OSEC

Subject: Some stats of events
From: Henri J. Schlereth (henrisBGA.COM)
Date: Mon Jul 10 2000 - 06:52:04 CDT


While I am aware that people have differing criteria on what
constitutes an "intrusion", here's mine:

I have a 4 hour IP (dynamic dial-up, 56K modem), I provide
no external services, and only two people I know ever
connect to me from the outside on rare occasions. Anything
else can be considered accidents, probes, intrusions
but they will be logged.

Really, I am just a nobody on a modem line, this is way
too persistent behavior to just be "accidents", especially
since last year I had only 4.

The listing for portmap reflects rpcinfo -p dumps.

All errors are mine, of course. Enjoy.

Henri

Intrusion Log Book

Date Time IP CC US type port
**-**-**** 23:59:59 XXX.XXX.XXX.XXX br ca ******* XXX

10-15-1999 08:35:22 192.45.82.251 ca login 513
11-06-1999 12:30:01 204.29.160.17 fl portmap 111
11-17-1999 01:16:39 195.210.100.199 it portmap 111
11-19-1999 04:43:00 131.123.98.92 oh portmap 111

Total: 4 (YTD)

01-04-2000 17:27:02 210.105.42.91 kr portmap 111
01-04-2000 17:27:05 210.105.42.91 kr telnet 23
01-05-2000 19:28:45 210.105.42.91 kr portmap 111
01-05-2000 19:28:46 210.105.42.91 kr telnet 23
01-13-2000 21:40:38 210.104.236.196 kr telnet 23
01-13-2000 21:40:39 210.104.236.196 kr portmap 111
01-14-2000 19:36:06 206.107.248.20 az portmap 111
01-19-2000 06:47:45 210.91.106.220 kr portmap 111
01-26-2000 07:52:24 149.170.199.144 uk portmap 111

Total: 9

02-10-2000 22:46:12 24.30.24.207 mi imap 143
02-13-2000 12:53:55 205.238.142.59 tx portmap 111
02-13-2000 18:28:24 209.41.91.18 tx portmap 111
02-25-2000 03:18:02 194.77.138.18 de portmap 111
02-28-2000 19:56:15 212.36.1.178 bg ftp 21

Total: 5

03-04-2000 05:46:52 130.118.46.74 ca portmap 111
03-05-2000 05:07:24 207.246.86.18 ky telnet 23
03-06-2000 06:20:20 129.11.69.109 uk pop2 109
03-19-2000 12:50:55 200.196.82.234 br portmap 111
03-22-2000 17:02:45 207.172.211.45 va imap 143

Total: 5

04-03-2000 01:38:46 200.47.62.41 ar portmap 111
04-16-2000 07:24:28 209.86.158.8 ga ftp 21
04-14-2000 14:05:46 194.168.237.218 uk nntp 119
04-19-2000 00:54:02 205.244.34.51 do BO 31337
04-20-2000 15:32:36 194.168.63.54 uk nntp 119
04-23-2000 11:14:15 194.168.59.119 uk nntp 119
04-28-2000 21:10:16 209.203.228.237 wa portmap 111

Total: 7

05-05-2000 19:12:33 192.231.29.12 ms portmap 111
05-05-2000 19:12:42 192.231.29.12 ms telnet 23
05-13-2000 13:18:21 195.217.161.181 uk nntp 119
05-13-2000 20:06:49 210.216.154.135 kr imap 143
05-21-2000 21:36:04 210.220.201.100 kr portmap 111
05-21-2000 21:36:06 210.220.201.100 kr ftp 21
05-30-2000 08:54:21 210.112.192.74 kr sp 98
(sp= syn probe)

Total: 7

06-03-2000 10:11:50 62.155.162.143 de nntp 119
06-03-2000 17:01:25 212.41.49.63 uk nntp 119
06-06-2000 01:23:12 205.178.30.17 ca socks 1080
06-09-2000 16:31:28 216.87.144.2 tx sp 98
06-11-2000 02:18:00 172.163.135.37(AOL) va sp 139
06-11-2000 11:37:54 172.165.94.219(AOL) va sp 139
06-11-2000 11:43:45 172.165.94.219(AOL) va sp 139
06-11-2000 12:02:08 172.163.98.77(AOL) va sp 139
06-11-2000 12:34:11 172.163.98.77(AOL) va sp 139
06-13-2000 04:01:43 206.54.51.20 ca ftp 21
06-15-2000 04:12:33 207.218.207.86 tx nntp 119
06-18-2000 21:17:39 200.243.205.3 br sp 2583
06-18-2000 21:17:39 200.243.205.3 br NetBus 12345
06-18-2000 21:17:39 200.243.205.3 br NetBus 123466
06-18-2000 20:07:38 210.217.24.1 kr sp-ingreslock 4851
06-24-2000 22:45:58 193.145.133.202 es imap 143
06-25-2000 20:05:08 210.99.142.122 kr sp 98
06-28-2000 03:09:59 207.218.220.54 tx nntp 119
06-28-2000 15:50:27 210.99.142.122 kr sp 4706

Total: 19

07-02-2000 04:51:36 212.65.5.143 nl nntp 119
07-04-2000 16:35:32 64.7.7.222 ny telnet 23
07-04-2000 17:30:35 210.225.130.135 jp ftp 21
07-04-2000 18:39:57 63.216.196.88 ca domain 53
07-05-2000 04:27:52 209.55.69.98 ca portmap 111
07-05-2000 20:56:51 210.225.135.222 jp ftp 21
07-06-2000 11:23:06 212.41.222.118 it FakeBO 80
07-07-2000 16:34:08 208.58.215.121 va asp 27374
07-08-2000 04:09:06 62.158.195.2 de nntp 119
07-09-2000 20:12:24 211.36.42.222 kr portmap 111

Total: 10
YTD: 52
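
An added example, not part of the original post: a Python parser for the log layout above that sets aside entries whose port is out of range, tallies events per month, and reports sources that touched more than one port within a short window. The sample lines are constructed (documentation addresses), and the function names and 60-second window are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the post's log layout (RFC 5737 documentation addresses).
SAMPLE = """\
01-04-2000 17:27:02 192.0.2.91 kr portmap 111
01-04-2000 17:27:05 192.0.2.91 kr telnet 23
01-14-2000 19:36:06 198.51.100.20 az portmap 111
06-11-2000 11:37:54 203.0.113.219(AOL) va sp 139
06-11-2000 11:43:45 203.0.113.219(AOL) va sp 139
06-18-2000 21:17:39 198.51.100.3 br NetBus 12345
06-18-2000 21:17:39 198.51.100.3 br NetBus 123466
Total: 7
"""

LINE = re.compile(
    r"^(\d{2}-\d{2}-\d{4}) (\d{2}:\d{2}:\d{2}) "
    r"(\d{1,3}(?:\.\d{1,3}){3})(?:\((\w+)\))? (\S+) (\S+) (\d+)$"
)

def parse(text):
    """Return (entries, rejects); non-log lines such as 'Total: 7' are skipped."""
    entries, rejects = [], []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        date, time, ip, note, region, kind, port = m.groups()
        rec = {"when": datetime.strptime(f"{date} {time}", "%m-%d-%Y %H:%M:%S"),
               "ip": ip, "note": note, "region": region, "type": kind, "port": int(port)}
        # A port outside 1..65535 cannot be a real TCP/UDP port: hold it for manual review.
        (entries if 1 <= rec["port"] <= 65535 else rejects).append(rec)
    return entries, rejects

def monthly_totals(entries):
    return Counter(e["when"].strftime("%Y-%m") for e in entries)

def sweeps(entries, window=timedelta(seconds=60)):
    """Sources that touched two or more distinct ports within `window`."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    found = {}
    for ip, evs in by_ip.items():
        ports = {b["port"] for a in evs for b in evs
                 if abs(b["when"] - a["when"]) <= window and a["port"] != b["port"]}
        if ports:
            found[ip] = sorted(ports)
    return found
```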