Short summary of some of the attacks against us for Sep. 2001

time EASTERN  source_ip[:port] (dns name, if any)  attack/scan/notes

2001/09/01-03:52:17.37  172.176.190.190 (ACB0BEBE.ipt.aol.com)  scan net for random ips, 1 high port ea. 1/hr
2001/09/01-04:47:16.12  62.224.247.153 (p3EE0F799.dip.t-dialin.net)  scan net for port 21
2001/09/01-06:26:51.56  217.80.216.93 (pD950D85D.dip.t-dialin.net)  scan net for port 21
2001/09/01-09:34:50.24  156.63.161.51 (State of Ohio Network)  portscan several ips for 515,631,23,21,161,280,9099,9100
2001/09/01-16:56:03.58  193.253.211.59 (ALille-201-1-3-59.abo.wanadoo.fr)  scan net for port 21
2001/09/01-19:14:42.05  128.230.205.169:0 (syru205-169.syr.edu)  scan selected ip for port 3072,1024
2001/09/02-06:01:06.10  63.251.5.46 (server2046.virtualave.net)  scan 132.235.1.5 for ports 3128 8080
2001/09/02-17:19:23.11  213.239.150.163 (vhost8.cb3rob.co.uk)  probe ports 1659 or 1514 on random ips
2001/09/03-04:03:49.29  216.232.58.112 (New Westminster, British Columbia,CA)  scan net for port 111
2001/09/03-04:03:51.65  216.232.58.112 (New Westminster, British Columbia,CA)  start of buff overflow attacks
2001/09/03-06:34:48.49  64.71.128.26 (100tx-f1-0.c7206.ipv6.he.net)  beat on network switch on port 1659 (?)
2001/09/03-08:47:45.95  203.85.207.70:111 (pc070.fareastgroup.com)  scan net for port 111
2001/09/03-16:02:22.45  196.40.9.115:111 (Terminales Santamaria S.A.,Alajuela,CR)  scan net for port 111, buff overflow attacks
2001/09/03-20:39:08.83  63.10.134.27 (1Cust27.tnt1.phoenix2.az.da.uu.net)  scan net for port 1080
2001/09/03-21:11:25.42  216.3.7.96 (dyn027-nas09.athens.frognet.net)  scan net for port 27374
2001/09/04-05:44:07.56  217.81.203.72 (pD951CB48.dip.t-dialin.net)  scan net for port 21
2001/09/04-16:24:55.61  217.136.34.66 (adsl-41538.turboline.skynet.be)  attack 2 ips with GET /scripts/..%C0%AF../winnt/syst...
2001/09/04-18:24:52.63  62.37.128.144 (62-37-128-144.dialup.uni2.es)  1. anon ftp fetch of dummy passwd file, then use 'cracked'
2001/09/04-18:24:52.63  62.37.128.144 (62-37-128-144.dialup.uni2.es)  2. passwd to try multiple logins on ace.
2001/09/06-19:06:38.83  172.176.163.61 (ACB0A33D.ipt.aol.com)  scan net for random ips, 1 high port ea
2001/09/06-19:35:06.29  61.147.56.66 (CHINANET Jiangsu province network,CN)  try to ftp to 132.235.1.35.
2001/09/06-20:49:18.45  66.57.155.69 (clt57-155-069.carolina.rr.com)  bang on 132.235.1.150:6346 > 75 times
2001/09/06-21:49:50.86  152.39.5.110 (divlab_07.shawu.edu)  scan net for port 27374
2001/09/07-01:15:56.97  61.177.224.112 (CHINANET Jiangsu province network,CN)  scan 132.235.1.48 for ports 27374,12345,139
2001/09/07-03:06:55.08  63.251.5.45 (server2045.virtualave.net)  scan several ips for ports 8080,3128
2001/09/07-03:48:14.14  200.241.126.7 (cronos.argo.com.br)  scan net for random ips, 1 high port ea
2001/09/07-05:59:56.96  200.241.126.7 (cronos.argo.com.br)  try random high port on random ip 7 times today
2001/09/07-08:05:22.69  172.176.163.61 (ACB0A33D.ipt.aol.com)  try random high port on random ip 5 times today
2001/09/07-18:46:39.37  66.57.155.69 (clt57-155-069.carolina.rr.com)  conn to port 6346 on a pc 9 times. why?
