Short summary of attacks against us for April 2000

year - time EASTERN  source_ip[:port] (dns name, if any)  attack/scan/notes

2000/03/01-18:56:13.70 209.67.29.8 (Exodus Communications, CA) continuing scan of ace and boss or port 33434
2000/04/01-03:31:05.72 209.197.226.130 (lair.obelisk.net) sadmind buffer overflow attack against boss
2000/04/01-19:04:13.25 200.255.105.3 (mendanha.msb.br) scan net for port 53
2000/04/02-20:43:08 200.33.149.145 (modem145.caribe.net.mx) Dufus downloaded fake passwd file, then tried to logon with 'cracked' passwds.
2000/04/03-12:00:34.52 213.24.31.251 (GSP univer, Moscow Russia) scan net for port 21a
2000/04/03-13:01:54.68 216.160.38.58 (dialupM58.mpls.uswest.net) buffer overflow attack on boss
2000/04/03-20:32:24.86 203.84.59.202 (59-202.ingramnet.com) scan port 111 on ace
2000/04/04-06:51:06.37 200.33.149.155 (mendanha.msb.br) scan net for port 21
2000/04/04-19:10:30.07 24.8.148.36 (c372259-a.pinol1.sfba.home.com) scan net for port 21
2000/04/06-14:09:09.50 198.234.255.38 (ohio-net, state of ohio) probe port 4000 on seorf
2000/04/06-22:15:31.64 203.22.112.12 (cracker.intercoast.com.au) portmap dump of ace
2000/04/06-23:17:55.62 203.241.200.125 (DONG-EUI UNIVERSITY, PUSAN, Korea.) lots of dns lookups, probe port 111 on ace,boss
2000/04/07-00:46:03.86 203.230.217.134 (churchmusic.skhu.ac.kr) portmap dump of ace
2000/04/07-01:01:09.10 206.161.225.2 (columbia.digiweb.com) calendar manager buffer overflow attack, signature root.FRO@foobar
2000/04/07-01:02:21.19 193.252.124.3 (proxyhttptc2-01.wanadoosat.com) scan net for port 21 (for user anonymous)
2000/04/07-04:00:25.06 212.49.139.235 (www.sierranieves.org) probe port 111 on boss
2000/04/08-00:54:07.29 24.92.165.47 (dt031n2f.tampabay.rr.com) probe several machines for ports 137,139
2000/04/08-00:55:53.00 210.92.146.66 (Yeon kyung Electronics Co.LTD,KOREA) probe port 111 on freenet
2000/04/08-09:34:58.17 192.116.7.35 (linux.bethlehembiblecollege.edu) scan net 132.235.1.x for port 43
2000/04/08-16:47:27.70 212.43.198.245 (claranet.fr, fr.clara.ent, FRANCE) use TFTP port (69) to try to get /etc/passwd
2000/04/08-18:39:00.16 208.140.224.12:60000 (pem01-12.swva.net) scan net 132.235.1.x for port 2140
2000/04/09-18:50:39.44 203.241.200.125 (DONG-EUI UNIVERSITY, PUSAN KR) scan port 111 on ace, boss
2000/04/09-20:24:43.27 144.92.98.76 (orson.lis.wisc.edu) scan net 132.235.4.x for port 53
2000/04/10-11:59:50.15 210.115.234.101 (i101.hallym.ac.kr) probe port 111 on ace
2000/04/10-12:43:18.79 132.235.198.114 (dhcp-198-114.cns.ohiou.edu) probe port 177 on several machines
2000/04/10-13:35:23.65 200.33.22.xx (Departamento del Distrito Federal, MEXICO) about 100 machines sent packets to 255.255.255.255:138 thru 2000/04/11-06:12:45.95
2000/04/10-17:16:53.27 199.2.32.11:6667 (irc-w1.concentric.net) communicate with port 3222 on 132.235.16.160
2000/04/10-18:19:27.94 208.146.45.17 (s7.virtualave.net) probe machine for ports 8080,3128,1080,81
2000/04/10-18:39:34.54 132.235.22.149 (dhcp-022-149.cns.ohiou.edu) scan net 132.235.x.x for port 21
2000/04/10-20:55:05.04 132.235.22.149 (dhcp-022-149.cns.ohiou.edu) scan net 132.235.x.x for port 139
2000/04/10-21:45:57.58 203.249.107.145 (Korean Education Network. KOREA) scan 132.235.1[67].xx for port 111
2000/04/10-22:33:20.77 203.249.107.145 (Korean Education Network. KOREA) probe port 111 on ace and boss
2000/04/11-02:15:47.18 24.234.52.243 (ian-n-brenda.com - aka dhcp243.52.lvcm.com) portscan 132.235.x.x for multiple ports
2000/04/11-02:25:58.49 132.235.153.146 (s1146.south-green.ohiou.edu) heavy port scan of 132.235.15.142
2000/04/11-05:04:09.46 206.42.12.6 (tux.firstnethou.com) scan net for port 53.
