Short summary of some of the attacks against us for Jan. 2003
Just too many scans and not enough time to keep the list up all the time.

year-time EASTERN       source_ip[:port] (dns name, if any)       attack/scan/notes

2003/01/07-03:56:02.13  219.163.42.27 (pc3.ssn39-unet.ocn.ne.jp)
    1. re-attack condor (from previous hack). Use login id without a password.
    2. ftp to 209.61.200.9 (no16.dca1.superb.net) as user dunia1 passwd 1234amalia to get .mail/psyBNCSunOS.tar
    3. ftp to 202.99.11.79 (HINANET Beijing province; calls itself www.eictrading.com) user smp password warong99 to get psybnc.conf; then cp psybnc in.telnetd
    4. Try to logon to 132.235.15.206, but fails
2003/01/10-06:14:20.44  62.52.18.53 ()  scannet for port 1544
2003/01/10-06:27:15.97  218.224.36.126 (p4126-ipad49marunouchi.tokyo.ocn.ne.jp)  scannet for port 1433
2003/01/10-08:10:45.06  80.11.133.225 (AFontenayssB-103-1-4-225.abo.wanadoo.fr)  scannet for port 21
2003/01/10-09:26:02.41  132.235.241.55 (OHIOU.EDU)  scannet for port 177
2003/01/10-10:10:45.43  194.143.228.90 ()  scannet for ports 80,57
2003/01/10-10:51:52.64  66.170.103.34 (66-170-103-34.spectrumaccess.net)
    1. scannet for port 3389
    2. probe ports 445,139 on select ips
2003/01/10-10:59:12.59  62.84.66.82 (dial82.lynx.net.lb)  scannet for port 1433
2003/01/10-12:14:50.66  205.208.171.108 ()  scannet for ports 23,443
2003/01/10-14:29:04.61  63.190.169.57 (sdn-ap-017txhousP0311.dialsprint.net)  scannet for ports 80,8000,8001,8080,8090,81,8888,3128,4
2003/01/10-14:29:09.40  63.190.169.57 (sdn-ap-017txhousP0311.dialsprint.net)  scannet for ports 80,8000,8001,8080,8091,81,8888,3128,4480,6588
2003/01/10-14:58:42.77  62.43.29.44 (62-43-29-44.user.ono.com)  scannet for port 443
2003/01/10-15:08:51.19  80.63.241.5 (0x503ff105.albnxx11.adsl-dhcp.tele.dk)  scannet for ports 445,139
2003/01/10-18:10:00.78  211.224.89.166 ()  scannet for port 23
2003/01/10-18:35:46.50  63.188.227.144 (sdn-ap-010txhousP0906.dialsprint.net)  scannet for ports 80,8000,8001,8080,8090,81,8888,3128,4480,6588
2003/01/10-19:30:25.33  24.59.40.189 (syr-24-59-40-189.twcny.rr.com)  scannet for ports 445,80
2003/01/10-22:21:53.40  212.20.74.130 ()  scannet for port 1433
2003/01/10-22:44:31.93  80.242.226.210 (80-242-226-210.multikabel.nl)  scannet for port 1433
2003/01/11-07:10:17.55  200.74.27.101 (pc960-200-74-27-101.apoquindo2.pc.metropolis-inter.com)  slow scan of net for ports 1080,8080,80,3128
2003/01/11-08:14:22.62  80.0.223.10 (public3-pete1-6-cust10.pete.broadband.ntl.com)
    1. scannet for ports 445,139,80
    2. probe 132.235.4.249 w/ 16000 connections
2003/01/11-08:33:55.50  210.49.68.164 (c16798.rochd2.qld.optusnet.com.au)  scannet for port 445; probe 132.235.4.249 w/ 2400 connects
2003/01/11-09:15:46.89  195.64.94.84 (cust.94.84.adsl.cistron.nl)
    1. scannet for ports 445,139,80
    2. probe 132.235.4.249 w/ 4300 connections
2003/01/11-12:11:49.25  211.209.174.171 ()  scannet for port 1433
2003/01/11-13:20:17.14  211.253.154.26 ()  probe ports 11,22,23,413,110 on 132.235.1.82; try to login via ssh as root, others
2003/01/11-13:49:30.90  65.30.120.145 (mkc-65-30-120-145.kc.rr.com)  scannet for port 1433
2003/01/11-14:32:58.34  194.176.35.125 ()  scannet for port 1433
2003/01/11-16:17:12.57  216.221.60.240 (dsl-60-240.aei.ca)  scannet for ports 139,445
2003/01/11-16:24:04.47  217.162.148.68 (dclient217-162-148-68.hispeed.ch)  scannet for port 443
2003/01/11-20:56:31.19  217.39.89.216 (host217-39-89-216.in-addr.btopenworld.com)
    1. scannet for ports 80,445
    2. probe 132.235.4.249 w/ 9950 connects
2003/01/11-21:23:35.12  4.21.135.241 ()  scannet for ports 80,57,21
2003/01/11-21:46:32.05  81.9.139.224 (cmr-81-9-139-224.telecable.es)  portscan ace
2003/01/12-00:32:01.67  217.39.89.216 (host217-39-89-216.in-addr.btopenworld.com)  hack in to pc 132.235.18.96 port 445...
