Short summary of attacks against us for Feb 2000

year - time EASTERN source_ip[:port] (dns name, if any) attack/scan/notes

2000/02/04-10:03:45.00 209.181.150.241 (ashera.jlcarroll.net) scan net for port 32771
2000/02/05-00:02:19.58 63.70.25.195 net probe of port 111
2000/02/05-01:10:31.59 63.70.25.195 probe various ports on net, attack of buff overflow, inetd with port kerberos, ingreslock,
2000/02/05-04:08:16.85 205.155.7.2 buffer overflow attacks on various machines on net.
2000/02/05-13:22:53.69 213.56.40.179 scan subnet 132.235.1.x for port 2003
2000/02/05-13:22:53.70 213.56.40.179 (ca-ol-montpellier-1-179.abo.wanadoo.fr) scan net for port 2003
2000/02/05-17:54:26.19 207.71.8.168 sent packet to addr 255.255.255.255 port 111
2000/02/05-17:55:56.07 207.71.8.168 (www.e-immigrant.com) scan net for port 111
2000/02/05-19:36:49.37 210.222.56.101 sent packet to addr 255.255.255.255 port 53
2000/02/05-19:42:16.37 210.222.56.101 () scan net for port 25
2000/02/05-19:50:06.37 210.222.56.101 sent packet to addr 255.255.255.255 port 53
2000/02/05-21:16:47.38 198.102.179.163:137 probe 132.235.1.1 port 137
2000/02/06-04:53:54.00 203.241.183.111 port scan of ace
2000/02/06-19:52:18.49 130.161.36.84 packet to 255.255.255.255 port 1514
2000/02/06-21:08:34.29 203.240.244.11:0 probe ace and boss port 111
2000/02/06-23:24:04.19 130.161.36.84:113 packet to 132.235.2.66 port 1659
2000/02/07-00:00:25.20 203.240.244.11:0 probe boss port 111
2000/02/07-03:52:12.77 61.132.13.110 probes of certain machines.
2000/02/07-03:58:01.14 203.240.244.11:0 probe ace and boss port 143
2000/02/07-05:17:39.96 130.161.36.84:113 packet to 132.235.2.79 port 1659
2000/02/07-05:52:13.45 203.240.244.11:0 probe boss port 143
2000/02/07-09:03:11.68 203.5.74.214:137 probe 132.235.1.2 port 137
2000/02/07-10:31:31.95 63.198.94.8 probe net for port 111
2000/02/07-10:31:51.94 63.198.94.8 probe net for port 111
2000/02/07-10:32:55.92 63.198.94.8 () scan net for port 111
2000/02/07-13:17:30.98 155.223.1.41 sent packet to addr 255.255.255.255 port 161, followed by continuous hits to ports 80, 25, 21 and 161
2000/02/07-19:13:48.40 24.218.36.115 sent packet to addr 255.255.255.255 port 111
2000/02/07-20:54:24.20 194.97.158.155 start mining name server on boss
2000/02/08-00:42:17.56 209.161.237.130 scan of ports including 111 on ace
2000/02/08-04:09:50.15 209.189.117.252 scan port 25, 110 on net.
2000/02/08-06:23:44.88 194.97.158.155 (space.net, Germany) mine dns on ace and boss, then start probe port 53 on various machines.
2000/02/08-09:27:00.69 140.90.111.159 probe 132.235.17.156 port 21 once an hour.
2000/02/08-15:21:43.77 200.196.82.86 (b19086.dial-rjo.impsat.com.br) heavy scans of DNS, then machines on net for mountd ports. Mount authentication command uses host name of CyberThug :-)
2000/02/08-17:22:46.76 165.230.180.142:23 scan random ports
2000/02/08-18:37:52.66 146.188.201.61 (194.ATM8-0-0.GW5.SEA1.ALTER.NET) probe seemingly random ports on random machines...
2000/02/08-19:01:43.65 24.93.213.12 scan net for port 111, broadcast and spec. addr.
