Short summary of some of the attacks against us for August 2000.

Columns: time (EASTERN) | source_ip[:port] (dns name, if any) | attack/scan/notes

2000/09/03-07:05:22.26  193.68.10.144 (shoumen144.pip.digsys.bg)
  1. connect to bobcat on port ingreslock (see if prev. attack worked)
  2. telnet to bobcat (and others), send a DISPLAY environment
  3. variable of: 'DISPLAY<1>darkx.darkside.net:0.0'
  4. probe ftp port on several machines
2000/09/03-07:09:12.04  131.169.149.40 (teslahc.desy.de)
  1. probe bobcat on port 111, ftp port
  2. attack with buff overflow on cmsd, ttdbserverd ports
2000/09/03-07:12:45.94  198.67.33.248 (shell.ncm.com)  scan net for port 80
2000/09/03-07:13:07.04  198.67.33.248 (shell.ncm.com)  scan multiple machines for ports 111, 148, 23, 6000, 21, 53
2000/09/03-10:52:18.42  212.211.18.65 (mfs-pci-bqn-vty65.as.wcom.net)  scan multiple machines ports 111, 32777, 1524
2000/09/03-10:54:37.77  157.88.7.180 (ns1.gabytel.org)  attack condor/dolphins calendar mgr buff overflow attack
2000/09/03-11:04:17.52  157.88.7.180 (ns1.gabytel.org)  attack packers.ent calendar mgr buff overflow attack
2000/09/03-11:05:15.64  131.169.149.40 (teslahc.desy.de)
  1. probe bobcat on port 111, ftp port
  2. attack with buff overflow on cmsd, ttdbserverd ports
2000/09/03-11:27:20.06  212.211.0.28 (mfs-pci-bqe-vty28.as.wcom.net)  scan 132.235.16.100:23, 132.235.16.70:[21,23], 132.235.17.17 port 111
2000/09/03-11:27:21.95  198.67.33.102 (unix.tpe.com)  try to connect to condor.ent on ingreslock port, probe portmapper for sadmind
2000/09/03-12:31:21.47  213.167.205.50 (Galactica S.r.l, ITALY)  scan net for port 21
2000/09/04-11:17:56.25  193.68.10.147 (shoumen147.pip.digsys.bg)
  1. try to connect to ingreslock port on bobcat
  2. scan mountd port on bobcat
  3. scan ftp port on condor
  4. try to connect to ingreslock port on condor
  5. attack sadmind on condor with buff overflow
2000/09/04-11:17:56.25  193.68.10.147 (shoumen144.pip.digsys.bg)
  6. telnet to jets.ent, send a DISPLAY environment
  7. variable of: 'DISPLAY<1>darkx.darkside.net:0.0'
  8. get mountd dump from jets
  9. etc. etc. etc.
2000/09/04-11:22:46.16  157.88.7.180 (ns1.gabytel.org)  attack condor with CMSD buff overflow attack
2000/09/04-14:49:04.99  212.204.213.101 (HOSTED-BY.widexs.nl)  scan net for port 53
2000/09/04-17:40:47.73  143.248.143.68 (oerc.kaist.ac.kr)  scan 132.235.18.1 for ports 80, 111, 143, 21, 23, 53, 6000
2000/09/04-17:48:20.14  193.68.10.147 (shoumen147.pip.digsys.bg)  attack boss w/ buff overflow on sadmind port
2000/09/05-06:49:36.22  199.172.136.19 (gemini2.ieee.org)  probe port 113, 41583, 42655, 58000, 60450, etc. on multiple machines, through 2000/09/06-03:07:35.29
2000/09/05-12:50:58.44  212.211.0.61 (mfs-pci-bqe-vty61.as.wcom.net)  probe portmap port, connect to 132.235.17.1 port 1524 (ingreslock)
2000/09/05-13:09:10.84  157.88.7.180 (ns1.gabytel.org)  probe 132.235.17.17 port 111
