January 27, 2003

Bad Guys getting smarter - the full story

Having mentioned the interesting correlation between attacks and people visiting my web site to check if they made it into the daily IDS summary, I thought I'd write it up properly, including all the gory details.

As it is in preformatted mode I'm afraid it is not as pretty as a properly done HTML page, but the data is all there (except for the raw packets, which you can get from the web site).

The entries are in temporal order, oldest first. For each one I give the IP address, the whois record, the Snort output and the Apache log entry (in Combined log format). From the Apache User-Agent field it is pretty clear that either the same script or a similar one has been used in each case. Note also the "evolution" in the attack attempts.

It is also interesting that the first "client" made a recon visit to the daily Snort logs before attacking; the others went straight to the page after their attack.
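The correlation described above (an IDS alert from some source, followed by that same source fetching the published IDS summary with a scripted client) can be done mechanically rather than by eye. The script below is an added example, not the author's own tooling: it parses Snort syslog lines and Apache combined-format log lines, joins them by source address, and reports every address that both tripped the sensor and then requested the summary page, marking requests whose User-Agent is a scripted client. The `netmask_bits` option groups addresses by prefix, which is what catches the case where the scan and the check-up come from neighbouring addresses in the same block. The sample log lines are the ones from this page plus one constructed benign visitor (TEST-NET address, labelled as such); the watched path and the agent list are assumptions taken from the page's data.

```python
"""Correlate Snort alerts with Apache access-log entries by source address."""
import ipaddress
import re
from collections import defaultdict

# Snort syslog alert: "... snort: <signature>: {PROTO} src:port -> dst:port"
SNORT_ALERT_RE = re.compile(
    r"snort: (?P<sig>.+?): \{(?P<proto>\w+)\} "
    r"(?P<src>\d+(?:\.\d+){3}):\d+ -> (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
)
# Snort portscan preprocessor: "... snort: spp_portscan: ... from <src> ..."
SNORT_SCAN_RE = re.compile(r"snort: spp_portscan: .*?from (?P<src>\d+(?:\.\d+){3})")
# Apache Combined log format
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_snort(lines):
    """Return {source_ip: [signature, ...]} for every alert or portscan line."""
    alerts = defaultdict(list)
    for line in lines:
        m = SNORT_ALERT_RE.search(line)
        if m:
            alerts[m.group("src")].append(m.group("sig"))
            continue
        m = SNORT_SCAN_RE.search(line)
        if m:
            alerts[m.group("src")].append("spp_portscan")
    return alerts


def parse_apache(lines):
    """Yield (ip, timestamp, path, status, user_agent) for each well-formed line."""
    for line in lines:
        m = APACHE_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than guess
        parts = m.group("req").split()
        path = parts[1] if len(parts) >= 2 else m.group("req")
        yield m.group("ip"), m.group("ts"), path, int(m.group("status")), m.group("ua")


def _net(ip, bits):
    """Group key: the /bits network containing ip (bits=32 keeps exact hosts)."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def correlate(snort_lines, apache_lines, watched_path="/data/snort_daily.html",
              scripted_agents=("libwww-perl",), netmask_bits=32):
    """Map each network that both raised an alert and fetched watched_path to
    its alert signatures and the list of check-up requests it made."""
    by_net = defaultdict(list)
    for ip, sigs in parse_snort(snort_lines).items():
        by_net[_net(ip, netmask_bits)].extend(sigs)
    hits = {}
    for ip, ts, path, status, ua in parse_apache(apache_lines):
        key = _net(ip, netmask_bits)
        if key not in by_net or path != watched_path:
            continue
        rec = hits.setdefault(key, {"alerts": sorted(set(by_net[key])), "checks": []})
        rec["checks"].append({
            "ip": ip, "time": ts, "status": status, "agent": ua,
            # assumption: any agent string starting with a known library name is a script
            "scripted": any(ua.lower().startswith(a) for a in scripted_agents),
        })
    return hits


# Sample input: Snort and Apache lines copied from the page, plus one
# constructed benign visitor from the TEST-NET range (192.0.2.10).
SNORT_SAMPLE = [
    "Mar 18 03:57:54 tempest snort: IDS296/web-misc_http-whisker-splicing-attack-space: {TCP} 218.62.92.153:4767 -> 195.82.120.100:80",
    "Mar 18 03:57:54 tempest snort: IDS243/web-cgi_http-cgi-pipe: {TCP} 218.62.92.153:4767 -> 195.82.120.100:80",
    "May 29 15:48:04 tempest snort: spp_portscan: PORTSCAN DETECTED from 203.149.250.59 (THRESHOLD 5 connections exceeded in 0 seconds)",
    "May 29 15:48:04 tempest snort: MS/SQL connection attempt: {TCP} 203.149.250.59:2741 -> 195.82.120.99:1433",
    "Jan 16 02:58:15 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3408 -> 195.82.120.98:1433",
]
APACHE_SAMPLE = [
    '218.62.92.153 - - [16/Mar/2002:16:12:43 +0000] "GET /data/snort_daily.html HTTP/1.0" 200 63461 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"',
    '218.62.92.153 - - [18/Mar/2002:17:02:20 +0000] "GET /data/snort_daily.html HTTP/1.0" 200 73461 "-" "libwww-perl/5.21"',
    '203.149.250.61 - - [30/May/2002:18:03:01 +0100] "GET /data/snort_daily.html HTTP/1.0" 200 54371 "-" "libwww-perl/5.21"',
    '210.52.79.148 - - [16/Jan/2003:15:34:24 +0000] "GET /data/snort_daily.html HTTP/1.0" 200 41567 "-" "libwww-perl/5.21"',
    '192.0.2.10 - - [17/Jan/2003:09:00:00 +0000] "GET /data/snort_daily.html HTTP/1.0" 200 41567 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]

if __name__ == "__main__":
    for bits in (32, 26):
        print(f"--- correlation by /{bits} ---")
        for net, rec in correlate(SNORT_SAMPLE, APACHE_SAMPLE, netmask_bits=bits).items():
            print(net, rec["alerts"])
            for c in rec["checks"]:
                print("   ", c["ip"], c["time"], "scripted" if c["scripted"] else "browser", c["agent"])
```

With exact-host matching (`netmask_bits=32`) the 203.149.250.59/.61 pair is missed, because the scan and the page fetch came from different addresses; rerunning with `netmask_bits=26` (the size of the MARYNET allocation in the whois record) joins them. Widening the prefix trades precision for recall, so the value to use is the one that matches how the scanner's address space is actually allocated, not a fixed /24.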

218.62.92.153
inetnum: 218.62.0.0 - 218.62.127.255
netname: CHINANET-JL
descr: CHINANET jilin province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN

Mar 18 03:57:54 tempest snort: IDS296/web-misc_http-whisker-splicing-attack-space: {TCP} 218.62.92.153:4767 -> 195.82.120.100:80
Mar 18 03:57:54 tempest snort: IDS243/web-cgi_http-cgi-pipe: {TCP} 218.62.92.153:4767 -> 195.82.120.100:80
Mar 18 03:57:55 tempest snort: IDS243/web-cgi_http-cgi-pipe: {TCP} 218.62.92.153:4767 -> 195.82.120.100:80

218.62.92.153 - - [16/Mar/2002:16:12:43 +0000] "GET /data/snort_daily.html HTTP/1.0" 200 63461 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
218.62.92.153 - - [18/Mar/2002:17:02:20 +0000] "GET /data/snort_daily.html HTTP/1.0" 200 73461 "-" "libwww-perl/5.21"

203.149.250.59, 203.149.250.61
inetnum: 203.149.250.0 - 203.149.250.63
netname: MARYNET
descr: We are a internet access company
country: TW
admin-c: MC137-AP
tech-c: JYB1-AP
mnt-by: IS-NCD

May 29 15:48:04 tempest snort: spp_portscan: PORTSCAN DETECTED from 203.149.250.59 (THRESHOLD 5 connections exceeded in 0 seconds)
May 29 15:48:04 tempest snort: MS/SQL connection attempt: {TCP} 203.149.250.59:2741 -> 195.82.120.99:1433
May 29 15:48:04 tempest snort: MS/SQL connection attempt: {TCP} 203.149.250.59:2740 -> 195.82.120.98:1433
May 29 15:48:04 tempest snort: MS/SQL connection attempt: {TCP} 203.149.250.59:2742 -> 195.82.120.100:1433
May 29 15:48:04 tempest snort: MS/SQL connection attempt: {TCP} 203.149.250.59:2744 -> 195.82.120.102:1433
May 29 15:48:04 tempest snort: MS/SQL connection attempt: {TCP} 203.149.250.59:2745 -> 195.82.120.103:1433
May 29 15:48:05 tempest snort: MS/SQL connection attempt: {TCP} 203.149.250.59:2747 -> 195.82.120.105:1433
May 29 15:48:05 tempest snort: MS/SQL connection attempt: {TCP} 203.149.250.59:2748 -> 195.82.120.106:1433
May 29 15:48:05 tempest snort: MS/SQL connection attempt: {TCP} 203.149.250.59:2751 -> 195.82.120.109:1433
May 29 15:48:05 tempest snort: MS/SQL connection attempt: {TCP} 203.149.250.59:2752 -> 195.82.120.110:1433
May 29 15:48:49 tempest snort: spp_portscan: portscan status from 203.149.250.59: 9 connections across 9 hosts: TCP(9), UDP(0)
May 29 15:49:18 tempest snort: spp_portscan: End of portscan from 203.149.250.59: TOTAL time(3s) hosts(9) TCP(9) UDP(0)

203.149.250.61 - - [30/May/2002:18:03:01 +0100] "GET /data/snort_daily.html HTTP/1.0" 200 54371 "-" "libwww-perl/5.21"

203.149.33.127
inetnum: 203.149.32.0 - 203.149.63.255
netname: SAMART-TH
descr: Samart Corporation Co., Ltd.
descr: 99/6 Software Park Tower,30th Fl. Chaengwattana Rd.
descr: Klong Gluar, Pak-Kred, Nonthaburi 11120 Thailand
country: TH

Oct 14 08:01:36 tempest snort: IDS177/netbios_netbios-name-query: {UDP} 203.149.33.127:1024 -> 195.82.120.98:137
Oct 14 08:01:36 tempest snort: IDS177/netbios_netbios-name-query: {UDP} 203.149.33.127:1024 -> 195.82.120.99:137
Oct 14 08:01:36 tempest snort: IDS177/netbios_netbios-name-query: {UDP} 203.149.33.127:1024 -> 195.82.120.100:137
Oct 14 08:01:36 tempest snort: IDS177/netbios_netbios-name-query: {UDP} 203.149.33.127:1024 -> 195.82.120.102:137
Oct 14 08:01:37 tempest snort: IDS177/netbios_netbios-name-query: {UDP} 203.149.33.127:1024 -> 195.82.120.103:137
Oct 14 08:01:37 tempest snort: IDS177/netbios_netbios-name-query: {UDP} 203.149.33.127:1024 -> 195.82.120.105:137
Oct 14 08:01:37 tempest snort: IDS177/netbios_netbios-name-query: {UDP} 203.149.33.127:1024 -> 195.82.120.106:137
Oct 14 08:01:37 tempest snort: IDS177/netbios_netbios-name-query: {UDP} 203.149.33.127:1024 -> 195.82.120.109:137
Oct 14 08:01:38 tempest snort: IDS177/netbios_netbios-name-query: {UDP} 203.149.33.127:1024 -> 195.82.120.110:137

203.149.33.127 - - [14/Oct/2002:16:12:38 +0100] "GET /data/snort_daily.html HTTP/1.0" 200 65378 "-" "libwww-perl/5.21"

210.52.79.148
inetnum: 210.52.79.144 - 210.52.79.151
netname: LUTENG-GARDEN
descr: xiamen city
country: CN

Jan 16 02:58:15 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3408 -> 195.82.120.98:1433
Jan 16 02:58:15 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3412 -> 195.82.120.102:1433
Jan 16 02:58:15 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3413 -> 195.82.120.103:1433
Jan 16 02:58:15 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3409 -> 195.82.120.99:1433
Jan 16 02:58:15 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3410 -> 195.82.120.100:1433
Jan 16 02:58:15 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3415 -> 195.82.120.105:1433
Jan 16 02:58:15 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3416 -> 195.82.120.106:1433
Jan 16 02:58:15 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3420 -> 195.82.120.110:1433
Jan 16 02:58:15 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3419 -> 195.82.120.109:1433
Jan 16 02:58:16 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3408 -> 195.82.120.98:1433
Jan 16 02:58:16 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3412 -> 195.82.120.102:1433
Jan 16 02:58:16 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3413 -> 195.82.120.103:1433
Jan 16 02:58:16 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3409 -> 195.82.120.99:1433
Jan 16 02:58:16 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3410 -> 195.82.120.100:1433
Jan 16 02:58:16 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3415 -> 195.82.120.105:1433
Jan 16 02:58:17 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3416 -> 195.82.120.106:1433
Jan 16 02:58:17 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3420 -> 195.82.120.110:1433
Jan 16 02:58:17 tempest snort: MS/SQL connection attempt: {TCP} 210.52.79.148:3419 -> 195.82.120.109:1433

210.52.79.148 - - [16/Jan/2003:15:34:24 +0000] "GET /data/snort_daily.html HTTP/1.0" 200 41567 "-" "libwww-perl/5.21"

That's all folks!

Posted by arrigo at January 27, 2003 12:23 PM