2000/02/08-22:52:16.34 192.228.137.118 weird hits on port 79, like looking for someone...
2000/02/09-06:28:48.84 194.97.158.155 scan net for port 32771
2000/02/09-06:31:49.60 194.97.158.155 (space.net, Germany) probe port 32771 on net via broadcast and specific machine addrs.
2000/02/09-11:20:30.49 195.243.198.120 scan net for port 111
2000/02/09-13:18:29.00 198.94.52.220 scan several machines for port 1514
2000/02/09-16:12:35.11 202.167.35.254 scan port 111 on net, attack ttdbserver with buffer overflow
2000/02/09-16:14:06.78 202.167.35.254 hit port 111 then port 32773 on topdog 3 times.
2000/02/09-16:23:22.37 24.26.110.37 scan net for port 111
2000/02/10-01:34:44.14 200.223.126.144 strange probe pattern on ace of ports 79, 80, 23 (no login), repeated.
2000/02/10-08:57:18.00 203.22.127.20 broadcast scan for port 60257
2000/02/10-11:16:43.66 195.243.198.120:1276 scan port 1524 on several machines
2000/02/10-15:23:01.07 200.196.84.74 scan ports 25, 79, 110, 143, 23, 80 on our DNS servers, until 2000/02/10-15:25:00.24
2000/02/10-15:26:40.08 195.44.205.153:60000 scan net for port 2140 via broadcast and specific ip
2000/02/10-16:41:23.22 200.196.82.135 scan net for port 111 via 255.255.255.255 broadcast
2000/02/10-17:06:57.40 200.17.93.34 probe port 32780 then port 111
2000/02/10-17:09:03.58 195.243.198.120:2666 scan port 111 on about 10 machines
2000/02/10-17:56:23.02 200.196.82.135 scan net for port 111 via 255.255.255.255 broadcast
2000/02/10-18:43:29.37 195.243.198.120:2666 scan port 109 on about 10 machines
2000/02/10-20:44:08.20 200.196.94.67 scan net for port 111
2000/02/11-06:11:16.28 134.7.1.56:2666 scan net for port 111
2000/02/11-17:57:43.84 200.196.82.254 beat on boss for port 111, 1524
2000/02/12-13:01:10.95 200.17.93.62 scan machines for port 111, then probe ports 32783, 875, 776, 32774, then use buffer overflow attack.
2000/02/12-13:35:24.81 200.196.82.196 scan 132.235.18.xxx port 111 via 255.255.255.255 and individual ips.
2000/02/12-14:03:42.46 200.196.82.31 scan 132.235.18.xxx port 111 via 255.255.255.255 and individual ips.
2000/02/12-14:24:38.90 200.196.82.31 scan 132.235.17.xxx port 111 via 255.255.255.255 and individual ips.
2000/02/12-18:47:14.08 24.0.114.175 scan net for port 143
2000/02/12-18:47:24.03 24.0.114.175 broadcast 255.255.255.255 port 143
2000/02/12-19:57:44.16 200.196.82.31 scan 132.235.18.xxx port 111 via 255.255.255.255 and individual ips.
2000/02/12-20:18:08.87 200.196.82.31 scan 132.235.17.xxx port 111 via 255.255.255.255 and individual ips.
2000/02/12-22:53:41.27 38.27.184.54 buffer overflow attacks with .rhosts files of joeyo@carlo.physics.ecu.edu:.rhosts in ~root
2000/02/12-22:53:41.27 38.27.184.54 start of scan, machine ports 80, 53, 110, 143, 79, 23 thru 2000/02/13-14:13:31.83
2000/02/13-01:25:24.65 216.132.183.159 scan several machines for port 111.
2000/02/13-04:30:58.42 63.27.114.2 probe port 111 on boss
2000/02/13-05:39:20.89 24.130.49.191:7434 scan net for port 31337 via 255.255.255.255 and individual ips.