2000/09/05-13:09:21.45  212.211.0.61 (mfs-pci-bqe-vty61.as.wcom.net)  connect to 132.235.17.17 port 1524 (ingreslock)
2000/09/05-13:13:31.76  143.248.143.68 (oerc.kaist.ac.kr)  scan net 132.235.3.x for port 80
2000/09/05-13:13:37.91  143.248.143.68 (oerc.kaist.ac.kr)  multiple packets to 132.235.3.0 (yes, 0) ports 111, 23, 6000, 143, 21, 53
2000/09/05-13:13:40.28  143.248.143.68 (oerc.kaist.ac.kr)  multiple packets to 132.235.3.0 (yes, 0) ports 30384, 33705, 30651
2000/09/05-13:13:57.25  143.248.143.68 (oerc.kaist.ac.kr)  start scan of multiple machines, port-by-port on 111, 23, 6000, 143, 21, 53
2000/09/05-13:15:36.44  143.248.143.68 (oerc.kaist.ac.kr)  multiple packets to 132.235.3.255 ports 111, 23, 6000, 143, 21, 53
2000/09/05-14:10:12.69  143.248.143.68 (oerc.kaist.ac.kr)  now scan subnet 132.235.15.x, but high ports of 35735, 39438, 36713
2000/09/05-14:23:40.02  143.248.143.68 (oerc.kaist.ac.kr)  now scan subnet 132.235.16.x
2000/09/05-14:47:18.09  143.248.143.68 (oerc.kaist.ac.kr)  now scan subnet 132.235.17.x
2000/09/05-15:01:53.10  143.248.143.68 (oerc.kaist.ac.kr)  now scan subnet 132.235.18.x
2000/09/05-15:10:10.11  132.235.166.172 (e6172.east-green.ohiou.edu)  scan net for port 27374
2000/09/05-15:45:45.23  132.235.125.87 (dhcp-125-087.cns.ohiou.edu)  scan net for port 2200
2000/09/05-15:56:11.82  132.235.166.172 (e6172.east-green.ohiou.edu)  scan net for port 2200
2000/09/05-16:38:34.00  132.235.166.172 (e6172.east-green.ohiou.edu)  scan net for port 1243
2000/09/05-19:09:54.85  24.10.121.54 (cc1025999-a.narltn1.nj.home.com)  scan net for port 53
2000/09/05-19:51:22.67  143.248.143.68 (oerc.kaist.ac.kr)  now scan 132.235.88.210-132.235.88.253 for port 80
2000/09/05-19:51:48.09  143.248.143.68 (oerc.kaist.ac.kr)  now scan 132.235.88.210 ports 111, 13, 21, 23, 53, 6000
2000/09/05-19:52:06.61  143.248.143.68 (oerc.kaist.ac.kr)  LOTS of attempted telnet connects to 132.235.88.21[10]
2000/09/05-19:52:27.19  143.248.143.68 (oerc.kaist.ac.kr)  continue scans on machines in 132.235.88 range, w/ LOTS of telnet connects
2000/09/06-05:06:26.96  212.211.4.12 (mfs-pci-bqg-vty12.as.wcom.net)  probe portmap port, connect to port 1524 (ingreslock) on thoth
2000/09/06-05:07:12.43  157.88.7.180 (ns1.gabytel.org)  buffer overflow attack against 132.235.3.135
2000/09/06-05:09:02.63  212.211.4.12 (mfs-pci-bqg-vty12.as.wcom.net)  probe portmap port, connect to port 1524 (ingreslock) on swish
2000/09/06-05:09:19.51  157.88.7.180 (ns1.gabytel.org)  buffer overflow attack against 132.235.15.141
2000/09/07-06:41:31.32  62.226.60.44 (p3EE23C2C.dip.t-dialin.net)  attempt to login as root on 132.235.16.100
2000/09/07-09:51:58.13  157.88.7.180 (ns1.gabytel.org)  buffer overflow attack on STATMON2 port against 132.235.1.252
2000/09/07-10:04:05.15  132.235.24.25 (plato.phy.ohiou.edu)  attack 132.235.3.128 w/ buff overflow attack on cmsd port
2000/09/07-10:06:29.59  132.235.24.25 (plato.phy.ohiou.edu)  attack 132.235.15.1 w/ buff overflow on cmsd port
