*SHORT* summary of some of the attacks against us for Oct. 2003

Just too many scans and not enough time to keep the list up all the time, so... some of the more interesting scans/attacks, or 1 day samples, are here.

year - time EASTERN source_ip[:port] (dns name, if any) attack/scan/notes

2003/10/04-06:18:15.57 203.232.108.6 (Sunghwa College,CHONNAM,KR) telnet buffer overflow attack on topdog, probe port 111
2003/10/04-06:09:09.30 210.187.192.59 (as-192-59.tm.net.my) finger 123@topdog, telnet to topdog using user/pass of qutoa150/quota150 (sys acct)
2003/10/03-14:04:33.37 213.249.185.85 (adsl.213-249-185-85.karoo.KCOM.COM) scan net for sql server, try to login as root
2003/10/03-14:33:25.61 200.207.10.181 (200-207-10-181.dsl.telesp.net.br) scan net for ports 80,21,57
2003/10/05-13:59:49.27 148.223.73.206 (customer-148-223-73-206.uninet.net.mx) attack sql servers on net guessing passwords
2003/10/05-16:10:00.97 195.240.127.80 (Tiscali BV (ISP), Tiscali Netherlands) attack sql servers on net trying to login as root
2003/10/05-17:00:03.48 67.85.187.144 (ool-4355bb90.dyn.optonline.net) attack sql servers on net trying to login as root, admin
2003/10/07-09:56:41.31 210.187.192.70 (as-192-70.tm.net.my) finger 123@topdog, try to logon to system acct w/null passwd, try buff overflow attack on telnet
2003/10/07-09:55:12.13 210.63.130.97 (Micro Idea Instruments Co.,Taiwan) scan net for port 111, buff overflow attack via telnet
2003/10/07-09:57:12.82 203.232.108.6 (Sunghwa College.KR) telnet buff overflow attack
2003/10/15-02:59:42 61.155.123.14 (CHINANET jiangsu province network) probe odd05 via aftp user test 40 times til 03:04:38
2003/10/15-03:07:12 61.155.117.4 (CHINANET jiangsu province network) probe odd05 via aftp user test 140 times til 03:21:30
2003/10/13-11:55:30.07 194.93.79.140 (Netwing EDV-Dienstleistungs GmbH,AT) pound on sql servers - 10117 connections thru 12:09:12.46
2003/10/21-09:54:59.70 63.238.60.3 (LMU EZWORKS,FREMONT,OH,US) scan net for port 111
2003/10/21-12:11:55.35 207.230.17.3 (The Planet Group,Naperville,IL,US) scan net for sql server, attack
2003/10/23-03:48:40.66 61.11.26.142 (DISHNET,Nungambakkam,CHENNAI,IN) 1. attack goose via web server.
2003/10/23-03:48:40.66 61.11.26.142 (DISHNET,Nungambakkam,CHENNAI,IN) 2. ftp to 158.121.130.59 usr dump pass up get system.exe and system.dll (ftpd)
2003/10/23-03:48:40.66 61.11.26.142 (DISHNET,Nungambakkam,CHENNAI,IN) 3. put files nc.exe, httpodbc.dll, FTPloogger.exe, INFO.EXE, kill.exe, list.exe, NewDay.exe, ocrpsalkzv3.dll, OnDirCreated.exe, OnDirDeleted.exe, root.exe, ServuEvent.dll, ServUEvent.ini
2003/10/23-06:06:50.18 216.139.138.130 (New York Connect,NY,NY,USA) pound on sql servers till 22:48:57.16 78017 times.
2003/10/30-08:49:07.71 216.64.135.63 (GST TelecomVancouver,WA,US) ftp to ace as roo/lOser, demo/demo
2003/10/29-17:20:33.76 195.120.10.5 (Data Port s.r.l,IT) pound on IIS server with default user 'SA' passwd attack thru 05:56:11.62 next day 180217 connections