2000/02/13-05:40:40.32 24.130.49.191 scan port 31337 via 255.255.255.255 and individual ips.
2000/02/13-11:18:49.64 24.93.124.55 probe port 23 on machine 132.235.1.[1267]
2000/02/13-13:01:41.35 200.196.84.48 scan net for port 111
2000/02/13-13:06:01.19 200.196.84.48 scan 132.235.18.xxx port 111 via 255.255.255.255 and individual ips.
2000/02/13-13:27:11.74 200.196.84.48 scan 132.235.17.xxx port 111 via 255.255.255.255 and individual ips.
2000/02/13-15:41:45.07 209.36.110.81 scan net for ports 21, 1080 via 255.255.255.255 and individual ips.
2000/02/13-19:16:03.06 167.206.61.151 scan port 21 via 255.255.255.255 and individual ips.
2000/02/13-19:51:13.19 200.15.46.68 scan port 8080 via 255.255.255.255 and individual ips.
2000/02/14-19:53:15.33 167.206.61.151 (bab61-151.optonline.net) scan net for port 21, try to make direc. via anon ftp on ace.
2000/02/14-21:23:01.84 210.216.188.2:53 (korea) scan net for port 111
2000/02/15-18:34:01.81 203.63.249.28:2666 (?.connect.com.au) scan port 109 via 255.255.255.255 and specific ip.
2000/02/16-03:08:08.18 24.66.234.122 (24.66.234.122.ab.wave.home.com) probe ace for ports 79 23 80 143 53 111
2000/02/16-04:57:14.99 209.47.148.18:2666 (toronto.trends.ca) scan net for port 111
2000/02/16-05:58:28.26 194.16.186.40 (WGYNET Sweden) strange ftp scan on helper.
2000/02/16-23:04:54.57 206.132.186.131 (green.alexa.com) scan random machines for port 80
2000/02/16-13:40:48.85 132.235.197.25 (galileo.cns.ohiou.edu) scan 132.235.x.x for port 80 via 255.255.255.255 and ind. ips.
2000/02/17-01:05:04.94 195.243.198.120:2666 (DE) scan port 109 on several machines.
2000/02/17-03:53:04.13 195.243.198.120:2666 (DE) scan port 109 on 3 machines
2000/02/17-19:07:56.88 24.93.213.12 (c1-1d012.neo.rr.com) scan net for port 111 by ip and 255.255.255.255
2000/02/17-19:11:20.88 24.93.213.12 (c1-1d012.neo.rr.com) scan net for port 111 by ip and 255.255.255.255
2000/02/18-02:50:25.00 132.235.168.68 (w0068.west-green.ohiou.edu) scan several machines for port 27374
2000/02/18-09:47:12.40 210.103.120.43 (Korea) scan port 111 on ace
2000/02/18-11:11:31.60 38.225.108.65 (PSI net) scan net for port 32772 by ip
2000/02/18-11:22:17.05 193.10.185.6 (ike.dormnet.his.se) probe port 111 on ace
2000/02/18-19:21:27.00 212.25.68.96 (Israel) probe ace port 111, 143, 720
2000/02/19-01:00:47.02 210.221.163.97 (TOTAL-COMPUTER-SYSTEM, Korea) scan port 111 on ace
2000/02/19-04:10:57.27 171.64.139.21 (LakeBuenaVista.Stanford.EDU) scan ace for multiple ports
2000/02/19-17:14:32.89 200.41.37.121 (esmeraldadialup, AR) probe port 111 on boss
2000/02/19-23:35:45.80 207.211.35.247 (247-35.siteleader.net) scan ace for ports 1524 2222 12345 16660 60001
2000/02/20-02:25:47.48 209.95.132.118 (slima.cybw.net - Equidor) scan net for port 111 by ip and 255.255.255.255
2000/02/20-05:08:00.12 35.10.130.181 (cunni124.user.msu.edu) scan net for port 27374 by ip.
2000/02/20-13:43:50.08 211.35.2.130:2666 (Korea) scan net for port 111 by ip.