2000/09/08-05:16:08.43  132.235.166.172 (e6172.east-green.ohiou.edu)  scan net for port 2200
2000/09/08-05:34:46.39  132.235.166.172 (e6172.east-green.ohiou.edu)  scan net for port 27374
2000/09/08-05:36:00.78  132.235.166.172 (e6172.east-green.ohiou.edu)  scan net for port 12346
2000/09/08-18:13:25.68  200.1.161.49 (Universidad Espiritu Santo, Guayaquil, ECUADOR)  port scan 132.235.1[567].1 for 635, 110, 143, 53, 21, 109
2000/09/08-20:10:38.34  200.1.161.49 (Universidad Espiritu Santo, Guayaquil, ECUADOR)  scan 132.235.3.1 for port 635
2000/09/09-14:29:16.95  171.64.252.120 (tango.Stanford.EDU)
  1. hacked into ai.ent, get rootkit from ftp.xoom.com (tunezz21/maarkus)
  2. installed irix rootkit
2000/09/10-08:09:32.25  212.253.66.233 (Superonline, Istanbul - Turkey)  scan net for port 27374
2000/09/10-13:31:42.27  212.5.130.239 (pva15.mobikom.net)  scan net for port 21
2000/09/10-19:53:24.84  210.109.243.110 (Inet INC., SEOUL, KR)  scan 132.325.x.x for port 111
2000/09/11-18:58:16.21  213.123.38.164 (host213-123-38-164.btinternet.com)  scan net for port 21
2000/09/11-19:16:39.11  212.41.61.148 (user61-148.jakinternet.co.uk)  scan net for port 21
2000/09/12-23:36:28.82  195.230.8.14 (ipp-8-014-sofia.ttm.bg)  scan net for port 21
2000/09/13-05:56:21.73  61.132.13.177 (CHINANET Jiangsu province network, CN)  probe 132.235.1.35:80
2000/09/13-19:58:17.80  202.102.119.115 (CHINANET Jiangsu province network, CN)  probe 132.235.1.35:80
2000/09/13-21:14:38.87  61.132.13.177 (CHINANET Jiangsu province network, CN)  probe 132.235.1.35:80
2000/09/14-06:04:50.39  61.132.13.177 (CHINANET Jiangsu province network, CN)  probe 132.235.1.35:80 (why?)
2000/09/14-18:24:56.61  212.41.59.84 (user59-84.jakinternet.co.uk)  scan net for port 111
2000/09/14-22:01:00.57  61.132.13.177 (CHINANET Jiangsu province network, CN)  probe 132.235.1.35:80
2000/09/14-22:23:12.30  61.132.13.218 (CHINANET Jiangsu province network, CN)  probe 132.235.1.35:80
2000/09/15-00:16:36.29  61.132.13.218 (CHINANET Jiangsu province network, CN)  probe 132.235.1.35:80
2000/09/15-04:43:06.85  61.132.127.126 (CHINANET Jiangsu province network, CN)  probe 132.235.1.35:80
2000/09/16-10:36:15.35  128.169.40.167 (LIBPC127.LIB.UTK.EDU)  scan net for port 23
2000/09/16-10:45:58.38  128.169.40.167 (LIBPC127.LIB.UTK.EDU)  attack 132.235.15.113 w/ statmon buff overflow, create root user
2000/09/17-01:23:30.85  204.229.203.2 (Kirksville College of Osteopathic Medicine)  portscan net for port 111
2000/09/17-04:57:15.18  204.229.203.2 (Kirksville...)  start of scan on port 111, 1 ip every 20 mins, through 2000/09/18-05:33:26.18
2000/09/18-05:53:50.35  204.229.203.2 (Kirksville College of Osteopathic Medicine)  portscan net for port 111 - slow scan
2000/09/18-17:39:07.85  212.179.157.43 (BEZEQ INTERNATIONAL, Israel)
  1. hacker logged on 132.235.15.113, installed eggbot, nickname edu
  2. continued use of irc throughout the day, resulted in hacker on 132.235.15.113 being banned as a bad bot. loser.