2003/01/12-05:17:37.08  207.6.207.96 (bjia25vdy15je.bc.hsia.telus.net)  aggressive scannet for ports 445,139,80
2003/01/12-05:37:06.05  217.1.1.59 (pD901013B.dip.t-dialin.net)  scannet for ports 1433,445,80; probe 132.235.4.249 w/ 200 connects
2003/01/12-06:00:11.07  207.6.207.96 (bjia25vdy15je.bc.hsia.telus.net)  probe 132.235.1.89 ports 445,139
2003/01/12-06:00:24.32  217.1.1.59 (pD901013B.dip.t-dialin.net)  probe 132.235.4.249 w/ 148 connections
2003/01/12-06:51:13.61  63.210.103.134 (unknown.Level3.net)  slow scan of net to high numbered port
2003/01/12-07:03:31.35  211.202.0.214 ()  scannet for port 21
2003/01/12-12:02:57.79  213.198.65.64 ()  scannet for port 1433
2003/01/12-12:57:35.28  217.107.214.246 ()  scannet for ports 80,3128,1080,8080,3128
2003/01/12-14:56:29.10  67.81.73.155 (ool-4351499b.dyn.optonline.net)
    1. scannet for ports 445,139,80
    2. probe 132.235.4.249 w/ 15000 connections
2003/01/12-18:08:52.54  144.132.255.87 (CPE-144-132-255-87.nsw.bigpond.net.au)  scannet for port 445
2003/01/12-18:40:28.41  24.27.113.171 (cs2427113-171.houston.rr.com)  scannet for port 445
2003/01/12-18:43:55.14  63.93.2.134 (63-93-2-134.bhfc.net)  scannet for port 3389
2003/01/12-19:04:52.82  198.180.37.95 (www.tgs-support.com)
    1. scannet for ports 57,1433,445
    2. probe 132.235.4.249 w/ 1100 connections
2003/01/12-21:13:05.05  24.43.252.93 (CPE014090205235.cpe.net.cable.rogers.com)  scannet for port 23
2003/01/12-21:28:25.87  64.34.51.1 (dsl-64-34-51-1.telocity.com)  scannet for ports 80,57,21
2003/01/12-21:42:16.98  200.68.202.62 (ppp-68-202-62.alternativagratis.com)  probe boss ports 80,37,11,88,147,3069,3067,26274,3151,21,25,23,110,21115,79
2003/01/12-22:38:21.62  24.26.150.40 (dhcp26150040.columbus.rr.com)  scannet for ports 139,445
2003/01/13-01:25:28.53  195.67.85.2 ()  scannet for port 1433
2003/01/13-05:48:48.64  203.235.47.249 ()  scannet for port 21
2003/01/13-07:35:16.15  80.0.40.144 (public1-ledn1-3-cust144.leed.broadband.ntl.com)  scannet for port 445
2003/01/13-12:41:26.88  80.32.96.114 (114.Red-80-32-96.pooles.rima-tde.net)  scannet for port 1433
2003/01/13-12:42:00.28  195.64.94.84 (cust.94.84.adsl.cistron.nl)  scannet for ports 445,139 thru 14:25:10.37
2003/01/13-12:42:11.66  80.67.101.5 (GA-SL-101.005.ADSL.es.clara.net)  scannet for port 1433
2003/01/13-13:44:54.41  24.203.113.90 (modemcable090.113-203-24.mtl.mc.videotron.ca)  scannet for ports 445,139 thru 17:06:27.48
2003/01/13-13:48:57.33  80.3.142.215 (pc1-pete2-5-cust215.pete.cable.ntl.com)  scannet for ports 445,139
2003/01/13-14:18:10.34  217.227.130.149 (pD9E38295.dip.t-dialin.net)  scannet for ports 445,139
2003/01/13-14:55:09.18  24.162.99.177 (cs2416299-177.hot.rr.com)  scannet for ports 81,8888,1080,8080,
2003/01/13-16:01:57.24  24.203.113.90 (modemcable090.113-203-24.mtl.mc.videotron.ca)  install firedaemon, ftpd, ircbots... on 19.102
2003/01/13-16:04:13.02  80.134.146.103 (p50869267.dip.t-dialin.net)  scannet for ports 80,57,21
2003/01/13-16:47:45.09  24.30.199.228 (securityscan.sec.rr.com)  scannet for ports 80,81,1080,3128,4480,6588,8000,8080,80801