2001/09/07-19:09:56.19  217.128.245.197 (AAmiens-101-1-3-197.abo.wanadoo.fr)  scan net for port 21
2001/09/07-22:20:02.88  211.154.103.70 (guangzhou branch,network 263 group,CN)  scan net for port 21
2001/09/07-23:34:39.46  202.128.131.172 (Hong Kong Telecom International Limited,HK)  scan net for port 111
2001/09/08-04:36:05.06  61.175.252.139 (CHINANET Zhejiang province network,CN)  scan net for port 515
2001/09/08-04:44:00.99  61.175.252.139 (CHINANET Zhejiang province network,CN)  scan net for port 32
2001/09/08-07:01:49.67  62.208.91.225 (pool1.primacom.net)  scan net for port 21
2001/09/08-07:50:49.51  210.75.208.7 ((CPIP) Beijing Information Highway Corp,CN)  scan net for port 111, buff overflow attacks
2001/09/08-11:49:35.56  211.22.10.138 (CHTD, Chunghwa Telecom Co.,Ltd,CN)  scan net for port 111
2001/09/08-13:48:53.83  62.219.1.72 (www.rabin-ks.org.il)  try random high port on random ip 10 times today
2001/09/08-21:33:28.17  202.106.162.166 (Beijing Jun Yi High School,CN)  scan net for port 53
2001/09/09-21:14:23.35  166.102.34.25 (ALLTEL Corporation,Little Rock, AK,US)  scan net for port 111,21
2001/09/09-21:14:48.68  166.102.34.25 (ALLTEL Corporation,Little Rock, AK,US)  1. attack 132.235.18.86 ftpd buffer overflow
2001/09/09-21:14:48.68  166.102.34.25 (ALLTEL Corporation,Little Rock, AK,US)  2. ftp to 63.251.5.5 (server37.hypermart.net)
2001/09/09-21:14:48.68  166.102.34.25 (ALLTEL Corporation,Little Rock, AK,US)  3. user/pass = donmautzi/gn825711mariusdmc
2001/09/09-21:14:48.68  166.102.34.25 (ALLTEL Corporation,Little Rock, AK,US)  4. get mautzi.tgz rootkit. install.
2001/09/09-21:14:48.68  166.102.34.25 (ALLTEL Corporation,Little Rock, AK,US)  5. send mail to 64.157.4.82 mautziroot@yahoo.com
2001/09/09-21:14:48.68  166.102.34.25 (ALLTEL Corporation,Little Rock, AK,US)  6. send mail to 209.228.32.104 xlogic@limp-bizkit.ro
2001/09/09-21:15:47.51  193.226.186.233 (station8.millenniumcafe.ro)  conn to 132.235.18.86 via udp port 137
2001/09/09-21:17:12.60  210.179.255.125 (Korea)  scan net for port 111
2001/09/09-21:18:11.56  193.226.186.233 (station8.millenniumcafe.ro)  conn to 132.235.18.86 on port 14181 (sshd trojan port)
2001/09/09-23:16:13.59  212.19.0.211 (vostokenergo.elektra.redcom.ru)  scan net for port 4045
2001/09/10-00:57:09.65  210.186.96.149 (TMnet Telekom Malaysia,MY)  scan net for telnet server, try to login as cicakx
2001/09/10-00:57:40.72  137.30.50.147 (marsh.geol.uno.edu)  scan several ips for port 111
2001/09/10-01:29:10.27  213.93.35.20 (e35020.upc-e.chello.nl)  probe portmap port on ace
2001/09/10-04:18:08.59  195.6.81.90 (France Telecom Cable Interactive,FR)  scan net for port 21
2001/09/10-12:40:15.80  65.1.2.231 (cc354126-b.venc1.fl.home.com)  scan net for port 21
2001/09/10-19:17:39.59  202.109.116.253 (Shanghai Jiading Telecom Bureau,CN)  scan net for port 515
2001/09/10-19:29:49.97  202.109.116.253 (Shanghai Jiading Telecom Bureau,CN)  scan net for port 23
2001/09/10-21:30:03.86  24.31.172.8 (dhcp31172008.columbus.rr.com)  scan net for port 21
2001/09/10-21:37:20.82  65.24.157.93 (dhcp065-024-157-093.columbus.rr.com)  portscan net for port 137,161
2001/09/10-21:38:49.64  65.24.157.93 (dhcp065-024-157-093.columbus.rr.com)  portscan ace, boss, prime
2001/09/10-21:39:53.22  65.24.157.93 (dhcp065-024-157-093.columbus.rr.com)  portscan selected machines
2001/09/11-03:50:01.84  195.249.88.3 (pointer server.kollegie6400.dk)  scan net for port 53
2001/09/11-09:46:11.32  209.219.57.10 (gw1.beatty.com)  multiple tries till 2001/09/11-12:03:29.19 on dns on roadkill...
