Short summary of some of the attacks against us for January 2001

time EASTERN  source_ip[:port]  (dns name, if any)  attack/scan/notes

2001/01/01-02:10:04.11  210.96.87.189  (Chang-su Elementary School, Pochun-gun, KR)  scan net for port 53
2001/01/01-10:43:25.19  62.226.51.93  (p3EE2335D.dip.t-dialin.net)  scan net 132.235.x.x for port 21
2001/01/02-00:45:41.00  203.141.133.114  (203.141.133.114.user.ad.il24.net)  attempted spam relay via jets
2001/01/02-01:41:23.60  210.104.213.3  (Korea Telecom, SEOUL)  scan net for port 23
2001/01/02-01:43:49.53  210.104.213.3  (Korea Telecom, SEOUL)  scan net for port 21
2001/01/02-01:46:33.59  210.104.213.3  (Korea Telecom, SEOUL)  scan net for port 23
2001/01/03-00:54:43.59  130.212.20.72  (rsensing2.sfsu.edu)  scan net for port 111, 21
2001/01/03-08:52:57.49  217.1.89.231  (pD90159E7.dip.t-dialin.net)  scan net for port 21
2001/01/03-12:26:25.98  18.31.0.163  (paprika.lcs.mit.edu)  scan for named version.
2001/01/03-19:59:06.03  195.235.225.218  (Profesional colective of engineers, MADRID, SPAIN)  scan net for port 8012
2001/01/04-00:29:27.15  207.35.165.194  (Mist Inc., ONTARIO, CA)  scan net for port 21,111
2001/01/04-15:21:02.00  128.9.160.57  (zed.isi.edu)  multiple named version probes, zone transfers.
2001/01/05-02:37:03.07  150.182.2.2  (linroute2.utsi.edu)  scan net for port 21
2001/01/05-05:41:19.74  62.98.136.17  (WIND Telecomunicazioni spa ITALY)  1) scan net for ports 80,111,6000,79,53,31337,2766,
2001/01/05-05:41:19.74  62.98.136.17  (WIND Telecomunicazioni spa ITALY)  2) AND 139,25,21,22,1114,1,110,143,23
2001/01/05-05:41:19.74  62.98.136.17  (WIND Telecomunicazioni spa ITALY)  3) AND multiple probe/attack on web servers
2001/01/06-07:27:01.76  212.185.214.129  (pD4B9D681.dip.t-dialin.net)  scan net for port 21
2001/01/06-12:46:32.89  64.229.252.154  (HSE-Sherbrooke-ppp79457.qc.sympatico.ca)  scan net for port 21
2001/01/06-13:37:53.52  132.235.147.232  (dhcp-147-232.cns.ohiou.edu)  portscan seorf
2001/01/06-15:34:16.72  208.37.208.100  (Concentric net (PlusTen))  scan net for port 23
2001/01/06-15:41:51.52  208.37.208.100  (Concentric net (PlusTen))  scan net for port 515
2001/01/06-15:57:58.52  208.37.208.100  (Concentric net (PlusTen))  scan net for port 23
2001/01/07-00:41:44.65  62.255.184.9  (pc9-lut9.cable.ntl.com)  scan net for port 21
2001/01/07-13:28:43.49  66.26.8.63  (ilm26-8-063.ec.rr.com)  scan net for port 21
2001/01/07-23:35:48.09  24.161.122.235  (syr-24-161-122-235.twcny.rr.com)  scan net for port 111
2001/01/07-23:44:18.48  24.161.122.235  (syr-24-161-122-235.twcny.rr.com)  statmon2 buff overflow attack
2001/01/08-14:19:27.41  38.27.184.152  (ip152.baton-rouge5.la.pub-ip.psi.net)  1) thru 2001/01/08-22:30:20.17 attack boss via ftp
2001/01/08-14:19:27.41  38.27.184.152  (ip152.baton-rouge5.la.pub-ip.psi.net)  2) trying a user login with passwds from dictionary.
