Security Incidents mailing list archives
Some stats of events
From: henris () BGA COM (Henri J. Schlereth)
Date: Mon, 10 Jul 2000 06:52:04 -0500
While I am aware that people have differing criteria on what constitutes an "intrusion", here's mine: I have a 4 hour IP (dynamic dial-up, 56K modem), I provide no external services, and only two people I know ever connect to me from the outside on rare occasions. Anything else can be considered accidents, probes, intrusions but they will be logged.

Really, I am just a nobody on a modem line, this is way too persistent behavior to just be "accidents", especially since last year I had only 4. The listing for portmap reflects rpcinfo -p dumps. All errors are mine, of course.

Enjoy.

Henri

Intrusion Log Book

Date        Time      IP                    CC US  type           port
**-**-****  23:59:59  XXX.XXX.XXX.XXX       br ca  *******        XXX

10-15-1999  08:35:22  192.45.82.251         ca     login          513
11-06-1999  12:30:01  204.29.160.17         fl     portmap        111
11-17-1999  01:16:39  195.210.100.199       it     portmap        111
11-19-1999  04:43:00  131.123.98.92         oh     portmap        111
Total: 4 (YTD)

01-04-2000  17:27:02  210.105.42.91         kr     portmap        111
01-04-2000  17:27:05  210.105.42.91         kr     telnet         23
01-05-2000  19:28:45  210.105.42.91         kr     portmap        111
01-05-2000  19:28:46  210.105.42.91         kr     telnet         23
01-13-2000  21:40:38  210.104.236.196       kr     telnet         23
01-13-2000  21:40:39  210.104.236.196       kr     portmap        111
01-14-2000  19:36:06  206.107.248.20        az     portmap        111
01-19-2000  06:47:45  210.91.106.220        kr     portmap        111
01-26-2000  07:52:24  149.170.199.144       uk     portmap        111
Total: 9

02-10-2000  22:46:12  24.30.24.207          mi     imap           143
02-13-2000  12:53:55  205.238.142.59        tx     portmap        111
02-13-2000  18:28:24  209.41.91.18          tx     portmap        111
02-25-2000  03:18:02  194.77.138.18         de     portmap        111
02-28-2000  19:56:15  212.36.1.178          bg     ftp            21
Total: 5

03-04-2000  05:46:52  130.118.46.74         ca     portmap        111
03-05-2000  05:07:24  207.246.86.18         ky     telnet         23
03-06-2000  06:20:20  129.11.69.109         uk     pop2           109
03-19-2000  12:50:55  200.196.82.234        br     portmap        111
03-22-2000  17:02:45  207.172.211.45        va     imap           143
Total: 5

04-03-2000  01:38:46  200.47.62.41          ar     portmap        111
04-16-2000  07:24:28  209.86.158.8          ga     ftp            21
04-14-2000  14:05:46  194.168.237.218       uk     nntp           119
04-19-2000  00:54:02  205.244.34.51         do     BO             31337
04-20-2000  15:32:36  194.168.63.54         uk     nntp           119
04-23-2000  11:14:15  194.168.59.119        uk     nntp           119
04-28-2000  21:10:16  209.203.228.237       wa     portmap        111
Total: 7

05-05-2000  19:12:33  192.231.29.12         ms     portmap        111
05-05-2000  19:12:42  192.231.29.12         ms     telnet         23
05-13-2000  13:18:21  195.217.161.181       uk     nntp           119
05-13-2000  20:06:49  210.216.154.135       kr     imap           143
05-21-2000  21:36:04  210.220.201.100       kr     portmap        111
05-21-2000  21:36:06  210.220.201.100       kr     ftp            21
05-30-2000  08:54:21  210.112.192.74        kr     sp             98     (sp= syn probe)
Total: 7

06-03-2000  10:11:50  62.155.162.143        de     nntp           119
06-03-2000  17:01:25  212.41.49.63          uk     nntp           119
06-06-2000  01:23:12  205.178.30.17         ca     socks          1080
06-09-2000  16:31:28  216.87.144.2          tx     sp             98
06-11-2000  02:18:00  172.163.135.37(AOL)   va     sp             139
06-11-2000  11:37:54  172.165.94.219(AOL)   va     sp             139
06-11-2000  11:43:45  172.165.94.219(AOL)   va     sp             139
06-11-2000  12:02:08  172.163.98.77(AOL)    va     sp             139
06-11-2000  12:34:11  172.163.98.77(AOL)    va     sp             139
06-13-2000  04:01:43  206.54.51.20          ca     ftp            21
06-15-2000  04:12:33  207.218.207.86        tx     nntp           119
06-18-2000  21:17:39  200.243.205.3         br     sp             2583
06-18-2000  21:17:39  200.243.205.3         br     NetBus         12345
06-18-2000  21:17:39  200.243.205.3         br     NetBus         123466
06-18-2000  20:07:38  210.217.24.1          kr     sp-ingreslock  4851
06-24-2000  22:45:58  193.145.133.202       es     imap           143
06-25-2000  20:05:08  210.99.142.122        kr     sp             98
06-28-2000  03:09:59  207.218.220.54        tx     nntp           119
06-28-2000  15:50:27  210.99.142.122        kr     sp             4706
Total: 19

07-02-2000  04:51:36  212.65.5.143          nl     nntp           119
07-04-2000  16:35:32  64.7.7.222            ny     telnet         23
07-04-2000  17:30:35  210.225.130.135       jp     ftp            21
07-04-2000  18:39:57  63.216.196.88         ca     domain         53
07-05-2000  04:27:52  209.55.69.98          ca     portmap        111
07-05-2000  20:56:51  210.225.135.222       jp     ftp            21
07-06-2000  11:23:06  212.41.222.118        it     FakeBO         80
07-07-2000  16:34:08  208.58.215.121        va     asp            27374
07-08-2000  04:09:06  62.158.195.2          de     nntp           119
07-09-2000  20:12:24  211.36.42.222         kr     portmap        111
Total: 10

YTD: 52
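An added example, not part of the original post: a Python sketch that parses rows in the log book's layout, sets aside entries whose port falls outside 1-65535, totals events per month and lists sources that touched two or more ports within a short window. The sample rows are constructed with documentation addresses; the function names and the 60-second window are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the log book's layout (documentation addresses, not rows from the post).
SAMPLE = """\
01-04-2000 17:27:02 192.0.2.91 kr portmap 111
01-04-2000 17:27:05 192.0.2.91 kr telnet 23
Total: 2
06-11-2000 02:18:00 203.0.113.37(AOL) va sp 139
06-18-2000 21:17:39 203.0.113.3 br NetBus 12345
06-18-2000 21:17:39 203.0.113.3 br NetBus 123466
Total: 3
"""

ROW = re.compile(
    r"^(\d\d-\d\d-\d{4} \d\d:\d\d:\d\d)\s+"      # date and time
    r"(\d{1,3}(?:\.\d{1,3}){3})(?:\(\w+\))?\s+"  # IP, optional "(AOL)" style tag
    r"(\w\w)\s+(\S+)\s+(\d+)"                    # country/state code, type, port
)

def parse(text):
    """Return (events, rejects); header and 'Total:' lines are skipped."""
    events, rejects = [], []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S")
        port = int(m.group(5))
        rec = (when, m.group(2), m.group(3), m.group(4), port)
        (events if 0 < port <= 65535 else rejects).append(rec)
    return events, rejects

def monthly_totals(events):
    return Counter(e[0].strftime("%Y-%m") for e in events)

def sweeps(events, window=timedelta(seconds=60)):  # 60 s window is an assumption
    """Sources that touched two or more distinct ports within `window` of their first hit."""
    by_src = defaultdict(list)
    for when, ip, _cc, _type, port in events:
        by_src[ip].append((when, port))
    out = {}
    for ip, hits in by_src.items():
        hits.sort()
        ports = {p for t, p in hits if t - hits[0][0] <= window}
        if len(ports) >= 2:
            out[ip] = sorted(ports)
    return out
```
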