Legend: IP address obtained/matched from the IDS log; IP address inferred from the IDS log; Notable Events
Systems: Win98; RH 6.2; Solaris 2.6; NT 4
Columns: Firewall Log (Resolved IPs, Date, Time, Service); Snort/IDS Log
Windows 98, 172.16.1.105 brought online, Oct 31st 2001
62.98.12.116 02-Nov-00 3:10:08 http Nov 2 03:10:09  IDS128 - CVE-1999-0067 - CGI phf attempt  62.98.12.116:4406 -> 172.16.1.107:80 Hack Attempt
62.98.14.40 02-Nov-00 5:30:36 http Nov 2 05:30:37  IDS128 - CVE-1999-0067 - CGI phf attempt  62.98.14.40:1402 -> 172.16.1.107:80
64.229.250.79 03-Nov-00 1:39:00 sunrpc Nov 3 01:39:01  IDS13 - RPC - portmap-request-mountd  64.229.250.79:640 -> 172.16.1.107:111 RPC Scan
Nov 3 01:39:01  IDS13 - RPC - portmap-request-mountd  64.229.250.79:641 -> 172.16.1.107:111
Nov 3 01:39:18  IDS13 - RPC - portmap-request-mountd  64.229.250.79:642 -> 172.16.1.107:111
Nov 3 01:39:18  IDS13 - RPC - portmap-request-mountd  64.229.250.79:645 -> 172.16.1.107:111
Nov 3 01:39:30  IDS13 - RPC - portmap-request-mountd  64.229.250.79:656 -> 172.16.1.107:111
Nov 3 01:39:30  IDS13 - RPC - portmap-request-mountd  64.229.250.79:657 -> 172.16.1.107:111
RedHat 6.2, 172.16.1.107 brought online, Nov 4th 2001
203.59.72.172 04-Nov-00 18:25:59 ftp Nov 4 18:25:59  spp_portscan  PORTSCAN DETECTED from 203.59.72.172 (STEALTH):: FTP Scan
Nov 4 18:25:59  SCAN-SYN FIN  203.59.72.172:21 -> 172.16.1.103:21
Nov 4 18:25:59  SCAN-SYN FIN  203.59.72.172:21 -> 172.16.1.101:21
Nov 4 18:25:59  SCAN-SYN FIN  203.59.72.172:21 -> 172.16.1.102:21
Nov 4 18:25:59  SCAN-SYN FIN  203.59.72.172:21 -> 172.16.1.105:21
Nov 4 18:25:59  SCAN-SYN FIN  203.59.72.172:21 -> 172.16.1.104:21
Nov 4 18:25:59  SCAN-SYN FIN  203.59.72.172:21 -> 172.16.1.106:21
Nov 4 18:25:59  SCAN-SYN FIN  203.59.72.172:21 -> 172.16.1.107:21
Nov 4 18:25:59  SCAN-SYN FIN  203.59.72.172:21 -> 172.16.1.108:21
Nov 4 18:25:59  SCAN-SYN FIN  203.59.72.172:21 -> 172.16.1.109:21
Nov 4 18:26:17  spp_portscan  portscan status from 203.59.72.172: 11 connections across 9 hosts: TCP(11), UDP(0) STEALTH
Nov 4 18:26:33  spp_portscan  End of portscan from 203.59.72.172: TOTAL time(2s) hosts(9) TCP(11) UDP(0) STEALTH:
24.69.66.75 04-Nov-00 22:24:54 rpc Nov 4 22:29:45  RPC Info Query  24.69.66.75:738 -> 172.16.1.107:111 Hack Attempt
Nov 4 22:30:41  IDS15 - RPC - portmap-request-status  24.69.66.75:851 -> 172.16.1.107:111
Nov 4 22:30:41  IDS362 - MISC - Shellcode X86 NOPS-UDP  24.69.66.75:852 -> 172.16.1.107:949
Solaris 2.6, 172.16.1.101 brought online, Nov 5th 2001
Nov 5 09:52:07  IDS152 - PING BSD  207.239.115.11 -> 172.16.1.101::
Nov 5 09:52:08  IDS152 - PING BSD  207.239.115.11 -> 172.16.1.101::
Nov 5 09:52:09  IDS152 - PING BSD  207.239.115.11 -> 172.16.1.101::
Nov 5 09:52:40  IDS08 - TELNET - daemon-active  172.16.1.101:23 -> 207.239.115.11:1270
