Audit Extracts

====================================================
Tracer Starting Engines on all.net by fc.
     Wed Mar 13 07:47:13 EST 1996
Copyright (c), 1985-6 Management Analytics
          All Rights Reserved
====================================================
...
The following lines indicate possible attempts to forge IP addresses.
This can also result from improperly configured domain name servers.

Mar  7 08:53:08 all in.gopherd[29085]: warning: can't verify hostname: gethostbyname(bannana.dup.devry.edu) failed
Mar  7 16:25:25 all in.gopherd[24852]: warning: can't verify hostname: gethostbyname(r198_213_14_45.etsu.edu) failed
Mar  9 18:20:21 all in.gopherd[4196]: warning: can't verify hostname: gethostbyname(client827a.globalnet.co.uk) failed
Mar 11 10:37:28 all sendmail[20024]: warning: can't verify hostname: gethostbyname(mail.telia.se) failed
Mar 11 19:36:11 all sendmail[15996]: warning: can't verify hostname: gethostbyname(ibmmail.com) failed
Mar 13 01:47:44 all in.rshd[7963]: warning: can't verify hostname: gethostbyname(yuma13.ResComp.Arizona.EDU) failed
Mar 13 04:49:42 all in.telnetd[21583]: warning: can't verify hostname: gethostbyname(max2.41.maxnet.westworld.com) failed
Mar 13 04:50:10 all in.telnetd[21609]: warning: can't verify hostname: gethostbyname(max2.41.maxnet.westworld.com) failed
Mar 13 04:50:27 all in.telnetd[21615]: warning: can't verify hostname: gethostbyname(max2.41.maxnet.westworld.com) failed
Mar 13 04:50:39 all in.telnetd[21627]: warning: can't verify hostname: gethostbyname(max2.41.maxnet.westworld.com) failed
Mar 13 06:05:01 all in.telnetd[25633]: warning: can't verify hostname: gethostbyname(C18159.bl.uk) failed

Note the increased detections starting March 13.

...
The following lines indicate attempted entries that were refused access:
Feb 27 11:24:23 all in.ftpd[18268]: refused connect from pfizergate.pfizer.com
Feb 28 00:57:43 all in.thttpd2[12682]: refused connect from shemp.bucks.edu
Feb 28 06:38:50 all in.thttpd2[16769]: refused connect from galileo.mckinley.com
Feb 28 06:38:57 all in.thttpd2[16794]: refused connect from galileo.mckinley.com
Mar  3 18:06:17 all in.thttpd2[10434]: refused connect from hd71-125.compuserve.com
Mar  3 18:06:36 all in.thttpd2[10472]: refused connect from hd71-125.compuserve.com
Mar  4 03:38:07 all in.telnetd[16226]: refused connect from ebola@terra.igcom.net
Mar  4 08:17:38 all in.gopherd[1331]: refused connect from 205.216.146.178
Mar  4 14:32:57 all in.telnetd[22958]: refused connect from cveley@gunnison.com
Mar  4 19:26:37 all in.ftpd[9914]: refused connect from very.friend.ly.net
Mar  5 14:21:53 all in.telnetd[11449]: refused connect from fc@localhost
Mar  5 22:12:36 all in.telnetd[7960]: refused connect from wfarge@gunnison.com
Mar  5 22:13:22 all in.telnetd[8010]: refused connect from wfarge@gunnison.com
Mar  5 23:59:57 all in.gopherd[13167]: refused connect from 205.216.146.178
Mar  6 13:17:32 all in.ftpd[26482]: refused connect from edmund.cs.andrews.edu
Mar  7 08:53:08 all in.gopherd[29085]: refused connect from 206.69.49.20
Mar  7 11:37:10 all in.ftpd[10231]: refused connect from noc.tor.hookup.net
Mar  7 15:24:12 all in.ftpd[21409]: refused connect from 143.211.156.105
Mar  7 16:25:25 all in.gopherd[24852]: refused connect from 198.213.14.45
Mar  7 16:46:32 all in.ftpd[26084]: refused connect from asdn.on.ca
Mar  8 09:52:26 all in.ftpd[22413]: refused connect from marlowe.physcip.uni-stuttgart.de
Mar  8 20:17:50 all in.telnetd[1057]: refused connect from maxx@osh1.datasync.com
Mar  9 04:48:26 all in.telnetd[25289]: refused connect from dhp.com
Mar  9 12:23:18 all in.gopherd[17060]: refused connect from 205.216.146.178
Mar  9 18:20:21 all in.gopherd[4196]: refused connect from 194.126.82.122
Mar  9 18:52:41 all in.telnetd[5561]: refused connect from raven.psc.edu
Mar 10 19:12:08 all in.telnetd[7456]: refused connect from VP24A97S@ubvmsa.cc.buffalo.edu

Normal loads up till here

Mar 11 08:57:36 all in.telnetd[13321]: refused connect from gryphon.psych.ox.ac.uk
Mar 11 10:37:28 all sendmail[20024]: refused connect from 131.115.15.30
Mar 11 12:02:29 all in.ftpd[24237]: refused connect from mail.healthgate.com
Mar 11 13:25:50 all in.telnetd[27915]: refused connect from dunster-lab4.student.harvard.edu
Mar 11 13:31:42 all in.readonlyd[28220]: refused connect from fc@all.net
Mar 11 13:36:04 all in.readonlyd[28422]: refused connect from fc@all.net
Mar 11 14:21:49 all in.telnetd[781]: refused connect from pm075-00.dialip.mich.net
Mar 11 15:16:27 all in.telnetd[3244]: refused connect from dunster-lab1.student.harvard.edu
Mar 11 15:30:48 all in.telnetd[4020]: refused connect from gh@HELP011.UTCC.UTK.EDU
Mar 11 16:14:52 all in.telnetd[6075]: refused connect from slc118.xmission.com
Mar 11 17:36:53 all in.telnetd[10125]: refused connect from shell.aros.net
Mar 11 17:55:34 all in.telnetd[10899]: refused connect from bifrost.seastrom.com
Mar 11 18:18:11 all in.telnetd[11893]: refused connect from symptom-7.digex.net
Mar 11 18:18:20 all in.telnetd[11913]: refused connect from symptom-7.digex.net
Mar 11 19:36:11 all sendmail[15996]: refused connect from 199.171.26.3
Mar 11 20:55:29 all in.telnetd[20074]: refused connect from bobmacd@netcom21.netcom.com
Mar 11 21:53:22 all in.telnetd[22514]: refused connect from 204.69.200.39
Mar 11 22:53:20 all in.telnetd[25034]: refused connect from remarque.Berkeley.EDU
Mar 11 22:53:51 all in.telnetd[25064]: refused connect from halon.sybase.com
Mar 12 16:30:10 all in.telnetd[11864]: refused connect from dracula.cis.ohio-state.edu
Mar 12 17:56:46 all in.telnetd[15722]: refused connect from ALBATROSS.BBN.COM
Mar 12 18:04:29 all in.telnetd[16053]: refused connect from SCULPEY.BBN.COM
Mar 12 18:04:31 all in.telnetd[16059]: refused connect from nunic.nu.edu
Mar 12 18:11:59 all in.telnetd[16368]: refused connect from mgate.catapent.com
Mar 12 18:19:06 all in.telnetd[16682]: refused connect from emily.la.asu.edu
Mar 12 19:22:38 all in.telnetd[19265]: refused connect from spectre.netseer.com
Mar 12 19:44:07 all in.telnetd[20176]: refused connect from toddw@gol1.gol.com
Mar 12 19:45:11 all in.telnetd[20243]: refused connect from IUS4.IUS.CS.CMU.EDU
Mar 12 19:54:22 all in.telnetd[20700]: refused connect from killian@fusion.leba.net
Mar 12 19:55:35 all in.telnetd[20772]: refused connect from clihost.cli.creaf.com
Mar 12 20:05:42 all in.telnetd[21838]: refused connect from tide02.microsoft.com
Mar 12 20:08:30 all in.telnetd[22380]: refused connect from firewall-user@tide02.microsoft.com
Mar 12 20:27:48 all in.ftpd[23676]: refused connect from pm2-20.ppp.satelnet.org
Mar 12 20:28:45 all in.telnetd[23718]: refused connect from dist@pm2-20.ppp.satelnet.org
Mar 12 21:15:32 all in.telnetd[25586]: refused connect from chelsea.ios.com
Mar 12 22:08:22 all in.telnetd[27772]: refused connect from woodland.digex.net
Mar 12 22:22:32 all in.telnetd[28338]: refused connect from 131.107.2.23
Mar 12 23:42:19 all in.telnetd[1560]: refused connect from UNIX18.ANDREW.CMU.EDU
Mar 12 23:42:45 all in.telnetd[1584]: refused connect from declan@well.com
Mar 13 00:11:42 all in.telnetd[2719]: refused connect from jekyll.piermont.com
Mar 13 00:38:20 all in.telnetd[3766]: refused connect from 206.152.14.3

We had noticed the increased attempts over the last two days, but then, ...

Mar 13 00:45:33 all in.telnetd[4058]: refused connect from sameer@infinity.c2.org
Mar 13 00:46:05 all in.telnetd[4096]: refused connect from sameer@infinity.c2.org
Mar 13 00:46:54 all in.telnetd[4135]: refused connect from windoze.c2.org
Mar 13 00:48:19 all in.telnetd[4211]: refused connect from thad.got.net
Mar 13 00:48:33 all in.telnetd[4230]: refused connect from thad.got.net
Mar 13 00:49:40 all in.telnetd[4282]: refused connect from 7299@halsey.CS.Berkeley.EDU
Mar 13 00:49:57 all in.telnetd[4296]: refused connect from alhazen.CS.Berkeley.EDU
Mar 13 00:51:24 all in.telnetd[4378]: refused connect from windoze.c2.org
Mar 13 00:51:39 all in.telnetd[4398]: refused connect from max2.13.maxnet.westworld.com
Mar 13 00:51:56 all in.telnetd[4432]: refused connect from NUBS65.ccs.itd.umich.edu
Mar 13 00:51:58 all in.telnetd[4419]: refused connect from caribe1-96.caribe.net
Mar 13 00:52:16 all in.telnetd[4454]: refused connect from 164.124.200.11
Mar 13 00:52:39 all in.telnetd[4487]: refused connect from danh@godzilla.EECS.Berkeley.EDU
Mar 13 00:53:07 all in.telnetd[4518]: refused connect from 0.0.0.0
Mar 13 00:53:53 all in.telnetd[4575]: refused connect from 129.71.29.135
Mar 13 00:55:39 all in.telnetd[4654]: refused connect from misf225.cern.ch
Mar 13 00:56:06 all in.telnetd[4679]: refused connect from misf225.cern.ch
Mar 13 01:02:39 all in.telnetd[4977]: refused connect from 199.2.142.52
Mar 13 01:03:55 all in.telnetd[5037]: refused connect from mskatnic.dorms.calpoly.edu
Mar 13 01:03:58 all in.telnetd[5043]: refused connect from pool006.Max10.Detroit.MI.DYNIP.ALTER.NET
Mar 13 01:04:04 all in.telnetd[5070]: refused connect from pool006.Max10.Detroit.MI.DYNIP.ALTER.NET
Mar 13 01:04:29 all in.telnetd[5092]: refused connect from pool006.Max10.Detroit.MI.DYNIP.ALTER.NET
Mar 13 01:05:02 all in.telnetd[5136]: refused connect from ix-hou1-03.ix.netcom.com
Mar 13 01:05:35 all in.telnetd[5158]: refused connect from pool006.Max10.Detroit.MI.DYNIP.ALTER.NET
Mar 13 01:05:48 all in.telnetd[5188]: refused connect from pool006.Max10.Detroit.MI.DYNIP.ALTER.NET
Mar 13 01:06:09 all in.telnetd[5213]: refused connect from pool006.Max10.Detroit.MI.DYNIP.ALTER.NET
Mar 13 01:06:42 all in.telnetd[5244]: refused connect from 199.2.22.68
Mar 13 01:06:58 all in.telnetd[5269]: refused connect from turtle@port24.axs.net
Mar 13 01:07:42 all in.telnetd[5313]: refused connect from turtle@port24.axs.net
Mar 13 01:08:06 all in.telnetd[5340]: refused connect from turtle@port24.axs.net

An event occurred at Mar 13 00:45:33 that all of a sudden pumped up the telnet rate to more than one per minute. It started with what were probably two test hits by sameer@infinity.c2.org, then, as things started to pick up, two by windoze.c2.org, and from then on, lots of telnets. Note also that c2.org was detected as the site with the malicious code later in the day.

Then:

...
Mar 13 01:45:38 all in.telnetd[7816]: refused connect from utdppp216.utdallas.edu
Mar 13 01:45:42 all in.telnetd[7824]: refused connect from iww32.mb.Uni-Magdeburg.DE
Mar 13 01:47:06 all in.telnetd[7899]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:47:29 all in.telnetd[7936]: refused connect from iww32.mb.Uni-Magdeburg.DE
Mar 13 01:47:37 all in.ftpd[7948]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:47:39 all in.telnetd[7949]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:47:39 all in.thttpd2[7955]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:47:44 all in.rshd[7963]: refused connect from 150.135.28.168
Mar 13 01:47:46 all in.rlogind[7961]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:47:55 all in.telnetd[8015]: refused connect from iww32.mb.Uni-Magdeburg.DE
Mar 13 01:48:07 all in.telnetd[8036]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:48:17 all in.telnetd[8057]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:48:19 all in.telnetd[8061]: refused connect from lafn.ORG
Mar 13 01:48:54 all in.telnetd[8112]: refused connect from ppp101.jetlink.net
Mar 13 01:50:55 all in.telnetd[8204]: refused connect from ppp101.jetlink.net
Mar 13 01:51:29 all in.telnetd[8257]: refused connect from ppp101.jetlink.net
Mar 13 01:52:03 all in.telnetd[8279]: refused connect from ppp101.jetlink.net
Mar 13 01:54:10 all in.telnetd[8375]: refused connect from magicall2.dacom.co.kr
Mar 13 01:54:23 all in.telnetd[8390]: refused connect from arctic-14.vf.pond.com
Mar 13 01:54:33 all in.telnetd[8386]: refused connect from colt10.qad.com
Mar 13 01:55:17 all in.telnetd[8444]: refused connect from colt10.qad.com
Mar 13 01:55:20 all in.telnetd[8463]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:55:27 all in.telnetd[8481]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:55:35 all in.telnetd[8496]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:55:43 all in.telnetd[8524]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:55:50 all in.telnetd[8552]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:55:58 all in.telnetd[8568]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:55:59 all in.telnetd[8545]: refused connect from magicall2.dacom.co.kr
Mar 13 01:56:06 all in.telnetd[8594]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:56:08 all in.telnetd[8569]: refused connect from magicall2.dacom.co.kr
Mar 13 01:56:14 all in.telnetd[8616]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:56:22 all in.telnetd[8641]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:56:29 all in.telnetd[8657]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:56:33 all in.telnetd[8642]: refused connect from magicall2.dacom.co.kr
Mar 13 01:56:37 all in.telnetd[8685]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:56:45 all in.telnetd[8712]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:56:53 all in.telnetd[8726]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:57:01 all in.telnetd[8749]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:57:08 all in.telnetd[8773]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:57:16 all in.telnetd[8796]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:57:24 all in.telnetd[8816]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:57:31 all in.telnetd[8835]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:57:40 all in.telnetd[8857]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:57:49 all in.telnetd[8879]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 01:58:07 all in.telnetd[8907]: refused connect from 204.244.101.147
Mar 13 01:58:16 all in.telnetd[8928]: refused connect from 166.82.247.6
Mar 13 01:58:39 all in.telnetd[8967]: refused connect from 204.244.101.147
Mar 13 01:58:41 all in.telnetd[8966]: refused connect from colt10.qad.com
Mar 13 01:59:09 all in.telnetd[8997]: refused connect from colt10.qad.com
Mar 13 01:59:51 all in.telnetd[9034]: refused connect from colt10.qad.com
Mar 13 02:00:09 all in.telnetd[9056]: refused connect from colt10.qad.com
Mar 13 02:01:04 all in.telnetd[9106]: refused connect from colt10.qad.com
Mar 13 02:01:17 all in.telnetd[9136]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:01:24 all in.telnetd[9135]: refused connect from colt10.qad.com
Mar 13 02:02:02 all in.telnetd[9182]: refused connect from colt10.qad.com
Mar 13 02:02:06 all in.telnetd[9197]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:02:55 all in.telnetd[9251]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:03:26 all in.telnetd[9293]: refused connect from sr-tty11-ppp.well.com
Mar 13 02:03:56 all in.telnetd[9324]: refused connect from colt10.qad.com
Mar 13 02:04:01 all in.telnetd[9333]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:04:04 all in.telnetd[9342]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:04:05 all in.telnetd[9351]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:04:07 all in.telnetd[9366]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:04:10 all in.telnetd[9379]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:04:13 all in.telnetd[9393]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:04:15 all in.telnetd[9406]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:04:16 all in.telnetd[9417]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:04:20 all in.telnetd[9433]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:04:24 all in.telnetd[9440]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:04:28 all in.telnetd[9470]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:04:30 all in.telnetd[9452]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:04:33 all in.telnetd[9479]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:04:37 all in.telnetd[9506]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:04:40 all in.telnetd[9487]: refused connect from sr-tty11-ppp.well.com
Mar 13 02:04:40 all in.telnetd[9486]: refused connect from colt10.qad.com
Mar 13 02:04:44 all in.telnetd[9536]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:04:46 all in.telnetd[9550]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:04:48 all in.telnetd[9576]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:04:54 all in.telnetd[9597]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:04:58 all in.telnetd[9605]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:05:00 all in.telnetd[9617]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:05:01 all in.telnetd[9631]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:05:07 all in.telnetd[9655]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:05:10 all in.telnetd[9668]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:05:13 all in.telnetd[9683]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:05:15 all in.telnetd[9695]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:05:21 all in.telnetd[9709]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:05:20 all in.telnetd[9724]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:05:21 all in.telnetd[9729]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:05:25 all in.telnetd[9752]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:05:28 all in.telnetd[9719]: refused connect from colt10.qad.com
Mar 13 02:05:30 all in.telnetd[9770]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:05:31 all in.telnetd[9776]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:05:34 all in.telnetd[9794]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:05:35 all in.telnetd[9805]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:05:42 all in.telnetd[9820]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:05:52 all in.telnetd[9868]: refused connect from gatekeeper.us.oracle.com
Mar 13 02:05:55 all in.telnetd[9854]: refused connect from colt10.qad.com
Mar 13 02:05:57 all in.telnetd[9888]: refused connect from bhb28.acadia.net
Mar 13 02:06:13 all in.telnetd[9915]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:15 all in.telnetd[9923]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:17 all in.telnetd[9935]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:19 all in.telnetd[9946]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:21 all in.telnetd[9959]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:23 all in.telnetd[9974]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:25 all in.telnetd[9984]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:29 all in.telnetd[9999]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:31 all in.telnetd[10009]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:33 all in.telnetd[10022]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:34 all in.telnetd[10035]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:37 all in.telnetd[10042]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:39 all in.telnetd[10054]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:41 all in.telnetd[10067]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:42 all in.telnetd[10068]: refused connect from gatekeeper.us.oracle.com
Mar 13 02:06:44 all in.telnetd[10080]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:46 all in.telnetd[10093]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:47 all in.telnetd[10105]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:49 all in.telnetd[10119]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:52 all in.telnetd[10129]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:55 all in.telnetd[10139]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:06:59 all in.telnetd[10164]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:01 all in.telnetd[10181]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:01 all in.telnetd[10155]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:04 all in.telnetd[10212]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:06 all in.telnetd[10168]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:07 all in.telnetd[10205]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:09 all in.telnetd[10187]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:11 all in.telnetd[10220]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:13 all in.telnetd[10236]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:18 all in.telnetd[10257]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:21 all in.telnetd[10279]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:19 all in.telnetd[10249]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:21 all in.telnetd[10265]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:21 all in.telnetd[10274]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:22 all in.telnetd[10252]: refused connect from sr-tty11-ppp.well.com
Mar 13 02:07:27 all in.telnetd[10290]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:30 all in.telnetd[10311]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:31 all in.telnetd[10330]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:32 all in.telnetd[10334]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:36 all in.telnetd[10320]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:36 all in.telnetd[10361]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:39 all in.telnetd[10355]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:40 all in.telnetd[10343]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:43 all in.telnetd[10389]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:42 all in.telnetd[10395]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:44 all in.telnetd[10371]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:45 all in.telnetd[10379]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:57 all in.telnetd[10447]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:59 all in.telnetd[10457]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:07:59 all in.telnetd[10437]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:01 all in.telnetd[10439]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:01 all in.telnetd[10452]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:02 all in.telnetd[10460]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:04 all in.telnetd[10473]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:08 all in.telnetd[10502]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:11 all in.telnetd[10481]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:14 all in.telnetd[10511]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:13 all in.telnetd[10523]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:14 all in.telnetd[10518]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:19 all in.telnetd[10532]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:23 all in.telnetd[10566]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:24 all in.telnetd[10540]: refused connect from 3tsp11.calypso.com
Mar 13 02:08:25 all in.telnetd[10572]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:27 all in.telnetd[10585]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:29 all in.telnetd[10597]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:31 all in.telnetd[10604]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:31 all in.telnetd[10578]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:37 all in.telnetd[10626]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:38 all in.telnetd[10616]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:41 all in.telnetd[10636]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:44 all in.telnetd[10654]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:45 all in.telnetd[10663]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:45 all in.telnetd[10670]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:47 all in.telnetd[10641]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:53 all in.telnetd[10653]: refused connect from colt10.qad.com
Mar 13 02:08:56 all in.telnetd[10712]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:56 all in.telnetd[10707]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:57 all in.telnetd[10720]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:08:58 all in.telnetd[10719]: refused connect from 3tsp11.calypso.com
Mar 13 02:08:59 all in.telnetd[10727]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:00 all in.telnetd[10742]: refused connect from 0.0.0.0
Mar 13 02:09:02 all in.telnetd[10737]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:04 all in.telnetd[10749]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:08 all in.telnetd[10772]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:09 all in.telnetd[10758]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:10 all in.telnetd[10788]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:11 all in.telnetd[10780]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:15 all in.telnetd[10816]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:17 all in.telnetd[10822]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:19 all in.telnetd[10840]: refused connect from 0.0.0.0
Mar 13 02:09:20 all in.telnetd[10809]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:26 all in.telnetd[10856]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:29 all in.telnetd[10864]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:30 all in.telnetd[10869]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:30 all in.telnetd[10876]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:33 all in.telnetd[10881]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:34 all in.telnetd[10891]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:36 all in.telnetd[10903]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:40 all in.telnetd[10922]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:42 all in.telnetd[10909]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:44 all in.telnetd[10931]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:45 all in.telnetd[10945]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:46 all in.telnetd[10934]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:50 all in.telnetd[10956]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:57 all in.telnetd[10989]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:58 all in.telnetd[11002]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:59 all in.telnetd[10996]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:09:59 all in.telnetd[11011]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:01 all in.telnetd[11016]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:03 all in.telnetd[11031]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:05 all in.telnetd[11043]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:09 all in.telnetd[11053]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:11 all in.telnetd[11062]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:15 all in.telnetd[11066]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:15 all in.telnetd[11074]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:15 all in.telnetd[11083]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:21 all in.telnetd[11086]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:21 all in.telnetd[11106]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:23 all in.telnetd[11115]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:24 all in.telnetd[11112]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:29 all in.telnetd[11127]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:30 all in.telnetd[11148]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:29 all in.telnetd[11138]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:33 all in.telnetd[11153]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:34 all in.telnetd[11164]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:38 all in.telnetd[11196]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:40 all in.telnetd[11185]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:41 all in.telnetd[11201]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:42 all in.telnetd[11175]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:44 all in.telnetd[11209]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:50 all in.telnetd[11226]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:52 all in.telnetd[11236]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:53 all in.telnetd[11241]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:53 all in.telnetd[11227]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:10:58 all in.telnetd[11250]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:00 all in.telnetd[11253]: refused connect from root@abel-jhaumont.unl.edu
Mar 13 02:11:01 all in.telnetd[11258]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:01 all in.telnetd[11281]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:05 all in.telnetd[11288]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:05 all in.telnetd[11300]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:06 all in.telnetd[11270]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:09 all in.telnetd[11285]: refused connect from operator@abel-jhaumont.unl.edu
Mar 13 02:11:13 all in.telnetd[11311]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:15 all in.telnetd[11317]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:14 all in.telnetd[11331]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:17 all in.telnetd[11346]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:15 all in.telnetd[11335]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:17 all in.telnetd[11364]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:20 all in.telnetd[11361]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:23 all in.telnetd[11387]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:27 all in.telnetd[11372]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:32 all in.telnetd[11399]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:32 all in.telnetd[11412]: refused connect from operator@abel-jhaumont.unl.edu
Mar 13 02:11:33 all in.telnetd[11435]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:33 all in.telnetd[11406]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:38 all in.telnetd[11414]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:38 all in.telnetd[11423]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:40 all in.telnetd[11446]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:40 all in.telnetd[11442]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:42 all in.telnetd[11452]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:45 all in.telnetd[11475]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:48 all in.telnetd[11502]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:50 all in.telnetd[11484]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:53 all in.telnetd[11508]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:54 all in.telnetd[11516]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:54 all in.telnetd[11527]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:56 all in.telnetd[11471]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:57 all in.telnetd[11537]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:12:00 all in.telnetd[11551]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:11:59 all in.telnetd[11541]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:12:03 all in.telnetd[11558]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:12:07 all in.telnetd[11569]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:12:12 all in.telnetd[11579]: refused connect from yuma13.ResComp.Arizona.EDU
Mar 13 02:14:25 all in.telnetd[11723]: refused connect from oliwall.olivetti.dk
Mar 13 02:14:29 all in.telnetd[11717]: refused connect from wsketola.ntc.nokia.com
Mar 13 02:14:38 all in.telnetd[11745]: refused connect from ip93-70.tor.interlog.com
Mar 13 02:14:58 all in.telnetd[11774]: refused connect from ip93-70.tor.interlog.com
Mar 13 02:15:14 all in.telnetd[11805]: refused connect from oliwall.olivetti.dk
Mar 13 02:15:46 all in.telnetd[11840]: refused connect from sir.univ-rennes1.fr
...

Note the attempts from Arizona, and look at the port scan later on, also from Arizona. This was a malicious attacker piggybacking on the ongoing incident and trying to overwhelm our defenses.


The following lines indicate possible attempts to forge IP addresses.
This can also result from improperly configured domain name servers.

Mar  4 08:17:38 all in.gopherd[1331]: warning: host name/name mismatch: dialup-b.mv.opentext.com != j.mv.opentext.com
Mar  5 23:59:57 all in.gopherd[13167]: warning: host name/name mismatch: dialup-b.mv.opentext.com != j.mv.opentext.com
Mar  9 12:23:18 all in.gopherd[17060]: warning: host name/name mismatch: dialup-b.mv.opentext.com != j.mv.opentext.com
Mar 13 00:53:07 all in.telnetd[4518]: warning: getsockname: Invalid argument
Mar 13 01:12:59 all in.telnetd[5618]: warning: can't get client address: Connection reset by peer
Mar 13 01:24:35 all in.telnetd[6464]: warning: can't get client address: Connection reset by peer
Mar 13 01:26:53 all in.telnetd[6584]: warning: getsockname: Invalid argument
Mar 13 02:08:59 all in.telnetd[10742]: warning: getsockname: Invalid argument
Mar 13 02:09:17 all in.telnetd[10840]: warning: getsockname: Invalid argument
Mar 13 02:21:07 all in.telnetd[12496]: warning: getsockname: Invalid argument
Mar 13 02:52:19 all in.telnetd[14921]: warning: getsockname: Invalid argument
Mar 13 05:08:46 all in.telnetd[22556]: warning: can't get client address: Connection reset by peer
Mar 13 05:08:54 all in.telnetd[22578]: warning: can't get client address: Connection reset by peer
Mar 13 06:31:29 all in.telnetd[27145]: warning: can't get client address: Connection reset by peer
Mar 13 06:31:30 all in.telnetd[27154]: warning: getsockname: Invalid argument
Mar 13 07:35:59 all sendmail[2348]: warning: host name/address mismatch: 192.215.247.1 != ni1.ni.net
Mar 13 07:36:29 all sendmail[2389]: warning: host name/address mismatch: 192.215.247.1 != ni1.ni.net

...
Size reduction = 86883 / 6126572 = 1.41813399075372%

Done checking /var/log/syslog

...
The following entries indicate errors produced
by attempts to probe ports prohibited from outside access.  This is
normally indicative of a malicious port scan of your site.

...
2/4-07:55:54-155 udp 204.7.229.104/echo <- 138.23.203.100/42795 29 !pass(17)
3/4-03:38:37-17613 tcp 204.7.229.1/sunrpc <- 206.98.13.66/2370 60 syn !pass(11)
3/4-03:38:43-17613 tcp 204.7.229.1/sunrpc <- 206.98.13.66/2370 60 syn !pass(11)
3/13-01:47:30-17613 tcp 204.7.229.1/3 <- 150.135.28.168/1502 44 syn !pass(9)
3/13-01:47:31-17613 tcp 204.7.229.1/5 <- 150.135.28.168/1503 44 syn !pass(9)
3/13-01:47:32-17613 tcp 204.7.229.1/sunrpc <- 150.135.28.168/1607 44 syn !pass(11)
3/13-01:47:33-17613 tcp 204.7.229.1/3 <- 150.135.28.168/1502 44 syn !pass(9)
3/13-01:47:33-17613 tcp 204.7.229.1/5 <- 150.135.28.168/1503 44 syn !pass(9)
3/13-01:47:35-17613 tcp 204.7.229.1/sunrpc <- 150.135.28.168/1607 44 syn !pass(11)
3/13-01:47:39-17613 tcp 204.7.229.1/3 <- 150.135.28.168/1502 44 syn !pass(9)
3/13-01:47:39-17613 tcp 204.7.229.1/5 <- 150.135.28.168/1503 44 syn !pass(9)
3/13-01:47:41-17613 tcp 204.7.229.1/sunrpc <- 150.135.28.168/1607 44 syn !pass(11)
3/13-01:47:53-17613 tcp 204.7.229.1/sunrpc <- 150.135.28.168/1607 44 syn !pass(11)

150.135.28.168 is the same site at Arizona.
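
The two patterns the notes above call out, a burst of refused connects from one host and a port scan visible in the packet-filter log, can be picked out of these extracts mechanically. The following is an added example, not part of the Tracer report or its author's tooling. It assumes the two line formats shown in the extracts (tcp-wrapper style syslog lines and the pppd packet-filter lines), a log year of 1996 taken from the report header since syslog lines carry none, and constructed sample lines using example.edu/example.net names and documentation address ranges in place of the real hosts.

```python
"""Detection logic over the two log formats in the Tracer extracts.

Added example, not part of the report.  Assumed formats (modelled on the extracts):
  syslog: "Mar 13 02:11:00 all in.telnetd[11253]: refused connect from HOST"
  filter: "3/13-01:47:30-17613 tcp DST/PORT <- SRC/PORT LEN syn !pass(N)"
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 1996  # assumption: syslog lines carry no year; taken from the report header

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w.]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
REFUSED_RE = re.compile(r"^refused connect from (?P<peer>\S+)$")
NOVERIFY_RE = re.compile(r"^warning: can't verify hostname: gethostbyname\((?P<peer>[^)]+)\) failed$")
MISMATCH_RE = re.compile(r"^warning: host name/(?:name|address) mismatch: (?P<a>\S+) != (?P<b>\S+)$")
FILTER_RE = re.compile(
    r"^(?P<mon>\d{1,2})/(?P<day>\d{1,2})-(?P<time>\d\d:\d\d:\d\d)-(?P<id>\d+) "
    r"(?P<proto>\w+) (?P<dst>[^/\s]+)/(?P<dport>\S+) <- (?P<src>[^/\s]+)/(?P<sport>\S+) "
    r"(?P<len>\d+) (?P<flags>.*)$"
)


def parse_syslog(line):
    """Return a dict with timestamp, daemon, event kind and peer, or None if the line does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
    msg, kind, peer = m["msg"], "other", None
    r = REFUSED_RE.match(msg)
    if r:
        # tcp wrappers may prefix the host with an ident user ("root@host"); keep only the host
        kind, peer = "refused", r["peer"].split("@")[-1]
    else:
        r = NOVERIFY_RE.match(msg)
        if r:
            kind, peer = "noverify", r["peer"]
        else:
            r = MISMATCH_RE.match(msg)
            if r:
                kind, peer = "mismatch", r["b"]
    return {"ts": ts, "daemon": m["prog"], "kind": kind, "peer": peer}


def refused_bursts(lines, window_s=60, threshold=10):
    """Return {peer: count} for peers with >= threshold refused connects inside any window_s-second window."""
    by_peer = defaultdict(list)
    for line in lines:
        ev = parse_syslog(line)
        if ev and ev["kind"] == "refused":
            by_peer[ev["peer"]].append(ev["ts"])
    flagged = {}
    for peer, stamps in by_peer.items():
        stamps.sort()  # syslog order follows PID, not strictly time, so sort first
        best, start = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > timedelta(seconds=window_s):
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[peer] = best
    return flagged


def hostname_warnings(lines):
    """Return [(kind, peer)] for the reverse-lookup warnings that may indicate address forgery."""
    out = []
    for line in lines:
        ev = parse_syslog(line)
        if ev and ev["kind"] in ("noverify", "mismatch"):
            out.append((ev["kind"], ev["peer"]))
    return out


def port_scans(lines, min_ports=3):
    """Return {src: sorted distinct blocked ports} for sources probing >= min_ports filtered ports."""
    targets = defaultdict(set)
    for line in lines:
        m = FILTER_RE.match(line)
        if m and "!pass" in m["flags"]:  # only packets the filter refused
            targets[m["src"]].add(m["dport"])
    return {src: sorted(ports) for src, ports in targets.items() if len(ports) >= min_ports}


# Constructed sample input modelled on the extracts (example names, documentation addresses).
SAMPLE_SYSLOG = [
    "Mar 13 02:10:58 all in.telnetd[11250]: refused connect from scanner.example.edu",
    "Mar 13 02:11:00 all in.telnetd[11253]: refused connect from root@other.example.org",
] + [
    f"Mar 13 02:11:{s:02d} all in.telnetd[{11260 + s}]: refused connect from scanner.example.edu"
    for s in range(1, 45, 4)  # eleven more refusals, 02:11:01 .. 02:11:41
] + [
    "Mar 13 04:49:42 all in.telnetd[21583]: warning: can't verify hostname: gethostbyname(dial.example.net) failed",
    "Mar 13 07:35:59 all sendmail[2348]: warning: host name/address mismatch: 192.0.2.1 != mx.example.net",
]
SAMPLE_FILTER = [
    "3/4-03:38:37-17613 tcp 203.0.113.1/sunrpc <- 198.51.100.9/2370 60 syn !pass(11)",
    "3/4-03:38:43-17613 tcp 203.0.113.1/sunrpc <- 198.51.100.9/2370 60 syn !pass(11)",
    "3/13-01:47:30-17613 tcp 203.0.113.1/3 <- 198.51.100.7/1502 44 syn !pass(9)",
    "3/13-01:47:31-17613 tcp 203.0.113.1/5 <- 198.51.100.7/1503 44 syn !pass(9)",
    "3/13-01:47:32-17613 tcp 203.0.113.1/sunrpc <- 198.51.100.7/1607 44 syn !pass(11)",
    "3/13-01:47:33-17613 tcp 203.0.113.1/3 <- 198.51.100.7/1502 44 syn !pass(9)",
    "3/13-01:47:40-17613 tcp 203.0.113.1/telnet <- 198.51.100.7/1610 44 syn pass",
]

if __name__ == "__main__":
    print("refused bursts:", refused_bursts(SAMPLE_SYSLOG))
    print("hostname warnings:", hostname_warnings(SAMPLE_SYSLOG))
    print("port scans:", port_scans(SAMPLE_FILTER))
```

The burst check uses a sliding window rather than a per-minute bucket so a run that straddles a minute boundary is still counted, and the port-scan check counts distinct refused destination ports per source, which is why the repeated sunrpc probes from one address do not by themselves trip it.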

Size reduction = 11532 / 459600 = 2.50924717145344%

Done checking /var/adm/pppd.log

<<=== End:Done checking audit file contents.

====================================================
Tracer done - Wed Mar 13 07:57:45 EST 1996
====================================================