2001/01/08-15:50:59.45  192.55.91.31  (netprobe.lerc.nasa.gov)  portscan ace from port 33429 to 33503
2001/01/08-23:05:15.12  38.27.184.152  (ip152.baton-rouge5.la.pub-ip.psi.net)  start of attack on ace thru 2001/01/08-23:09:48.66
2001/01/09-05:00:10.85  149.159.98.81  (fr-98-81.forest.indiana.edu)  scan net for port 27374
2001/01/09-07:12:12.05  128.211.160.245  (dsl-016-d.resnet.purdue.edu)  scan net for port 27374
2001/01/09-07:16:48.28  210.96.87.189:2666  (Chang-su Elementary School, Republic of Korea)  scan net for port 53
2001/01/10-09:50:01.08  209.225.26.18:5000  (Exodus.net)  portscan net for high random ports
2001/01/10-11:36:15.74  208.32.28.166  (port-2-47-56k.jackson.zoomnet.net)  portscan 132.235.15.201
2001/01/10-11:40:09.86  216.35.208.150:5000  (Exodus.net)  portscan net for high random ports
2001/01/10-16:03:14.33  62.158.97.194  (p3E9E61C2.dip.t-dialin.net)  scan net for port 21, try to create dirs.
2001/01/10-16:05:23.31  62.226.52.36  (p3EE23424.dip.t-dialin.net)  scan net for port 21
2001/01/10-19:37:29.36  193.231.74.138  (Romania on-line, ROMANIA)  scan several machines for port 21
2001/01/11-07:42:52.50  132.235.197.74  (crawford-pc.cns.ohiou.edu)  scan net for port 7,21,70,53,80,110,119,143,161,37
2001/01/11-20:45:44.48  61.147.54.238  (CHINANET Jiangsu province network, CN)  ftp probe on odd05
2001/01/11-22:39:49.32  61.147.54.134  (CHINANET Jiangsu province network, CN)  ftp probe on odd05
2001/01/12-02:19:49.54  61.147.54.169  (CHINANET Jiangsu province network, CN)  ftp probe on odd05
2001/01/12-08:59:26.05  64.230.222.19  (HSE-Sherbrooke-ppp98626.qc.sympatico.ca)  scan net for port 1080
2001/01/12-12:51:45.55  195.217.211.241  (Linkguard Ltd, GB)  scan net for port 80
2001/01/12-22:07:18.84  24.234.60.237  (dhcp237.60.lvcm.com)  scan net for port 110
2001/01/13-06:18:14.77  195.217.211.241  (Linkguard Ltd, GB)  scan net for port 80
2001/01/13-08:36:48.24  195.217.211.241  (Linkguard Ltd, GB)  scan net for port 80
2001/01/14-07:37:06.86  216.35.103.80  (si4001.inktomi.com)  scan net for port 80,4080,8000
2001/01/14-08:28:18.54  195.217.211.241  (Linkguard Ltd, GB)  scan net for port 80
2001/01/14-14:12:50.15  24.26.124.126  (ubr-a-26.124.126.ormondbeach.cfl.rr.com)  scan net for port 21
2001/01/15-02:29:28.43  138.89.35.212  (adsl-138-89-35-212.nnj.adsl.bellatlantic.net)  scan net for port 21
2001/01/15-07:55:37.14  208.242.216.196  (Day Trade, Dallas, TX, US)  scan net for port 111
2001/01/15-08:28:28.36  208.242.216.196  (Day Trade, Dallas, TX, US)  start attack on multiple machines via portmapped services
2001/01/15-13:29:59.50  208.242.216.196  (Day Trade, Dallas, TX, US)  attack 132.235.17.45 w/ buff overflow attack.
2001/01/15-14:18:19.09  169.207.160.129  (Executive PC, New Berlin, WI, US)  1) use backdoor on 132.235.17.45 to add entries to passwd file
2001/01/15-14:18:19.09  169.207.160.129  (Executive PC, New Berlin, WI, US)  2) download rootkit from packets.ca (use k, pass azn)
2001/01/15-14:18:19.09  169.207.160.129  (Executive PC, New Berlin, WI, US)  3) add IRC reflector, use for channel #azn - group of hackers
2001/01/15-14:18:19.09  169.207.160.129  (Executive PC, New Berlin, WI, US)  4) trying to get up to 200 slave machines
2001/01/15-21:08:34.38  128.228.16.204  (City University of New York, NY, USA)  scan net for port 111
2001/01/16-09:16:34.06  211.216.49.152:21  (Korea network)  scan net for port 21
2001/01/16-13:22:40.29  213.167.199.162:53  (Galactica isp - IT)  scan net for port 53
2001/01/17-11:45:28.84  213.8.210.50  (Euronet Digital Communications, IL)  portscan 132.235.1.252
2001/01/18-01:34:22.42  213.8.210.50  (Euronet Digital Communications, IL)  1) attack 132.235.1.252 w/ cmsd buffer overflow port
2001/01/18-01:34:22.42  213.8.210.50  (Euronet Digital Communications, IL)  2) along with multiple Sun and SGI attacks.