2001/09/11-18:27:59.13  133.15.4.55 (cochem55.cochem2.tutkie.tut.ac.jp)  scan net for port 111
2001/09/11-18:27:59.60  133.15.4.55 (cochem55.cochem2.tutkie.tut.ac.jp)  scan anon ftp on select ips (linux)
2001/09/11-20:44:54.77  211.138.106.36 (China Mobile Communications Corporation,CN)  scan net for port 111
2001/09/11-20:44:55.07  211.138.106.36 (China Mobile Communications Corporation,CN)  scan select ips for port 21
2001/09/12-10:12:17.17  61.180.120.7 (CHINANET Jiangxi province network)  attack several ips with GET //............/winnt/system32/cmd.exe?/c+dir
2001/09/12-10:24:33.66  209.215.68.24 (BellSouth.net Inc.)  conn to 132.235.19.84 port 12345, 139,137
2001/09/12-17:59:43.05  193.252.49.145 (ATours-101-1-1-145.abo.wanadoo.fr)  scan net for port 21, anon ftp attacks.
2001/09/13-08:35:11.43  193.253.249.172 (ALille-201-1-4-172.abo.wanadoo.fr)  scan net for port 21, anon ftp attacks
2001/09/13-22:39:15.61  211.101.246.16 (LFnet, the customer of Capital Network,BEIJING,CN)  scan net for port 111
2001/09/13-22:42:35.27  211.101.246.16 (LFnet, the customer of Capital Network,BEIJING,CN)  ftp to interesting local machines.
2001/09/14-05:58:21.67  61.177.255.144 ()  scan net for port 80... + code red type attack
2001/09/14-06:24:22.83  211.234.63.220 (Korea crap)  scan net for port 111
2001/09/14-06:24:23.10  211.234.63.220 (Korea crap)  start of buff overflow attacks.
2001/09/14-12:01:40.33  61.180.64.53 (CHINANET Jiangxi province network,CN)  scan net for port 80, attack with GET //............/winnt/system32/cmd.exe?/c+dir
2001/09/14-14:56:14.24  210.100.177.161 (Korea crap)  scan net for port 111
2001/09/14-17:24:36.76  204.116.80.18 (Info Avenue Internet Services,Rock Hill, SC,US)  scan net for port 111, rstatd
2001/09/14-18:24:47.72  64.231.253.232 (HSE-Montreal-ppp136939.qc.sympatico.ca)  scan net for port 27374
2001/09/14-18:25:33.88  65.10.174.8 (c1885181-a.demone1.ia.home.com)  scan net for port 27374
2001/09/14-18:44:34.18  24.31.174.11 (dhcp31174011.columbus.rr.com)  try to connect to p1,p2 on port 9000...
2001/09/14-19:07:27.03  204.116.80.18 (Info Avenue Internet Services,Rock Hill, SC,US)  start buff overflow attacks
2001/09/14-20:28:58.61  64.231.253.232 (HSE-Montreal-ppp136939.qc.sympatico.ca)  scan net for port 2737
2001/09/14-20:28:59.85  24.185.186.49 (ool-18b9ba31.dyn.optonline.net)  scan net for port 2737
2001/09/14-21:48:33.06  61.180.214.190 (CHINANET Heilongjiang province network,CN)  scan net for port 80, attack with GET //............/winnt/system32/cmd.exe?/c+dir
2001/09/15-08:15:16.07  18.58.3.126 (NARWHAL.MIT.EDU)  scan net for port 111
2001/09/15-14:25:41.81  131.187.108.243 (host108-243.athenscounty.lib.oh.us)  conn to port 24 on p1,p2
2001/09/15-20:57:19.90  32.100.187.218 (slip-32-100-187-218.oh.us.prserv.net)  scan net for icmp echo
2001/09/15-21:02:26.15  131.220.96.240 (upc240.astro.uni-bonn.de)  scan net for port 21
2001/09/16-00:20:13.41  211.189.198.3 (Korea crap)  scan net for port 111
2001/09/16-02:17:10.04  211.189.198.3 (Korea crap)  start of buff overflow attacks.