2000/04/11-06:26:03.09 203.241.200.125 (DONG-EUI UNIVERSITY, PUSAN KR) scan 132.235.15.x for port 111
2000/04/11-10:43:42.88 198.112.109.8 (oxygen.camsoft.com) scan multiple machines for port 137 in Stocker
2000/04/11-11:05:10.22 132.235.22.149 (dhcp-022-149.cns.ohiou.edu) scan 132.235.x.x for port 139
2000/04/11-11:05:10.22 132.235.22.149 (dhcp-022-149.cns.ohiou.edu) scan net for port 139
2000/04/11-11:13:03.48 132.235.22.149 (dhcp-022-149.cns.ohiou.edu) scan 132.235.x.x for port 137
2000/04/11-12:27:06.40 132.235.159.58 (s7058.south-green.ohiou.edu) port scan of 132.235.17.17
2000/04/11-13:53:56.74 132.235.22.149 (dhcp-022-149.cns.ohiou.edu) scan 132.235.x.x for port 139
2000/04/11-16:50:11.54 200.33.22.xxx (Departamento del Distrito Federal,MEXICO) 1 - broadcast to 255.255.255.255:13[78]
2000/04/11-16:50:11.54 200.33.22.xxx (Departamento del Distrito Federal,MEXICO) 2 - for over 100 src machines,
2000/04/11-16:50:11.54 200.33.22.xxx (Departamento del Distrito Federal,MEXICO) 3 - thru 2000/04/12-07:05:06.08
2000/04/11-19:26:39.10 12.20.24.133 *(DIAL-A-MATRESS, NY, NY) scan 132.235.1.x for port 1524
2000/04/11-23:23:23.68 12.20.24.133 *(DIAL-A-MATRESS, NY, NY) scan 132.235.1.x for port 1524
2000/04/12-00:00:22.03 159.148.165.250 (unix.spt.lv) scan net for port 53
2000/04/12-01:50:20.11 132.235.159.58 (s7058.south-green.ohiou.edu) port scan of 132.235.17.11
2000/04/12-14:41:56.81 200.33.22.xxx (Departamento del Distrito Federal,MEXICO) - thru 2000/04/13-00:45:04.33
2000/04/12-14:41:56.81 200.33.22.xxx (Departamento del Distrito Federal,MEXICO) 1 - broadcast to 255.255.255.255:13[78]
2000/04/12-14:41:56.81 200.33.22.xxx (Departamento del Distrito Federal,MEXICO) 2 - for over 100 src machines,
2000/04/12-19:51:25.40 12.20.24.133 (DIAL-A-MATRESS, NY, NY) scan net for port 600
2000/04/13-00:24:13.88 128.175.13.74 (strauss.udel.edu) scan net looking for port 80
2000/04/13-07:16:10.39 212.108.4.154:80 (AMSTERDAM, NL) start of slow network scan
2000/04/13-07:24:52.20 212.108.4.153:80 (AMSTERDAM, NL) start of slow network scan
2000/04/13-07:26:30.75 212.108.4.152:80 (AMSTERDAM, NL) start of slow network scan
2000/04/13-18:01:53.51 12.79.98.211 (211.buffalo-06-07rs.ny.dial-access.att.net) portscan ace
2000/04/13-xx:xx:xx.xx 200.33.22.xxx (Departamento del Distrito Federal,MEXICO) - thru 2000/04/13-00:45:04.33
2000/04/13-xx:xx:xx.xx 200.33.22.xxx (Departamento del Distrito Federal,MEXICO) 1 - broadcast to 255.255.255.255:13[78]