2003/01/13-17:31:45.96  208.252.255.7 (host7.anshenla.com)  scannet for port 1433
2003/01/13-18:13:50.27  24.68.179.162 (h24-68-179-162.pr.shawcable.net)  scannet for ports 445,139 thru 21:51:26.93
2003/01/13-19:08:14.13  203.255.14.94 ()  scannet for ports 445,139
2003/01/13-20:13:47.01  63.87.237.67 (UUNET crap)  scannet for port 1433
2003/01/13-21:07:28.82  216.58.90.226 (i216-58-90-226.igs.net)  scannet for port 1433
2003/01/14-00:01:09.68  24.218.197.104 (h00045a5b04c5.ne.client2.attbi.com)  scannet for port 1433
2003/01/14-03:33:30.67  65.96.66.247 (h00e018b4c09a.ne.client2.attbi.com)  scannet for port 1433
2003/01/14-07:25:17.42  211.161.25.36 ()  scannet for port 1433
2003/01/14-08:39:23.96  210.156.52.2 (dns.hirogaku-u.ac.jp)  MS diploma msg scan 132.235.4.20[3,7]:135
2003/01/14-08:39:25.96  200.79.237.97 ()  MS diploma msg scan 132.235.4.204:135
2003/01/14-08:39:37.23  200.42.51.185 (a200042051185.rev.prima.com.ar)  MS diploma msg scan 132.235.4.[211,201]:135
2003/01/14-08:49:36.45  80.230.188.88 ()  scannet for ports 135,445,80 thru 09:16:35.69
2003/01/14-10:04:16.72  203.251.81.248 (taegu-c2511-3.kornet.nm.kr)  scannet for port 21
2003/01/14-10:28:05.11  210.156.52.2 (dns.hirogaku-u.ac.jp)  MS diploma msg scan 132.235.4.[212,213]:135
2003/01/14-10:28:05.45  217.37.104.137 (host217-37-104-137.in-addr.btopenworld.com)  MS diploma msg scan 132.235.4.222:135
2003/01/14-10:28:07.16  200.67.34.69 (dsl-200-67-34-69.prodigy.net.mx)  MS diploma msg scan 132.235.4.214:135
2003/01/14-12:39:04.26  80.230.212.219 ()  scannet for ports 445,139
2003/01/14-12:40:08.37  161.58.90.241 ()  scannet for ports 445,139
2003/01/14-17:56:33.56  12.111.197.132 ()  scannet for ports 445,139 to 21:56:14
2003/01/14-20:10:52.85  200.72.141.50 ()  MS diploma msg scan 132.235.4.[8,16]:135
2003/01/14-20:48:07.17  61.98.55.195 ()  scannet for ports 445,139
2003/01/14-22:58:32.16  208.58.84.15 (208-58-84-15.c3-0.upd-ubr2.trpr-upd.pa.cable.rcn.com)  scannet for ports 445,139
2003/01/14-23:00:07.65  208.58.84.15 (208-58-84-15.c3-0.upd-ubr2.trpr-upd.pa.cable.rcn.com)  probe 132.235.4.249 15820 times
2003/01/15-02:13:35.22  80.11.92.225 (ANancy-103-1-2-225.abo.wanadoo.fr)  scannet for ports 135,80,445
2003/01/15-07:14:20.68  63.210.103.134 (unknown.Level3.net)  slow scan of net, 1 packet to high port per ip
2003/01/15-07:47:47.07  217.107.214.246 ()  scannet for ports 1080,8080,80,3128,1080
2003/01/15-09:35:05.56  218.72.3.144 ()  scannet for ports 8080,80,8000,3128
2003/01/15-10:01:32.56  200.13.181.134 ()  scannet for port 139
2003/01/15-11:26:24.05  148.233.14.21 ()  scannet for port 139
2003/01/15-12:03:00.44  200.168.24.153 (200-168-24-153.terra.com.br)  MS diploma msg scan 132.235.4.72:135
2003/01/15-12:03:01.58  200.168.10.164 (200-168-10-164.terra.com.br)  MS diploma msg scan 132.235.4.73:135
2003/01/15-15:13:16.46  217.85.24.14 (pD955180E.dip.t-dialin.net)  scannet for port 57
2003/01/15-15:37:43.49  68.38.241.157 ()  scannet for port 445
2003/01/15-18:13:50.16  211.107.32.149 ()  scannet for port 1433
2003/01/15-19:36:05.80  159.226.48.188 ()  scannet for port 21