Nov 5 11:54:40  spp_portscan  PORTSCAN DETECTED from 202.114.208.160 (THRESHOLD 5 connections exceeded in 0 seconds):: ??? Scan
Nov 5 11:57:15  spp_portscan  portscan status from 202.114.208.160: 9 connections across 9 hosts: TCP(9), UDP(0)
Nov 5 11:57:33  spp_portscan  End of portscan from 202.114.208.160: TOTAL time(0s) hosts(9) TCP(9) UDP(0):
128.121.247.126 06-Nov-00 2:02:06 ftp
61.129.65.42 06-Nov-00 16:44:13 rpc Nov 6 16:44:14  spp_portscan  PORTSCAN DETECTED from 61.129.65.42 (STEALTH):: RPC Scan
Nov 6 16:44:14  SCAN-SYN FIN  61.129.65.42:111 -> 172.16.1.102:111
Nov 6 16:44:14  SCAN-SYN FIN  61.129.65.42:111 -> 172.16.1.103:111
Nov 6 16:44:14  SCAN-SYN FIN  61.129.65.42:111 -> 172.16.1.104:111
Nov 6 16:44:14  SCAN-SYN FIN  61.129.65.42:111 -> 172.16.1.105:111
Nov 6 16:44:14  SCAN-SYN FIN  61.129.65.42:111 -> 172.16.1.107:111
Nov 6 16:44:14  SCAN-SYN FIN  61.129.65.42:111 -> 172.16.1.108:111
Nov 6 16:44:14  SCAN-SYN FIN  61.129.65.42:111 -> 172.16.1.109:111
Nov 6 16:44:19  RPC Info Query  61.129.65.42:777 -> 172.16.1.107:111
Nov 6 16:44:36  spp_portscan  portscan status from 61.129.65.42: 8 connections across 7 hosts: TCP(8), UDP(0) STEALTH
Nov 6 16:44:52  spp_portscan  End of portscan from 61.129.65.42: TOTAL time(4s) hosts(7) TCP(8) UDP(0) STEALTH:
62.98.45.141 06-Nov-00 17:02:49 rpc Nov 6 17:2:50  spp_portscan  PORTSCAN DETECTED from 62.98.45.141 (STEALTH):: RPC Scan
Nov 6 17:2:50  SCAN-SYN FIN  62.98.45.141:111 -> 172.16.1.101:111
Nov 6 17:2:50  SCAN-SYN FIN  62.98.45.141:111 -> 172.16.1.102:111
Nov 6 17:2:50  SCAN-SYN FIN  62.98.45.141:111 -> 172.16.1.103:111
Nov 6 17:2:50  SCAN-SYN FIN  62.98.45.141:111 -> 172.16.1.104:111
Nov 6 17:2:50  SCAN-SYN FIN  62.98.45.141:111 -> 172.16.1.105:111
Nov 6 17:2:50  SCAN-SYN FIN  62.98.45.141:111 -> 172.16.1.106:111
Nov 6 17:2:50  SCAN-SYN FIN  62.98.45.141:111 -> 172.16.1.107:111
Nov 6 17:2:50  SCAN-SYN FIN  62.98.45.141:111 -> 172.16.1.108:111
Nov 6 17:2:50  SCAN-SYN FIN  62.98.45.141:111 -> 172.16.1.109:111
Nov 6 17:2:55  RPC Info Query  62.98.45.141:816 -> 172.16.1.101:111
Nov 6 17:2:58  RPC Info Query  62.98.45.141:826 -> 172.16.1.107:111
Nov 6 17:6:38  spp_portscan  portscan status from 62.98.45.141: 11 connections across 9 hosts: TCP(11), UDP(0) STEALTH
Nov 6 17:6:53  spp_portscan  End of portscan from 62.98.45.141: TOTAL time(8s) hosts(9) TCP(11) UDP(0) STEALTH:
212.129.5.218 06-Nov-00 20:34:00 sunrpc Nov 6 20:34:00  IDS13 - RPC - portmap-request-mountd  212.129.5.218:822 -> 172.16.1.107:111
Nov 6 20:34:01  IDS13 - RPC - portmap-request-mountd  212.129.5.218:823 -> 172.16.1.107:111
216.216.74.2 07-Nov-00 23:06:45 rpc Nov 7 23:6:47  spp_portscan  PORTSCAN DETECTED from 216.216.74.2 (THRESHOLD 5 connections exceeded in 0 seconds):: RPC Scan VA Scan??