2000/04/13-xx:xx:xx.xx 200.33.22.xxx (Departamento del Distrito Federal,MEXICO) 2 - for over 100 src machines,
2000/04/14-01:21:09.60 212.108.4.15[23]:80 (Comned Networks,Amsterdam NL) weird slow scan of net till 2000/04/16-20:44:38.54
2000/04/14-01:50:26.24 200.33.22.xxx (Departamento del Distrito Federal,MEXICO) 1 - broadcast to 255.255.255.255:13[78]
2000/04/14-01:50:26.24 200.33.22.xxx (Departamento del Distrito Federal,MEXICO) 2 - thru 2000/04/16-21:32:37.75
2000/04/14-07:20:25.16 200.33.22.xxx (Departamento del Distrito Federal,MEXICO) 1 - broadcast to 255.255.255.255:13[78]
2000/04/14-07:20:25.16 200.33.22.xxx (Departamento del Distrito Federal,MEXICO) 2 - thru 2000/04/14-20:50:20.35
2000/04/14-07:29:25.26 212.108.4.153 (Comned Networks,AMSTERDAM NL) scan random machines/ports thru 2000/04/17-06:42:40.90
2000/04/14-07:45:55.79 212.108.4.153 (Comned Networks,AMSTERDAM NL) scan random machines/ports thru 2000/04/17-07:13:36.69
2000/04/14-08:19:22.03 212.108.4.152 (Comned Networks,AMSTERDAM NL) scan random machines/ports thru 2000/04/17-07:41:58.86
2000/04/14-08:36:13.08 212.108.4.154 (Comned Networks,AMSTERDAM NL) scan random machines/ports thru 2000/04/17-06:54:49.02
2000/04/14-09:01:08.54 38.223.33.232:443 (PSI net) bang on 132.235.18.1 until 2000/04/14-12:32:12.39
2000/04/14-10:04:08.04 38.223.33.245:443 (PSI net) bang on 132.235.18.1 until 2000/04/14-22:58:11.75
2000/04/14-22:07:02.91 24.48.222.2 (ADELPHIA CABLE) scan net for port 23
2000/04/14-22:07:23.07 24.48.222.2 (ADELPHIA CABLE) probe various machines for
2000/04/15-02:26:31.68 212.108.4.152 0 (Comned Networks,AMSTERDAM NL) scan random machines/ports thru 2000/04/17-06:52:08.70
2000/04/15-02:27:51.91 132.235.159.58 (s7058.south-green.ohiou.edu) portscan 132.235.17.11
2000/04/15-02:31:24.64 199.3.230.125 (SPRINTLINK.NET) scan net for port 80
2000/04/15-06:30:27.61 199.3.230.125:1273 (SPRINTLINK.NET) scan net for port 111
2000/04/15-10:56:38.16 216.200.162.50:53 (50.162.200.216.fastpoint.net) scan net for port 53
2000/04/15-21:02:10.63 195.99.43.46 (host5-99-43-46.btinternet.com, GB) scan random machines/ports thru 2000/04/16-09:18:43.07
2000/04/15-23:01:41.17 195.41.97.108 (DENMARK) port scan of random machines/ports thru 2000/04/16-02:35:53.26
2000/04/16-08:20:51.31 206.53.130.3 (AIA inc. CA, US) scan random machines/ports thru 2000/04/17-00:09:19.63
2000/04/16-19:43:49.07 208.176.146.189 (w189.z208176146.sjc-ca.dsl.cnc.net) scan net for port 137
2000/04/16-23:27:41.21 216.3.0.102 (frognet.net) connect to 202.45.189.182 (Duh, what gateway?)
