Short summary of some of the attacks against us for October 2000

time EASTERN            source_ip[:port] (dns name, if any)                                   attack/scan/notes

2000/10/01-05:04:52.88  63.44.40.233 (1Cust233.tnt7.ewr3.da.uu.net)                          scan net for port 31337
2000/10/01-18:17:46.23  202.164.97.138 (Wilnet Communications Pvt. Ltd., IN)                 scan net for port 21
2000/10/02-09:14:09.46  132.146.129.99 (push.info.bt.co.uk)                                  start of probes (tracert?) to ports 33457-33464 on our net
2000/10/02-09:37:15.94  192.35.44.16 (abaris.crd.GE.COM)                                     probe ftp port on 132.235.1.(11,12,49)
2000/10/02-12:59:30.38  212.177.241.153 (UUNET, IT)                                          try to connect to 132.235.201.x:111, 25 times each
2000/10/02-15:58:37.92  212.177.241.101 (UUNET, IT)                                          scan net 132.235.x.x for port 21
2000/10/02-16:00:59.30  212.177.241.101 (UUNET, IT)                                          try to connect to 132.235.201.x:21, 25 times each
2000/10/02-16:02:02.44  212.177.241.101 (UUNET International, IT)                            scan net for port 21
2000/10/02-16:25:42.47  132.235.152.44 (s0044.south-green.ohiou.edu)                         portscan 132.235.17.1
2000/10/02-16:37:42.99  132.235.152.44 (s0044.south-green.ohiou.edu)                         portscan 132.235.1.2
2000/10/02-23:40:55.51  132.235.159.28 (s7028.south-green.ohiou.edu)                         portscan 132.235.15.113
2000/10/03-04:05:49.40  64.229.252.166 (HSE-Sherbrooke-ppp79469.qc.sympatico.ca)             scan net for port 1080
2000/10/03-13:00:46.30  212.177.241.253 (UUNET, IT)                                          scan net for port 109
2000/10/03-20:27:36.80  63.198.206.140 (adsl-63-198-206-140.dsl.snfc21.pacbell.net)          scan net for port 21
2000/10/04-16:26:43.08  63.202.13.20 (adsl-63-202-13-20.dsl.snfc21.pacbell.net)              scan net for port 21
2000/10/04-19:44:45.65  192.216.12.142 (Kaiser Foundation Research Institute, OAKLAND, CA, USA)  portscan (1-1000) ace
2000/10/05-11:57:32.73  202.153.112.222 (Cable & Wireless HKT, HK)                           scan net for port 21
2000/10/05-16:47:15.08  151.14.56.209 (Italia OnLine S.P.A, IT)                              scan ports 23,25,143,110,80 on selected ips
2000/10/05-19:52:20.41  132.235.147.232 (dhcp-147-232.cns.ohiou.edu)                         portscan 132.235.18.231
2000/10/05-19:54:13.34  132.235.147.232 (dhcp-147-232.cns.ohiou.edu)                         portscan 132.235.1.252
2000/10/05-20:19:00.59  132.235.147.232 (dhcp-147-232.cns.ohiou.edu)                         portscan 132.235.16.47
2000/10/06-00:49:53.77  212.177.241.58 (UUNET, IT)                                           1. scan net for port 111
2000/10/06-00:49:53.77  212.177.241.58 (UUNET, IT)                                           2. followed by specific probes to answering machines
2000/10/06-16:19:02.71  205.252.137.210 (Capital Area Internet Service, MCLEAN, VA, US)      scan net for port 98
2000/10/06-16:33:39.91  205.252.137.210 (Capital Area Internet Service, MCLEAN, VA, US)      scan net for port 98
2000/10/06-16:39:39.00  205.252.137.210 (Capital Area Internet Service)                      follow-up probes to port 111, then other ports on selected ips
2000/10/06-19:24:50.48  132.235.198.192 (www-benton.ridges.ohiou.edu)                        scan net for port 111
2000/10/07-05:52:27.21  131.96.144.50 (mitchell.chara.Gsu.EDU)                               scan net for port 111, thru 2000/10/07-06:46:44.87
2000/10/07-06:07:29.79  131.96.144.50 (mitchell.chara.Gsu.EDU)                               scan each machine in 132.235.201.x for port 111, 4 times
