Short summary of some of the attacks against us for Feb. 2001

time EASTERN  source_ip[:port] (dns name, if any)  attack/scan/notes

Oh boy, I didn't see anything for the 1st OR 2nd. Wonder what I missed.

2001/02/03-00:21:13.17 172.174.133.80 (ACAE8550.ipt.aol.com) scan net for port 23
2001/02/03-00:21:13.17 209.219.220.134 (ATHM-209-219-xxx-134.home.net) scan net for port 515
2001/02/03-02:31:01.99 209.219.220.134 (ATHM-209-219-xxx-134.home.net) scan net for port 515
2001/02/03-02:37:28.79 209.219.220.134 (ATHM-209-219-xxx-134.home.net) scan net for port 23
2001/02/03-10:29:11.78 209.246.214.131 (dialup-209.246.214.131.Philadelphia1.Level3.net) scan net for port 21
2001/02/03-23:33:03.53 149.171.28.53 (petpc53.petrol.unsw.EDU.AU) scan net for port 111, buffer overflow attacks also
2001/02/03-23:48:15.36 209.219.220.134 (ATHM-209-219-xxx-134.home.net) scan net for port 23
2001/02/05-16:14:32.71 194.204.49.250 (tuli.kiri.ee) start of DNS lookup barrage - thru 2001/02/08-15:30 at least
2001/02/05-21:12:34.63 210.178.7.60 (Korea Crap) scan net for port 111, buffer overflow attack on statmon
2001/02/06-04:13:35.51 206.186.216.72 (Sprint Canada) scan net for port 21
2001/02/06-07:31:16.95 206.186.216.72 (Skycable,Winnipeg,CA) scan net for port 21
2001/02/06-08:26:38.40 62.225.211.217 (p3EE1D3D9.dip.t-dialin.net) repeated attempts to access 132.235.15.70:21
2001/02/06-14:41:52.24 193.253.208.54 (ABayonne-101-1-1-54.abo.wanadoo.fr) scan net for port 21, for anonymous writable dirs
2001/02/06-20:05:05.24 131.187.108.229 (host108-229.athenscounty.lib.oh.us) try to log on to seorf as root / amy3000
2001/02/06-21:09:12.93 199.89.192.194 (www.accentsystems.com) scan net for port 111
2001/02/07-15:07:09.60 132.235.232.14 (crab-lab.zool.ohiou.edu) weird attempt to fcp /etc/hosts from ace and boss as guest
2001/02/08-02:31:17.22 208.184.13.69 (Abovenet Communications, Inc, San Jose, Ca, US) scan net for port 53
2001/02/08-08:04:07.52 213.8.128.179 (Euronet Digital Communications, IL) 1) scan net for port 21. Follow-up attacks via 2) cwd /pub, /public, /upload, /_vti_txt etc. 3) against selected machines.
2001/02/09-15:06:34.92 195.232.111.51 (par-qbu-gpb-vty51.as.wcom.net) scan net for port 23
2001/02/09-17:33:45.91 24.7.110.113 (ci916056-a.galatn1.tn.home.com) scan net for port 21
2001/02/09-19:55:17.48 217.87.24.36 (pD9571824.dip.t-dialin.net) scan net for port 21
2001/02/09-20:33:48.42 203.186.139.89 (Internet Service Provider in Hong Kong) scan net for port 515
2001/02/09-20:42:48.71 203.186.139.89 (Internet Service Provider in Hong Kong) scan net for port 523
2001/02/10-01:55:46.87 208.179.63.5 (Tayco Engineering,Long Beach, CA,US) probe port 23 on dns servers.
2001/02/10-15:45:53.12 24.43.172.115 (cr266497-a.ym1.on.wave.home.com) scan net for port 21
2001/02/11-14:46:19.24 200.192.198.139 (dl-tnt1-C8C0C68B.rio.terra.com.br) scan net for port 53
2001/02/13-09:49:28.80 210.93.250.166 (SK Telecom Co., Ltd.,SEOUL,KR) portscan 132.235.1.11 ports 1-1000
2001/02/13-09:50:29.02 210.93.250.166 (SK Telecom Co., Ltd.,SEOUL,KR) probe ports 23,22,19
2001/02/13-09:52:17.90 210.93.250.166 (SK Telecom Co., Ltd.,SEOUL,KR) finger probes to see who is logged on, then try telnet as them
2001/02/13-14:13:40.36 210.93.250.166 (SK Telecom Co., Ltd.,SEOUL,KR) portscan 132.235.1.11 ports 1-1000
2001/02/13-14:46:36.71 132.235.90.7 (?.oucom.ohiou.edu) scan net for udp ports 138,139,38293
2001/02/14-12:36:58.81 132.235.12.148 (dhcp-012-148.cns.ohiou.edu) connect to 132.235.1.1:82
2001/02/14-12:37:42.53 132.235.12.148 (dhcp-012-148.cns.ohiou.edu) connect to 132.235.1.1:81
2001/02/14-14:10:20.00 64.244.158.11 (paradise.steem.com) traceroute boss
2001/02/14-14:11:05.06 64.244.158.2 (masq.steem.com) start of periodic traceroutes on boss till 2001/02/14-17:10:47.19
2001/02/14-16:41:48.56 203.228.121.176 (korea) portscan 132.235.1.11 on 1-1203
2001/02/14-16:42:55.98 203.228.121.176 (korea) begin fingering users on 132.235.1.11
2001/02/14-17:42:55.13 63.169.43.15 (ghetto.goldengull.net) scan net for port 53
2001/02/14-22:06:36.18 212.33.70.50 (Address space for pl.biaman,POLAND) scan net for port 21
2001/02/15-07:32:46.55 132.235.90.7 (?.oucom.ohiou.edu) scan net for udp ports 138,139,38293
2001/02/15-10:50:12.78 132.235.94.25 (???) scan net for port 38293
2001/02/15-11:35:05.75 132.235.94.25 (???) scan net for port 41524
2001/02/15-11:50:45.73 132.235.94.25 (???) scan net for port 38293
2001/02/15-12:46:54.09 64.244.158.2 (masq.steem.com) start of multiple traceroutes to boss thru 2001/02/15-15:53:50.01
2001/02/15-13:01:35.60 132.235.94.25 (???) scan net for port 41524 (CA/Cheyenne ArcServe ???)
2001/02/15-13:27:46.35 132.235.94.25 (???) probe ports 138,139 on specific machines
2001/02/15-13:43:33.24 132.235.94.25 (???) scan net for port 38293 (Norton Anti-virus???...)
2001/02/15-14:28:37.79 132.235.94.25 (???) (etc.)
2001/02/15-15:54:55.36 64.228.197.207 (HSE-Montreal-ppp139248.sympatico.ca) scan net 132.235.201.x for port 21
2001/02/15-17:26:43.82 216.196.162.187 (nr5-216-196-162-187.fuse.net) scan net for port 27374
2001/02/15-22:30:05.60 63.26.1.85 (1Cust85.tnt4.nashville.tn.da.uu.net) portscan 132.235.1.252
2001/02/15-23:13:43.40 24.69.28.218 (h24-69-28-218.gv.shawcable.net) scan net for port 27374
2001/02/15-23:27:37.14 142.103.56.234 (srtp05-234.resnet.ubc.ca) scan net for port 27374
2001/02/15-23:27:45.72 24.112.41.38 (pointer cr986423-a.hnsn1.on.wave.home.com) scan net for port 27374
2001/02/16-07:15:04.94 132.235.90.7 (?.oucom.ohiou.edu) scan net for port 38293 - Norton AntiVirus Corporate Edition?
2001/02/16-07:54:42.08 132.235.94.25 (?.oucom.ohiou.edu) scan net for port 38293
2001/02/16-08:05:55.53 132.235.94.25 (?.oucom.ohiou.edu) scan net for port 41524
2001/02/16-08:57:45.01 132.235.94.25 (?.oucom.ohiou.edu) scan net for port 41524
2001/02/16-09:31:39.78 132.235.92.34 (?.oucom.ohiou.edu) scan net for port 38293
2001/02/16-16:20:16.55 195.237.208.7 (vyl.vihti.fi) scan net for port 53
2001/02/17-05:35:49.43 64.12.24.50 (America Online, Inc) scan net for port 2753
2001/02/17-07:40:47.60 64.7.19.6 (sdsl-64-7-19-6.dsl.aus.megapath.net) scan net for port 515
2001/02/17-11:08:43.45 164.124.107.35 (DACOM Corporation,SEOUL, KR) portscan 132.235.1.11 high and low ports
2001/02/17-17:34:08.42 24.167.127.8 (cs167127-8.austin.rr.com) scan net for port 53
2001/02/17-17:46:37.81 62.10.34.214 (to1-214.dialup.tiscalinet.it) scan port 80 on 132.235.3.[12345]
2001/02/17-18:10:21.92 62.10.34.214 (to1-214.dialup.tiscalinet.it) scan port 23 on 132.235.1.[12345]
2001/02/17-20:17:52.73 213.134.130.18 (sim.simplicom.com.pl) scan net for port 53
2001/02/17-23:11:24.95 128.138.117.50 (rgnt50.Colorado.EDU) scan net for port 111 & buffer overflow attacks
2001/02/18-03:08:23.89 63.73.29.114 (Baton Rouge International,Baton Rouge, LA,US) scan net for port 111
2001/02/18-17:47:47.59 170.141.48.3 (State of Tennessee,Department of Finance and Administration, TN) scan net for port 111
2001/02/18-23:47:00.26 132.235.148.213 (pointer dhcp-148-213.cns.ohiou.edu) portscan prime (assumed user jdoolan)
2001/02/19-11:22:21.88 64.244.158.2 (masq.steem.com) start of stream of traceroutes to boss thru 2001/02/19-19:50:08.31
2001/02/19-22:45:42.48 195.154.50.126 (ppp126-net1-idf2-bas1.isdnet.net) scan net for port 21
2001/02/19-22:51:11.48 211.23.87.134 (CHTD, Chunghwa Telecom Co,Taipei Taiwan) scan net for port 21
2001/02/20-06:20:02.89 64.244.158.2 (America Online, Inc) start traceroutes to 132.235.1.1 thru 2001/02/21-05:20:08.24
2001/02/20-10:45:15.34 64.39.173.1 (173-1.SPEEDe.golden.net) probe 132.235.1.239 on ports 80,1080,8080,3128
2001/02/20-13:26:26.92 192.102.197.159 (cedar02.cps.intel.com) portscan 132.235.19.91
2001/02/20-13:48:51.22 166.90.248.158 (stargate.compuware.com) scan several machines for port 21
2001/02/20-16:31:10.08 132.235.175.77 (w7077.west-green.ohiou.edu) portscan 132.235.19.77
2001/02/20-18:34:56.49 24.93.68.192:88 (local-server.carolina.rr.com) scan 12 machines for ports 1024,3072
2001/02/20-20:33:55.03 196.22.213.55 (ns2.teksweb.com) scan net for port 111, buffer overflow against some machines
2001/02/20-21:41:45.87 64.204.64.226 (64-204-64-226.client.dsl.net) scan net 132.235.201.x for port 111
2001/02/20-21:47:22.23 203.186.138.225 (Internet Service Provider in Hong Kong) scan net for ports 515, 23
2001/02/21-02:30:36.99 212.122.13.2 (Printing&Publishing House DALPRESS,Vladivostok, Russia) scan net for port 21
2001/02/22-11:42:33.89 212.25.111.194 (ram-9194.bezeqint.net) finger query on boss, try to telnet in as tysko passwd tysko
2001/02/22-18:01:08.44 128.206.196.196 (mu-196196.dhcp.missouri.edu) scan net for port 21
2001/02/22-19:50:10.56 64.14.95.168 (Exodus Communications Inc., SANTA CLARA, CA,US) scan net for port 515
2001/02/22-19:58:27.09 64.14.95.168 (Exodus Communications Inc., SANTA CLARA, CA,US) scan net for port 23
2001/02/23-20:43:23.70 63.207.159.245 (adsl-63-207-159-245.dsl.lsan03.pacbell.net) scan net for port 111
2001/02/24-17:05:29.37 63.50.204.170 (uunet address) probe 132.235.1.7 for port 119.
2001/02/24-17:55:26.34 209.245.157.137 (Level 3 Communications,Louisville, CO,US) scan net for port 111
2001/02/24-18:15:14.21 209.245.157.137 (Level 3 Communications,Louisville, CO,US) probe statmon port on many machines
2001/02/24-18:25:34.41 209.245.157.137 (Level 3 Communications,Louisville, CO,US) scan net for port 21
2001/02/24-18:35:08.68 209.245.157.137 (Level 3 Communications,Louisville, CO,US) scan net for port 53
2001/02/25-00:02:13.61 137.204.204.1 (delfino.ambra.unibo.it) scan net for port 53
2001/02/25-03:31:35.05 24.112.117.68 (cr369543-a.lngly1.bc.wave.home.com) scan net for port 27374
2001/02/25-07:15:32.20 147.46.97.167 (ksam.snu.ac.kr) scan net for port 111, statmon probes to some machines.
2001/02/25-10:58:40.77 200.193.245.246 (Internet Group do Brasil Ltda,Sao Paulo?, Brazil) scan net for port 21
2001/02/25-16:25:46.30 63.162.16.92 (cblmdm63-162-16-92.buckeye-express.com) scan net for port 27374
2001/02/25-19:12:47.79 24.16.2.177 (c972064-a.reno1.nv.home.com) scan net for port 27374
2001/02/25-20:34:44.34 63.50.203.220 (uunet address) probe for port 119 on 132.235.1.7
2001/02/26-00:12:27.26 213.93.220.37 (e220037.upc-e.chello.nl) scan net for port 21
2001/02/26-06:53:09.97 165.132.59.150 (Yonsei University,SEOUL, Korea) scan net for port 21
2001/02/26-20:37:49.09 203.120.178.175 (ISE Labs Singapore) scan net for port 515
2001/02/26-22:52:28.70 195.223.48.84 (HTM SPORT SPA,IT) scan net for port 53
2001/02/28-15:25:23.78 210.110.249.87 (KORDIC,Taejon, Korea) scan net for port 111
2001/02/28-17:05:33.34 206.239.85.84 (?.verio.net) ~60 connections to random ip/port pairs thru 2001/03/01-04:02:05.32
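As an added example, not part of the original summary: a small Python parser for the one-line-per-event format used above ("time source_ip[:port] (dns name) notes"). It tallies which ports were probed, flags source addresses that recur, and separates events that originate inside the monitored 132.235.0.0/16 network from outside ones, since the notes above suggest the internal ones (38293, 41524, udp 138/139) are probably misconfigured local software rather than outside attackers and deserve a different follow-up. The sample lines are copied from the summary; the regular expressions, the /16 boundary and the repeat threshold of three events are my assumptions.

```python
"""Parse 'time source_ip[:port] (dns name) notes' records and aggregate them."""
import ipaddress
import re
from collections import Counter

# Record layout (assumed from the log): timestamp, source IP with optional :port,
# dns name or whois comment in parentheses, then a free-text note.
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+"
    r"\((?P<dns>[^)]*)\)\s*"
    r"(?P<note>.*)$"
)
# Port lists inside the note: "port 21", "ports 23,22,19", "udp ports 138,139,38293", "ports 515, 23".
PORT_RE = re.compile(r"\bports?\s+(\d+(?:\s*,\s*\d+)*)")

# The monitored network, taken from the addresses in the summary (assumption: a /16).
LOCAL_NET = ipaddress.ip_network("132.235.0.0/16")

# Sample input, copied from the summary above.
SAMPLE = """\
2001/02/03-00:21:13.17 209.219.220.134 (ATHM-209-219-xxx-134.home.net) scan net for port 515
2001/02/03-02:31:01.99 209.219.220.134 (ATHM-209-219-xxx-134.home.net) scan net for port 515
2001/02/03-02:37:28.79 209.219.220.134 (ATHM-209-219-xxx-134.home.net) scan net for port 23
2001/02/13-09:50:29.02 210.93.250.166 (SK Telecom Co., Ltd.,SEOUL,KR) probe ports 23,22,19
2001/02/13-14:46:36.71 132.235.90.7 (?.oucom.ohiou.edu) scan net for udp ports 138,139,38293
2001/02/20-18:34:56.49 24.93.68.192:88 (local-server.carolina.rr.com) scan 12 machines for ports 1024,3072
2001/02/20-21:47:22.23 203.186.138.225 (Internet Service Provider in Hong Kong) scan net for ports 515, 23
2001/02/28-17:05:33.34 206.239.85.84 (?.verio.net) ~60 connections to random ip/port pairs thru 2001/03/01-04:02:05.32
""".splitlines()


def parse_record(line):
    """Return a dict for one record, or None if the line is not in the expected layout."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    ports = []
    for group in PORT_RE.findall(m["note"]):
        ports.extend(int(p) for p in re.split(r"\s*,\s*", group))
    return {
        "ts": m["ts"],
        "ip": m["ip"],
        "sport": int(m["sport"]) if m["sport"] else None,
        "dns": m["dns"],
        "note": m["note"],
        "ports": ports,
        "internal": ipaddress.ip_address(m["ip"]) in LOCAL_NET,
    }


def summarize(lines, repeat_threshold=3):
    """Aggregate parsed records by probed port and by source address."""
    records = [r for r in map(parse_record, lines) if r]
    by_port = Counter(p for r in records for p in r["ports"])
    by_source = Counter(r["ip"] for r in records)
    return {
        "records": len(records),
        "by_port": by_port,
        "by_source": by_source,
        "internal_sources": sorted({r["ip"] for r in records if r["internal"]}),
        "repeat_sources": sorted(ip for ip, n in by_source.items() if n >= repeat_threshold),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"{s['records']} records parsed")
    print("most probed ports:", s["by_port"].most_common(5))
    print("repeat sources   :", s["repeat_sources"])
    print("internal sources :", s["internal_sources"])
```

Run against the full listing, the port tally gives the month's picture at a glance (21, 111, 53, 515, 23 and 27374 dominate), the repeat list catches sources like 209.219.220.134 and 209.245.157.137 that came back for several services, and the internal list is the set of local hosts worth a phone call rather than a firewall rule.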