2001/01/18-16:35:11.55  64.244.158.11:33897  (steem-gw.steem.com)  scan net for port 80
2001/01/18-16:35:23.66  64.244.158.11:33897  (steem-gw.steem.com)  scan net for port 27374
2001/01/18-19:01:48.86  149.171.36.15  (garyf.ee.unsw.EDU.AU)  scan net for port 111
2001/01/20-11:42:36.07  24.191.66.42  (KUB Teknologi Sdn Bhd, Kuala Lumpur, MY)  ftp scan on 132.235.4.x
2001/01/20-11:42:36.07  24.191.66.42  (ool-18bf422a.dyn.optonline.net)  scan net 132.235.4.x for port 21
2001/01/20-13:22:13.51  24.191.66.42  (ool-18bf422a.dyn.optonline.net)  scan net 132.235.36.x for port 21
2001/01/20-15:17:48.82  202.184.167.12  (KUB Teknologi Sdn Bhd, Kuala Lumpur, MY)  buf overflow attacks against 132.235.1.[1,2]
2001/01/20-15:29:59.80  202.184.167.12  (KUB Teknologi Sdn Bhd, Kuala Lumpur, MY)  ftp probes against 132.235.1.[1,2]
2001/01/21-21:19:53.45  24.15.107.45  (c1035155-a.moline1.il.home.com)  scan net for port 1
2001/01/22-06:34:29.81  212.50.17.145  (bay15.pool.bol.bg)  scan net for port 21
2001/01/22-11:50:12.18  24.12.178.2  (c342319-a.vncvr1.wa.home.com)  scan net for port 27374
2001/01/22-11:50:15.68  24.138.29.38  (CDR29-38.accesscable.net)  scan net for port 1243
2001/01/22-13:46:44.08  213.32.161.160  (notes.supportcenter.dk)  scan net for port 21
2001/01/22-15:16:11.52  202.160.87.100  (MDService Co., Ltd., Taipei, Taiwan, R.O.C.)  scan net for port 111
2001/01/22-15:26:18.06  202.160.87.100  (MDService Co., Ltd., Taipei, Taiwan, R.O.C.)  buf overflow attack against several machines
2001/01/23-06:07:13.91  209.220.244.18:23  (w018.z209220244.chi-il.dsl.cnc.net)  scan net for random high ports
2001/01/23-14:44:29.72  203.129.228.150  (Software Technology Parks of India, Bangalore, INDIA)  scan net for port 21
2001/01/23-20:11:49.79  64.224.1.20  (ipswgr0002atl2.interland.net)  scan net for port 21
2001/01/23-20:54:57.21  202.123.195.157  (iLink.net Limited, HONG KONG)  scan net for port 21
2001/01/23-21:38:20.02  198.211.41.141  (Academic Systems Corp, CA, USA)  scan net for port 23
2001/01/24-22:46:59.12  210.223.45.156  (Daewon INC, SEOUL, Korea)  scan net for port 23
2001/01/25-17:47:04.22  211.152.144.250  (CST iAdvantage Co. Ltd., CN (Hong Kong?))  scan net for port 111
2001/01/26-21:21:48.98  216.59.51.219:21  (d83b33db.dsl.flashcom.net)  scan net for port 21
2001/01/27-08:04:09.84  200.246.140.214:21  (ppp214.telnet.com.br)  scan net for port 21
2001/01/27-21:24:35.22  213.121.116.145  (host213-121-116-145.btopenworld.com)  scan net for port 21
2001/01/27-21:52:37.86  203.45.144.239  (CPE-203-45-144-239.qld.bigpond.net.au)  scan net for port 111
2001/01/28-03:41:24.37  24.234.70.165  (dhcp165.70.lvcm.com)  scan net for port 21
2001/01/28-05:17:17.27  24.234.70.165  (dhcp165.70.lvcm.com)  scan net for port 21
2001/01/28-08:02:07.68  192.58.221.253  (University of California, Berkeley, CA, US)  scan net for port 515
2001/01/28-08:09:54.43  192.58.221.253  (University of California, Berkeley, CA, US)  scan net for port 23
2001/01/28-12:59:59.18  206.107.192.3  (Pension Benefit Guaranty Corp, Washington, DC, US)  scan net for port 111
2001/01/28-13:09:28.98  205.160.173.19  (pminet.pmicim.com)  scan selected machines for port 21
2001/01/28-13:09:36.47  205.160.173.19  (pminet.pmicim.com)  scan selected machines for port 25
2001/01/28-13:09:39.12  205.160.173.19  (pminet.pmicim.com)  1) launch multiple buff overflow attacks against them.