2000/10/07-09:10:00.76  205.252.137.210 (Capital Area Internet Service, MCLEAN, VA, US)      scan net for port 111
2000/10/07-09:29:09.17  205.252.137.210 (Capital Area Internet Service)                      hacked into 132.235.17.??? via statmon buff overflow
2000/10/07-09:29:09.17  205.252.137.210 (Capital Area Internet Service)                      hacked into 132.235.18.??? via statmon buff overflow
2000/10/07-09:31:19.56  205.252.137.210 (Capital Area Internet Service)                      probe statd and others on machines answering previous probe
2000/10/07-15:52:15.12  64.35.54.98 (ns1.happyweb.net)                                       scan net for port 53
2000/10/07-15:58:15.94  210.220.213.251 (ELIMNET, SEOUL, KR)                                 scan net 132.235.3.x for port 53
2000/10/07-16:34:38.27  64.35.54.98 (ns1.happyweb.net)                                       scan port 21 on a subset of machines on net
2000/10/07-16:34:54.96  64.35.54.98 (ns1.happyweb.net)                                       scan port 111 on all machines on net
2000/10/07-21:18:44.03  209.85.32.228 (SoftAware, Inc., Marina del Rey, CA)                  scan net for port 21
2000/10/08-22:00:54.06  132.231.1.253 (University of Passau, GERMANY)                        scan net for port 19000
2000/10/09-05:25:54.74  63.195.16.5 (adsl-63-195-16-5.dsl.chic01.pacbell.net)                scan net for port 21
2000/10/10-07:46:06.42  62.14.116.19 (19-C-BARC.adsl.jazztelbone.net)                        scan net for port 21
2000/10/10-12:46:03.35  206.210.66.2 (hunt-mail.rahuntfdn.org)                               scan net for port 21
2000/10/11-05:00:28.90  130.126.72.94 (lar0939.urh.uiuc.edu)                                 scan net for port 27374
2000/10/11-11:35:00.69  132.235.12.72 (dhcp-012-072.chubb.ohiou.edu)                         scan net for ports 129,524
2000/10/11-18:56:15.28  209.187.13.18 (nyc-29-f-18.nyc.dsl.cerfnet.com)                      scan net for port 21 2.235.1.7 : 27665
2000/10/12-08:04:04.80  132.235.197.74 (crawford-pc.cns.ohiou.edu)                           scan net for port 21
2000/10/12-19:54:23.08  208.178.253.2 (Conway Data, ATLANTA, GA)                             scan net for port 53
2000/10/12-21:31:26.06  156.98.2.2 (boris.lmic.state.mn.us)                                  scan net for ports 135,139,137,21,23,...
2000/10/13-16:16:40.33  132.235.174.206 (w6206.west-green.ohiou.edu)                         portscan of p1
2000/10/13-16:16:59.06  132.235.174.206 (w6206.west-green.ohiou.edu)                         portscan of prime
2000/10/14-13:45:53.14  132.8.135.39 (Maxwell AFB-Gunter Annex, AL)                          probe port 161 on several machines
2000/10/15-03:16:04.40  61.155.253.143 (CHINANET Jiangsu province network, CHINA)            scan net 132.235.201.x for port 139
2000/10/16-02:32:59.73  141.165.41.110 (picard.cs.GaSoU.edu)                                 hacker ftps warez file TO bobcat
2000/10/16-02:34:36.80  199.86.32.23 (pm3.skypoint.net)                                      hacker ftps warez file FROM bobcat
2000/10/16-03:09:19.01  61.155.255.195 (CHINANET Jiangsu province network, CHINA)            scan net 132.235.201.x for port 139
2000/10/16-03:09:25.99  61.155.255.195 (CHINANET Jiangsu province network, CHINA)            scan net 132.235.201.x for port 139
2000/10/16-16:49:11.91  195.218.69.200 (Sarax Media Oy / Moon Tv, Helsinki, Finland)         scan net for port 53
2000/10/17-08:49:13.83  194.38.74.106 (pointer www.watiz.com)                                scan net for port 53
2000/10/17-11:09:47.14  132.235.147.141 (dhcp-147-141.cns.ohiou.edu)                         portscan 132.235.3.137
2000/10/17-11:33:23.88  24.20.136.155 (c332834-a.wntck1.sfba.home.com)                       scan net for port 33448
