What is the Pattern here ?
From: !:?) (_at_*.com)
Date: 07/29/04
- Previous message: !:?): "Re: Norton internet sec pro"
- Next in thread: Wolfgang Kueter: "Re: What is the Pattern here ?"
- Reply: Wolfgang Kueter: "Re: What is the Pattern here ?"
- Reply: Mike: "Re: What is the Pattern here ?"
- Reply: Moe Trin: "Re: What is the Pattern here ?"
Date: Thu, 29 Jul 2004 19:37:49 GMT
Hello,
This is a piece of my log and I would like some comments on the patterns
of hits it logged.
I keep seeing the same ports hit in the same order every time, with
NetBIOS or other probes added at the end from time to time.
All IPs I checked so far come back to dialup accounts, although I didn't
check the 445 and ICMP hit IPs.
7/29/04 12:25:16 Rule "Block ICMP Inbound (Echo Request) " blocked
(12.76.80.12,8). Details:
Inbound ICMP request
Local address is (-)
Remote address is (12.76.80.12)
Message type is "Echo Request"
Process name is "N/A"
7/29/04 12:21:09 Rule "Default Block Sokets de Trois v1. Trojan" blocked
(-,5000). Details:
Inbound TCP connection
Local address,service is (-,5000)
Remote address,service is (12.76.202.102,4602)
Process name is "N/A"
7/29/04 12:16:07 Rule "?Default Block MyDoom Ports 3127-3198<" blocked
(-,3127). Details:
Inbound TCP connection
Local address,service is (-,3127)
Remote address,service is (219.156.116.164,2591)
Process name is "N/A"
7/29/04 12:16:01 Rule "?Default Block MyDoom Ports 3127-3198<" blocked
(-,3127). Details:
Inbound TCP connection
Local address,service is (-,3127)
Remote address,service is (219.156.116.164,2591)
Process name is "N/A"
7/29/04 12:15:59 Rule "?Default Block MyDoom Ports 3127-3198<" blocked
(-,3127). Details:
Inbound TCP connection
Local address,service is (-,3127)
Remote address,service is (219.156.116.164,2591)
Process name is "N/A"
7/29/04 12:15:02 Rule "Default Block Sokets de Trois v1. Trojan" blocked
(-,5000). Details:
Inbound TCP connection
Local address,service is (-,5000)
Remote address,service is (12.76.8.76,3698)
Process name is "N/A"
7/29/04 12:07:48 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.207.162,4194)
Process name is "N/A"
7/29/04 12:07:45 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.207.162,4194)
Process name is "N/A"
7/29/04 12:07:37 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.184.147,2554)
Process name is "N/A"
7/29/04 12:07:32 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.184.147,2554)
Process name is "N/A"
7/29/04 12:01:27 Rule ">Default Block Kaung 2 The Virus<" blocked
(-,17300). Details:
Inbound TCP connection
Local address,service is (-,17300)
Remote address,service is (12.76.69.219,1989)
Process name is "N/A"
7/29/04 12:01:24 Rule ">Default Block Kaung 2 The Virus<" blocked
(-,17300). Details:
Inbound TCP connection
Local address,service is (-,17300)
Remote address,service is (12.76.69.219,1989)
Process name is "N/A"
7/29/04 11:58:59 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.172.189,4020)
Process name is "N/A"
7/29/04 11:58:56 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.172.189,4020)
Process name is "N/A"
7/29/04 11:58:18 Rule "Default Block NetBIOS Networking Port 139"
blocked (-,nbsession). Details:
Inbound TCP connection
Local address,service is (-,nbsession)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,4531)
Process name is "N/A"
7/29/04 11:58:11 Rule "Default Block NetBIOS Networking Port 139"
blocked (-,nbsession). Details:
Inbound TCP connection
Local address,service is (-,nbsession)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,4531)
Process name is "N/A"
7/29/04 11:58:10 Rule "Default Block NetBIOS Networking Port 139"
blocked (-,nbsession). Details:
Inbound TCP connection
Local address,service is (-,nbsession)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,4531)
Process name is "N/A"
7/29/04 11:57:56 Rule ">Default Block711 Trojan Port 80 http<" blocked
(-,http). Details:
Inbound TCP connection
Local address,service is (-,http)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,2322)
Process name is "N/A"
7/29/04 11:57:50 Rule ">Default Block711 Trojan Port 80 http<" blocked
(-,http). Details:
Inbound TCP connection
Local address,service is (-,http)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,2322)
Process name is "N/A"
7/29/04 11:57:46 Rule ">Default Block711 Trojan Port 80 http<" blocked
(-,http). Details:
Inbound TCP connection
Local address,service is (-,http)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,2322)
Process name is "N/A"
7/29/04 11:57:34 Rule "?Default Block MyDoom Ports 3127-3198<" blocked
(-,3140). Details:
Inbound TCP connection
Local address,service is (-,3140)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,4040)
Process name is "N/A"
7/29/04 11:57:29 Rule "?Default Block MyDoom Ports 3127-3198<" blocked
(-,3140). Details:
Inbound TCP connection
Local address,service is (-,3140)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,4040)
Process name is "N/A"
7/29/04 11:57:26 Rule "?Default Block MyDoom Ports 3127-3198<" blocked
(-,3140). Details:
Inbound TCP connection
Local address,service is (-,3140)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,4040)
Process name is "N/A"
7/29/04 11:57:14 Rule ">Default DameWare Buffer overflow Exploit<"
blocked (-,6129). Details:
Inbound TCP connection
Local address,service is (-,6129)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,1961)
Process name is "N/A"
7/29/04 11:57:06 Rule ">Default DameWare Buffer overflow Exploit<"
blocked (-,6129). Details:
Inbound TCP connection
Local address,service is (-,6129)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,1961)
Process name is "N/A"
7/29/04 11:56:51 Rule "Default Block Sokets de Trois v1. Trojan" blocked
(-,5000). Details:
Inbound TCP connection
Local address,service is (-,5000)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,3553)
Process name is "N/A"
7/29/04 11:56:43 Rule "Default Block Sokets de Trois v1. Trojan" blocked
(-,5000). Details:
Inbound TCP connection
Local address,service is (-,5000)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,3553)
Process name is "N/A"
7/29/04 11:56:30 Rule "> Block Bagle/Beagle/Tanx" blocked (-,2745).
Details:
Inbound TCP connection
Local address,service is (-,2745)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,1458)
Process name is "N/A"
7/29/04 11:56:21 Rule "> Block Bagle/Beagle/Tanx" blocked (-,2745).
Details:
Inbound TCP connection
Local address,service is (-,2745)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,1458)
Process name is "N/A"
7/29/04 11:56:08 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,3019)
Process name is "N/A"
7/29/04 11:56:02 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,3019)
Process name is "N/A"
7/29/04 11:55:58 Rule ">Default Block Kaung 2 The Virus<" blocked
(-,17300). Details:
Inbound TCP connection
Local address,service is (-,17300)
Remote address,service is (12.76.100.241,2756)
Process name is "N/A"
7/29/04 11:55:55 Rule ">Default Block Kaung 2 The Virus<" blocked
(-,17300). Details:
Inbound TCP connection
Local address,service is (-,17300)
Remote address,service is (12.76.100.241,2756)
Process name is "N/A"
7/29/04 11:55:31 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.172.189,3687)
Process name is "N/A"
7/29/04 11:55:29 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.172.189,3687)
Process name is "N/A"
7/29/04 11:54:49 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.187.217,1847)
Process name is "N/A"
7/29/04 11:54:48 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.198.93,2106)
Process name is "N/A"
7/29/04 11:54:43 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.187.217,1847)
Process name is "N/A"
7/29/04 11:54:42 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.198.93,2106)
Process name is "N/A"
7/29/04 11:54:40 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.187.217,1847)
Process name is "N/A"
7/29/04 11:54:39 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.198.93,2106)
Process name is "N/A"
7/29/04 11:53:06 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.168.39,2593)
Process name is "N/A"
7/29/04 11:53:03 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.168.39,2593)
Process name is "N/A"
Sorry it's so long.
Any ideas?
Kevin
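
Added example, not part of the original post: a small Python parser for this log format that undoes the line wrapping, collapses repeated attempts from the same source port, and lists the local ports each remote host tried in chronological order. The function names and the sample (placeholder hosts `dial1.example.net` and `192.0.2.39`) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

SERVICES = {"nbsession": 139, "http": 80}  # names the log prints instead of numbers
ENTRY = re.compile(
    r'(\d+/\d+/\d+ \d+:\d+:\d+) Rule "[^"]*" blocked \(-,(\w+)\)\. Details: '
    r'Inbound TCP connection .*?Remote address,service is \(([^,()\s]+),(\d+)\)')

def parse(text):
    """Yield (time, remote_host, local_port, remote_port) per blocked TCP entry."""
    flat = " ".join(text.split())  # undo the line wrapping inside entries
    for ts, svc, host, rport in ENTRY.findall(flat):
        port = SERVICES[svc] if svc in SERVICES else int(svc)
        yield datetime.strptime(ts, "%m/%d/%y %H:%M:%S"), host, port, int(rport)

def port_sequences(text):
    """Map each remote host to the local ports it tried, oldest first."""
    seqs, seen = defaultdict(list), set()
    for _, host, port, rport in sorted(parse(text)):
        if (host, port, rport) not in seen:  # same source port again = retry
            seen.add((host, port, rport))
            seqs[host].append(port)
    return dict(seqs)

def sweepers(text, min_ports=3):
    """Hosts that walked at least min_ports distinct local ports."""
    return {h: p for h, p in port_sequences(text).items() if len(set(p)) >= min_ports}

# Constructed sample in the post's format, newest first; hosts are placeholders.
SAMPLE = '''
7/29/04 11:58:10 Rule "Default Block NetBIOS Networking Port 139"
blocked (-,nbsession). Details:
Inbound TCP connection Local address,service is (-,nbsession)
Remote address,service is (dial1.example.net,4531) Process name is "N/A"
7/29/04 11:56:30 Rule "> Block Bagle/Beagle/Tanx" blocked (-,2745). Details:
Inbound TCP connection Local address,service is (-,2745)
Remote address,service is (dial1.example.net,1458) Process name is "N/A"
7/29/04 11:56:21 Rule "> Block Bagle/Beagle/Tanx" blocked (-,2745). Details:
Inbound TCP connection Local address,service is (-,2745)
Remote address,service is (dial1.example.net,1458) Process name is "N/A"
7/29/04 11:56:08 Rule ">Default Block Port 445 Microsoft DS<" blocked (-,445). Details:
Inbound TCP connection Local address,service is (-,445)
Remote address,service is (dial1.example.net,3019) Process name is "N/A"
7/29/04 11:53:06 Rule ">Default Block Port 445 Microsoft DS<" blocked (-,445). Details:
Inbound TCP connection Local address,service is (-,445)
Remote address,service is (192.0.2.39,2593) Process name is "N/A"
'''
print(sweepers(SAMPLE))
```

Hosts that appear only in `port_sequences` with a single port are one-service probes; those returned by `sweepers` walked a fixed list of ports, which is the repeating order described in the post.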