Nov 7 23:11:04  spp_portscan  portscan status from 216.216.74.2: 9 connections across 9 hosts: TCP(9), UDP(0)
Nov 7 23:11:05  RPC Info Query  216.216.74.2:962 -> 172.16.1.101:111
Nov 7 23:11:06  RPC Info Query  216.216.74.2:963 -> 172.16.1.107:111
Nov 7 23:11:31  spp_portscan  portscan status from 216.216.74.2: 2 connections across 1 hosts: TCP(2), UDP(0) Telnet Scan
Nov 7 23:11:31  IDS08 - TELNET - daemon-active  172.16.1.101:23 -> 216.216.74.2:1209
Nov 7 23:11:34  IDS08 - TELNET - daemon-active  172.16.1.101:23 -> 216.216.74.2:1210
Nov 7 23:11:47  spp_portscan  portscan status from 216.216.74.2: 2 connections across 2 hosts: TCP(2), UDP(0) Hack Attempt
Nov 7 23:11:51  IDS15 - RPC - portmap-request-status  216.216.74.2:709 -> 172.16.1.107:111
Nov 7 23:11:51  IDS362 - MISC - Shellcode X86 NOPS-UDP  216.216.74.2:710 -> 172.16.1.107:871
Nov 7 23:12:03  spp_portscan  portscan status from 216.216.74.2: 2 connections across 1 hosts: TCP(0), UDP(2)
Nov 7 23:12:23  spp_portscan  portscan status from 216.216.74.2: 1 connections across 1 hosts: TCP(1), UDP(0)
Nov 7 23:12:47  spp_portscan  End of portscan from 216.216.74.2: TOTAL time(324s) hosts(10) TCP(14) UDP(2):
Windows 98, 172.16.1.102 rebuilt, Nov 8th 2001
24.12.200.186 08-Nov-00 7:31:15 telnet
207.123.161.202 09-Nov-00 14:30:49 telnet
Nov 9 22:14:48  spp_portscan  PORTSCAN DETECTED from 24.25.74.35 (THRESHOLD 5 connections exceeded in 0 seconds):: ??? Scan
Nov 9 22:15:07  spp_portscan  portscan status from 24.25.74.35: 8 connections across 8 hosts: TCP(0), UDP(8)
Nov 9 22:15:23  spp_portscan  End of portscan from 24.25.74.35: TOTAL time(0s) hosts(8) TCP(0) UDP(8):
24.12.200.186 10-Nov-00 10:37:31 ssh
194.38.76.99 10-Nov-00 16:49:30 ssh
24.42.46.171 11-Nov-00 21:25:06 sunrpc Nov 11 21:25:06  IDS13 - RPC - portmap-request-mountd  24.42.46.171:635 -> 172.16.1.107:111 Lots of RPC Queries…
Nov 11 21:25:12  IDS13 - RPC - portmap-request-mountd  24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:21  IDS13 - RPC - portmap-request-mountd  24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:26  IDS13 - RPC - portmap-request-mountd  24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:32  IDS13 - RPC - portmap-request-mountd  24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:36  IDS13 - RPC - portmap-request-mountd  24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:41  IDS13 - RPC - portmap-request-mountd  24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:47  IDS13 - RPC - portmap-request-mountd  24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:51  IDS13 - RPC - portmap-request-mountd  24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:25:56  IDS13 - RPC - portmap-request-mountd  24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:26:02  IDS13 - RPC - portmap-request-mountd  24.42.46.171:635 -> 172.16.1.107:111
Nov 11 21:26:07  IDS13 - RPC - portmap-request-mountd  24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:12  IDS13 - RPC - portmap-request-mountd  24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:17  IDS13 - RPC - portmap-request-mountd  24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:22  IDS13 - RPC - portmap-request-mountd  24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:27  IDS13 - RPC - portmap-request-mountd  24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:32  IDS13 - RPC - portmap-request-mountd  24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:37  IDS13 - RPC - portmap-request-mountd  24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:42  IDS13 - RPC - portmap-request-mountd  24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:47  IDS13 - RPC - portmap-request-mountd  24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:52  IDS13 - RPC - portmap-request-mountd  24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:26:57  IDS13 - RPC - portmap-request-mountd  24.42.46.171:636 -> 172.16.1.107:111