2001/09/16-04:21:37.10  211.42.188.231 (Korea crap)  scan net for port 111
2001/09/16-04:21:37.32  211.42.188.231 (Korea crap)  scan port 21 on boss
2001/09/16-08:57:28.26  212.233.11.136 (World Online Belgium N.V.,BE)  scan net for port 21
2001/09/16-08:58:02.43  212.233.11.136 (ADSL.11.136.worldonline.be)  scan net for port 21, anon ftp attacks
2001/09/16-12:26:13.29  194.102.174.251 (web01.goodsoft.ro)  scan net for port 111
2001/09/16-12:26:47.80  202.106.127.40 (zhujigroup1,CN)  scan net for port 111
2001/09/16-22:16:31.80  61.147.41.87 (CHINANET Jiangsu province network,CN)  bang on dns server port on 132.235.1.70
2001/09/16-19:48:13.41  217.10.194.6 (MobiFon S.A.,ro)  contact 1 random high num. port on random machines.
2001/09/17-02:31:27.77  202.102.193.252 (hefei lan and dial ip pool,CN)  scan net for port 515
2001/09/17-02:38:53.60  202.102.193.252 (hefei lan and dial ip pool,CN)  scan net for port 23
2001/09/17-03:35:12.25  61.147.41.192 (CHINANET Jiangsu province network,CN)  bang on dns server port on 132.235.1.70
2001/09/17-11:55:52.80  209.248.191.2 (Data Management Associates,Cincinnati, OH,US)  scan net for port 21
2001/09/17-15:03:31.01  212.199.26.42 (Golden Lines,Petach-Tikva, Israel)  1. scan net for port 80
2001/09/17-15:03:31.01  212.199.26.42 (Golden Lines,Petach-Tikva, Israel)  2. attack with GET /scripts/..%c0%af../winnt/system3...
2001/09/17-16:17:58.33  132.235.162.133 (e2133.east-green.ohiou.edu)  scan net for port 21
2001/09/18-03:15:46.95  212.199.26.42 (Golden Lines,Petach-Tikva, Israel)  1. attack 132.235.15.90
2001/09/18-03:15:46.95  212.199.26.42 (Golden Lines,Petach-Tikva, Israel)  1. get program sensepost.exe, servudaemon
2001/09/18-03:15:46.95  212.199.26.42 (Golden Lines,Petach-Tikva, Israel)  4. setup private ftp site, user/pass = admin/blabla
2001/09/19-10:00:19.86  199.218.1.66 (netmon5.ohiou.athens.oh.us)  portscan a printer in morton.
2001/09/19-13:36:22.20  132.235.162.192 (e2192.east-green.ohiou.edu)  scan net for port 21
2001/09/20-10:54:53.42  217.109.160.231 (TELEPOL GRAND ROANNE,FR)  scan net for port 23
2001/09/20-12:12:51.92  216.191.138.7 (MetroNet Communications Group Inc.,Ontario,CA)  scan net for port 23
2001/09/20-12:49:48.43  216.191.138.7 (MetroNet Communications Group Inc.,Ontario,CA)  scan net for port 111
2001/09/20-15:26:04.99  208.7.253.37 (Sprint,US)  scan net for port 111
2001/09/24-10:53:28.20  200.177.96.139 (wh39.terraempresas.com.br)  contact 1 random high num. port on random machines.
2001/09/24-17:10:00.41  24.202.13.163 (modemcable163.13-202-24.mtl.mc.videotron.ca)  scan net on port 6346
2001/09/25-06:10:06.34  200.177.96.139 (wh39.terraempresas.com.br)  contact 1 random high num. port on random machines.
