From valankar@mydomain.com Tue May 1 10:32:44 2001
Date: Tue, 1 May 2001 10:13:23 -0400
From: Viraj Alankar
To: a000@music.ferris.edu, campbelc@ferris.edu, deanc@ferris.edu, maatj@ferris.edu, root@ferris.edu, postmaster@ferris.edu, webmaster@ferris.edu, abuse@ferris.edu
Cc: security-alert@mydomain.com
Subject: Possible attack from your system - ferris.edu - Incident #: 20010501101155

System Administrators,

We noticed what is most likely an attempted attack on our computers, which has been logged from the address:

161.57.10.11

We ask that you please look into this matter as soon as possible. Attached below are our logs, which show evidence of the attack. The dates and times of the requests are listed below. Please let us know how we can be of further assistance in tracking this down. We consider this a very serious threat to our company systems.

Thank you for your cooperation in this matter.

Note that all hostnames listed below are in the mydomain.com domain, and all times are Eastern US time - GMT -0400.

Please keep the Subject of this message intact on all correspondence.

--
Viraj Alankar
Email: valankar@mydomain.com
(my signature)

Date of this report: Tue May 1 10:11:55 EDT 2001

Description of this attack:

Scan of our network for vulnerable print services.
Logs of attack:

May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:4936 -> 1.2.3.2:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:4999 -> 1.2.3.65:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1033 -> 1.2.3.74:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:4998 -> 1.2.3.64:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1101 -> 1.2.3.142:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1102 -> 1.2.3.143:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1104 -> 1.2.3.145:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1108 -> 1.2.3.149:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1120 -> 1.2.3.161:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1122 -> 1.2.3.163:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1111 -> 1.2.3.152:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1112 -> 1.2.3.153:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1113 -> 1.2.3.154:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1116 -> 1.2.3.157:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1140 -> 1.2.3.181:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1132 -> 1.2.3.173:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1100 -> 1.2.3.141:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1136 -> 1.2.3.177:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1103 -> 1.2.3.144:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1138 -> 1.2.3.179:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1105 -> 1.2.3.146:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1106 -> 1.2.3.147:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1107 -> 1.2.3.148:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1109 -> 1.2.3.150:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1110 -> 1.2.3.151:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1114 -> 1.2.3.155:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1115 -> 1.2.3.156:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1150 -> 1.2.3.191:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1117 -> 1.2.3.158:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1158 -> 1.2.3.199:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1118 -> 1.2.3.159:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1119 -> 1.2.3.160:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1152 -> 1.2.3.193:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1121 -> 1.2.3.162:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1154 -> 1.2.3.195:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1123 -> 1.2.3.164:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1126 -> 1.2.3.167:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1127 -> 1.2.3.168:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1128 -> 1.2.3.169:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1129 -> 1.2.3.170:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1130 -> 1.2.3.171:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1142 -> 1.2.3.183:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1145 -> 1.2.3.186:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1149 -> 1.2.3.190:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1151 -> 1.2.3.192:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1165 -> 1.2.3.206:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1166 -> 1.2.3.207:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1163 -> 1.2.3.204:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1167 -> 1.2.3.208:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1168 -> 1.2.3.209:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1164 -> 1.2.3.205:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:4936 -> 1.2.3.2:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:4998 -> 1.2.3.64:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:4999 -> 1.2.3.65:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1033 -> 1.2.3.74:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1035 -> 1.2.3.76:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1037 -> 1.2.3.78:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1100 -> 1.2.3.141:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1101 -> 1.2.3.142:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1102 -> 1.2.3.143:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1103 -> 1.2.3.144:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1104 -> 1.2.3.145:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1105 -> 1.2.3.146:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1106 -> 1.2.3.147:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1107 -> 1.2.3.148:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1108 -> 1.2.3.149:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1109 -> 1.2.3.150:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1110 -> 1.2.3.151:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1111 -> 1.2.3.152:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1113 -> 1.2.3.154:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1112 -> 1.2.3.153:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1115 -> 1.2.3.156:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1114 -> 1.2.3.155:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1116 -> 1.2.3.157:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1117 -> 1.2.3.158:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1118 -> 1.2.3.159:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1119 -> 1.2.3.160:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1120 -> 1.2.3.161:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1121 -> 1.2.3.162:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1122 -> 1.2.3.163:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1123 -> 1.2.3.164:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1124 -> 1.2.3.165:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1125 -> 1.2.3.166:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1126 -> 1.2.3.167:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1127 -> 1.2.3.168:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1128 -> 1.2.3.169:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1129 -> 1.2.3.170:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1130 -> 1.2.3.171:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1131 -> 1.2.3.172:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1132 -> 1.2.3.173:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1133 -> 1.2.3.174:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1134 -> 1.2.3.175:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1135 -> 1.2.3.176:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1136 -> 1.2.3.177:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1137 -> 1.2.3.178:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1138 -> 1.2.3.179:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1139 -> 1.2.3.180:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1140 -> 1.2.3.181:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1141 -> 1.2.3.182:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1142 -> 1.2.3.183:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1143 -> 1.2.3.184:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1144 -> 1.2.3.185:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1145 -> 1.2.3.186:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1146 -> 1.2.3.187:515

Address: 161.57.10.11 [whois.arin.net]

Ferris State University (NET-FERRIS)
   I.S. & T Dept
   Ferris State University
   901 S. State St
   Big Rapids MI 49307
   US

   Netname: FERRIS
   Netblock: 161.57.0.0 - 161.57.255.255

   Coordinator:
      Poole, Trevor  (TP4-ARIN)  A000@MUSIC.FERRIS.EDU
      (616) 592-2143

   Domain System inverse mapping provided by:

   WHEEL.FERRIS.EDU             161.57.5.2
   WHEEL2.FERRIS.EDU            161.57.5.3

   Record last updated on 28-Apr-1994.
   Database last updated on 30-Apr-2001 22:35:39 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

ferris.edu
Request: ferris.edu

Registrant:
Ferris State University (FERRIS-DOM)
   Telecommunications
   Masselink Complex
   713 Campus Drive
   Big Rapids, MI 49307
   US

   Domain Name: FERRIS.EDU

   Administrative Contact:
      Dean, Calla  (CD5474)  deanc@FERRIS.EDU
      Ferris State University
      Masselink Complex
      713 Campus Drive
      Big Rapids, MI 49307
      (231) 591-2073 (FAX) (231) 591-2990
   Technical Contact:
      Maat, Jim  (JM22022)  maatj@FERRIS.EDU
      Ferris State University
      Masselink Complex
      713 Campus Drive
      Big Rapids, MI 49307
      (231) 591-2905 (FAX) (231) 591-2990
   Billing Contact:
      Campbell, Cathy  (CC9801)  campbelc@FERRIS.EDU
      Ferris State University
      Masselink Complex
      713 Campus Drive
      Big Rapids, MI 49307
      (231) 591-3867 (FAX) (231) 591-2990

   Record last updated on 01-Nov-2000.
   Record created on 11-Jan-1994.
   Database last updated on 30-Apr-2001 23:34:00 EDT.

   Domain servers in listed order:

   WHEEL.FERRIS.EDU             161.57.5.2
   WHEEL2.FERRIS.EDU            161.57.5.3

TCP CONNECT TO 161.57.10.11:22 succeeded
SSH-1.99-OpenSSH_2.1.1
Connection closed.

TCP CONNECT TO 161.57.10.11:23 succeeded
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.16-22smp on a 2-processor i686
login:
Connection closed.

TCP CONNECT TO 161.57.10.11:25 succeeded
220 localhost.localdomain ESMTP Sendmail 8.11.0/8.11.0; Tue, 1 May 2001 10:12:55 -0400
Connection closed.

TCP CONNECT TO 161.57.10.11:79 succeeded
Connection closed.

TCP CONNECT TO 161.57.10.11:6000 succeeded
Connection closed.

FINGER @161.57.10.11
[161.57.10.11]
Login     Name       Tty      Idle  Login Time   Office     Office Phone
root      root       tty1      13d  Apr 17 13:09
root      root       pts/0   19:35  Apr 26 14:35 (:0)
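The report above is built from Snort alerts written to syslog, one line per probe, and what makes it a "scan" rather than a single alert is the pattern across those lines: one source, one service port (515/tcp, LPD), many distinct destination hosts, within a few seconds. The following Python is an added example, not part of the original report and not the reporter's tooling, showing how a responder would turn a pile of such syslog lines into that per-source summary and apply a horizontal-scan rule to it. The sample log is constructed here in the same format as the lines above (a subset of the report's own entries, plus a single-hit source 10.9.8.7 and a differently shaped preprocessor message, both made up for the example); the thresholds in classify() are assumptions, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Snort alert as forwarded to syslog, in the shape seen in the report:
# "<Mon> <day> <hh:mm:ss> <sensor> snort[<pid>]: <message>: <src>:<sport> -> <dst>:<dport>"
ALERT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<sensor>\S+) snort\[(?P<pid>\d+)\]: (?P<msg>.+?): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Constructed sample: report-format lines for one noisy source, one single hit from
# another (made-up) source, and a preprocessor line that has no src -> dst pair.
SAMPLE_LOG = """\
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:4936 -> 1.2.3.2:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:4999 -> 1.2.3.65:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1033 -> 1.2.3.74:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:4998 -> 1.2.3.64:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1101 -> 1.2.3.142:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1102 -> 1.2.3.143:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1104 -> 1.2.3.145:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1108 -> 1.2.3.149:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1120 -> 1.2.3.161:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1122 -> 1.2.3.163:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1111 -> 1.2.3.152:515
May 1 04:22:59 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:1112 -> 1.2.3.153:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:4936 -> 1.2.3.2:515
May 1 04:23:02 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 161.57.10.11:4998 -> 1.2.3.64:515
May 1 04:30:11 fwml-off.mydomain.com snort[86706]: OVERFLOW - Possible attempt at MS Print Services: 10.9.8.7:2048 -> 1.2.3.50:515
May 1 04:31:00 fwml-off.mydomain.com snort[86706]: spp_portscan: PORTSCAN DETECTED from 10.9.8.7
"""


def parse_alert(line, year=2001):
    """Parse one syslog'd Snort alert; return None for lines of any other shape.
    Syslog carries no year, so the caller supplies it (the report is from 2001)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['time']}", "%b %d %Y %H:%M:%S")
    return {"ts": ts, "sensor": m["sensor"], "msg": m["msg"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def _ip_key(ip):
    return tuple(int(o) for o in ip.split("."))


def summarize_by_source(lines, year=2001):
    """Group alerts by source address and compute what an abuse report needs:
    alert count, distinct targets, distinct destination ports, and time window."""
    groups = defaultdict(list)
    for line in lines:
        alert = parse_alert(line, year)
        if alert:
            groups[alert["src"]].append(alert)
    summary = {}
    for src, alerts in groups.items():
        times = [a["ts"] for a in alerts]
        summary[src] = {
            "alerts": len(alerts),
            "targets": sorted({a["dst"] for a in alerts}, key=_ip_key),
            "dports": sorted({a["dport"] for a in alerts}),
            "messages": sorted({a["msg"] for a in alerts}),
            "first": min(times),
            "last": max(times),
            "span_seconds": (max(times) - min(times)).total_seconds(),
        }
    return summary


def classify(entry, min_targets=10, max_span_seconds=300):
    """Horizontal scan: one source, one service port, many hosts, short window.
    The vertical-scan branch (one host, many ports) generalizes beyond the report.
    Thresholds are assumptions for the example, not values from the report."""
    if (len(entry["targets"]) >= min_targets and len(entry["dports"]) == 1
            and entry["span_seconds"] <= max_span_seconds):
        return "horizontal-scan"
    if len(entry["targets"]) == 1 and len(entry["dports"]) > 1:
        return "vertical-scan"
    return "isolated"


if __name__ == "__main__":
    for src, entry in summarize_by_source(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {entry['alerts']} alerts, {len(entry['targets'])} hosts, "
              f"ports {entry['dports']}, {entry['span_seconds']:.0f}s window "
              f"-> {classify(entry)}")
```

The summary for the noisy source (14 alerts, 12 hosts, one port, 3 seconds) is exactly the evidence an abuse desk wants stated up front; the preprocessor line is deliberately skipped rather than crashing the parser, since a real syslog file mixes alert shapes.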