2003/01/15-23:19:03.94  128.123.157.233 (srv-siebel-1.nmsu.edu)  scannet for ports 80,57
2003/01/16-00:47:39.19  206.49.217.46 ()  scannet for port 1433
2003/01/16-01:39:58.63  24.208.177.185 (dhcp024-208-177-185.columbus.rr.com)  try to ftp to 132.235.1.121
2003/01/16-03:33:50.77  140.112.42.18 (dcserver.ee.ntu.edu.tw)  scannet for port 80
2003/01/16-08:02:04.18  198.143.213.88 (MICROLAB INC, orlando, fl, us)  scannet for port 443
2003/01/16-08:02:32.60  81.48.27.58 (ACaen-105-1-7-58.abo.wanadoo.fr)  scannet for port 21
2003/01/16-08:34:13.81  80.95.2.172 (gdbc.net)  scannet for ports 445,139
2003/01/16-08:36:41.91  63.173.173.196 ()  scannet for port 139
2003/01/16-08:42:01.61  81.50.206.107 (AMontpellier-201-1-4-107.abo.wanadoo.fr)  scannet for port 1433, ICMP scan
2003/01/16-09:04:54.75  217.107.214.246 (CHARACTER NETWORK, MOSCOW, RU)  scannet for ports 1080,8080,80,3128
2003/01/16-10:37:38.52  209.100.0.127 ()  scannet for port 139
2003/01/16-11:09:04.22  200.43.47.102 ()  scannet for port 139
2003/01/16-11:09:26.13  64.219.115.225 ()  scannet for port 139
2003/01/16-11:16:25.44  200.67.224.200 ()  scannet for port 139
2003/01/16-11:34:42.06  194.184.23.27 (host27-23.pool194184.interbusiness.it)  scannet for ports 80,57,21
2003/01/16-11:48:05.18  80.201.218.146 ()  scannet for port 139
2003/01/16-11:53:37.86  202.88.173.51 ()  scannet for port 139
2003/01/16-12:14:49.31  217.128.1.248 (ACaen-105-1-3-248.abo.wanadoo.fr)  scannet for port 21
2003/01/16-13:33:06.19  81.0.35.51 ()  scannet for port 139
2003/01/16-13:33:36.91  193.254.35.180 ()  scannet for port 139
2003/01/16-14:03:31.35  80.135.188.182 ()  scannet for port 139
2003/01/16-14:25:41.07  145.53.245.19 ()  scannet for port 139
2003/01/16-14:30:44.75  200.67.77.224 ()  scannet for port 139
2003/01/16-16:18:21.01  148.240.20.69 ()  scannet for port 139
2003/01/16-16:53:28.58  66.196.8.77 ()  scannet for port 139
2003/01/16-17:53:43.71  148.245.244.227 ()  scannet for port 139
2003/01/16-18:37:12.21  81.102.253.72 ()  scannet for port 139
2003/01/16-19:07:43.98  80.235.22.34 (80-235-22-34-dsl.plus.estpak.ee)  scannet for port 1433
2003/01/16-19:21:36.10  80.235.22.34 ()  scannet for port 1433
2003/01/16-19:34:45.24  80.205.187.162 ()  scannet for port 139
2003/01/16-19:43:56.35  212.187.19.93 (c19093.upc-c.chello.nl)  scannet for port 1433
2003/01/16-21:00:25.82  24.100.231.251 (CPE3435393430373532.cpe.net.cable.rogers.com)  scannet for port 445 thru 23:23:41.23
2003/01/16-22:47:07.48  193.213.208.40 ()  scannet for port 80
2003/01/16-22:51:19.66  63.138.22.35 (CPE00e0188a84d1-CM008037863060.cpe.net.cable.rogers.com)  scannet for port 445 to 00:23:41.97
2003/01/16-22:51:19.66  63.138.22.35 (CPE00e0188a84d1-CM008037863060.cpe.net.cable.rogers.com)  probe 132.235.4.249 8100 times
2003/01/16-22:54:16.28  24.145.192.51 (user-0c93g1j.cable.mindspring.com)  scannet for port 445 thru 23:29:21.80
2003/01/17-02:58:48.66  61.8.227.115 ()  scannet for port 4899
2003/01/17-05:31:07.49  68.61.167.250 (pcp01124694pcs.frsrc101.mi.comcast.net)  scannet for ports 445,80