2000/09/18-21:08:31.39  192.16.122.4 (irc.skynetweb.com)  shows hacker of rm used same irc bot channel for papineau.phy.ohiou.edu
2000/09/19-00:36:38.80  194.230.143.166 (pop-mu-7-1-dialup-166.freesurf.ch)  probe ports 1234[56] on 132.235.18.249
2000/09/20-04:57:04.89  204.229.203.2 (Kirksville College of Osteopathic Medicine)  start of scan on port 111, 1 ip every 20 mins
2000/09/24-17:05:14.62  24.93.108.43 (dhcp93108043.columbus.rr.com)  scan net for port 21
2000/09/25-16:52:46.30  24.6.102.180 (cc145406-a.chstfld1.va.home.com)  scan net for port 27374
2000/09/26-00:41:15.05  132.235.152.44 (s0044.south-green.ohiou.edu)  portscan 132.235.17.1
2000/09/27-14:02:30.44  132.235.198.40 (dhcp-198-040.cns.ohiou.edu)  scan net 132.235.201.xxx host by host for port 139
2000/09/27-18:31:02.14  132.236.147.105 (CORNELL.EDU)  scan net 132.235.201.xxx host by host for port 139
2000/09/28-05:57:25.65  130.101.232.243 (dhcp232-243.office.uakron.edu)  bang on 132.235.1.7:21 with garbage, until 2000/09/28-09:53:47.95
2000/09/28-07:25:55.88  61.132.13.218 (CHINANET Jiangsu province network, CN)  bang on 132.235.1.35:80 for no known reason
2000/09/28-08:55:26.11  61.132.13.202 (CHINANET Jiangsu province network, CN)  continued all day long
2000/09/28-09:58:55.19  130.101.232.243 (dhcp232-243.office.uakron.edu)  portscan 132.235.1.1 through 2000/09/28-10:41:19.53
2000/09/28-09:58:55.68  130.101.232.243 (dhcp232-243.office.uakron.edu)  portscan 132.235.1.2 through 2000/09/28-10:41:19.53
2000/09/28-10:41:35.23  130.101.232.243 (dhcp232-243.office.uakron.edu)  portscan 132.235.1.3
2000/09/28-10:44:20.97  130.101.232.243 (dhcp232-243.office.uakron.edu)  portscan 132.235.1.7
2000/09/28-10:45:39.97  130.101.232.200 (dhcp232-200.office.uakron.edu)  1. bang on 132.235.1.147:631 (network printer)
2000/09/28-10:45:39.97  130.101.232.243 (dhcp232-243.office.uakron.edu)  2. through 2000/09/28-12:01:51.07
2000/09/28-10:47:25.81  130.101.232.243 (dhcp232-243.office.uakron.edu)  restart ftp attack on 132.325.1.7
2000/09/28-13:38:20.63  132.235.198.40 (dhcp-198-040.cns.ohiou.edu)  scan net 132.235.201.x for port 139
2000/09/28-19:41:59.97  132.235.21.26 (dhcp-021-026.airport.ohiou.edu)  scan net 132.235.201.x for port 139
2000/09/28-21:22:52.17  61.132.13.218 (CHINANET Jiangsu province network, CN)  bang on 132.235.1.35:80 for no known reason
2000/09/28-22:13:56.69  61.132.13.202 (CHINANET Jiangsu province network, CN)  bang on 132.235.1.35:80 for no known reason
2000/09/29-00:08:13.46  61.132.13.218 (CHINANET Jiangsu province network, CN)  bang on 132.235.1.35:80 for no known reason
2000/09/29-00:17:53.41  61.132.13.202 (CHINANET Jiangsu province network, CN)  bang on 132.235.1.35:80 for no known reason
2000/09/29-01:10:56.46  132.235.147.232 (dhcp-147-232.cns.ohiou.edu)  portscan 132.235.17.212
2000/09/29-03:34:42.94  61.155.228.215 (CHINANET Jiangsu province network, CN)  bang on 132.235.1.35:21 for no known reason
2000/09/29-03:45:05.01  61.132.13.202 (CHINANET Jiangsu province network, CN)  bang on 132.235.1.35:80 for no known reason
2000/09/29-04:34:13.40  61.132.13.218 (CHINANET Jiangsu province network, CN)  bang on 132.235.1.35:80 for no known reason
2000/09/30-20:24:06.37  202.85.182.160 (iAdvantage Ltd., Hong Kong)  scan net for port 21
2000/09/30-23:25:38.78  165.230.147.141 (mohinim.resnet.rutgers.edu)  scan net for port 27374