2000/04/17-04:05:27.22 212.108.4.176 (Comned Networks,AMSTERDAM NL) scan random machines/ports thru 2000/04/17-06:54:49.02
2000/04/17-04:05:45.72 212.108.4.176 (Comned Networks,AMSTERDAM NL) scan random machines/ports thru 2000/04/17-07:47:40.40
2000/04/17-05:11:53.20 212.108.4.180 (Comned Networks,AMSTERDAM NL) scan random machines/ports thru 2000/04/17-07:50:46.68
2000/04/17-06:12:27.90 212.108.4.xxx (Comned Networks,AMSTERDAM NL) slow scan random machines/ports thru 2000/04/18-03:24:11.43
2000/04/17-08:21:10.51 206.161.225.2 (columbia.digiweb.com) probe of cmsd, packet signatures of root.GTR@foobar
2000/04/17-10:07:15.50 200.33.22.xxx (Departamento del Distrito Federal,MEXICO) 255.255.255.255:13[78] thru 2000/04/14-20:50:20.35
2000/04/17-10:20:32.66 195.116.152.104 (www.olech.pl) single packet probe to port 111 on 132.235.1.1
2000/04/17-13:27:55.01 210.220.143.254 (HYEHWA MULTI INTERNET, SEOUL, KR) scan ports on ace, probe portmapper, shares.
2000/04/17-13:44:55.39 203.89.227.194 (spider.tellusion.com) scan net for port 80, 8080
2000/04/17-18:33:50.48 202.99.26.7 (Ministry of Foreign Affairs of P.R.C., BEIJING,) probe port 137 on 2 machines
2000/04/18-06:52:07.87 200.33.22.xxx (Departamento del Distrito Federal,MEXICO) 255.255.255.255:13[78] thru 2000/04/19-00:51:58.83
2000/04/18-07:30:55.86 212.108.4.xxx (Comned Networks,AMSTERDAM NL) slow scan random machines/ports thru 2000/04/19-05:55:39.15
2000/04/18-08:54:51.22 206.251.12.170 (vital.bleeding.com) slow scan of random ports/machines till 2000/04/19-05:15:00.63
2000/04/18-16:18:11.94 24.29.31.153 (cvg-031-153.cinci.rr.com) scan net for port 80,8080
2000/04/18-23:49:16.78 207.15.208.1 (rtr-atl-4-E0.comstar.net) slow scan of random ports/machines till 2000/04/19-01:46:24.68
2000/04/19-06:05:18.06 155.230.104.177 (Kyungpook National University, Taegu, Korea) probe 132.235.18.1 for port 111
2000/04/19-07:12:18.58 155.230.104.177:53 (Kyungpook National University, Taegu, Korea) scan net for port 111
2000/04/19-08:06:23.84 155.230.104.177 (Kyungpook National University, Taegu, Korea) scan net for port 111
2000/04/19-09:00:45.49 151.17.242.89 (Omnianet S.r.l., Italy) scan net for port 21
2000/04/19-13:59:00.69 155.230.104.177 (Kyungpook National University, Taegu, Korea) scan net for port 111
2000/04/19-16:20:28.96 193.136.142.12 (lemac12.dem.ist.utl.pt) scan net for port 1
2000/04/19-19:44:19.99 200.33.22.xxx (Departamento del Distrito Federal,MEXICO) 255.255.255.255:13[78] thru 2000/04/20-06:21:45.89
2000/04/20-02:43:42.97 24.234.45.60 (wonderingraven.net) scan port 111 on ace
2000/04/20-12:52:36.29 200.33.22.xxx (Departamento del Distrito Federal,MEXICO) 255.255.255.255:13[78] thru 2000/04/23-12:00:19.63
2000/04/20-14:53:22.93 132.235.198.114 (dhcp-198-114.cns.ohiou.edu) scan net for port 177
2000/04/21-10:10:54.70 216.3.0.177 (dyn048-ts6a.athens.frognet.net) scan freenet for port 993
2000/04/21-13:28:33.53 209.247.110.10 (Level 3 Communications,Louisville, CO, US) scan machines for port 53
2000/04/21-13:40:24.26 210.105.101.11 (Level 3 Communications,Louisville, CO, US) scan machines for port 53
2000/04/21-13:48:33.26 210.105.101.11 (Level 3 Communications,Louisville, CO, US) scan machines for port 53
2000/04/22-04:56:51.57 139.175.250.55 (SEED-NET, Taipei,TW) scan net for port 53
