Analysis of Snort Alert Log
for the
Project HoneyNet
Scan of the Month #17 (July, 2001)
By Ted Hale ted@tni.net


Nov 2 03:10:09 ids snort[4636]: IDS128 - CVE-1999-0067 - CGI phf attempt: 62.98.12.116:4406 -> 172.16.1.107:80
1 - CGI/PHF attack       This ancient attack exploits a vulnerable CGI script (phf) to execute arbitrary commands on the web server.
           http://www.nmrc.org/faqs/hackfaq/hackfaq-8.html
           http://www.whitehats.com/info/IDS128


Nov 2 05:30:37 ids snort[4636]: IDS128 - CVE-1999-0067 - CGI phf attempt: 62.98.14.40:1402 -> 172.16.1.107:80
2 - CGI/PHF attack      once more from another IP.


Nov 3 01:39:01 ids snort[5031]: IDS13 - RPC - portmap-request-mountd: 64.229.250.79:640 -> 172.16.1.107:111
Nov 3 01:39:01 ids snort[5031]: IDS13 - RPC - portmap-request-mountd: 64.229.250.79:641 -> 172.16.1.107:111
Nov 3 01:39:18 ids snort[5031]: IDS13 - RPC - portmap-request-mountd: 64.229.250.79:642 -> 172.16.1.107:111
Nov 3 01:39:18 ids snort[5031]: IDS13 - RPC - portmap-request-mountd: 64.229.250.79:645 -> 172.16.1.107:111
Nov 3 01:39:30 ids snort[5031]: IDS13 - RPC - portmap-request-mountd: 64.229.250.79:656 -> 172.16.1.107:111
Nov 3 01:39:30 ids snort[5031]: IDS13 - RPC - portmap-request-mountd: 64.229.250.79:657 -> 172.16.1.107:111
3 - Portmap/NFS query       Queries system for info on NFS. May be followed by a rpc.mountd overflow exploit.
           http://www.whitehats.com/info/IDS13


Nov 4 18:25:59 ids snort[5240]: spp_portscan: PORTSCAN DETECTED from 203.59.72.172 (STEALTH)
Nov 4 18:25:59 ids snort[5240]: SCAN-SYN FIN: 203.59.72.172:21 -> 172.16.1.103:21
Nov 4 18:25:59 ids snort[5240]: SCAN-SYN FIN: 203.59.72.172:21 -> 172.16.1.101:21
Nov 4 18:25:59 ids snort[5240]: SCAN-SYN FIN: 203.59.72.172:21 -> 172.16.1.102:21
Nov 4 18:25:59 ids snort[5240]: SCAN-SYN FIN: 203.59.72.172:21 -> 172.16.1.105:21
Nov 4 18:25:59 ids snort[5240]: SCAN-SYN FIN: 203.59.72.172:21 -> 172.16.1.104:21
Nov 4 18:25:59 ids snort[5240]: SCAN-SYN FIN: 203.59.72.172:21 -> 172.16.1.106:21
Nov 4 18:25:59 ids snort[5240]: SCAN-SYN FIN: 203.59.72.172:21 -> 172.16.1.107:21
Nov 4 18:25:59 ids snort[5240]: SCAN-SYN FIN: 203.59.72.172:21 -> 172.16.1.108:21
Nov 4 18:25:59 ids snort[5240]: SCAN-SYN FIN: 203.59.72.172:21 -> 172.16.1.109:21
Nov 4 18:26:17 ids snort[5240]: spp_portscan: portscan status from 203.59.72.172: 11 connections across 9 hosts: TCP(11), UDP(0) STEALTH
Nov 4 18:26:33 ids snort[5240]: spp_portscan: End of portscan from 203.59.72.172: TOTAL time(2s) hosts(9) TCP(11) UDP(0) STEALTH
4 - Stealth (syn/fin) port scan       This scan is looking for FTP servers, port 21. The program nmap is commonly used for syn/fin stealth scanning.  http://www.insecure.org/nmap/press/2600_network_scanning_with_nmap.txt
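As an added illustration (not part of the original analysis or of Snort), the following Python code shows what the SCAN-SYN FIN signature keys on: a TCP segment with both SYN and FIN set is one no real stack ever sends, so a source that sends such segments to several hosts can be flagged the same way spp_portscan's "connections across N hosts" summary does. The sample traffic is constructed to mirror scan #4 above (203.59.72.172 sweeping port 21 on nine hosts); the benign host 10.0.0.5 is an assumed address.

```python
import struct
from collections import defaultdict

# TCP flag bits in the byte at offset 13 of the header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_segment(sport, dport, flags):
    """Constructed 20-byte TCP header carrying only the fields this check needs
    (sequence, ack, window, checksum and urgent pointer are zeroed)."""
    offset_and_flags = (5 << 12) | flags      # data offset = 5 words, reserved bits clear
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_and_flags, 0, 0, 0)


def tcp_flags(segment):
    """Extract the six classic flag bits from a raw TCP segment (header at offset 0)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & 0x3F


def classify_flags(flags):
    """Name the stealth-probe type a flag combination implies, or None for a legal one.
    A conforming TCP stack never sets SYN and FIN together (open and close in one
    segment); NULL and XMAS are the other impossible combinations nmap's stealth
    scan modes rely on to elicit a reply without completing a handshake."""
    if flags & SYN and flags & FIN:
        return "SYN/FIN"
    if flags == 0:
        return "NULL"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "XMAS"
    return None


def detect_stealth_scans(packets, host_threshold=5):
    """packets: iterable of (src_ip, dst_ip, raw_tcp_segment).
    Group anomalous-flag probes by source and report every source that touched at
    least host_threshold distinct hosts, with the ports and probe kinds it used."""
    probes = defaultdict(lambda: {"hosts": set(), "ports": set(), "kinds": set()})
    for src, dst, seg in packets:
        kind = classify_flags(tcp_flags(seg))
        if kind is None:
            continue                      # ordinary SYN/ACK/etc.: not a stealth probe
        entry = probes[src]
        entry["hosts"].add(dst)
        entry["ports"].add(struct.unpack("!H", seg[2:4])[0])   # destination port
        entry["kinds"].add(kind)
    return {src: {"hosts": len(e["hosts"]), "ports": sorted(e["ports"]), "kinds": sorted(e["kinds"])}
            for src, e in probes.items() if len(e["hosts"]) >= host_threshold}


def sample_packets():
    """Constructed traffic modelled on scan #4 above: one source sweeps port 21 on
    nine hosts with SYN/FIN set, while an assumed benign host (10.0.0.5) opens a
    normal connection to the web server."""
    pkts = [("203.59.72.172", f"172.16.1.{n}", build_segment(21, 21, SYN | FIN))
            for n in range(101, 110)]
    pkts.append(("10.0.0.5", "172.16.1.107", build_segment(40000, 80, SYN)))
    pkts.append(("10.0.0.5", "172.16.1.107", build_segment(40000, 80, ACK)))
    return pkts


if __name__ == "__main__":
    for src, info in detect_stealth_scans(sample_packets()).items():
        print(f"{src}: {', '.join(info['kinds'])} probes to {info['hosts']} hosts, ports {info['ports']}")
```

The source port equal to the destination port (21 -> 21 in the log) is another artifact of crafted packets rather than a normal client stack, and would make a reasonable secondary check on top of the flag test.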


Nov 4 22:29:45 ids snort[5240]: RPC Info Query: 24.69.66.75:738 -> 172.16.1.107:111
Nov 4 22:30:41 ids snort[5240]: IDS15 - RPC - portmap-request-status: 24.69.66.75:851 -> 172.16.1.107:111
Nov 4 22:30:41 ids snort[5240]: IDS362 - MISC - Shellcode X86 NOPS-UDP: 24.69.66.75:852 -> 172.16.1.107:949
5 - Portmap status request and buffer overflow exploit       Attacker requests port info and then sends a buffer overflow to the requested service.
           http://www.whitehats.com/info/IDS362
           http://project.honeynet.org/scans/scan13/luckstatdx.c is a possible exploit.


Nov 5 09:52:07 ids snort[6147]: IDS152 - PING BSD: 207.239.115.11 -> 172.16.1.101
Nov 5 09:52:08 ids snort[6147]: IDS152 - PING BSD: 207.239.115.11 -> 172.16.1.101
Nov 5 09:52:09 ids snort[6147]: IDS152 - PING BSD: 207.239.115.11 -> 172.16.1.101
Nov 5 09:52:40 ids snort[6147]: IDS08 - TELNET - daemon-active: 172.16.1.101:23 -> 207.239.115.11:1270
6 - Ping and a telnet attempt       Attacker pings to see if host is online, then attempts to telnet to host. The telnet response string can provide useful info such as system type and version. This black hat returns on Nov. 30.


Nov 5 11:54:40 ids snort[6147]: spp_portscan: PORTSCAN DETECTED from 202.114.208.160 (THRESHOLD 5 connections exceeded in 0 seconds)
Nov 5 11:57:15 ids snort[6147]: spp_portscan: portscan status from 202.114.208.160: 9 connections across 9 hosts: TCP(9), UDP(0)
Nov 5 11:57:33 ids snort[6147]: spp_portscan: End of portscan from 202.114.208.160: TOTAL time(0s) hosts(9) TCP(9) UDP(0)
7 - Port scan       The ports scanned are unknown, since they aren't reported here and don't show up in the firewall log.


Nov 6 16:44:14 ids snort[237]: spp_portscan: PORTSCAN DETECTED from 61.129.65.42 (STEALTH)
Nov 6 16:44:14 ids snort[237]: SCAN-SYN FIN: 61.129.65.42:111 -> 172.16.1.102:111
Nov 6 16:44:14 ids snort[237]: SCAN-SYN FIN: 61.129.65.42:111 -> 172.16.1.103:111
Nov 6 16:44:14 ids snort[237]: SCAN-SYN FIN: 61.129.65.42:111 -> 172.16.1.104:111
Nov 6 16:44:14 ids snort[237]: SCAN-SYN FIN: 61.129.65.42:111 -> 172.16.1.105:111
Nov 6 16:44:14 ids snort[237]: SCAN-SYN FIN: 61.129.65.42:111 -> 172.16.1.107:111
Nov 6 16:44:14 ids snort[237]: SCAN-SYN FIN: 61.129.65.42:111 -> 172.16.1.108:111
Nov 6 16:44:14 ids snort[237]: SCAN-SYN FIN: 61.129.65.42:111 -> 172.16.1.109:111
Nov 6 16:44:19 ids snort[237]: RPC Info Query: 61.129.65.42:777 -> 172.16.1.107:111
Nov 6 16:44:36 ids snort[237]: spp_portscan: portscan status from 61.129.65.42: 8 connections across 7 hosts: TCP(8), UDP(0) STEALTH
Nov 6 16:44:52 ids snort[237]: spp_portscan: End of portscan from 61.129.65.42: TOTAL time(4s) hosts(7) TCP(8) UDP(0) STEALTH
8 - Stealth (syn/fin) port scan and an RPC Info query       Scan is looking for portmap. One is found and then queried.


Nov 6 17:02:50 ids snort[237]: spp_portscan: PORTSCAN DETECTED from 62.98.45.141 (STEALTH)
Nov 6 17:02:50 ids snort[237]: SCAN-SYN FIN: 62.98.45.141:111 -> 172.16.1.101:111
Nov 6 17:02:50 ids snort[237]: SCAN-SYN FIN: 62.98.45.141:111 -> 172.16.1.102:111
Nov 6 17:02:50 ids snort[237]: SCAN-SYN FIN: 62.98.45.141:111 -> 172.16.1.103:111
Nov 6 17:02:50 ids snort[237]: SCAN-SYN FIN: 62.98.45.141:111 -> 172.16.1.104:111
Nov 6 17:02:50 ids snort[237]: SCAN-SYN FIN: 62.98.45.141:111 -> 172.16.1.105:111
Nov 6 17:02:50 ids snort[237]: SCAN-SYN FIN: 62.98.45.141:111 -> 172.16.1.106:111
Nov 6 17:02:50 ids snort[237]: SCAN-SYN FIN: 62.98.45.141:111 -> 172.16.1.107:111
Nov 6 17:02:50 ids snort[237]: SCAN-SYN FIN: 62.98.45.141:111 -> 172.16.1.108:111
Nov 6 17:02:50 ids snort[237]: SCAN-SYN FIN: 62.98.45.141:111 -> 172.16.1.109:111
Nov 6 17:02:55 ids snort[237]: RPC Info Query: 62.98.45.141:816 -> 172.16.1.101:111
Nov 6 17:02:58 ids snort[237]: RPC Info Query: 62.98.45.141:826 -> 172.16.1.107:111
Nov 6 17:06:38 ids snort[237]: spp_portscan: portscan status from 62.98.45.141: 11 connections across 9 hosts: TCP(11), UDP(0) STEALTH
Nov 6 17:06:53 ids snort[237]: spp_portscan: End of portscan from 62.98.45.141: TOTAL time(8s) hosts(9) TCP(11) UDP(0) STEALTH
9 - Stealth (syn/fin) port scan and an RPC Info query       Same as #8 above, but this one found both the Linux and Sun boxes.  This scan could be accomplished with a script that uses nmap to do the stealth scan to find portmap and then uses a program like http://packetstormsecurity.org/UNIX/scanners/amdscan.c to find automount (or some other service).


Nov 6 20:34:00 ids snort[237]: IDS13 - RPC - portmap-request-mountd: 212.129.5.218:822 -> 172.16.1.107:111
Nov 6 20:34:01 ids snort[237]: IDS13 - RPC - portmap-request-mountd: 212.129.5.218:823 -> 172.16.1.107:111
10 - Mountd requests.       Possibly looking for NFS to exploit.


Nov 7 23:06:47 ids snort[1260]: spp_portscan: PORTSCAN DETECTED from 216.216.74.2 (THRESHOLD 5 connections exceeded in 0 seconds)
Nov 7 23:11:04 ids snort[1260]: spp_portscan: portscan status from 216.216.74.2: 9 connections across 9 hosts: TCP(9), UDP(0)
Nov 7 23:11:05 ids snort[1260]: RPC Info Query: 216.216.74.2:962 -> 172.16.1.101:111
Nov 7 23:11:06 ids snort[1260]: RPC Info Query: 216.216.74.2:963 -> 172.16.1.107:111
Nov 7 23:11:31 ids snort[1260]: spp_portscan: portscan status from 216.216.74.2: 2 connections across 1 hosts: TCP(2), UDP(0)
Nov 7 23:11:31 ids snort[1260]: IDS08 - TELNET - daemon-active: 172.16.1.101:23 -> 216.216.74.2:1209
Nov 7 23:11:34 ids snort[1260]: IDS08 - TELNET - daemon-active: 172.16.1.101:23 -> 216.216.74.2:1210
Nov 7 23:11:47 ids snort[1260]: spp_portscan: portscan status from 216.216.74.2: 2 connections across 2 hosts: TCP(2), UDP(0)
Nov 7 23:11:51 ids snort[1260]: IDS15 - RPC - portmap-request-status: 216.216.74.2:709 -> 172.16.1.107:111
Nov 7 23:11:51 ids snort[1260]: IDS362 - MISC - Shellcode X86 NOPS-UDP: 216.216.74.2:710 -> 172.16.1.107:871
Nov 7 23:12:03 ids snort[1260]: spp_portscan: portscan status from 216.216.74.2: 2 connections across 1 hosts: TCP(0), UDP(2)
Nov 7 23:12:23 ids snort[1260]: spp_portscan: portscan status from 216.216.74.2: 1 connections across 1 hosts: TCP(1), UDP(0)
Nov 7 23:12:47 ids snort[1260]: spp_portscan: End of portscan from 216.216.74.2: TOTAL time(324s) hosts(10) TCP(14) UDP(2)
11 - Scan for portmap, RPC query, Telnet attempt, Buffer overflow exploit.       All this occurred in less than 60 seconds. This has to be an automated attack.  A mountd scanner can be found here: http://packetstormsecurity.org/new-exploits/mountdscan.c   Notice that both the Sun and Linux systems got an RPC query, but only the Linux system gets the exploit.   A mountd exploit for Linux can be found here: http://packetstormsecurity.org/new-exploits/rpc.mountd.c


Nov 9 22:14:48 ids snort[2197]: spp_portscan: PORTSCAN DETECTED from 24.25.74.35 (THRESHOLD 5 connections exceeded in 0 seconds)
Nov 9 22:15:07 ids snort[2197]: spp_portscan: portscan status from 24.25.74.35: 8 connections across 8 hosts: TCP(0), UDP(8)
Nov 9 22:15:23 ids snort[2197]: spp_portscan: End of portscan from 24.25.74.35: TOTAL time(0s) hosts(8) TCP(0) UDP(8)
12 - Port scan       another scan of unknown ports.


Nov 11 21:25:06 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:12 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:21 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:26 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:32 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:36 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:41 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:47 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:51 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:56 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:26:02 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:26:07 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:12 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:17 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:22 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:27 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:32 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:37 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:42 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:47 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:52 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:57 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:27:02 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:636 -> 172.16.1.107:111
13 - Portmap mountd requests       every five seconds for two minutes.
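Two patterns in the entries above are worth automating rather than reading by eye: the recon-then-exploit chain of #5 and #11 (RPC query, portmap request, then a shellcode alert from the same source within a minute or so), and the metronomic repetition of #13 (the same mountd request every five seconds), which is the fingerprint of a scripted loop rather than a person. The Python below is an added example, not part of the original analysis or of Snort: it parses the syslog-wrapped Snort alert format used in this log and implements both checks. The sample lines are copied from the log above; the recon and exploit marker substrings are taken from the signature names that appear in it, and the year 2000 is an assumption, since syslog timestamps omit the year.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Syslog-wrapped Snort 1.x alert line: "<Mon> <day> <HH:MM:SS> <host> snort[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                     r"\S+ snort\[\d+\]: (?P<msg>.*)$")
# Signature alerts end in "src[:sport] -> dst[:dport]"; ICMP alerts carry no ports.
ADDR_RE = re.compile(r"^(?P<sig>.+?): (?P<src>\d+(?:\.\d+){3})(?::\d+)? -> "
                     r"(?P<dst>\d+(?:\.\d+){3})(?::\d+)?$")
# spp_portscan preprocessor lines name the scanner after "from".
SCAN_RE = re.compile(r"^spp_portscan: (?P<what>.+?) from (?P<src>\d+(?:\.\d+){3})")

# Substrings of the signature names in this log that mark recon vs. an exploit attempt.
RECON_MARKERS = ("PORTSCAN DETECTED", "RPC Info Query", "portmap-request", "SCAN-SYN FIN")
EXPLOIT_MARKERS = ("Shellcode", "site-exec", "Wuftp")


def parse_alert(line, year=2000):
    """Turn one syslog line into an event dict, or None if it is not a Snort alert."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    s = SCAN_RE.match(m["msg"])
    if s:
        return {"time": ts, "sig": s["what"], "src": s["src"], "dst": None}
    a = ADDR_RE.match(m["msg"])
    if a:
        return {"time": ts, "sig": a["sig"], "src": a["src"], "dst": a["dst"]}
    return None


def find_recon_to_exploit(events, window_s=600):
    """For each exploit-class alert, gather the recon alerts the same source raised in the
    preceding window_s seconds; a non-empty set is the scan -> query -> overflow chain."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    chains = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])          # stable: keeps log order for equal stamps
        for i, e in enumerate(evs):
            if not any(k in e["sig"] for k in EXPLOIT_MARKERS):
                continue
            recon = [r for r in evs[:i] if any(k in r["sig"] for k in RECON_MARKERS)
                     and (e["time"] - r["time"]).total_seconds() <= window_s]
            if recon:
                chains.append({"src": src, "dst": e["dst"], "exploit": e["sig"],
                               "recon_steps": len(recon),
                               "elapsed_s": (e["time"] - recon[0]["time"]).total_seconds()})
    return chains


def find_periodic_repeats(events, min_repeats=6, jitter_s=2.0, min_regular=0.8):
    """Flag a (src, sig, dst) triple repeated at a near-constant interval: at least
    min_regular of the gaps lie within jitter_s of the median gap."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["sig"], e["dst"])].append(e["time"])
    found = []
    for (src, sig, dst), times in groups.items():
        if len(times) < min_repeats:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        regular = sum(abs(g - period) <= jitter_s for g in gaps) / len(gaps)
        if regular >= min_regular:
            found.append({"src": src, "sig": sig, "dst": dst, "count": len(times), "period_s": period})
    return found


# Lines copied from the log above: the #5 and #11 clusters, an ICMP line, and part of #13.
SAMPLE_LOG = """\
Nov 4 22:29:45 ids snort[5240]: RPC Info Query: 24.69.66.75:738 -> 172.16.1.107:111
Nov 4 22:30:41 ids snort[5240]: IDS15 - RPC - portmap-request-status: 24.69.66.75:851 -> 172.16.1.107:111
Nov 4 22:30:41 ids snort[5240]: IDS362 - MISC - Shellcode X86 NOPS-UDP: 24.69.66.75:852 -> 172.16.1.107:949
Nov 5 09:52:07 ids snort[6147]: IDS152 - PING BSD: 207.239.115.11 -> 172.16.1.101
Nov 7 23:06:47 ids snort[1260]: spp_portscan: PORTSCAN DETECTED from 216.216.74.2 (THRESHOLD 5 connections exceeded in 0 seconds)
Nov 7 23:11:06 ids snort[1260]: RPC Info Query: 216.216.74.2:963 -> 172.16.1.107:111
Nov 7 23:11:51 ids snort[1260]: IDS15 - RPC - portmap-request-status: 216.216.74.2:709 -> 172.16.1.107:111
Nov 7 23:11:51 ids snort[1260]: IDS362 - MISC - Shellcode X86 NOPS-UDP: 216.216.74.2:710 -> 172.16.1.107:871
Nov 11 21:25:36 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:41 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:47 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:51 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:56 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:26:02 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:26:07 ids snort[3357]: IDS13 - RPC - portmap-request-mountd: 24.42.46.171:636 -> 172.16.1.107:111
"""


def analyse(text):
    """Parse a whole log and return (exploit chains, periodic repeats)."""
    events = [e for e in (parse_alert(l) for l in text.splitlines()) if e]
    return find_recon_to_exploit(events), find_periodic_repeats(events)


if __name__ == "__main__":
    chains, loops = analyse(SAMPLE_LOG)
    for c in chains:
        print(f"{c['src']} -> {c['dst']}: {c['recon_steps']} recon step(s), then '{c['exploit']}' {c['elapsed_s']:.0f}s after the first")
    for p in loops:
        print(f"{p['src']} repeated '{p['sig']}' x{p['count']} every ~{p['period_s']:.0f}s")
```

On the sample, the 216.216.74.2 chain measures 304 seconds from the portscan to the shellcode alert but only 45 seconds from the RPC query, which is the sub-minute window the note for #11 describes; the window parameter decides how far back the correlation reaches. The mountd loop from 24.42.46.171 reports a median period of 5 seconds.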


Nov 13 01:53:41 ids snort[3991]: spp_portscan: PORTSCAN DETECTED from 139.130.83.56 (STEALTH)
Nov 13 01:53:41 ids snort[3991]: SCAN-SYN FIN: 139.130.83.56:8828 -> 172.16.1.107:80
Nov 13 04:16:57 ids snort[3991]: spp_portscan: portscan status from 139.130.83.56: 3 connections across 2 hosts: TCP(3), UDP(0) STEALTH
Nov 13 04:17:13 ids snort[3991]: spp_portscan: End of portscan from 139.130.83.56: TOTAL time(1s) hosts(2) TCP(3) UDP(0) STEALTH
14 - Port Scan       searching for a web server (port 80)


Nov 14 00:58:40 ids snort[4293]: spp_portscan: PORTSCAN DETECTED from 24.12.200.186 (THRESHOLD 5 connections exceeded in 3 seconds)
Nov 14 01:00:27 ids snort[4293]: spp_portscan: portscan status from 24.12.200.186: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 14 01:00:44 ids snort[4293]: spp_portscan: End of portscan from 24.12.200.186: TOTAL time(8s) hosts(8) TCP(8) UDP(0)
15 - Port scan       firewall log says FTP


Nov 18 06:56:54 ids snort[5382]: spp_portscan: PORTSCAN DETECTED from 216.199.92.4 (THRESHOLD 5 connections exceeded in 0 seconds)
Nov 18 06:56:54 ids snort[5382]: RPC Info Query: 216.199.92.4:990 -> 172.16.1.101:111
Nov 18 07:32:06 ids snort[5382]: spp_portscan: portscan status from 216.199.92.4: 9 connections across 8 hosts: TCP(9), UDP(0)
Nov 18 08:15:44 ids snort[5382]: spp_portscan: End of portscan from 216.199.92.4: TOTAL time(2113s) hosts(8) TCP(9) UDP(0)
16 - Portmap scan and RPC query      


Nov 18 10:22:11 ids snort[5382]: spp_portscan: PORTSCAN DETECTED from 194.152.124.142 (THRESHOLD 5 connections exceeded in 0 seconds)
Nov 18 11:31:35 ids snort[5382]: spp_portscan: portscan status from 194.152.124.142: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 18 11:31:52 ids snort[5382]: spp_portscan: End of portscan from 194.152.124.142: TOTAL time(9s) hosts(8) TCP(8) UDP(0)
17 - Port scan       firewall log says FTP


Nov 18 17:00:27 ids snort[5382]: spp_portscan: PORTSCAN DETECTED from 24.29.162.158 (THRESHOLD 5 connections exceeded in 0 seconds)
Nov 18 17:16:18 ids snort[5382]: spp_portscan: portscan status from 24.29.162.158: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 18 17:16:39 ids snort[5382]: spp_portscan: End of portscan from 24.29.162.158: TOTAL time(0s) hosts(8) TCP(8) UDP(0)
18 - Port scan       unknown ports.


Nov 18 22:06:13 ids snort[5382]: spp_portscan: PORTSCAN DETECTED from 62.161.77.94 (THRESHOLD 5 connections exceeded in 2 seconds)
Nov 18 22:10:11 ids snort[5382]: spp_portscan: portscan status from 62.161.77.94: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 18 22:10:27 ids snort[5382]: spp_portscan: End of portscan from 62.161.77.94: TOTAL time(11s) hosts(8) TCP(8) UDP(0)
19 - Port Scan       firewall log says FTP


Nov 19 11:13:15 ids snort[6009]: spp_portscan: PORTSCAN DETECTED from 24.141.204.189 (THRESHOLD 5 connections exceeded in 0 seconds)
Nov 19 11:26:00 ids snort[6009]: spp_portscan: portscan status from 24.141.204.189: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 19 14:56:59 ids snort[6009]: spp_portscan: End of portscan from 24.141.204.189: TOTAL time(0s) hosts(8) TCP(8) UDP(0)
20 - Port Scan       unknown ports


Nov 19 14:56:59 ids snort[6009]: IDS7 - MISC-Source Port Traffic 53 TCP: 202.141.26.165:53 -> 172.16.1.107:111
Nov 19 14:56:59 ids snort[6009]: IDS7 - MISC-Source Port Traffic 53 TCP: 202.141.26.165:53 -> 172.16.1.101:111
21 - Port scan for portmap       Using a source port of 53 (DNS) can sometimes get you past a firewall. Notice that only the two unix systems are scanned, not the whole net. This attacker must have had info from a previous scan.


Nov 20 10:08:04 ids snort[6484]: IDS13 - RPC - portmap-request-mountd: 203.146.85.84:1104 -> 172.16.1.107:111
Nov 20 10:08:34 ids snort[6484]: IDS13 - RPC - portmap-request-mountd: 203.146.85.84:1104 -> 172.16.1.107:111
Nov 20 10:09:04 ids snort[6484]: IDS13 - RPC - portmap-request-mountd: 203.146.85.84:1104 -> 172.16.1.107:111
22 - Portmap mountd requests      


Nov 20 13:11:06 ids snort[6484]: spp_portscan: PORTSCAN DETECTED from 131.215.30.2 (THRESHOLD 5 connections exceeded in 0 seconds)
Nov 20 13:11:06 ids snort[6484]: IDS8 - TELNET - daemon-active: 172.16.1.101:23 -> 131.215.30.2:4113
Nov 20 13:11:06 ids snort[6484]: RPC Info Query: 131.215.30.2:741 -> 172.16.1.101:111
Nov 20 13:12:30 ids snort[6484]: spp_portscan: portscan status from 131.215.30.2: 10 connections across 8 hosts: TCP(10), UDP(0)
Nov 20 13:12:47 ids snort[6484]: spp_portscan: End of portscan from 131.215.30.2: TOTAL time(9s) hosts(8) TCP(10) UDP(0)
23 - Port scan, telnet attempt, RPC query      


Nov 20 14:04:57 ids snort[6484]: IDS212 - MISC - DNS Zone Transfer: 207.20.109.228:1343 -> 172.16.1.107:53
24 - DNS zone transfer       provides host names and IP addresses for the network supported by the DNS server.  This can be done with a utility like "Sam Spade"
            http://www.samspade.org/ssw/


Nov 20 20:46:03 ids snort[6484]: IDS8 - TELNET - daemon-active: 172.16.1.101:23 -> 24.21.157.47:1630
Nov 20 20:46:03 ids snort[6484]: spp_portscan: PORTSCAN DETECTED from 24.21.157.47 (THRESHOLD 5 connections exceeded in 1 seconds)
Nov 20 20:48:45 ids snort[6484]: spp_portscan: portscan status from 24.21.157.47: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 20 20:57:37 ids snort[6484]: spp_portscan: End of portscan from 24.21.157.47: TOTAL time(10s) hosts(8) TCP(8) UDP(0)
25 - Scanning for telnet      


Nov 21 12:41:26 ids snort[15035]: IDS128 - CVE-1999-0067 - CGI phf attempt: 203.146.64.167:7850 -> 172.16.1.107:80
26 - Another CGI/PHF attempt       how lame! Shame on anyone who still has this vulnerability.


Nov 21 13:09:53 ids snort[15035]: IDS13 - RPC - portmap-request-mountd: 203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:09:58 ids snort[15035]: IDS13 - RPC - portmap-request-mountd: 203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:10:24 ids snort[15035]: IDS13 - RPC - portmap-request-mountd: 203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:10:29 ids snort[15035]: IDS13 - RPC - portmap-request-mountd: 203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:10:34 ids snort[15035]: IDS13 - RPC - portmap-request-mountd: 203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:10:39 ids snort[15035]: IDS13 - RPC - portmap-request-mountd: 203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:10:43 ids snort[15035]: IDS13 - RPC - portmap-request-mountd: 203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:10:49 ids snort[15035]: IDS13 - RPC - portmap-request-mountd: 203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:10:54 ids snort[15035]: IDS13 - RPC - portmap-request-mountd: 203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:10:59 ids snort[15035]: IDS13 - RPC - portmap-request-mountd: 203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:11:04 ids snort[15035]: IDS13 - RPC - portmap-request-mountd: 203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:11:09 ids snort[15035]: IDS13 - RPC - portmap-request-mountd: 203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:11:14 ids snort[15035]: IDS13 - RPC - portmap-request-mountd: 203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:11:19 ids snort[15035]: IDS13 - RPC - portmap-request-mountd: 203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:11:24 ids snort[15035]: IDS13 - RPC - portmap-request-mountd: 203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:11:34 ids snort[15035]: IDS13 - RPC - portmap-request-mountd: 203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:11:39 ids snort[15035]: IDS13 - RPC - portmap-request-mountd: 203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:11:43 ids snort[15035]: IDS13 - RPC - portmap-request-mountd: 203.146.85.92:1267 -> 172.16.1.107:111
27 - Portmap mountd requests       every five seconds again.


Nov 21 18:59:36 ids snort[15035]: RPC Info Query: 207.156.136.5:2828 -> 172.16.1.101:111
28 - RPC query      


Nov 22 07:55:20 ids snort[15248]: spp_portscan: PORTSCAN DETECTED from 217.1.30.70 (THRESHOLD 5 connections exceeded in 3 seconds)
Nov 22 08:16:29 ids snort[15248]: spp_portscan: portscan status from 217.1.30.70: 6 connections across 6 hosts: TCP(6), UDP(0)
Nov 22 08:16:47 ids snort[15248]: spp_portscan: End of portscan from 217.1.30.70: TOTAL time(3s) hosts(6) TCP(6) UDP(0)
29 - Port scan       firewall log says FTP


Nov 22 08:16:34 ids snort[15248]: spp_portscan: PORTSCAN DETECTED from 213.120.237.178 (THRESHOLD 5 connections exceeded in 6 seconds)
Nov 22 08:16:51 ids snort[15248]: spp_portscan: portscan status from 213.120.237.178: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 22 08:17:22 ids snort[15248]: spp_portscan: portscan status from 213.120.237.178: 4 connections across 4 hosts: TCP(4), UDP(0)
Nov 22 08:18:36 ids snort[15248]: spp_portscan: End of portscan from 213.120.237.178: TOTAL time(31s) hosts(11) TCP(12) UDP(0)
30 - Port scan       FTP again


Nov 22 19:55:28 ids snort[15248]: spp_portscan: PORTSCAN DETECTED from 62.136.60.95 (THRESHOLD 5 connections exceeded in 0 seconds)
Nov 22 21:37:47 ids snort[15248]: spp_portscan: portscan status from 62.136.60.95: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 22 21:38:03 ids snort[15248]: spp_portscan: End of portscan from 62.136.60.95: TOTAL time(8s) hosts(8) TCP(8) UDP(0)
31 - Port Scan       FTP again


Nov 22 21:55:12 ids snort[15248]: IDS13 - RPC - portmap-request-mountd: 208.133.204.1:855 -> 172.16.1.107:111
Nov 22 21:55:17 ids snort[15248]: IDS13 - RPC - portmap-request-mountd: 208.133.204.1:855 -> 172.16.1.107:111
Nov 22 21:55:47 ids snort[15248]: IDS13 - RPC - portmap-request-mountd: 208.133.204.1:855 -> 172.16.1.107:111
Nov 22 21:56:12 ids snort[15248]: IDS13 - RPC - portmap-request-mountd: 208.133.204.1:856 -> 172.16.1.107:111
Nov 22 21:56:17 ids snort[15248]: IDS13 - RPC - portmap-request-mountd: 208.133.204.1:856 -> 172.16.1.107:111
Nov 22 21:56:47 ids snort[15248]: IDS13 - RPC - portmap-request-mountd: 208.133.204.1:856 -> 172.16.1.107:111
Nov 22 21:57:07 ids snort[15248]: IDS13 - RPC - portmap-request-mountd: 208.133.204.1:856 -> 172.16.1.107:111
32 - Portmap/NFS query      


Nov 23 00:44:41 ids snort[16083]: spp_portscan: PORTSCAN DETECTED from 209.237.67.12 (THRESHOLD 5 connections exceeded in 0 seconds)
Nov 23 02:02:07 ids snort[16083]: spp_portscan: portscan status from 209.237.67.12: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 23 02:02:23 ids snort[16083]: spp_portscan: End of portscan from 209.237.67.12: TOTAL time(0s) hosts(8) TCP(8) UDP(0)
33 - Port scan       unknown ports


Nov 23 19:46:57 ids snort[16083]: spp_portscan: PORTSCAN DETECTED from 206.77.188.15 (STEALTH)
Nov 23 19:46:57 ids snort[16083]: SCAN-SYN FIN: 206.77.188.15:53 -> 172.16.1.101:53
Nov 23 19:46:57 ids snort[16083]: SCAN-SYN FIN: 206.77.188.15:53 -> 172.16.1.102:53
Nov 23 19:46:57 ids snort[16083]: SCAN-SYN FIN: 206.77.188.15:53 -> 172.16.1.103:53
Nov 23 19:46:57 ids snort[16083]: SCAN-SYN FIN: 206.77.188.15:53 -> 172.16.1.104:53
Nov 23 19:46:57 ids snort[16083]: SCAN-SYN FIN: 206.77.188.15:53 -> 172.16.1.105:53
Nov 23 19:46:57 ids snort[16083]: SCAN-SYN FIN: 206.77.188.15:53 -> 172.16.1.106:53
Nov 23 19:46:57 ids snort[16083]: SCAN-SYN FIN: 206.77.188.15:53 -> 172.16.1.107:53
Nov 23 19:46:57 ids snort[16083]: SCAN-SYN FIN: 206.77.188.15:53 -> 172.16.1.108:53
Nov 23 19:46:57 ids snort[16083]: PING-ICMP Time Exceeded: 205.171.25.58 -> 172.16.1.101
Nov 23 19:46:57 ids snort[16083]: IDS277 - NAMED Iquery Probe: 206.77.188.15:3243 -> 172.16.1.107:53
Nov 23 19:46:57 ids snort[16083]: IDS278 - SCAN -named Version probe: 206.77.188.15:3243 -> 172.16.1.107:53
Nov 23 20:34:09 ids snort[16083]: spp_portscan: portscan status from 206.77.188.15: 10 connections across 8 hosts: TCP(9), UDP(1) STEALTH
Nov 23 20:34:24 ids snort[16083]: spp_portscan: End of portscan from 206.77.188.15: TOTAL time(1s) hosts(8) TCP(9) UDP(1) STEALTH
34 - DNS scan and probe       scan for DNS, finds one, checks if it supports IQUERY, asks for its version.
           http://www.whitehats.com/info/IDS277
           http://www.whitehats.com/info/IDS278
           could be followed by an exploit such as:   http://packetstormsecurity.org/Exploit_Code_Archive/namedsploit.c


Nov 24 07:34:14 ids snort[16609]: spp_portscan: PORTSCAN DETECTED from 217.5.83.235 (THRESHOLD 5 connections exceeded in 6 seconds)
Nov 24 07:34:29 ids snort[16609]: spp_portscan: portscan status from 217.5.83.235: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 24 08:04:16 ids snort[16609]: spp_portscan: portscan status from 217.5.83.235: 4 connections across 4 hosts: TCP(4), UDP(0)
Nov 24 08:04:32 ids snort[16609]: spp_portscan: End of portscan from 217.5.83.235: TOTAL time(30s) hosts(11) TCP(12) UDP(0)
35 - Port scan       FTP seems to be very popular.


Nov 24 09:51:56 ids snort[16609]: spp_portscan: PORTSCAN DETECTED from 64.45.218.3 (THRESHOLD 5 connections exceeded in 0 seconds)
Nov 24 12:52:29 ids snort[16609]: spp_portscan: portscan status from 64.45.218.3: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 24 12:52:45 ids snort[16609]: spp_portscan: End of portscan from 64.45.218.3: TOTAL time(9s) hosts(8) TCP(8) UDP(0)
36 - Port scan       Yes, FTP is VERY popular.


Nov 25 09:01:12 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4881 -> 172.16.1.101:1080
Nov 25 09:01:12 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4882 -> 172.16.1.102:1080
Nov 25 09:01:12 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4883 -> 172.16.1.103:1080
Nov 25 09:01:12 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4884 -> 172.16.1.104:1080
Nov 25 09:01:12 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4885 -> 172.16.1.105:1080
Nov 25 09:01:12 ids snort[17159]: spp_portscan: PORTSCAN DETECTED from 24.42.178.243 (THRESHOLD 5 connections exceeded in 0 seconds)
Nov 25 09:01:12 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4886 -> 172.16.1.106:1080
Nov 25 09:01:12 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4887 -> 172.16.1.107:1080
Nov 25 09:01:12 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4888 -> 172.16.1.108:1080
Nov 25 09:01:13 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4881 -> 172.16.1.101:1080
Nov 25 09:01:13 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4887 -> 172.16.1.107:1080
Nov 25 09:01:13 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4881 -> 172.16.1.101:1080
Nov 25 09:01:13 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4887 -> 172.16.1.107:1080
Nov 25 09:01:14 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4881 -> 172.16.1.101:1080
Nov 25 09:01:14 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4887 -> 172.16.1.107:1080
Nov 25 09:01:15 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4882 -> 172.16.1.102:1080
Nov 25 09:01:15 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4883 -> 172.16.1.103:1080
Nov 25 09:01:15 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4884 -> 172.16.1.104:1080
Nov 25 09:01:15 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4885 -> 172.16.1.105:1080
Nov 25 09:01:15 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4888 -> 172.16.1.108:1080
Nov 25 09:06:19 ids snort[17159]: spp_portscan: portscan status from 24.42.178.243: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 25 09:06:53 ids snort[17159]: spp_portscan: End of portscan from 24.42.178.243: TOTAL time(3s) hosts(8) TCP(8) UDP(0)
37 - WinGate scan       Searching for an open WinGate server. Useful for anonymity on the net.
           http://members.tripod.com/lycos_webmaster/wingate.html


Nov 25 12:13:19 ids snort[17159]: spp_portscan: PORTSCAN DETECTED from 152.2.48.83 (THRESHOLD 5 connections exceeded in 0 seconds)
Nov 25 12:34:45 ids snort[17159]: spp_portscan: portscan status from 152.2.48.83: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 25 12:35:02 ids snort[17159]: spp_portscan: End of portscan from 152.2.48.83: TOTAL time(0s) hosts(8) TCP(8) UDP(0)
38 - Port Scan       FTP again


Nov 25 21:25:26 ids snort[17159]: spp_portscan: PORTSCAN DETECTED from 172.155.157.149 (THRESHOLD 5 connections exceeded in 0 seconds)
Nov 25 21:31:17 ids snort[17159]: spp_portscan: portscan status from 172.155.157.149: 7 connections across 7 hosts: TCP(7), UDP(0)
Nov 25 21:31:34 ids snort[17159]: spp_portscan: End of portscan from 172.155.157.149: TOTAL time(0s) hosts(7) TCP(7) UDP(0)
39 - Port Scan       unknown ports


Nov 26 07:35:34 ids snort[17488]: spp_portscan: PORTSCAN DETECTED from 128.84.246.7 (THRESHOLD 5 connections exceeded in 0 seconds)
Nov 26 07:41:13 ids snort[17488]: spp_portscan: portscan status from 128.84.246.7: 9 connections across 8 hosts: TCP(9), UDP(0)
Nov 26 07:41:13 ids snort[17488]: IDS8 - TELNET - daemon-active: 172.16.1.101:23 -> 128.84.246.7:3913
Nov 26 09:00:02 ids snort[17488]: spp_portscan: End of portscan from 128.84.246.7: TOTAL time(339s) hosts(8) TCP(9) UDP(0)
40 - Port Scan and telnet access       search for telnet and then connect to it.


Nov 26 19:51:53 ids snort[17488]: spp_portscan: PORTSCAN DETECTED from 208.185.167.115 (THRESHOLD 5 connections exceeded in 4 seconds)
Nov 26 20:49:24 ids snort[17488]: spp_portscan: portscan status from 208.185.167.115: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 26 21:15:10 ids snort[17488]: spp_portscan: portscan status from 208.185.167.115: 1 connections across 1 hosts: TCP(1), UDP(0)
Nov 26 21:35:31 ids snort[17488]: spp_portscan: portscan status from 208.185.167.115: 7 connections across 7 hosts: TCP(7), UDP(0)
Nov 26 21:35:47 ids snort[17488]: spp_portscan: End of portscan from 208.185.167.115: TOTAL time(5001s) hosts(14) TCP(16) UDP(0)
41 - Port Scan       unknown ports


Nov 28 01:21:50 ids snort[17917]: spp_portscan: PORTSCAN DETECTED from 63.165.207.14 (THRESHOLD 5 connections exceeded in 3 seconds)
Nov 28 01:22:07 ids snort[17917]: spp_portscan: portscan status from 63.165.207.14: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 28 01:22:23 ids snort[17917]: spp_portscan: End of portscan from 63.165.207.14: TOTAL time(3s) hosts(8) TCP(8) UDP(0)
42 - Port scan       searching for telnet.


Nov 29 11:13:29 ids snort[18432]: spp_portscan: PORTSCAN DETECTED from 12.24.136.201 (STEALTH)
Nov 29 11:13:29 ids snort[18432]: SCAN-SYN FIN: 12.24.136.201:511 -> 172.16.1.101:511
Nov 29 11:13:29 ids snort[18432]: SCAN-SYN FIN: 12.24.136.201:511 -> 172.16.1.102:511
Nov 29 11:13:29 ids snort[18432]: SCAN-SYN FIN: 12.24.136.201:511 -> 172.16.1.103:511
Nov 29 11:13:29 ids snort[18432]: SCAN-SYN FIN: 12.24.136.201:511 -> 172.16.1.104:511
Nov 29 11:13:29 ids snort[18432]: SCAN-SYN FIN: 12.24.136.201:511 -> 172.16.1.105:511
Nov 29 11:13:29 ids snort[18432]: SCAN-SYN FIN: 12.24.136.201:511 -> 172.16.1.106:511
Nov 29 11:13:29 ids snort[18432]: SCAN-SYN FIN: 12.24.136.201:511 -> 172.16.1.107:511
Nov 29 11:13:29 ids snort[18432]: SCAN-SYN FIN: 12.24.136.201:511 -> 172.16.1.108:511
Nov 29 11:14:24 ids snort[18432]: spp_portscan: portscan status from 12.24.136.201: 8 connections across 8 hosts: TCP(8), UDP(0) STEALTH
Nov 29 11:14:42 ids snort[18432]: spp_portscan: End of portscan from 12.24.136.201: TOTAL time(0s) hosts(8) TCP(8) UDP(0) STEALTH
43 - Port Scan       searching for a system with port 511 open. According to http://www.iana.org/assignments/port-numbers port 511 is "passgo", which I found is a single sign-on product. http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=55


Nov 29 15:04:04 ids snort[18432]: spp_portscan: PORTSCAN DETECTED from 213.56.229.206 (THRESHOLD 5 connections exceeded in 1 seconds)
Nov 29 16:09:50 ids snort[18432]: spp_portscan: portscan status from 213.56.229.206: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 29 16:10:07 ids snort[18432]: spp_portscan: End of portscan from 213.56.229.206: TOTAL time(4s) hosts(8) TCP(8) UDP(0)
44 - Port scan       FTP


Nov 30 04:58:53 ids snort[18951]: spp_portscan: PORTSCAN DETECTED from 144.132.223.204 (THRESHOLD 5 connections exceeded in 7 seconds)
Nov 30 04:59:12 ids snort[18951]: spp_portscan: portscan status from 144.132.223.204: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 30 06:45:46 ids snort[18951]: spp_portscan: portscan status from 144.132.223.204: 2 connections across 2 hosts: TCP(2), UDP(0)
Nov 30 09:36:09 ids snort[18951]: spp_portscan: End of portscan from 144.132.223.204: TOTAL time(29s) hosts(9) TCP(10) UDP(0)
45 - Port scan       FTP


Nov 30 09:36:09 ids snort[18951]: spp_portscan: PORTSCAN DETECTED from 149.225.118.255 (THRESHOLD 5 connections exceeded in 0 seconds)
Nov 30 09:37:19 ids snort[18951]: spp_portscan: portscan status from 149.225.118.255: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 30 09:37:36 ids snort[18951]: spp_portscan: End of portscan from 149.225.118.255: TOTAL time(3s) hosts(8) TCP(8) UDP(0)
46 - Port scan       FTP


Nov 30 15:42:39 ids snort[18951]: spp_portscan: PORTSCAN DETECTED from 216.78.181.149 (THRESHOLD 5 connections exceeded in 0 seconds)
Nov 30 17:00:01 ids snort[18951]: spp_portscan: portscan status from 216.78.181.149: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 30 17:00:19 ids snort[18951]: spp_portscan: End of portscan from 216.78.181.149: TOTAL time(1s) hosts(8) TCP(8) UDP(0)
47 - Port scan       FTP. Yes, FTP seems to be extremely popular.


Nov 30 20:43:01 ids snort[18951]: spp_portscan: PORTSCAN DETECTED from 141.223.222.143 (THRESHOLD 5 connections exceeded in 2 seconds)
Nov 30 21:55:43 ids snort[18951]: spp_portscan: portscan status from 141.223.222.143: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 30 21:55:44 ids snort[18951]: IDS287 - FTP - Wuftp260 venglin linux: 141.223.222.143:4761 -> 172.16.1.104:21
Nov 30 21:55:47 ids snort[18951]: IDS317 - FTP-site-exec: 141.223.222.143:4761 -> 172.16.1.104:21
Nov 30 22:00:32 ids snort[18951]: spp_portscan: End of portscan from 141.223.222.143: TOTAL time(4365s) hosts(8) TCP(8) UDP(0)
48 - Port scan and FTP exploit       Now we see why FTP is so popular. Here is a link to a very popular WUFTP exploit.
           http://packetstormsecurity.org/0006-exploits/bobek.c


Nov 30 22:30:56 ids snort[18951]: IDS8 - TELNET - daemon-active: 172.16.1.103:23 -> 207.239.115.11:1947
49 - Telnet access       We saw this IP earlier in the month. She's back, but connecting straight away to the newly rebuilt Sun box. Either she found this new box in an earlier scan or something more devious is going on. By the way - Why didn't this show up in the firewall log?