 -> \
                a.b.c.49:80
Mar 28 13:30:33 hostsn snort: [1:1002:2] WEB-IIS cmd.exe access [Classification: Web \
                Application Attack] [Priority: 1]: {TCP} 66.98.32.43:11784 -> \
                a.b.c.49:80
Mar 28 13:31:48 hostsn snort: [1:1002:2] WEB-IIS cmd.exe access [Classification: Web \
                Application Attack] [Priority: 1]: {TCP} 66.98.32.43:11167 -> \
                a.b.c.49:80
Mar 28 13:33:03 hostsn snort: [1:1002:2] WEB-IIS cmd.exe access [Classification: Web \
                Application Attack] [Priority: 1]: {TCP} 66.98.32.43:12166 -> \
                a.b.c.49:80
Mar 28 13:34:22 hostsn snort: [1:1002:2] WEB-IIS cmd.exe access [Classification: Web \
                Application Attack] [Priority: 1]: {TCP} 66.98.32.43:11856 -> \
                a.b.c.49:80
Mar 28 13:35:33 hostsn snort: [1:1002:2] WEB-IIS cmd.exe access [Classification: Web \
                Application Attack] [Priority: 1]: {TCP} 66.98.32.43:12210 -> \
                a.b.c.49:80
Mar 28 13:36:48 hostsn snort: [1:1002:2] WEB-IIS cmd.exe access [Classification: Web \
                Application Attack] [Priority: 1]: {TCP} 66.98.32.43:21470 -> \
                a.b.c.49:80
Mar 28 13:38:03 hostsn snort: [1:1002:2] WEB-IIS cmd.exe access [Classification: Web \
                Application Attack] [Priority: 1]: {TCP} 66.98.32.43:21404 -> \
                a.b.c.49:80
Mar 28 13:39:19 hostsn snort: [1:1002:2] WEB-IIS cmd.exe access [Classification: Web \
                Application Attack] [Priority: 1]: {TCP} 66.98.32.43:11451 -> \
                a.b.c.49:80
Mar 28 13:40:33 hostsn snort: [1:1002:2] WEB-IIS cmd.exe access [Classification: Web \
                Application Attack] [Priority: 1]: {TCP} 66.98.32.43:10825 -> \
                a.b.c.49:80
Mar 28 13:41:48 hostsn snort: [1:1002:2] WEB-IIS cmd.exe access [Classification: Web \
                Application Attack] [Priority: 1]: {TCP} 66.98.32.43:21447 -> \
                a.b.c.49:80
Mar 28 13:43:04 hostsn snort: [1:1002:2] WEB-IIS cmd.exe access [Classification: Web \
                Application Attack] [Priority: 1]: {TCP} 66.98.32.43:21786 -> \
                a.b.c.49:80
Mar 28 13:44:18 hostsn snort: [1:1002:2] WEB-IIS cmd.exe access [Classification: Web \
                Application Attack] [Priority: 1]: {TCP} 66.98.32.43:21614 -> \
                a.b.c.49:80
Mar 28 13:45:34 hostsn snort: [1:1002:2] WEB-IIS cmd.exe access [Classification: Web \
                Application Attack] [Priority: 1]: {TCP} 66.98.32.43:21921 -> \
                a.b.c.49:80
Mar 28 13:46:49 hostsn snort: [1:1002:2] WEB-IIS cmd.exe access [Classification: Web \
Application Attack] [Priority: 1]: {TCP} 66.98.32.43:11463 -> a.b.c.49:80

=-=-=-=-=-=-=-=-=-=-=

	IP Address         : 211.185.158.0-211.185.158.127
	Network Name       : SEONGHWAN-H
	Connect ISP Name   : PUBNET
	Connect Date       : 20001203
	Registration Date  : 20001205
	[ Organization Information ]
	Organization ID    : ORG151120
	Org Name           : SEONGHWAN HIGH SCHOOL 
	State              : CHUNGNAM
	Address            : 551BEONJI SONGDEOKRI SEONGHWANEUB CHEONANSI
	Zip Code           : 330-800

Mar 28 13:54:22 211.185.158.1:22 -> a.b.w.62:22 SYNFIN ******SF 
Mar 28 13:54:22 hosthu snort: [111:13:1] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) \
                detection {TCP} 211.185.158.1:22 -> a.b.w.62:22
Mar 28 13:54:22 hosthu snort: spp_portscan: PORTSCAN DETECTED to port 22 from \
                211.185.158.1 (STEALTH)
Mar 28 13:58:46 hosthu snort: spp_portscan: portscan status from 211.185.158.1: 1 \
                connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 28 13:58:50 hosthu snort: spp_portscan: End of portscan from 211.185.158.1: TOTAL \
time(0s) hosts(1) TCP(1) UDP(0) STEALTH

Mar 28 13:54:59 211.185.158.1:22 -> a.b.c.49:22 SYNFIN ******SF 
Mar 28 13:54:59 hostsn snort: [111:13:1] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) \
                detection {TCP} 211.185.158.1:22 -> a.b.c.49:22
Mar 28 13:54:59 hostsn snort: spp_portscan: PORTSCAN DETECTED to port 22 from \
                211.185.158.1 (STEALTH)
Mar 28 14:16:20 hostsn snort: spp_portscan: portscan status from 211.185.158.1: 1 \
                connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 28 14:19:22 hostsn snort: spp_portscan: End of portscan from 211.185.158.1: TOTAL \
time(0s) hosts(1) TCP(1) UDP(0) STEALTH

=-=-=-=-=-=-=-=-=-=-=
Mar 28 14:26:28 hostsn portsentry[60004]: attackalert: Connect from host: \
sos-power-sales.ca/209.217.122.43 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=

        Also on Feb  5 21:14:06, Feb  6 19:05:35, Feb  7 16:17:38,
        Feb 14 15:18:50, Feb 15 19:08:09, Feb 18 20:33:32, Feb 25 17:52:23,
        Mar  1 01:52:04, Mar  5 16:42:21, Mar  7 16:03:37, Mar 13 17:58:43,
        Mar 15 20:28:00, Mar 18 18:30:50, Mar 21 15:58:57, Mar 22 19:21:25,
        Mar 25 17:58:55, Mar 27 19:46:39, Mar 27 21:26:14

Mar 28 15:20:44 hosty snort: [ID 702911 local0.alert] [1:1322:4] BAD TRAFFIC bad frag \
bits [Classification: Misc activity] [Priority: 3]: {UDP} 207.155.184.100 -> z.y.x.34

=-=-=-=-=-=-=-=-=-=-=
Mar 28 16:06:37 hostdar in.ftpd[23594]: refused connect from 200.27.125.72
Mar 28 16:06:37 hostdar in.ftpd[23595]: refused connect from 200.27.125.72
Mar 28 16:06:38 hostdar in.ftpd[23596]: refused connect from 200.27.125.72
Mar 28 16:06:40 hostdar in.ftpd[23597]: refused connect from 200.27.125.72
Mar 28 16:06:42 hostdar in.ftpd[23598]: refused connect from 200.27.125.72

=-=-=-=-=-=-=-=-=-=-=
Mar 28 17:13:31 hoste portsentry[103]: attackalert: Connect from host: \
210.82.192.23/210.82.192.23 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=
Mar 28 18:01:51 hoste portsentry[103]: attackalert: Connect from host: \
61.243.9.87/61.243.9.87 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=
Mar 28 19:27:03 hoste portsentry[103]: attackalert: Connect from host: \
211.194.67.100/211.194.67.100 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=
Mar 28 19:47:39 hoste portsentry[103]: attackalert: Connect from host: \
195.199.47.61/195.199.47.61 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=
Mar 28 20:20:35 hostmau Connection attempt to TCP z.y.w.12:21 from 203.98.133.149:21

=-=-=-=-=-=-=-=-=-=-=
Mar 28 20:47:09 hoste portsentry[103]: attackalert: Connect from host: \
195.152.244.89/195.152.244.89 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=
Mar 28 21:26:28 hoste portsentry[103]: attackalert: Connect from host: \
203.123.64.13/203.123.64.13 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=
Mar 28 21:50:10 hoste portsentry[103]: attackalert: Connect from host: \
12.239.121.80/12.239.121.80 to TCP port: 80

=-=-=-=-=-=-=-=-=-=-=
Mar 28 23:27:54 hoste portsentry[103]: attackalert: Connect from host: \
209.214.75.186/209.214.75.186 to TCP port: 80


-- 
Laurie
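
The post sorts a day's sensor output by hand: one whois block per source, followed by every line that source produced on any host. Below is an added example (not code from the post, and not from portsentry, snort, BIND or any other tool quoted in it) that does that grouping mechanically. It recognises the line formats visible above (portsentry attackalert lines with and without the Solaris "[ID ...]" tag, snort rule and preprocessor alerts with and without port numbers, the spp_portscan-style "SYNFIN ******SF" flag line, rpcbind/portmap dump() refusals, tcp_wrappers refusals from in.ftpd and sshd1, named version.bind denials, and the "Connection attempt to TCP" filter lines) and folds them into one record per source address: event count, the set of sensors that saw the source, and the (port, signature) pairs. Every regex is an assumption derived only from the lines quoted in the post; the service-to-port map for wrapped services and the "sweep" threshold are hypothetical; the sample input is the post's own lines with the wrapped continuations re-joined.

```python
"""Group the mixed sensor lines of a [LOGS] post by source address.
Added example, not code from the original post.  The regexes are assumptions
about each tool's line format, derived only from the lines quoted in the post."""
import re
from collections import Counter
from dataclasses import dataclass, field

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

# (regex, extractor); the extractor maps a match to (source, "proto/port", signature)
PATTERNS = [
    # portsentry, with or without the Solaris "[ID nnn daemon.notice]" tag
    (re.compile(r"attackalert: Connect from host: \S+/" + IP + r" to (TCP|UDP) port: (\d+)"),
     lambda m: (m[1], f"{m[2].lower()}/{m[3]}", "portsentry connect")),
    # snort rule or preprocessor alert; fragment alerts carry no port numbers
    (re.compile(r"snort: (?:\[ID [^\]]+\] )?\[(\d+:\d+:\d+)\] (.*?)"
                r"(?: \[Classification: .*?\] \[Priority: \d\]:)?"
                r" \{(TCP|UDP)\} " + IP + r"(?::\d+)? -> \S+?(?::(\d+))?$"),
     lambda m: (m[4], f"{m[3].lower()}/{m[5] or '*'}", f"snort {m[1]} {m[2]}")),
    # spp_portscan-style flag line: "src:port -> dst:port SYNFIN ******SF"
    (re.compile(IP + r":\d+ -> \S+:(\d+) (\w+) \*+\w+$"),
     lambda m: (m[1], f"tcp/{m[2]}", f"{m[3]} probe")),
    # rpcbind/portmap refusing dump() (remote RPC program enumeration)
    (re.compile(r"(?:rpcbind|portmap\[\d+\]): (?:refused )?connect from " + IP + r" to (\w+)\(\)"),
     lambda m: (m[1], "rpc/111", f"portmap {m[2]}() refused")),
    # tcp_wrappers-style refusals; the service->port map is an assumption
    (re.compile(r"(in\.ftpd|sshd1)\[\d+\]: refused connect from " + IP),
     lambda m: (m[2], {"in.ftpd": "tcp/21", "sshd1": "tcp/22"}[m[1]], "wrappers refused")),
    # BIND refusing a version.bind CHAOS/TXT query (server fingerprinting)
    (re.compile(r'named\[\d+\]: .*denied query from \[' + IP + r'\]\.\d+ for "([^"]+)" (\S+)'),
     lambda m: (m[1], "udp/53", f"named denied {m[2].lower()} {m[3]}")),
    # packet-filter style "Connection attempt to TCP dst:port from src:port"
    (re.compile(r"Connection attempt to (TCP|UDP) \S+:(\d+) from " + IP + r":\d+"),
     lambda m: (m[3], f"{m[1].lower()}/{m[2]}", "connection attempt")),
]
# syslog header "Mar 28 00:02:53 hostbe ..."; a bare flag line has no host field
HEADER = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d (\S+) ")

@dataclass
class SourceSummary:
    events: int = 0
    hosts: set = field(default_factory=set)             # sensors that saw the source
    activity: Counter = field(default_factory=Counter)  # (target, signature) -> count

def parse_line(line):
    """Return (src, target, signature, sensor_host) or None for unrecognised lines."""
    line = line.rstrip()
    for regex, extract in PATTERNS:
        m = regex.search(line)
        if m:
            h = HEADER.match(line)
            host = h[1] if h and ":" not in h[1] else None
            return (*extract(m), host)
    return None

def summarize(lines):
    """Fold parsed lines into one SourceSummary per source address."""
    out = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, target, sig, host = parsed
        s = out.setdefault(src, SourceSummary())
        s.events += 1
        s.activity[(target, sig)] += 1
        if host:
            s.hosts.add(host)
    return out

def triage(summaries, sweep_hosts=3):
    """Rank sources by how many sensors saw them, then by volume; flag sweeps."""
    rows = [(src, s.events, len(s.hosts), "sweep" if len(s.hosts) >= sweep_hosts else "single")
            for src, s in summaries.items()]
    return sorted(rows, key=lambda r: (r[2], r[1]), reverse=True)

# Constructed input: lines quoted in the post, with wrapped continuations re-joined.
SAMPLE = """\
Mar 28 00:02:53 hostbe rpcbind: refused connect from 217.33.28.29 to dump()
Mar 28 00:03:14 hostcl portmap[23694]: connect from 217.33.28.29 to dump(): request from unauthorized host
Mar 28 00:03:25 hoste portsentry[103]: attackalert: Connect from host: 217.33.28.29/217.33.28.29 to TCP port: 111
Mar 28 00:05:03 hosty snort: [ID 702911 local0.alert] [1:1270:2] RPC portmap request rstatd [Classification: Decode of an RPC Query] [Priority: 2]: {TCP} 217.33.28.29:822 -> z.y.x.34:111
Mar 28 05:34:38 hostmau Connection attempt to TCP z.y.w.12:6346 from 65.90.110.152:2971
Mar 28 09:02:45 hostdar in.ftpd[23394]: refused connect from 218.22.156.20
Mar 28 09:41:59 hostj named[17165]: [ID 295310 daemon.notice] security: notice: denied query from [200.206.163.231].2257 for "version.bind" TXT/CHAOS
Mar 28 09:41:59 hosty snort: [ID 702911 local0.alert] [1:257:1] DNS named version attempt [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 200.206.163.231:2256 -> z.y.x.34:53
Mar 28 13:29:17 hostsn snort: [1:1256:3] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 66.98.32.43:21975 -> a.b.c.49:80
Mar 28 13:54:22 211.185.158.1:22 -> a.b.w.62:22 SYNFIN ******SF
Mar 28 13:54:22 hosthu snort: [111:13:1] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection {TCP} 211.185.158.1:22 -> a.b.w.62:22
Mar 28 15:20:44 hosty snort: [ID 702911 local0.alert] [1:1322:4] BAD TRAFFIC bad frag bits [Classification: Misc activity] [Priority: 3]: {UDP} 207.155.184.100 -> z.y.x.34
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE.splitlines())
    for src, events, nhosts, flag in triage(summary):
        targets = ",".join(sorted({t for t, _ in summary[src].activity}))
        print(f"{src:16} {events:2} event(s) on {nhosts} sensor(s) [{flag}] {targets}")
```

Run stand-alone it prints one row per source, ranked by the number of sensors that saw it; on the sample, 217.33.28.29 (rpcbind/portmap dump() on four separate hosts within a few seconds) sorts first as a sweep, while sources such as 66.98.32.43 that hammer a single host are ranked by volume instead. The host-count criterion is the same distinction the post makes implicitly by putting a whois block only above the sources worth following up; a burst on one sensor and a sweep across many deserve different responses, and grouping by source address rather than by sensor is what makes that visible.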