2000/04/23-19:26:17.59 216.3.5.16 (dyn015-nas01.nelsonville.frognet.net) scan freenet for port 993
2000/04/23-20:55:13.49 216.3.0.172 (dyn043-ts6a.athens.frognet.net) scan p1 for port 135
2000/04/24-02:43:34.69 212.242.57.30 (msx-osl-17-30.ppp.cybercity.no) attempt old backdoor login id of check_mate
2000/04/24-03:55:22.58 209.232.244.10 (adsl-209-232-244-10.dsl.mtry01.pacbell.net) scan net for port 53
2000/04/24-09:18:21.00 128.112.80.152 (fugue.csbmb.Princeton.EDU) scan net for port 80
2000/04/25-11:02:50.17 132.235.198.114 (dhcp-198-114.cns.ohiou.edu) portscan of p1 from 1 - 7100
2000/04/26-08:25:45.58 132.235.198.114 (dhcp-198-114.cns.ohiou.edu) scan ports 6000-7100 on p1
2000/04/26-08:49:45.78 210.145.109.162 (ns.sfinx.co.jp) scan net for port 111
2000/04/26-09:13:53.01 63.28.242.80 (1Cust80.tnt1.idaho-falls.id.da.uu.net) scan net for port 111
2000/04/27-08:16:29.04 200.196.83.205 (b20205.dial-rjo1.impsat.com.br) Brazil back to bang on port 111 on ace
2000/04/27-09:12:28.12 64.39.14.14 (bruno.com) seems to be a scan thru 2000/04/27-11:41:26.18 of random machines
2000/04/27-14:12:05.56 148.202.51.210 (Universidad de Guadalajara, juarez Mexico) probe 255.255.255.255 port 111
2000/04/27-17:51:52.71 132.194.22.49 (peggeth.cudenver.edu) connect to port 23 on 132.235.2.67
2000/04/27-17:51:56.96 132.194.22.49 (peggeth.cudenver.edu) start of ~250 connections to port 750 on 132.235.2.67
2000/04/27-17:51:57.03 132.194.22.49 (peggeth.cudenver.edu) buffer overflow attack on sadmind rpc port on 132.235.2.67
2000/04/27-17:56:21.77 132.194.22.49 (peggeth.cudenver.edu) connect to port 23 on 132.235.2.67
2000/04/27-22:21:12.38 132.194.22.49 (peggeth.cudenver.edu) repeat above buffer overflow attack on 132.235.2.82
2000/04/28-00:33:28.90 193.40.212.180 (toila.edu.ee) scan net for port 53
2000/04/28-08:45:26.47 168.95.79.119 (h119.s79.ts.hinet.net) scan net for port 111
2000/04/28-09:56:06.06 200.255.65.148 (nrjo01-1148.rjo.embratel.net.br) scan net for port 111
2000/04/28-10:44:35.80 168.95.79.119 (h119.s79.ts.hinet.net) scan net for port 53
2000/04/28-12:12:25.70 63.91.54.24 (Icon-o-Voice Ridgeland, MS, US) probe 132.235.4.63 port 80, 21, 25
2000/04/28-12:12:25.70 63.91.54.24 (Icon-o-Voice Ridgeland, MS, US) scan net with packet to 255.255.255.255:161
2000/04/28-12:47:09.21 200.255.65.148 (nrjo01-1148.rjo.embratel.net.br) buffer overflow attack against 132.235.17.1
2000/04/28-12:56:38.27 200.255.65.148 (nrjo01-1148.rjo.embratel.net.br) buffer overflow attack against multiple machines via sadmind
2000/04/28-12:56:38.29 200.255.65.148 (nrjo01-1148.rjo.embratel.net.br) hack into 132.235.1.19, others. get hack pgms from 210.94.224.11
2000/04/28-22:49:17.83 212.109.2.136 (Linkar AB,Stockholm, SE) scan machine 132.235.18.1 for ports 109,110,111,143,1080,53
2000/04/29-09:40:30.93 209.95.117.12 (cascade.brigadoon.com) scan multiple ports on 132.235.88.246
2000/04/29-10:21:47.95 132.235.164.171 (e4171.east-green.ohiou.edu) scan net for port 139, 137
2000/04/29-21:21:38.86 193.40.212.180 (toila.edu.ee) scan net for port 53
2000/05/01-07:09:00.40 195.127.94.7 (Advanced Computer Consulting GmbH, GERMANY) scan net for port 111
2000/05/01-07:08:56.59 195.127.94.7 (Advanced Computer Consulting GmbH, GERMANY) scan net for port 110
2000/05/01-19:03:31.50 210.182.66.3 (Jangin Furniture Co., Ltd,INCHON,KR) scan net for port 53