2000/02/20-13:50:13.63 211.35.2.130 (Korea) buffer overflow attack on sadmind on america.
2000/02/20-14:27:55.40 209.181.196.108 (USwest) scan ace for ports 25, 79, 110, 23, 80, 113, 143, 53, 6000, 80
2000/02/20-15:07:02.01 210.216.188.2 (DACOM CORPORATION Seoul, KOREA) scan port 111 on ace, 132.235.2.67
2000/02/20-15:07:49.69 211.35.2.130:2666 (Korea) scan net for port 111 by ip.
2000/02/20-15:18:47.02 163.152.40.133 (theochem.korea.ac.kr) scan random machines for port 5232
2000/02/20-19:48:58.52 202.128.72.2 (isp in guam) scan by ip for port 111.
2000/02/20-19:54:13.65 130.184.165.46 (msp.eleg.uark.edu) probe sadmind and ttdbserverd on boss and ace, buffer overflow attack on ace and boss.
2000/02/20-20:38:01.17 202.128.72.2 (INTERNETPCI - ISP in Guam) scan net for port 111
2000/02/20-23:00:11.72 202.128.72.2 (INTERNETPCI - ISP in Guam) scan 132.235.36 by ip for port 111
2000/02/21-11:06:54.42 130.184.165.46 (msp.eleg.uark.edu) buffer overflow attack on mars.math
2000/02/21-11:08:31.05 200.188.86.127 (ig-1-127.sp.dial.psinet.com.br) utilize hack by buff. overflow from 130.184.165.46
2000/02/22-17:01:15.57 216.214.175.155 (max4-27.cleveland.corecomm.net) repeated attempts to connect to boss on port 1080
2000/02/22-20:23:23.69 207.226.173.193:137 (cais.net) probe port 137 on several machines.
2000/02/23-06:57:10.21 203.101.72.93 (async92-pen-isp-1.nas.one.net.au) scan for port 31337 by ip on net
2000/02/23-08:02:06.05 210.206.242.130 (DACOM CORP, KOREA) scan port 111 on several machines
2000/02/23-20:19:17.93 128.186.110.128 (lap10.hep.fsu.edu) scan port 111 on ace
2000/02/23-20:52:14.22 216.132.106.99 (*.hlc.net) scan port 1524 on ace
2000/02/23-22:07:14.18 216.132.106.99 (*.hlc.net) scan port 12345 on ace
2000/02/24-01:59:03.54 200.246.207.134 (a04134.sp.mandic.com.br) start of scans of port 111 on net.
2000/02/24-02:09:01.27 150.128.39.41 (ultra.uji.es) buff overflow attack (hacker moved from uark.edu?)
2000/02/24-03:24:32.03 132.235.153.40:1080 (s1040.south-green.ohiou.edu) scan net by ip for port 137
2000/02/24-21:02:51.00 200.246.207.126 (a04126.sp.mandic.com.br) scan port 11 on 132.235.15.21
2000/02/24-22:22:47.16 24.93.127.55 (dhcp93127055.columbus.rr.com) hit 132.235.2.67 with > 450 packets on port 161
2000/02/24-22:22:47.16 24.93.127.55:4831 (dhcp93127055.columbus.rr.com) scan several ips for port 161
2000/02/25-07:58:07.28 202.167.121.193:53 (Vietnam Data Comm) start of series of contacts to port 46424 on boss
2000/02/25-07:58:10.35 203.162.3.234:53 (hanoi-fw.vnd.net) start of series of contacts to port 46424 on boss
2000/02/25-12:22:13.50 209.181.225.41 (edsl40.mpls.uswest.net) scan net by ip for port 137
2000/02/26-09:37:35.47 202.121.32.10 (Shanghai 200032, China) probe/attack port 111 and calendar manager on ace.