Nov 11 21:27:02  IDS13 - RPC - portmap-request-mountd  24.42.46.171:636 -> 172.16.1.107:111
139.130.83.56 13-Nov-00 1:53:40 http Nov 13 01:53:41  spp_portscan  PORTSCAN DETECTED from 139.130.83.56 (STEALTH):: HTTP Scan
Nov 13 01:53:41  SCAN-SYN FIN  139.130.83.56:8828 -> 172.16.1.107:80
Nov 13 04:16:57  spp_portscan  portscan status from 139.130.83.56: 3 connections across 2 hosts: TCP(3), UDP(0) STEALTH
Nov 13 04:17:13  spp_portscan  End of portscan from 139.130.83.56: TOTAL time(1s) hosts(2) TCP(3) UDP(0) STEALTH:
140.211.15.190 13-Nov-00 12:56:42 ftp
24.12.200.186 14-Nov-00 0:58:36 ftp Nov 14 00:58:40  spp_portscan  PORTSCAN DETECTED from 24.12.200.186 (THRESHOLD 5 connections exceeded in 3 seconds):: FTP Scan
Nov 14 01:0:27  spp_portscan  portscan status from 24.12.200.186: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 14 01:0:44  spp_portscan  End of portscan from 24.12.200.186: TOTAL time(8s) hosts(8) TCP(8) UDP(0):
www.baf-fiscal.com.mx 15-Nov-00 10:40:20 rpc
24.42.46.171 16-Nov-00 16:49:51 http
194.38.76.99 16-Nov-00 20:48:43 ssh
216.84.199.xx 17-Nov-00 9:11:42 domain-tcp
194.38.76.99 17-Nov-00 14:17:10 ssh
216.199.92.4 18-Nov-00 6:56:53 rpc Nov 18 06:56:54  spp_portscan  PORTSCAN DETECTED from 216.199.92.4 (THRESHOLD 5 connections exceeded in 0 seconds):: RPC Scan
Nov 18 06:56:54  RPC Info Query  216.199.92.4:990 -> 172.16.1.101:111
Nov 18 07:32:06  spp_portscan  portscan status from 216.199.92.4: 9 connections across 8 hosts: TCP(9), UDP(0)
Nov 18 08:15:44  spp_portscan  End of portscan from 216.199.92.4: TOTAL time(2113s) hosts(8) TCP(9) UDP(0):
194.152.124.142 18-Nov-00 10:22:11 ftp Nov 18 10:22:11  spp_portscan  PORTSCAN DETECTED from 194.152.124.142 (THRESHOLD 5 connections exceeded in 0 seconds):: FTP Scan
Nov 18 11:31:35  spp_portscan  portscan status from 194.152.124.142: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 18 11:31:52  spp_portscan  End of portscan from 194.152.124.142: TOTAL time(9s) hosts(8) TCP(8) UDP(0):
Nov 18 17:0:27  spp_portscan  PORTSCAN DETECTED from 24.29.162.158 (THRESHOLD 5 connections exceeded in 0 seconds):: ??? Scan
Nov 18 17:16:18  spp_portscan  portscan status from 24.29.162.158: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 18 17:16:39  spp_portscan  End of portscan from 24.29.162.158: TOTAL time(0s) hosts(8) TCP(8) UDP(0):
62.161.77.94 18-Nov-00 22:05:57 ftp Nov 18 22:6:13  spp_portscan  PORTSCAN DETECTED from 62.161.77.94 (THRESHOLD 5 connections exceeded in 2 seconds):: FTP Scan
Nov 18 22:10:11  spp_portscan  portscan status from 62.161.77.94: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 18 22:10:27  spp_portscan  End of portscan from 62.161.77.94: TOTAL time(11s) hosts(8) TCP(8) UDP(0):
24.29.162.158 19-Nov-00 0:10:12 ftp
Nov 19 11:13:15  spp_portscan  PORTSCAN DETECTED from 24.141.204.189 (THRESHOLD 5 connections exceeded in 0 seconds):: FTP Scan
Nov 19 11:26:00  spp_portscan  portscan status from 24.141.204.189: 8 connections across 8 hosts: TCP(8), UDP(0)
202.141.26.165 19-Nov-00 14:56:58 rpc Nov 19 14:56:59  spp_portscan  End of portscan from 24.141.204.189: TOTAL time(0s) hosts(8) TCP(8) UDP(0):
Nov 19 14:56:59  IDS7 - MISC-Source Port Traffic 53 TCP  202.141.26.165:53 -> 172.16.1.107:111 RPC Scan
Nov 19 14:56:59  IDS7 - MISC-Source Port Traffic 53 TCP  202.141.26.165:53 -> 172.16.1.101:111
chem.iitm.ernet.in 19-Nov-00 14:57:00 rpc
211.42.135.14 19-Nov-00 21:27:34 rpc
203.146.85.84 20-Nov-00 10:08:03 sunrpc Nov 20 10:8:04  IDS13 - RPC - portmap-request-mountd  203.146.85.84:1104 -> 172.16.1.107:111 RPC Queries
Nov 20 10:8:34  IDS13 - RPC - portmap-request-mountd  203.146.85.84:1104 -> 172.16.1.107:111
Nov 20 10:9:04  IDS13 - RPC - portmap-request-mountd  203.146.85.84:1104 -> 172.16.1.107:111