2003/01/17-14:06.00  (wmu-51-92.tm.net)  hacker login to condor acct with stolen passwd
2003/01/18-06:59:33.36  68.117.58.61 (c68.117.58.61.rose.mn.charter.com)  scannet for port 1433
2003/01/18-08:34:42.50  217.237.112.165 (pD9ED70A5.dip.t-dialin.net)  scannet for port 57
2003/01/18-09:44:33.54  24.42.165.38 (CPE013020005521.cpe.net.cable.rogers.com)  scannet for ports 445,80
2003/01/18-12:13:35.67  168.187.140.141 ()  scannet for port 31789
2003/01/18-12:22:07.07  203.241.120.95 ()  scannet for ports 445,139
2003/01/18-13:21:42.51  132.235.229.185 (dhcp-229-185.cns.ohiou.edu)  scannet for ports 524,445,139,137
2003/01/18-20:31:29.21  61.170.201.5 ()  scannet for ports 8080,80,8000
2003/01/18-21:18:33.48  211.160.161.68 ()  scannet for port 1433
2003/01/18-23:07:14.18  217.35.64.254 (host217-35-64-254.in-addr.btopenworld.com)  access hacker ftpd on FLATS1 w/ admin userid/passwd
2003/01/18-23:13:04.11  217.35.64.254 (host217-35-64-254.in-addr.btopenworld.com)
    1. ftp xdcc irc bot files to FLATS1
    2. channel #fuckin-xdcc server irc.quazie.net
    3. user_realname "Whois Me Again, and I'll Fucking Kill you."
2003/01/18-23:58:03.06  24.203.113.90 (modemcable090.113-203-24.mtl.mc.videotron.ca)  scannet for ports 445,139 thru 00:30:40.82
2003/01/19-01:39:34.63  67.34.51.146 (adsl-34-51-146.mia.bellsouth.net)  scannet for port 749
2003/01/19-03:49:24.31  24.122.16.226 (16-226.dr.cgocable.ca)  scannet for ports 445,80
2003/01/19-04:45:47.87  80.60.26.133 (ip503c1a85.speed.planet.nl)  scannet for ports 445,139,80 thru 05:59:50
2003/01/19-15:19:44.79  217.39.79.102 (host217-39-79-102.in-addr.btopenworld.com)  access hacker ftpd on FLATS1 ip w/ admin userid/passwd
2003/01/19-17:52:32.01  12.237.86.26 (12-237-86-26.client.attbi.com)  scannet for ports 80,445 thru 2003/01/20-05:59:56.82
2003/01/19-23:51:37.14  67.81.77.169 (ool-43514da9.dyn.optonline.net)  access hacker ftpd on FLATS1 w/ admin userid/passwd
2003/01/19-23:53.00  202.190.233.1 (SUNserv.obuda.kando.hu)  hacker login to condor acct with stolen passwd
2003/01/19-23:56.00  203.106.185.46 ()  hacker login to condor acct with stolen passwd
2003/01/19-23:56:47.89  193.224.41.132 (SUNserv.obuda.kando.hu)
    1. IRC PASS serafina NICK KoolDuke USER founder
    2. ftp to 202.99.11.79 (www.eictrading.com) login smp/warong99
    3. get root.c, psybncsun.tar
2003/01/21-03:08.00  202.190.233.1 (SUNserv.obuda.kando.hu)  hacker login to condor acct with stolen passwd
2003/01/21-03:12:17.22  202.190.233.1 ()  try to logon to 132.235.16.100 as root/warong99. Denied.
2003/01/22-16:59:58.52  216.8.129.159 (dyn216-8-129-159.ADSL.mnsi.net)  ftp to hacker ftpd on pc19.134
2003/01/23-06:07:07.86  202.99.11.79 ()  telnetd buff overflow attack on several ips
2003/01/28-13:52:05.23  217.57.8.100 (host100-8.pool21757.interbusiness.it)  start of long string of probes, buff overflow attacks to 14:06:10.21
2003/01/29-13:09:30.76  61.84.86.25 (Korea crap)  scan port 25, claim to have mail to and from china9988@21cn.com
2003/01/29-11:18:39.15  200.168.71.186 (200-168-71-186.terra.com.br)  send pc's windows pop msgs - spam