2000/02/26-10:07:44.73 200.196.83.70 (b20070.dial-rjo1.impsat.com.br) probe port 111 of ace
2000/02/26-11:04:00.66 200.196.84.83 (b21083.dial-rjo2.impsat.com.br) probe port 111 of ace
2000/02/26-17:32:26.35 209.161.237.232 (ts3-14t-104.idirect.com) probe 111 on ace
2000/02/27-04:32:13.60 63.70.25.21 (Sattech (Private) Ltd., Karachi, PK) scan port 111 on freenet, try to login as root, passw check_mate....
2000/02/27-09:21:01.27 141.44.21.3 (knecht.CS.Uni-Magdeburg.De) scan net for port 8080 by ip and 255.255.255.255.
2000/02/27-11:40:45.45 200.254.73.158 (gd658.gd.com.br) probe 111 on ace
2000/02/27-14:37:04.04 210.92.138.152 (Kimminchul Game Plaza, KOREA) probe 111 on ace
2000/02/27-14:49:18.64 62.82.195.25 (BE-25-BARC-X4.red.retevision.es) A really dumb moron ftp'd old passwd file from ace and then tried to use login/passwd combos on 132.235.1.1.
2000/02/27-16:09:02.83 209.244.229.58 (dialup-209.244.229.58.Washington1.Level3.net) scan net by ip for port 31337
2000/02/27-18:01:47.67 143.107.114.36 (sol.iagusp.usp.br) attack ace with ttdbserverd buff overflow attack.
2000/02/27-18:30:21.48 63.81.225.47 (ppp.63.81.225.047.dragonbbs.com) scan homer for ports 33477 thru 33479
2000/02/27-19:14:39.31 200.196.82.249 (b19249.dial-rjo.impsat.com.br) determined try to hack boss and ace: scan web server ports, ports 724 53 111 6000 143 110 109 21 9000 6666 6667 6668 6669 7000 21 80, finger users search.** and cmd_rootsh, scan port 111 and port 739. statmon buffer overflow attack. Mountd probes (from machine named CyberThug - again.) Finally, attempt to telnet as user csv, then send a stream of garbage/control chars to telnet port. Then one final connection to XWIN server.
2000/02/28-00:37:58.31 12.6.231.51 (four.marlboro.edu) scan net for port 53 by ip and 255.255.255.255
2000/02/28-07:44:14.51 202.167.121.193 (Vietnam Data Comm, Vietnam) continual hits on port 46424 on boss for 24 hrs
2000/02/28-07:44:18.37 203.162.3.234 (hanoi-fw.vnd.net) continual hits on port 46424 on boss for 24 hrs
2000/02/28-09:46:32.37 207.171.143.92 (i-conn LLC, CT USA) scan port 137 via ip
2000/02/28-12:18:11.14 210.99.103.2 (Telecom-PUBNET - Korea) scan for port 2766 via ip and 255.255.255.255
2000/02/29-07:58:45.23 192.117.186.53 (R-H-186-53.access.net.il) probe telnet, ftp, mountd ports on ace
2000/02/29-14:53:15.71 139.78.185.79 (idabel.agr.okstate.edu) probe portmapper on ace
2000/02/29-15:46:58.25 192.115.209.1 (ppp1.infolink.net.il) probe portmapper on boss
2000/02/29-18:01:55.40 210.225.33.66:2666 (ns.artteknika.com, Japan) scan net for port 111 by ip
2000/02/29-18:19:53.47 203.228.63.140:2666 (korea telecom, Korea) scan net for port 111 via ip.
2000/02/29-20:20:34.69 63.193.116.74 (adsl-63-193-116-74.dsl.snfc21.pacbell.net) scan net for port 32772 by ip and broadcast
2000/02/29-22:59:38.55 207.54.132.252 (gbg3.apk.net) scan net for port 33 by ip and broadcast
2000/02/29-22:59:38.55 207.54.132.252 (gbg3.apk.net, Korea) scan net for port 111 via ip.
2000/02/29-23:31:28.56 200.215.131.55 (sheditora-gw.ism.com.br) probe portmapper on ace