Snort Alerts

Windows NT Noise (broadcast portmap requests for rstatd from a Windows NT host, TTL 128)

[**] IDS10 - RPC - portmap-request-rstatd [**]
02/01-15:39:11.371120 0:B0:D0:72:2F:E8 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x7E
167.53.53.14:3005 -> 167.53.53.63:111 UDP TTL:128 TOS:0x0 ID:59252 IpLen:20 DgmLen:112
Len: 92

[**] IDS10 - RPC - portmap-request-rstatd [**]
02/01-15:39:14.372867 0:B0:D0:72:2F:E8 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x7E
167.53.53.14:3005 -> 167.53.53.63:111 UDP TTL:128 TOS:0x0 ID:60020 IpLen:20 DgmLen:112
Len: 92

[**] IDS10 - RPC - portmap-request-rstatd [**]
02/01-17:41:54.749502 0:B0:D0:72:2F:E8 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x7E
167.53.53.14:3019 -> 167.53.53.63:111 UDP TTL:128 TOS:0x0 ID:25761 IpLen:20 DgmLen:112
Len: 92

[**] IDS10 - RPC - portmap-request-rstatd [**]
02/01-17:41:57.751326 0:B0:D0:72:2F:E8 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x7E
167.53.53.14:3019 -> 167.53.53.63:111 UDP TTL:128 TOS:0x0 ID:29601 IpLen:20 DgmLen:112
Len: 92

Possible Firewalk from sdn-bb10-fw-9-0.dialsprint.net

[**] ICMP Destination Unreachable (Undefined Code!) [**]
02/05-19:17:35.287617 0:60:3E:87:FA:41 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x46
207.143.45.37 -> 167.53.53.63 ICMP TTL:243 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
167.53.53.63:21827 -> 168.191.122.27:15163 TCP TTL:243 TOS:0x8 ID:9147 IpLen:20 DgmLen:40
**UA*R** Seq: 0xEB9CC461  Ack: 0x460000  Win: 0x0  TcpLen: 0  UrgPtr: 0x0
** END OF DUMP

FTP Login and Password Capture

[**] FTP-Login [**]
02/06-05:46:06.332762 0:60:3E:87:FA:41 -> 8:0:20:89:B6:8D type:0x800 len:0x45
192.45.100.61:43089 -> 167.53.53.29:21 TCP TTL:251 TOS:0x0 ID:50384 IpLen:20 DgmLen:55 DF
***AP*** Seq: 0xC5CAADA3  Ack: 0x92B87A6A  Win: 0x2238  TcpLen: 20

[**] FTP-Password [**]
02/06-05:46:09.591100 0:60:3E:87:FA:41 -> 8:0:20:89:B6:8D type:0x800 len:0x45
192.45.100.61:43089 -> 167.53.53.29:21 TCP TTL:251 TOS:0x0 ID:50386 IpLen:20 DgmLen:55 DF
***AP*** Seq: 0xC5CAADB2  Ack: 0x92B87A8F  Win: 0x2238  TcpLen: 20

Nmap Scan (167.53.53.29 against 167.53.53.7: ICMP and TCP ping, SYN sweep, then OS fingerprint probes)

[**] BETA - IDS162 - PING Nmap2.36BETA or HPING2 Echo from LINUX/*BSD [**]
02/07-18:09:18.784062 8:0:20:89:B6:8D -> 0:A0:CC:54:DE:7A type:0x800 len:0x2A
167.53.53.29 -> 167.53.53.7 ICMP TTL:44 TOS:0x0 ID:65185 IpLen:20 DgmLen:28 DF
Type:8  Code:0  ID:905   Seq:0  ECHO

[**] ICMP Unknown Type [**]
02/07-18:09:18.784511 0:A0:CC:54:DE:7A -> 8:0:20:89:B6:8D type:0x800 len:0x3C
167.53.53.7 -> 167.53.53.29 ICMP TTL:255 TOS:0x0 ID:61095 IpLen:20 DgmLen:28 DF
Type:0  Code:0  ID:905  Seq:0  ECHO REPLY

[**] IIS - Possible Attempt at NT INETINFO.EXE 100% CPU Utilization [**]
02/07-18:09:19.500703 8:0:20:89:B6:8D -> 0:A0:CC:54:DE:7A type:0x800 len:0x3E
167.53.53.29:51194 -> 167.53.53.7:1031 TCP TTL:64 TOS:0x0 ID:26 IpLen:20 DgmLen:48 DF
******S* Seq: 0xF000365  Ack: 0x0  Win: 0x60F4  TcpLen: 28
TCP Options (4) => NOP NOP SackOK MSS: 1460 

[**] IIS - Possible Attempt at NT INETINFO.EXE 100% CPU Utilization [**]
02/07-18:09:19.555806 8:0:20:89:B6:8D -> 0:A0:CC:54:DE:7A type:0x800 len:0x3E
167.53.53.29:51264 -> 167.53.53.7:1032 TCP TTL:64 TOS:0x0 ID:96 IpLen:20 DgmLen:48 DF
******S* Seq: 0xF85368C  Ack: 0x0  Win: 0x60F4  TcpLen: 28
TCP Options (4) => NOP NOP SackOK MSS: 1460 

[**] MISC-Attempted Sun RPC high port access [**]
02/07-18:09:19.674585 8:0:20:89:B6:8D -> 0:A0:CC:54:DE:7A type:0x800 len:0x3E
167.53.53.29:51353 -> 167.53.53.7:32771 TCP TTL:64 TOS:0x0 ID:185 IpLen:20 DgmLen:48 DF
******S* Seq: 0x102F0557  Ack: 0x0  Win: 0x60F4  TcpLen: 28
TCP Options (4) => NOP NOP SackOK MSS: 1460 

[**] AOL Chat Data Logged [**]
02/07-18:09:20.086155 8:0:20:89:B6:8D -> 0:A0:CC:54:DE:7A type:0x800 len:0x3E
167.53.53.29:51733 -> 167.53.53.7:5190 TCP TTL:64 TOS:0x0 ID:573 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1305FBF1  Ack: 0x0  Win: 0x60F4  TcpLen: 28
TCP Options (4) => NOP NOP SackOK MSS: 1460 

[**] AOL Chat Data Logged [**]
02/07-18:09:20.086645 0:A0:CC:54:DE:7A -> 8:0:20:89:B6:8D type:0x800 len:0x3C
167.53.53.7:5190 -> 167.53.53.29:51733 TCP TTL:64 TOS:0x0 ID:63841 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x1305FBF2  Win: 0x0  TcpLen: 20

[**] MISC-WinGate-1080-Attempt [**]
02/07-18:09:20.158068 8:0:20:89:B6:8D -> 0:A0:CC:54:DE:7A type:0x800 len:0x3E
167.53.53.29:51792 -> 167.53.53.7:1080 TCP TTL:64 TOS:0x0 ID:633 IpLen:20 DgmLen:48 DF
******S* Seq: 0x137557EE  Ack: 0x0  Win: 0x60F4  TcpLen: 28
TCP Options (4) => NOP NOP SackOK MSS: 1460 

[**] IDS126 - Outgoing Xterm [**]
02/07-18:09:20.398280 0:A0:CC:54:DE:7A -> 8:0:20:89:B6:8D type:0x800 len:0x3E
167.53.53.7:6000 -> 167.53.53.29:52018 TCP TTL:64 TOS:0x0 ID:50514 IpLen:20 DgmLen:48
***A**S* Seq: 0x899E5CE8  Ack: 0x1525FB32  Win: 0x4470  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

[**] IDS05 - SCAN-Possible NMAP Fingerprint attempt [**]
02/07-18:09:20.681996 8:0:20:89:B6:8D -> 0:A0:CC:54:DE:7A type:0x800 len:0x4A
167.53.53.29:61342 -> 167.53.53.7:13 TCP TTL:43 TOS:0x0 ID:1223 IpLen:20 DgmLen:60 DF
**U*P*SF Seq: 0x49937215  Ack: 0x0  Win: 0x1000  TcpLen: 40  UrgPtr: 0x0
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL 

[**] IDS28 - PING NMAP TCP [**]
02/07-18:09:20.682126 8:0:20:89:B6:8D -> 0:A0:CC:54:DE:7A type:0x800 len:0x4A
167.53.53.29:61343 -> 167.53.53.7:13 TCP TTL:43 TOS:0x0 ID:1224 IpLen:20 DgmLen:60 DF
***A**** Seq: 0x49937215  Ack: 0x0  Win: 0x1000  TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL 

[**] IDS28 - PING NMAP TCP [**]
02/07-18:09:20.682587 8:0:20:89:B6:8D -> 0:A0:CC:54:DE:7A type:0x800 len:0x4A
167.53.53.29:61345 -> 167.53.53.7:1 TCP TTL:43 TOS:0x0 ID:1227 IpLen:20 DgmLen:60 DF
***A**** Seq: 0x49937215  Ack: 0x0  Win: 0x1000  TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL 

[**] ICMP Destination Unreachable (Undefined Code!) [**]
02/07-18:09:20.684210 0:A0:CC:54:DE:7A -> 8:0:20:89:B6:8D type:0x800 len:0x46
167.53.53.7 -> 167.53.53.29 ICMP TTL:255 TOS:0x0 ID:65008 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
167.53.53.29:61333 -> 167.53.53.7:1 UDP TTL:55 TOS:0x0 ID:1230 IpLen:20 DgmLen:308
Len: 308
** END OF DUMP

Possible Firewalk from pos8-0.core2.SanJose1.level3.net

[**] ICMP Destination Unreachable (Undefined Code!) [**]
02/08-15:46:41.321627 0:60:3E:87:FA:41 -> 0:5:2:4B:29:3F type:0x800 len:0x46
209.247.11.6 -> 167.53.53.17 ICMP TTL:246 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
167.53.53.17:10672 -> 209.81.232.66:6667 TCP TTL:251 TOS:0x8 ID:33526 IpLen:20 DgmLen:40
**UA*R** Seq: 0x2D2EDD74  Ack: 0x460000  Win: 0x0  TcpLen: 0  UrgPtr: 0x0
** END OF DUMP

Possible Firewalk from an IP in Italy

[**] ICMP Destination Unreachable (Undefined Code!) [**]
02/10-11:25:23.181723 0:60:3E:87:FA:41 -> 0:4:0:10:89:38 type:0x800 len:0x46
212.131.140.129 -> 167.53.53.44 ICMP TTL:236 TOS:0x0 ID:45645 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
167.53.53.44:1674 -> 24.183.126.167:21 TCP TTL:29 TOS:0x0 ID:656 IpLen:20 DgmLen:40
**UA*R** Seq: 0x191084C9  Ack: 0x460000  Win: 0x0  TcpLen: 0  UrgPtr: 0x0
** END OF DUMP

Possible Firewalk from Serial2-3.GW5.PHL1.ALTER.NET

[**] ICMP Destination Unreachable (Undefined Code!) [**]
02/11-23:11:49.597854 0:60:3E:87:FA:41 -> 0:4:0:10:89:38 type:0x800 len:0x46
157.130.16.65 -> 167.53.53.44 ICMP TTL:240 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
167.53.53.44:49371 -> 160.94.151.137:21248 TCP TTL:253 TOS:0x8 ID:37137 IpLen:20 DgmLen:40
**UA*R** Seq: 0x317DFC12  Ack: 0x460000  Win: 0x0  TcpLen: 0  UrgPtr: 0x0
** END OF DUMP
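Added example, not part of the original page: a small Python parser for the Snort 1.x "full" alert format quoted above. It splits records on the blank line, pulls out the 5-tuple and TCP flag string, flags a burst of bare SYNs from one source to several ports on one host (the Nmap scan section), and extracts the quoted original datagram from the ICMP Destination Unreachable alerts (the firewalk sections). One caveat the dumps above illustrate: an ICMP error quotes only the IP header plus the first 8 bytes of the offending transport header (DgmLen:56 = 20 + 8 + 20 + 8), so the inner ports and sequence number are genuine, while the Ack, window and flag bits Snort prints for the quoted datagram lie beyond the quoted data; the parser keeps only the ports and seq for the inner packet. The sample records are constructed, modelled on the page's alerts, and the port-count and time-window thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Snort 1.x "full" alert format, modelled on the
# alerts quoted on this page; not a capture from the page's sensor.
SAMPLE = """\
[**] IIS - Possible Attempt at NT INETINFO.EXE 100% CPU Utilization [**]
02/07-18:09:19.500703 8:0:20:89:B6:8D -> 0:A0:CC:54:DE:7A type:0x800 len:0x3E
167.53.53.29:51194 -> 167.53.53.7:1031 TCP TTL:64 TOS:0x0 ID:26 IpLen:20 DgmLen:48 DF
******S* Seq: 0xF000365  Ack: 0x0  Win: 0x60F4  TcpLen: 28
TCP Options (4) => NOP NOP SackOK MSS: 1460

[**] MISC-Attempted Sun RPC high port access [**]
02/07-18:09:19.674585 8:0:20:89:B6:8D -> 0:A0:CC:54:DE:7A type:0x800 len:0x3E
167.53.53.29:51353 -> 167.53.53.7:32771 TCP TTL:64 TOS:0x0 ID:185 IpLen:20 DgmLen:48 DF
******S* Seq: 0x102F0557  Ack: 0x0  Win: 0x60F4  TcpLen: 28

[**] AOL Chat Data Logged [**]
02/07-18:09:20.086645 0:A0:CC:54:DE:7A -> 8:0:20:89:B6:8D type:0x800 len:0x3C
167.53.53.7:5190 -> 167.53.53.29:51733 TCP TTL:64 TOS:0x0 ID:63841 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x1305FBF2  Win: 0x0  TcpLen: 20

[**] MISC-WinGate-1080-Attempt [**]
02/07-18:09:20.158068 8:0:20:89:B6:8D -> 0:A0:CC:54:DE:7A type:0x800 len:0x3E
167.53.53.29:51792 -> 167.53.53.7:1080 TCP TTL:64 TOS:0x0 ID:633 IpLen:20 DgmLen:48 DF
******S* Seq: 0x137557EE  Ack: 0x0  Win: 0x60F4  TcpLen: 28

[**] ICMP Destination Unreachable (Undefined Code!) [**]
02/08-15:46:41.321627 0:60:3E:87:FA:41 -> 0:5:2:4B:29:3F type:0x800 len:0x46
209.247.11.6 -> 167.53.53.17 ICMP TTL:246 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
167.53.53.17:10672 -> 209.81.232.66:6667 TCP TTL:251 TOS:0x8 ID:33526 IpLen:20 DgmLen:40
**UA*R** Seq: 0x2D2EDD74  Ack: 0x460000  Win: 0x0  TcpLen: 0  UrgPtr: 0x0
** END OF DUMP
"""

HDR = re.compile(r"^\[\*\*\] (?P<name>.+?) \[\*\*\]$")
TS = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6}) ")
IPLINE = re.compile(r"^(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)"
                    r"(?::(?P<dport>\d+))? (?P<proto>TCP|UDP|ICMP) TTL:(?P<ttl>\d+)")
TCPLINE = re.compile(r"^(?P<flags>[12UAPRSF*]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)")
ICMPLINE = re.compile(r"^Type:(?P<type>\d+)\s+Code:(?P<code>\d+)")

def parse_alerts(text):
    """One dict per alert record; records are separated by a blank line."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        rec = {"name": HDR.match(lines[0])["name"],
               # the full format carries no year, so strptime fills in 1900
               "ts": datetime.strptime(TS.match(lines[1])["ts"], "%m/%d-%H:%M:%S.%f"),
               "flags": None, "icmp": None, "inner": None}
        target = rec                          # dict receiving the IP/TCP fields
        for line in lines[2:]:
            if line.startswith("** ORIGINAL DATAGRAM DUMP"):
                rec["inner"] = target = {}    # following lines describe the quoted datagram
            elif m := IPLINE.match(line):
                target.update(src=m["src"], dst=m["dst"], proto=m["proto"], ttl=int(m["ttl"]),
                              sport=int(m["sport"]) if m["sport"] else None,
                              dport=int(m["dport"]) if m["dport"] else None)
            elif m := TCPLINE.match(line):
                target["seq"] = int(m["seq"], 16)
                # An ICMP error quotes only IP header + 8 bytes of TCP (ports, seq);
                # Ack/flags printed for the inner packet are beyond the quoted data.
                if target is rec:
                    rec["flags"] = m["flags"]
            elif m := ICMPLINE.match(line):
                rec["icmp"] = (int(m["type"]), int(m["code"]))
        alerts.append(rec)
    return alerts

def port_sweeps(alerts, min_ports=3, window_s=2.0):
    """(src, dst) pairs where one source sends bare SYNs to at least min_ports
    distinct ports on one host within window_s seconds (thresholds are assumptions)."""
    probes = defaultdict(list)
    for a in alerts:
        if a.get("proto") == "TCP" and a["flags"] == "******S*":
            probes[(a["src"], a["dst"])].append((a["ts"], a["dport"]))
    found = {}
    for key, events in probes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                found[key] = sorted(ports)
                break
    return found

def quoted_datagrams(alerts):
    """(reporting router, ICMP code, inner src, sport, dst, dport) for each
    Destination Unreachable (type 3) alert that carries an original datagram."""
    return [(a["src"], a["icmp"][1], a["inner"]["src"], a["inner"]["sport"],
             a["inner"]["dst"], a["inner"]["dport"])
            for a in alerts if a["icmp"] and a["icmp"][0] == 3 and a["inner"]]

if __name__ == "__main__":
    recs = parse_alerts(SAMPLE)
    print(port_sweeps(recs))       # {('167.53.53.29', '167.53.53.7'): [1031, 1080, 32771]}
    print(quoted_datagrams(recs))
```

The RST/ACK from 167.53.53.7 is parsed but ignored by the sweep check because only bare-SYN records count as probes; for the firewalk entries the tuple returned is the reporting router, the ICMP code, and the inner connection that the router claims it could not deliver, which is what you would correlate against your own outbound connection logs.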


shrdlu AT deaddrop DOT org

Last modified: Sat Oct 30 23:21:42 PDT 2004