2001/01/28-13:09:39.12  205.160.173.19  (pminet.pmicim.com)  2) scan ALL of our unix machines for port 111
2001/01/28-22:04:24.60  211.55.86.200  (WOOWON CORPORATION, SEOUL, KR)  scan net for port 111
2001/01/29-00:50:24.06  210.179.224.248  (SEO SEOUL INFORMATION INDUSTRIAL HIGH SCHOOL, KR)  scan net for port 111
2001/01/29-08:29:39.18  213.213.24.78  (h213-24-78.RM1.albacom.net)  scan net for port 23
2001/01/29-17:26:15.18  207.90.223.2  (South Coast Computing Services, Inc., HOUSTON, TX, US)  scan net for port 111
2001/01/29-19:45:12.30  64.204.124.194:21  (64-204-124-194.client.dsl.net)  scan net for port 21
2001/01/29-19:58:46.34  132.235.174.202  (w6202.west-green.ohiou.edu)  portscan ace
2001/01/30-03:04:16.57  210.71.187.12  (CHTD, Chunghwa Telecom Co., Ltd., Taipei, Taiwan)  scan net for port 111
2001/01/30-03:04:18.30  210.71.187.12  (CHTD, Chunghwa Telecom Co., Ltd., Taipei, Taiwan)  buff overflow attack on multiple machines.
2001/01/30-18:53:50.99  139.92.144.127  (IBM Netherlands N.V., The Netherlands)  1) scan net for port 111
2001/01/30-18:53:50.99  139.92.144.127  (IBM Netherlands N.V., The Netherlands)  2) start of buff overflow attacks
2001/01/30-19:13:23.54  139.92.144.127  (IBM Netherlands N.V., The Netherlands)  1) compromise 132.235.16.228 (PLD/COURIER)
2001/01/30-19:13:23.54  139.92.144.127  (IBM Netherlands N.V., The Netherlands)  2) compromise 132.235.17.243 (PLD/COURIER)
2001/01/30-19:13:23.54  139.92.144.127  (IBM Netherlands N.V., The Netherlands)  3) ftp to phones.box.sk as tyler/nedrud
2001/01/30-19:13:23.54  139.92.144.127  (IBM Netherlands N.V., The Netherlands)  4) start irc bot to irc.techno-link.com/6667
2001/01/30-19:13:23.54  139.92.144.127  (IBM Netherlands N.V., The Netherlands)  5) nic baller
2001/01/30-22:36:11.58  210.71.187.12  (CHTD, Chunghwa Telecom Co., Ltd., Taipei, Taiwan)  scan net for port 111
2001/01/30-22:36:11.84  210.71.187.12  (CHTD, Chunghwa Telecom Co., Ltd., Taipei, Taiwan)  buff overflow attack on multiple machines.
2001/01/31-15:23:57.36  62.226.51.122  (p3EE2337A.dip.t-dialin.net)  scan net for port 21
2001/01/31-18:35:56.84  203.120.178.175  (ISE Labs Singapore)  scan net for port 515
2001/01/31-18:35:57.36  203.120.178.175  (ISE Labs Singapore)  scan net for port 21
2001/01/31-19:32:11.98  216.15.43.212  (dnai-216-15-43-212.cust.dnai.com)  scan net for port 111
2001/01/31-19:51:45.63  203.120.178.175  (ISE Labs Singapore)  scan net for port 23
2001/01/31-20:25:06.09  216.15.43.212  (dnai-216-15-43-212.cust.dnai.com)  launch statmon buff overflow attacks - mult. mach.
2001/01/31-22:33:07.18  132.235.148.90  (dhcp-148-090.cns.ohiou.edu)  scan net for port 1959
2001/01/31-22:43:37.86  132.235.148.90  (dhcp-148-090.cns.ohiou.edu)  1) scan net for port 1959
2001/01/31-22:43:37.86  132.235.148.90  (dhcp-148-090.cns.ohiou.edu)  2) and send each machine icmp source quench packets.
2001/01/31-22:54:39.43  205.133.156.18  (www.happyhosting.com)  scan net for port 21