131.215.30.2 20-Nov-00 13:11:06 telnet Nov 20 13:11:06  spp_portscan  PORTSCAN DETECTED from 131.215.30.2 (THRESHOLD 5 connections exceeded in 0 seconds):: Telnet Scan
Nov 20 13:11:06  IDS8 - TELNET - daemon-active  172.16.1.101:23 -> 131.215.30.2:4113
Nov 20 13:11:06  RPC Info Query  131.215.30.2:741 -> 172.16.1.101:111
Nov 20 13:12:30  spp_portscan  portscan status from 131.215.30.2: 10 connections across 8 hosts: TCP(10), UDP(0) Telnet Scan
Nov 20 13:12:47  spp_portscan  End of portscan from 131.215.30.2: TOTAL time(9s) hosts(8) TCP(10) UDP(0):
64.71.163.201 20-Nov-00 14:04:55 domain-tcp Nov 20 14:4:57  IDS212 - MISC - DNS Zone Transfer  207.20.109.228:1343 -> 172.16.1.107:53
24.21.157.47 20-Nov-00 20:46:02 telnet Nov 20 20:46:03  IDS8 - TELNET - daemon-active  172.16.1.101:23 -> 24.21.157.47:1630 Telnet Scan
Nov 20 20:46:03  spp_portscan  PORTSCAN DETECTED from 24.21.157.47 (THRESHOLD 5 connections exceeded in 1 seconds)::
Nov 20 20:48:45  spp_portscan  portscan status from 24.21.157.47: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 20 20:57:37  spp_portscan  End of portscan from 24.21.157.47: TOTAL time(10s) hosts(8) TCP(8) UDP(0):
203.146.64.180 21-Nov-00 12:41:25 http Nov 21 12:41:26  IDS128 - CVE-1999-0067 - CGI phf attempt  203.146.64.167:7850 -> 172.16.1.107:80 Hack Attempt
203.146.85.92 21-Nov-00 13:09:53 sunrpc Nov 21 13:9:53  IDS13 - RPC - portmap-request-mountd  203.146.85.92:1267 -> 172.16.1.107:111 Lots of RPC Queries…
Nov 21 13:9:58  IDS13 - RPC - portmap-request-mountd  203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:10:24  IDS13 - RPC - portmap-request-mountd  203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:10:29  IDS13 - RPC - portmap-request-mountd  203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:10:34  IDS13 - RPC - portmap-request-mountd  203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:10:39  IDS13 - RPC - portmap-request-mountd  203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:10:43  IDS13 - RPC - portmap-request-mountd  203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:10:49  IDS13 - RPC - portmap-request-mountd  203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:10:54  IDS13 - RPC - portmap-request-mountd  203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:10:59  IDS13 - RPC - portmap-request-mountd  203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:11:04  IDS13 - RPC - portmap-request-mountd  203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:11:09  IDS13 - RPC - portmap-request-mountd  203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:11:14  IDS13 - RPC - portmap-request-mountd  203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:11:19  IDS13 - RPC - portmap-request-mountd  203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:11:24  IDS13 - RPC - portmap-request-mountd  203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:11:34  IDS13 - RPC - portmap-request-mountd  203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:11:39  IDS13 - RPC - portmap-request-mountd  203.146.85.92:1267 -> 172.16.1.107:111
Nov 21 13:11:43  IDS13 - RPC - portmap-request-mountd  203.146.85.92:1267 -> 172.16.1.107:111
207.156.136.5 21-Nov-00 18:59:36 rpc Nov 21 18:59:36  RPC Info Query  207.156.136.5:2828 -> 172.16.1.101:111
195.199.7.93 22-Nov-00 1:52:15 ssh
217.1.30.70 22-Nov-00 7:55:16 ftp Nov 22 07:55:20  spp_portscan  PORTSCAN DETECTED from 217.1.30.70 (THRESHOLD 5 connections exceeded in 3 seconds):: FTP Scan
213.120.237.178 22-Nov-00 8:16:23 ftp Nov 22 08:16:29  spp_portscan  portscan status from 217.1.30.70: 6 connections across 6 hosts: TCP(6), UDP(0)
Nov 22 08:16:34  spp_portscan  PORTSCAN DETECTED from 213.120.237.178 (THRESHOLD 5 connections exceeded in 6 seconds):: FTP Scan
