Short summary of some of the attacks against us for November 2000 -

time EASTERN           source_ip[:port] (dns name, if any)                          attack/scan/notes

2000/11/01-16:44:20.79 4.3.80.46 (crtntx1-ar1-080-046.biz.dsl.gtei.net) scan net for port 53
2000/11/01-20:51:32.61 132.235.154.138 (s2138.south-green.ohiou.edu) port scan 132.235.17.1
2000/11/02-11:36:55.82 132.235.28.36 (dhcp-028-036.cns.ohiou.edu-ALUMNISTU ?) scan net for port 9200
2000/11/02-21:03:15.27 24.164.199.43 (cpe-199-43.jam.rr.com) scan net for port 21
2000/11/02-21:08:24.06 61.147.52.67 (CHINANET-CN, CN) scan net 132.235.201.x for port 139
2000/11/03-02:28:29.29 207.71.220.65 (host1.sbch.org) scan net 132.235.201.x for port 137
2000/11/03-05:42:38.27 64.229.250.79 (HSE-Sherbrooke-ppp78874.qc.sympatico.ca) scan MOUNTD via portmap on 132.235.1.1
2000/11/05-08:40:31.06 195.215.184.244 (ip752.arcnxx3.adsl.tele.dk) thru 2000/11/05-15:05:48.53 scan for port 123
2000/11/06-00:28:22.70 24.149.22.8 (dhcp-8-22-149-24.cf-res.cfu.net) scan net for port 27374
2000/11/06-00:29:09.24 24.7.130.170 (c156270-a.mrcr1.wa.home.com) scan net for port 27374
2000/11/06-00:32:26.33 24.18.42.106 (ci375432-a.ashvil1.nc.home.com) scan net 132.235.1.x for port 27374
2000/11/06-00:34:22.68 24.91.182.120 (h00105aa5e4bc.ne.mediaone.net) scan net for port 27374
2000/11/06-00:34:44.17 24.43.5.212 (cr831041-a.ym1.on.wave.home.com) scan net 132.235.4.x for port 27374
2000/11/09-05:51:33.09 24.93.188.147 (a1-5d147.neo.rr.com or a1-5d147.neo.lrun.com) scan net for port 21
2000/11/10-06:55:10.22 193.232.88.16 (Moscow03-A2.rosprint.net [MOSCOW, RUSSIA]) connect to port 6 on 132.235.1.11
2000/11/10-09:49:35.21 208.184.162.71 (208.184.162.71.mirror-image.com [San Jose, CA, USA]) scan port 1024 on 132.235.1.[1,2]
2000/11/10-09:49:35.21 216.35.167.58 (Exodus Communications Inc., Santa Clara, CA, US) scan port 1024 on 132.235.1.[1,2]
2000/11/10-09:49:35.22 209.249.97.40 (Abovenet Communications, Inc, San Jose, CA, USA) scan port 1024 on 132.235.1.[1,2]
2000/11/10-09:49:35.33 194.205.125.26 (Internet Network Services, London, GB) scan port 1024 on 132.235.1.[1,2]
2000/11/10-09:49:35.33 212.78.160.237 (COLT Internet NL, Amsterdam, NL) scan port 1024 on 132.235.1.[1,2]
2000/11/10-09:49:35.34 212.23.225.98 (Mirror Image Internet Limited, London, UK) scan port 1024 on 132.235.1.[1,2]
2000/11/10-09:49:36.10 194.213.64.150 (Telenordia AB, STOCKHOLM, SWEDEN) scan port 1024 on 132.235.1.[1,2]
2000/11/10-11:31:52.34 24.23.52.71 (cc253312-a.hwrd1.md.home.com) scan net for port 21
2000/11/10-11:31:55.81 24.23.52.71 (cc253312-a.hwrd1.md.home.com) scan port 111 on various machines
2000/11/10-17:43:29.30 209.249.97.40 (Abovenet Communications, Inc, San Jose, CA, USA) scan port 1024 on 132.235.1.[1,2]
2000/11/10-17:43:29.36 208.184.162.71 (208.184.162.71.mirror-image.com [San Jose, CA, USA]) scan port 1024 on 132.235.1.[1,2]
2000/11/10-17:43:29.42 216.33.35.214 (Exodus Communications Inc., Santa Clara, CA, US) scan port 1024 on 132.235.1.[1,2]
2000/11/10-17:43:29.43 216.35.167.58 (Exodus Communications Inc., Santa Clara, CA, US) scan port 1024 on 132.235.1.[1,2]
2000/11/10-17:43:29.50 194.205.125.26 (Internet Network Services, London, GB) scan port 1024 on 132.235.1.[1,2]
2000/11/10-17:43:29.52 212.78.160.237 (COLT Internet NL, Amsterdam, NL) scan port 1024 on 132.235.1.[1,2]
2000/11/10-17:43:29.54 194.213.64.150 (Telenordia AB, STOCKHOLM, SWEDEN) scan port 1024 on 132.235.1.[1,2]
2000/11/10-17:43:29.54 212.23.225.98 (Mirror Image Internet Limited, London, UK) scan port 1024 on 132.235.1.[1,2]
2000/11/11-11:01:55.55 132.235.147.242 (dhcp-147-242.cns.ohiou.edu) portscan 132.235.15.142
2000/11/11-21:44:45.79 24.65.56.149 (24.65.56.149.on.wave.home.com) scan net for port 27374
2000/11/11-21:48:29.78 24.65.56.149 (24.65.56.149.on.wave.home.com) scan net for port 27374
2000/11/12-01:08:47.37 24.42.46.171 (cr449893-a.rchrd1.on.wave.home.com) probe port 111 on boss
2000/11/12-02:58:43.74 24.163.96.131 (ffaxvawx4-1-131.cox.rr.com) scan net for port 23
2000/11/12-02:58:47.32 24.163.96.131 (ffaxvawx4-1-131.cox.rr.com) scan port 111 on various machines
2000/11/12-03:00:51.59 24.163.96.131 (ffaxvawx4-1-131.cox.rr.com) scan net for port 23
2000/11/12-03:24:28.38 24.163.96.131 (ffaxvawx4-1-131.cox.rr.com) scan selected machines for port 21
2000/11/12-16:47:16.55 199.243.250.136 (jupiter.ngen.bellnexxia.net) 1. use stolen passwd to login to springfield,
2000/11/12-16:47:16.55 199.243.250.136 (jupiter.ngen.bellnexxia.net) 2. check for sudo, lp, lpset cmds, read /etc/system
2000/11/12-16:47:16.55 199.243.250.136 (jupiter.ngen.bellnexxia.net) 3. ftp to ftp.technotronics.com and download
2000/11/12-16:47:16.55 199.243.250.136 (jupiter.ngen.bellnexxia.net) 4. unix/solaris-exploits/sparc/2.6/lpstat.c, compile, failed
2000/11/12-16:47:16.55 199.243.250.136 (jupiter.ngen.bellnexxia.net) 5. get ex_mailtool.c, ex_lobc.c, compile, try, fail.
2000/11/13-22:35:47.79 204.91.230.11 (lnuserv1.pg.cc.md.us) portscan net for ports 635, 110, 143, 53, 21, 109
2000/11/13-22:40:54.72 204.91.230.11 (lnuserv1.pg.cc.md.us) scan 132.235.201.25[0-4] for port 635
2000/11/13-22:40:55.45 204.91.230.11 (lnuserv1.pg.cc.md.us) scan 132.235.201.254 for ports 110, 143, 53, 21
2000/11/14-05:22:02.71 65.33.59.140 (ubr-33.59.140.unionpark.cfl.rr.com) scan net for port 21
2000/11/14-06:04:46.81 65.33.59.140 (ubr-33.59.140.unionpark.cfl.rr.com) scan net 132.235.201.x for port 21
2000/11/15-02:55:51.95 63.204.249.241:137 (adsl-63-204-249-241.dsl.lsan03.pacbell.net) scan net for port 137
2000/11/15-05:52:07.12 216.67.53.199:137 (nas-53-199.sanantonio.navipath.net) scan 132.235.201.x for port 137
2000/11/15-14:04:08.73 62.98.166.154 (Wind Telecomunicazioni spa, IT) scan machines for port 111
2000/11/15-14:04:56.56 62.98.166.154 (Wind Telecomunicazioni spa, IT) mountd probe to 132.235.1.7
2000/11/15-14:04:59.70 62.98.166.154 (Wind Telecomunicazioni spa, IT) named probe on 132.235.1.1:53
2000/11/15-14:05:00.88 62.98.166.154 (Wind Telecomunicazioni spa, IT) probe port 80 on network switches
2000/11/15-18:19:47.61 65.24.162.123 (dhcp065-024-162-123.columbus.rr.com) scan net for port 139
2000/11/15-18:29:08.01 65.24.162.123 (dhcp065-024-162-123.columbus.rr.com) scan selected machines for port 445
2000/11/16-11:15:56.35 212.185.72.210 (mdc-medical digital concepts, germany) scan 132.235.201.x for port 515
2000/11/16-11:19:27.47 211.21.49.166 (Taipei, Taiwan) scan net for port 515
2000/11/16-12:02:21.78 132.235.147.242 (dhcp-147-242.cns.ohiou.edu) portscan 132.235.15.142
2000/11/16-12:02:41.95 132.235.147.242 (dhcp-147-242.cns.ohiou.edu) portscan 132.235.15.194
2000/11/16-12:02:56.12 132.235.147.242 (dhcp-147-242.cns.ohiou.edu) portscan 132.235.15.113
2000/11/16-16:23:34.81 212.185.72.210 (mdc-medical digital concepts, germany) probe packet to 132.235.201.0:111
2000/11/16-16:23:34.81 212.185.72.210 (mdc-medical digital concepts, germany) probe packet to 132.235.3.0:111
2000/11/16-16:23:44.79 212.185.72.210 (mdc-medical digital concepts, germany) scan 132.235.201.x for port 111
2000/11/16-17:08:21.60 212.185.72.210 (mdc-medical digital concepts, germany) scan 132.235.201.x for port 111
2000/11/16-17:47:57.49 64.35.35.162 (zombfib.com.ar) heavy probes (100) to 132.235.201.1 port 111, 1004
2000/11/16-18:02:14.85 207.43.239.14 (sprint, somewhere) scan net for port 23, 25
2000/11/16-20:11:05.72 64.35.35.162 (zombfib.com.ar) 1. probe port 111, mount and other services on various hosts
2000/11/16-20:11:05.72 64.35.35.162 (zombfib.com.ar) 2. thru 2000/11/17-00:32:18.34
2000/11/16-20:14:30.75 212.185.72.210 (mdc-medical digital concepts, germany) scan 132.235.201.x for port 137
2000/11/16-23:29:20.79 207.108.244.23 (dialup23.albq.uswest.net) probe packet to 132.235.201.0:161
2000/11/16-23:29:20.79 207.108.244.23 (dialup23.albq.uswest.net) probe packet to 132.235.3.0:161
2000/11/17-17:32:28.68 64.14.200.154 (exodus.net...) probe port 1024 on ace
2000/11/17-17:32:28.79 62.26.119.34 (Mirror Image Internet AB, Stockholm, Sweden) probe port 1024 on ace
2000/11/18-09:48:41.14 202.239.140.221 (FOS1-221.konnect.net) _vti_inf probes on seorf
2000/11/19-01:02:58.01 161.67.8.43 (almansa.info-ab.uclm.es) probe port 111 on ace
2000/11/19-07:04:24.42 216.192.219.10 (atl-qbu-zpd-vty10.as.wcom.net) 1. attack 132.235.1.1 via port 111, 32772, 1524
2000/11/19-07:04:24.42 216.192.219.10 (atl-qbu-zpd-vty10.as.wcom.net) 2. buffer overflow against multiple architectures
2000/11/19-07:31:33.28 193.68.1.71 (varna71.pip.digsys.bg) 1. attack 132.235.1.1 via port 111, 32772, 1524
2000/11/19-07:31:33.28 193.68.1.71 (varna71.pip.digsys.bg) 2. buffer overflow against multiple architectures
2000/11/19-15:43:34.14 202.141.26.165 (Indian Institute of Technology, IN) scan port 111 on ace
2000/11/19-15:43:34.89 144.16.247.63 (chem.iitm.ernet.in) probe port 111 on ace
2000/11/19-22:49:02.63 64.217.91.77 (adsl-64-217-91-77.dsl.austtx.swbell.net) scan port 111 on several machines
2000/11/19-22:49:03.78 64.217.91.77 (adsl-64-217-91-77.dsl.austtx.swbell.net) scan hosts for port 111
2000/11/20-00:51:51.80 195.120.109.18 (Hi-Net s.r.l., IT) scan net for port 23
2000/11/20-01:18:51.58 195.120.109.18 (Hi-Net s.r.l., IT) probe port 23 on machines that answered previous scan
2000/11/20-23:35:29.22 166.114.102.217 (cl57.cbb.entelnet.bo) scan net for port 21
2000/11/21-08:21:03.45 195.120.158.150 (mbox.progettoufficio.it) scan net for port 21
2000/11/21-09:04:02.53 166.114.102.252 (???.cbb.entelnet.bo) scan net for port 21
2000/11/21-13:26:09.89432 128.169.244.32 (CRAMER.MATH.UTK.EDU) multiple attacks (NT/IIS types) against 132.235.36.2 thru 13:26:50
2000/11/21-17:33:41.09 203.146.85.92 (Chiangmai University, TH) probe mountd port on 132.235.1.1
2000/11/21-23:18:38.75 212.140.92.97 (BTnet, Hertfordshire, GB) 1. user infestor on 212.140.92.97 ftps passwd file from 132.235.1.2
2000/11/21-23:31:41.70 212.140.92.97 (BTnet, Hertfordshire, GB) 2. then moron tries cracked passwd on 132.235.1.1
2000/11/22-02:07:55.44 206.102.239.8 (Providence College, Providence, RI, US) scan net for port 23
2000/11/24-05:12:45.75 132.235.17.17 (packers.ent.ohiou.edu) try to login as root w/ old backdoor password on to bobcat
2000/11/24-14:52:34.62 24.218.187.128 (h0001032189a2.ne.mediaone.net) 1. user used stolen login, irc at 205.252.46.98:6668 channel
2000/11/24-14:52:34.62 24.218.187.128 (h0001032189a2.ne.mediaone.net) 2. #978 to brag they rooted OSIRIS
2000/11/24-15:56:03.14 24.218.187.128 (h0001032189a2.ne.mediaone.net) ftp sev.978.org 2121, cd "zirc 9", download statd attack
2000/11/26-23:35       24.218.187.128 (h0001032189a2.ne.mediaone.net) logon to 132.235.17.1 w/stolen passwd
2000/11/28-07:40:01.55 62.156.5.24 (p3E9C0518.dip.t-dialin.net) scan 132.235.201.x for port 21
2000/11/28-13:55:53.85 24.218.187.128 (h0001032189a2.ne.mediaone.net) 1. logon to 132.235.17.1 w/stolen passwd, download
2000/11/28-13:55:53.85 24.218.187.128 (h0001032189a2.ne.mediaone.net) 2. download statd attack via ftp from choppy.com/.war
2000/11/28-13:55:53.85 24.218.187.128 (h0001032189a2.ne.mediaone.net) 3. user billyboi, attempt to run
2000/11/29-15:22:03.89 216.101.170.130 (adsl-216-101-170-130.dsl.snfc21.pacbell.net) probe port 111 & services on various machines
2000/11/29-15:22:11.62 216.101.170.130 (adsl-216-101-170-130.dsl.snfc21.pacbell.net) probe port 111, 32771, 21 on 132.235.15.137
2000/11/29-16:48:55.93 216.101.170.130 (adsl-216-101-170-130.dsl.snfc21.pacbell.net) probe port 21 on various machines
2000/11/30-10:31:13.54 132.235.28.35 (dhcp-028-035.cns.ohiou.edu) scan net 132.235.3.x for port 9200
2000/11/30-10:31:20.23 132.235.28.35 (dhcp-028-035.cns.ohiou.edu) scan net 132.235.1.x for port 9200
2000/12/01-01:59:36.79 132.235.63.5 (dhcp-063-005.cns.ohiou.edu) scan 10 machines 12 times for port 137
2000/12/01-02:20:59.18 132.235.63.5 (dhcp-063-005.cns.ohiou.edu) scan net for ports 55559, 43768, 54253
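The summary above is written in one fixed free-text layout ("time EASTERN source_ip[:port] (dns name, if any) attack/scan/notes"), which makes it easy to turn into structured records and aggregate, for example to see that port 27374 was hit by five unrelated sources within six minutes on 2000/11/06. The parser below is an added example and not part of this page or the site's own tooling. The sample entries are copied from the table above; the burst rule (at least three distinct sources probing the same port inside a ten-minute window) is my own threshold for illustration, not a rule the page states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a few entries copied from the November 2000 summary above,
# in its "time EASTERN source_ip[:port] (dns name, if any) notes" layout.
SAMPLE_LOG = """\
2000/11/02-21:03:15.27 24.164.199.43 (cpe-199-43.jam.rr.com) scan net for port 21
2000/11/05-15:05:48.53 scan for port 123
2000/11/06-00:28:22.70 24.149.22.8 (dhcp-8-22-149-24.cf-res.cfu.net) scan net for port 27374
2000/11/06-00:29:09.24 24.7.130.170 (c156270-a.mrcr1.wa.home.com) scan net for port 27374
2000/11/06-00:32:26.33 24.18.42.106 (ci375432-a.ashvil1.nc.home.com) scan net 132.235.1.x for port 27374
2000/11/13-22:40:55.45 204.91.230.11 (lnuserv1.pg.cc.md.us) scan 132.235.201.254 for ports 110, 143, 53, 21
2000/11/15-02:55:51.95 63.204.249.241:137 (adsl-63-204-249-241.dsl.lsan03.pacbell.net) scan net for port 137
2000/11/16-20:11:05.72 64.35.35.162 (zombfib.com.ar) 1. probe port 111, mount and other services on various hosts
"""

ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+)?"  # source ip[:port]; one entry has none
    r"(?:\((?P<dns>[^)]*)\)\s+)?"                                     # "(dns name, if any)"
    r"(?P<notes>.*)$"
)
# "port 21", "ports 110, 143, 53, 21", "port 111, 32771, 21": the numeric list after port/ports.
PORT_RE = re.compile(r"\bports?\s+(\d+(?:\s*,\s*\d+)*)")


def parse_line(line):
    """Turn one summary line into a dict, or None if it does not start with a timestamp."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    ports = []
    pm = PORT_RE.search(m["notes"])
    if pm:
        ports = [int(p) for p in re.split(r"\s*,\s*", pm.group(1))]
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d-%H:%M:%S.%f"),
        "ip": m["ip"],  # None when the entry carries no source address
        "sport": int(m["sport"]) if m["sport"] else None,
        "dns": m["dns"],
        "ports": ports,
        "notes": m["notes"],
    }


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def sources_by_port(entries):
    """Distinct source addresses seen probing each target port."""
    out = defaultdict(set)
    for e in entries:
        if e["ip"]:
            for p in e["ports"]:
                out[p].add(e["ip"])
    return dict(out)


def burst_ports(entries, min_sources=3, window_minutes=10):
    """Ports probed by at least `min_sources` distinct addresses inside one
    `window_minutes` window (sliding window over the per-port event list).
    Threshold values are an assumption for this example, not taken from the page."""
    per_port = defaultdict(list)
    for e in entries:
        if e["ip"]:
            for p in e["ports"]:
                per_port[p].append((e["ts"], e["ip"]))
    window = timedelta(minutes=window_minutes)
    hits = set()
    for port, events in per_port.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            if len({ip for _, ip in events[lo:hi + 1]}) >= min_sources:
                hits.add(port)
                break
    return hits


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for port, ips in sorted(sources_by_port(entries).items()):
        print(f"port {port}: {len(ips)} source(s)")
    print("burst ports:", sorted(burst_ports(entries)))
```

Run against the full table the same way; entries whose notes name a service rather than a port (mountd, named, _vti_inf) come back with an empty port list, so count those separately if they matter to you.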