2001/09/25-12:29:34.99  211.9.39.98 (Japan Network Information Center)  scan net for port 6635
2001/09/25-16:23:30.11  212.179.141.208 (bzq-141-208.pop.bezeqint.net)  scan net for port 21
2001/09/25-16:24:03.84  63.114.221.90 (customer-63-114-221-90.dialup.psouth.net)  scan net for port 21
2001/09/25-16:50:46.05  65.163.85.11 (ns1.exo2.net)  scan net for port 111
2001/09/26-09:26:17.29  38.195.70.51 (ai70-051.aiinet.com)  bang on port 1099 on 132.235.1.1
2001/09/26-10:59:05.91  203.238.6.129 (Korea Network Information Center)  scan net for port 111
2001/09/26-11:07:26.25  132.235.171.66 (w3066.west-green.ohiou.edu)  scan net for port 9200
2001/09/26-22:40:15.43  212.199.49.186 (?.goldenlines.net.il)  scan net for port 21, then port 137 on some machines
2001/09/27-00:19:54.29  132.235.162.199 (e2199.east-green.ohiou.edu)  portscan net ports 137-600, 132.235.1.1-132.235.1.56
2001/09/27-00:23:05.85  132.235.162.199 (e2199.east-green.ohiou.edu)  portscan net for port 137-139
2001/09/27-00:24:01.01  132.235.162.199 (e2199.east-green.ohiou.edu)  restart previous portscan of net for port 137-139
2001/09/27-06:42:53.40  217.88.251.106 (pD958FB6A.dip.t-dialin.net)  scan net for port 21
2001/09/27-16:58:13.25  195.139.118.225 (port-1225.dialup.kpnqwest.no)  scan net for port 21
2001/09/28-02:03:38.73  212.160.97.58 (kl08.interpab.com.pl)  scan net for port 111
2001/09/28-02:09:51.58  212.160.97.58 (kl08.interpab.com.pl)  probe ports 23,25 on 132.235.4.110
2001/09/28-06:32:57.74  132.235.87.148 (dhcp-087-148.cns.ohiou.edu)  scan several machines for port 524
2001/09/28-08:47:52.65  66.89.18.136 (Concentric Network Corporation)  scan net for port 23
2001/09/28-15:38:56.59  62.226.127.212 (p3EE27FD4.dip.t-dialin.net)  scan net for port 21
2001/09/28-17:18:06.69  202.105.185.148 (ums.huizhou.gd.cn)  scan net for port 111
2001/09/28-19:12:54.80  202.105.185.148 (ums.huizhou.gd.cn)  start of buff overflow attacks.
2001/09/29-00:45:04.73  63.148.34.243 (Qwest Communications,US)  contact 1 random high num. port on random machines.
2001/09/29-05:35:26.38  209.99.227.5 (Millicom Argentina SA,BR)  scan net for port 111
2001/09/29-05:36:29.73  209.99.227.5 (Millicom Argentina SA,BR)  start of buff overflow attacks
2001/09/29-09:18:58.93  216.201.32.207 (jack-ras2-4-cs-1.dial.bright.net)  probe port 22 on ace
2001/09/29-09:19:41.83  216.201.32.207 (jack-ras2-4-cs-1.dial.bright.net)  login to p2 as jprofitt
2001/09/29-09:23:20.47  216.201.32.207 (jack-ras2-4-cs-1.dial.bright.net)  portscan ace
2001/09/29-17:26:41.05  132.235.176.194 (dhcp-176-194.cns.ohiou.edu)  scan net for port 137
2001/09/29-18:30:29.53  132.235.176.194 (dhcp-176-194.cns.ohiou.edu)  1. portscan 132.235.1.[1,2,7]
2001/09/29-18:30:29.53  132.235.176.194 (dhcp-176-194.cns.ohiou.edu)  2. special scan of web servers hitting cgi_bin scripts
2001/09/29-18:30:29.53  132.235.176.194 (dhcp-176-194.cns.ohiou.edu)  3. with extra special interest in /etc/passwd
2001/09/30-09:57:39.03  212.95.179.135 (ppp2-7.netel.bg)  try to login as student/student, root/root, admin/admin
2001/09/30-10:04:26.51  62.42.36.63 (MN2-GA-u-0062.mc.onolab.com)  use anon ftp on ace to obtain passwd file
2001/09/30-15:08:49.44  62.42.36.63 (MN2-GA-u-0062.mc.onolab.com)  use anon ftp on ace to obtain passwd file
2001/09/30-22:08:36.36  196.15.190.250 (SAIX,Cape Town,ZA)  scan net for port 111