Nov 22 08:16:47  spp_portscan  End of portscan from 217.1.30.70: TOTAL time(3s) hosts(6) TCP(6) UDP(0):
Nov 22 08:16:51  spp_portscan  portscan status from 213.120.237.178: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 22 08:17:22  spp_portscan  portscan status from 213.120.237.178: 4 connections across 4 hosts: TCP(4), UDP(0)
Nov 22 08:18:36  spp_portscan  End of portscan from 213.120.237.178: TOTAL time(31s) hosts(11) TCP(12) UDP(0):
63.202.184.4 22-Nov-00 17:44:24 IKE
62.136.60.95 22-Nov-00 19:55:28 ftp Nov 22 19:55:28  spp_portscan  PORTSCAN DETECTED from 62.136.60.95 (THRESHOLD 5 connections exceeded in 0 seconds):: FTP Scan
Nov 22 21:37:47  spp_portscan  portscan status from 62.136.60.95: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 22 21:38:03  spp_portscan  End of portscan from 62.136.60.95: TOTAL time(8s) hosts(8) TCP(8) UDP(0):
208.133.204.1 22-Nov-00 21:55:12 sunrpc Nov 22 21:55:12  IDS13 - RPC - portmap-request-mountd  208.133.204.1:855 -> 172.16.1.107:111 Lots of RPC Queries…
Nov 22 21:55:17  IDS13 - RPC - portmap-request-mountd  208.133.204.1:855 -> 172.16.1.107:111
Nov 22 21:55:47  IDS13 - RPC - portmap-request-mountd  208.133.204.1:855 -> 172.16.1.107:111
Nov 22 21:56:12  IDS13 - RPC - portmap-request-mountd  208.133.204.1:856 -> 172.16.1.107:111
Nov 22 21:56:17  IDS13 - RPC - portmap-request-mountd  208.133.204.1:856 -> 172.16.1.107:111
Nov 22 21:56:47  IDS13 - RPC - portmap-request-mountd  208.133.204.1:856 -> 172.16.1.107:111
Nov 22 21:57:07  IDS13 - RPC - portmap-request-mountd  208.133.204.1:856 -> 172.16.1.107:111
Nov 23 00:44:41  spp_portscan  PORTSCAN DETECTED from 209.237.67.12 (THRESHOLD 5 connections exceeded in 0 seconds):: ??? Scan
Nov 23 02:2:07  spp_portscan  portscan status from 209.237.67.12: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 23 02:2:23  spp_portscan  End of portscan from 209.237.67.12: TOTAL time(0s) hosts(8) TCP(8) UDP(0):
alpha.mslc.ohio-state.edu 23-Nov-00 18:42:21 IKE
206.77.188.15 23-Nov-00 19:46:56 domain-tcp Nov 23 19:46:57  spp_portscan  PORTSCAN DETECTED from 206.77.188.15 (STEALTH):: Named Scan
Nov 23 19:46:57  SCAN-SYN FIN  206.77.188.15:53 -> 172.16.1.101:53
Nov 23 19:46:57  SCAN-SYN FIN  206.77.188.15:53 -> 172.16.1.102:53
Nov 23 19:46:57  SCAN-SYN FIN  206.77.188.15:53 -> 172.16.1.103:53
Nov 23 19:46:57  SCAN-SYN FIN  206.77.188.15:53 -> 172.16.1.104:53
Nov 23 19:46:57  SCAN-SYN FIN  206.77.188.15:53 -> 172.16.1.105:53
Nov 23 19:46:57  SCAN-SYN FIN  206.77.188.15:53 -> 172.16.1.106:53
Nov 23 19:46:57  SCAN-SYN FIN  206.77.188.15:53 -> 172.16.1.107:53
Nov 23 19:46:57  SCAN-SYN FIN  206.77.188.15:53 -> 172.16.1.108:53
Nov 23 19:46:57  PING-ICMP Time Exceeded  205.171.25.58 -> 172.16.1.101::
Nov 23 19:46:57  IDS277 - NAMED Iquery Probe  206.77.188.15:3243 -> 172.16.1.107:53
Nov 23 19:46:57  IDS278 - SCAN -named Version probe  206.77.188.15:3243 -> 172.16.1.107:53
Nov 23 20:34:09  spp_portscan  portscan status from 206.77.188.15: 10 connections across 8 hosts: TCP(9), UDP(1) STEALTH
Nov 23 20:34:24  spp_portscan  End of portscan from 206.77.188.15: TOTAL time(1s) hosts(8) TCP(9) UDP(1) STEALTH:
217.5.83.235 24-Nov-00 7:34:04 ftp Nov 24 07:34:14  spp_portscan  PORTSCAN DETECTED from 217.5.83.235 (THRESHOLD 5 connections exceeded in 6 seconds):: FTP Scan
Nov 24 07:34:29  spp_portscan  portscan status from 217.5.83.235: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 24 08:4:16  spp_portscan  portscan status from 217.5.83.235: 4 connections across 4 hosts: TCP(4), UDP(0)
Nov 24 08:4:32  spp_portscan  End of portscan from 217.5.83.235: TOTAL time(30s) hosts(11) TCP(12) UDP(0):
64.45.218.3 24-Nov-00 9:51:55 ftp Nov 24 09:51:56  spp_portscan  PORTSCAN DETECTED from 64.45.218.3 (THRESHOLD 5 connections exceeded in 0 seconds):: FTP Scan