2000/10/17-13:43:02.22  132.8.135.39 (SSG/SIN, Maxwell AFB-Gunter Annex, AL)                 scan multiple machines for port 161
2000/10/17-20:52:18.06  213.46.58.82 (d58082.dtk.chello.nl)                                  scan 132.235.x.xxx for port 21
2000/10/17-22:20:35.48  195.226.229.54:60000 (as4-54.qualitynet.net)                         scan net 132.235.3.xxx for port 2140
2000/10/17-23:44:23.12  202.102.53.98 (CHINANET Jiangsu province network, CH)                scan net 132.235.201.xxx for port 139
2000/10/18-04:56:26.63  61.155.254.148 (CHINANET Jiangsu province network, CH)               scan net 132.235.201.xxx for port 139
2000/10/18-13:24:58.04  132.8.135.39 (SSG/SIN, Maxwell AFB-Gunter Annex, AL)                 scan 132.235.1.x for port 161
2000/10/19-13:47:49.55  194.206.208.188 (CSI Transpac, PARIS, FR)                            scan port 79 on several machines
2000/10/19-13:52:04.01  194.206.208.188 (CSI Transpac, PARIS, FR)                            attempt to log on to web server
2000/10/19-21:54:19.45  194.206.208.173 (CSI Transpac, PARIS, FR)                            scan net for port 23
2000/10/21-19:41:26.80  216.3.0.81 (dyn016-ts5a.athens.frognet.net)                          attempt to log in to seorf as root/sysadmin, daemon/daemon
2000/10/22-10:30:42.62  198.172.172.3 (mach3-tfg.orl.fl.verio.net)                           scan net for port 1
2000/10/23-22:39:50.26  64.229.249.40 (HSE-Sherbrooke-ppp78581.qc.sympatico.ca)              scan net for port 21
2000/10/24-10:12:45.58  132.235.196.112 (dhcp-196-112.cns.ohiou.edu, ASGARD, CNS, SANDFORR)  scan net for port 21
2000/10/25-03:34:12.62  132.235.162.183 (e2183.east-green.ohiou.edu)                         scan net for port 21
2000/10/25-12:55:47.78  132.8.135.39 (SSG/SIN, Maxwell AFB-Gunter Annex, AL)                 scan net for port 161
2000/10/25-22:30:15.86  24.30.242.12:137 (va-24-30-242-12.va.mediaone.net)                   scan net 132.235.201.x for port 137
2000/10/25-22:58:15.11  194.235.164.130 (dns.global-one.it)                                  hacker attack against 132.235.17.1
2000/10/26-04:13:17.81  63.193.21.82 (63-193-21-82.velocityhsi.com)                          scan net 132.235.x.x for port 21
2000/10/26-07:15:53.98  62.224.238.42 (p3EE0EE2A.dip.t-dialin.net)                           scan net for port 21
2000/10/26-19:00:11.78  216.3.1.34 (dyn033-ts8a.athens.frognet.net)                          try to log in to freenet as root/system, root/sysop, sys/sys, uucp/uucp
2000/10/26-20:06:11.28  212.185.219.158 (pD4B9DB9E.dip.t-dialin.net)                         scan net for port 21
2000/10/27-17:11:44.70  216.3.0.188 (dyn059-ts6a.athens.frognet.net)                         portscan 132.235.1.108
2000/10/28-13:40:44.36  63.207.34.194 (adsl-63-207-34-194.dsl.lsan03.pacbell.net)            initial login to compromised lwelch account on bobcat
2000/10/29-13:54:09.30  63.207.34.194 (adsl-63-207-34-194.dsl.lsan03.pacbell.net)            2nd login to compromised lwelch account on bobcat
2000/10/30-09:54:23.49  195.215.251.41 (ip295.arcnxx3.adsl.tele.dk)                          scan net for port 123 (ntp port), probe for server type
2000/10/30-22:57:56.49  24.218.187.128 (h0001032189a2.ne.mediaone.net)                       1. login to compromised lwelch account on bobcat,
2000/10/30-22:57:56.49  24.218.187.128 (h0001032189a2.ne.mediaone.net)                       2. ftp eggdrop irc bot
2000/10/30-22:57:56.49  24.218.187.128 (h0001032189a2.ne.mediaone.net)                       3. from sunsite.unc.edu, install and establish
2000/10/30-22:57:56.49  24.218.187.128 (h0001032189a2.ne.mediaone.net)                       4. connection to 24.147.254.200:2222
2000/10/30-22:57:56.49  24.218.187.128 (h0001032189a2.ne.mediaone.net)                       5. (choppy.ne.mediaone.net) for control link