Nov 24 12:52:29  spp_portscan  portscan status from 64.45.218.3: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 24 12:52:45  spp_portscan  End of portscan from 64.45.218.3: TOTAL time(9s) hosts(8) TCP(8) UDP(0):
Nov 25 09:1:12  MISC-WinGate-1080-Attempt  24.42.178.243:4881 -> 172.16.1.101:1080 WinGate/Socks Scan
Nov 25 09:1:12  MISC-WinGate-1080-Attempt  24.42.178.243:4882 -> 172.16.1.102:1080
Nov 25 09:1:12  MISC-WinGate-1080-Attempt  24.42.178.243:4883 -> 172.16.1.103:1080
Nov 25 09:1:12  MISC-WinGate-1080-Attempt  24.42.178.243:4884 -> 172.16.1.104:1080
Nov 25 09:1:12  MISC-WinGate-1080-Attempt  24.42.178.243:4885 -> 172.16.1.105:1080
Nov 25 09:1:12  spp_portscan  PORTSCAN DETECTED from 24.42.178.243 (THRESHOLD 5 connections exceeded in 0 seconds)::
Nov 25 09:1:12  MISC-WinGate-1080-Attempt  24.42.178.243:4886 -> 172.16.1.106:1080
Nov 25 09:1:12  MISC-WinGate-1080-Attempt  24.42.178.243:4887 -> 172.16.1.107:1080
Nov 25 09:1:12  MISC-WinGate-1080-Attempt  24.42.178.243:4888 -> 172.16.1.108:1080
Nov 25 09:1:13  MISC-WinGate-1080-Attempt  24.42.178.243:4881 -> 172.16.1.101:1080
Nov 25 09:1:13  MISC-WinGate-1080-Attempt  24.42.178.243:4887 -> 172.16.1.107:1080
Nov 25 09:1:13  MISC-WinGate-1080-Attempt  24.42.178.243:4881 -> 172.16.1.101:1080
Nov 25 09:1:13  MISC-WinGate-1080-Attempt  24.42.178.243:4887 -> 172.16.1.107:1080
Nov 25 09:1:14  MISC-WinGate-1080-Attempt  24.42.178.243:4881 -> 172.16.1.101:1080
Nov 25 09:1:14  MISC-WinGate-1080-Attempt  24.42.178.243:4887 -> 172.16.1.107:1080
Nov 25 09:1:15  MISC-WinGate-1080-Attempt  24.42.178.243:4882 -> 172.16.1.102:1080
Nov 25 09:1:15  MISC-WinGate-1080-Attempt  24.42.178.243:4883 -> 172.16.1.103:1080
Nov 25 09:1:15  MISC-WinGate-1080-Attempt  24.42.178.243:4884 -> 172.16.1.104:1080
Nov 25 09:1:15  MISC-WinGate-1080-Attempt  24.42.178.243:4885 -> 172.16.1.105:1080
Nov 25 09:1:15  MISC-WinGate-1080-Attempt  24.42.178.243:4888 -> 172.16.1.108:1080
Nov 25 09:6:19  spp_portscan  portscan status from 24.42.178.243: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 25 09:6:53  spp_portscan  End of portscan from 24.42.178.243: TOTAL time(3s) hosts(8) TCP(8) UDP(0):
152.2.48.83 25-Nov-00 12:13:19 ftp Nov 25 12:13:19  spp_portscan  PORTSCAN DETECTED from 152.2.48.83 (THRESHOLD 5 connections exceeded in 0 seconds):: FTP Scan
Nov 25 12:34:45  spp_portscan  portscan status from 152.2.48.83: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 25 12:35:02  spp_portscan  End of portscan from 152.2.48.83: TOTAL time(0s) hosts(8) TCP(8) UDP(0):
209.148.83.51 25-Nov-00 15:40:12 ftp
Nov 25 21:25:26  spp_portscan  PORTSCAN DETECTED from 172.155.157.149 (THRESHOLD 5 connections exceeded in 0 seconds):: FTP Scan
Nov 25 21:31:17  spp_portscan  portscan status from 172.155.157.149: 7 connections across 7 hosts: TCP(7), UDP(0)
Nov 25 21:31:34  spp_portscan  End of portscan from 172.155.157.149: TOTAL time(0s) hosts(7) TCP(7) UDP(0):
Solaris 2.6, 172.16.1.103 brought online, Nov 26th 2001
RedHat 6.2, 172.16.1.104 brought online, Nov 26th 2001
Windows NT SP4, 172.16.1.106 brought online, Nov 26th 2001
128.84.246.7 26-Nov-00 7:41:13 telnet Nov 26 07:35:34  spp_portscan  PORTSCAN DETECTED from 128.84.246.7 (THRESHOLD 5 connections exceeded in 0 seconds):: Telnet Scan
Nov 26 07:41:13  spp_portscan  portscan status from 128.84.246.7: 9 connections across 8 hosts: TCP(9), UDP(0)
Nov 26 07:41:13  IDS8 - TELNET - daemon-active  172.16.1.101:23 -> 128.84.246.7:3913
Nov 26 09:0:02  spp_portscan  End of portscan from 128.84.246.7: TOTAL time(339s) hosts(8) TCP(9) UDP(0):
207.38.118.172 26-Nov-00 17:07:19 imap
Nov 26 19:51:53  spp_portscan  PORTSCAN DETECTED from 208.185.167.115 (THRESHOLD 5 connections exceeded in 4 seconds):: IMAP Scan
Nov 26 20:49:24  spp_portscan  portscan status from 208.185.167.115: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 26 21:15:10  spp_portscan  portscan status from 208.185.167.115: 1 connections across 1 hosts: TCP(1), UDP(0)
Nov 26 21:35:31  spp_portscan  portscan status from 208.185.167.115: 7 connections across 7 hosts: TCP(7), UDP(0)
Nov 26 21:35:47  spp_portscan  End of portscan from 208.185.167.115: TOTAL time(5001s) hosts(14) TCP(16) UDP(0):
63.165.207.14 28-Nov-00 1:21:47 telnet Nov 28 01:21:50  spp_portscan  PORTSCAN DETECTED from 63.165.207.14 (THRESHOLD 5 connections exceeded in 3 seconds):: Telnet Scan
Nov 28 01:22:07  spp_portscan  portscan status from 63.165.207.14: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 28 01:22:23  spp_portscan  End of portscan from 63.165.207.14: TOTAL time(3s) hosts(8) TCP(8) UDP(0):
Nov 29 11:13:29  spp_portscan  PORTSCAN DETECTED from 12.24.136.201 (STEALTH):: ??? Scan
Nov 29 11:13:29  SCAN-SYN FIN  12.24.136.201:511 -> 172.16.1.101:511
Nov 29 11:13:29  SCAN-SYN FIN  12.24.136.201:511 -> 172.16.1.102:511
Nov 29 11:13:29  SCAN-SYN FIN  12.24.136.201:511 -> 172.16.1.103:511
Nov 29 11:13:29  SCAN-SYN FIN  12.24.136.201:511 -> 172.16.1.104:511
Nov 29 11:13:29  SCAN-SYN FIN  12.24.136.201:511 -> 172.16.1.105:511
Nov 29 11:13:29  SCAN-SYN FIN  12.24.136.201:511 -> 172.16.1.106:511
Nov 29 11:13:29  SCAN-SYN FIN  12.24.136.201:511 -> 172.16.1.107:511
Nov 29 11:13:29  SCAN-SYN FIN  12.24.136.201:511 -> 172.16.1.108:511
Nov 29 11:14:24  spp_portscan  portscan status from 12.24.136.201: 8 connections across 8 hosts: TCP(8), UDP(0) STEALTH
Nov 29 11:14:42  spp_portscan  End of portscan from 12.24.136.201: TOTAL time(0s) hosts(8) TCP(8) UDP(0) STEALTH:
213.56.229.206 29-Nov-00 15:04:03 ftp Nov 29 15:4:04  spp_portscan  PORTSCAN DETECTED from 213.56.229.206 (THRESHOLD 5 connections exceeded in 1 seconds):: FTP Scan
Nov 29 16:9:50  spp_portscan  portscan status from 213.56.229.206: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 29 16:10:07  spp_portscan  End of portscan from 213.56.229.206: TOTAL time(4s) hosts(8) TCP(8) UDP(0):
144.132.223.204 30-Nov-00 4:58:45 ftp Nov 30 04:58:53  spp_portscan  PORTSCAN DETECTED from 144.132.223.204 (THRESHOLD 5 connections exceeded in 7 seconds):: FTP Scan
Nov 30 04:59:12  spp_portscan  portscan status from 144.132.223.204: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 30 06:45:46  spp_portscan  portscan status from 144.132.223.204: 2 connections across 2 hosts: TCP(2), UDP(0)
149.225.118.255 30-Nov-00 9:36:09 ftp Nov 30 09:36:09  spp_portscan  End of portscan from 144.132.223.204: TOTAL time(29s) hosts(9) TCP(10) UDP(0):
Nov 30 09:36:09  spp_portscan  PORTSCAN DETECTED from 149.225.118.255 (THRESHOLD 5 connections exceeded in 0 seconds):: FTP Scan
Nov 30 09:37:19  spp_portscan  portscan status from 149.225.118.255: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 30 09:37:36  spp_portscan  End of portscan from 149.225.118.255: TOTAL time(3s) hosts(8) TCP(8) UDP(0):
Nov 30 15:42:39  spp_portscan  PORTSCAN DETECTED from 216.78.181.149 (THRESHOLD 5 connections exceeded in 0 seconds):: FTP Scan
Nov 30 17:0:01  spp_portscan  portscan status from 216.78.181.149: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 30 17:0:19  spp_portscan  End of portscan from 216.78.181.149: TOTAL time(1s) hosts(8) TCP(8) UDP(0):
141.223.222.143 30-Nov-00 20:42:58 ftp Nov 30 20:43:01  spp_portscan  PORTSCAN DETECTED from 141.223.222.143 (THRESHOLD 5 connections exceeded in 2 seconds):: Hack Attempt
Nov 30 21:55:43  spp_portscan  portscan status from 141.223.222.143: 8 connections across 8 hosts: TCP(8), UDP(0)
Nov 30 21:55:44  IDS287 - FTP - Wuftp260 venglin linux  141.223.222.143:4761 -> 172.16.1.104:21
Nov 30 21:55:47  IDS317 - FTP-site-exec  141.223.222.143:4761 -> 172.16.1.104:21
Nov 30 22:0:32  spp_portscan  End of portscan from 141.223.222.143: TOTAL time(4365s) hosts(8) TCP(8) UDP(0):
Nov 30 22:30:56  IDS8 - TELNET - daemon-active  172.16.1.103:23 -> 207.239.115.11:1947