Textual Analysis for Network Attack Recognition
Botnet Attack Log
The target host that logged this attack sequence runs Linux, and so it is rather determined to resolve IP addresses to fully-qualified domain names as much as possible. Each IP address or fully-qualified domain name was looked up with geoiplookup, and the initial summary shows the distribution by country.

Not all the hostnames resolved back to IP addresses; sbcglobal.net is an obvious offender, providing no useful DNS PTR records. These were looked up manually with whois, and those results were used where unambiguous.
Summary By Country
Members Country
------- ------------------
20 US, United States
11 BR, Brazil
11 FR, France
10 DE, Germany
9 GB, United Kingdom
9 IT, Italy
9 PL, Poland
6 ES, Spain
5 CZ, Czech Republic
5 MX, Mexico
5 RO, Romania
4 CL, Chile
4 PE, Peru
3 BE, Belgium
2 AR, Argentina
2 AU, Australia
2 CO, Colombia
2 DK, Denmark
2 EE, Estonia
2 HU, Hungary
2 IL, Israel
2 KR, Korea, Republic of
2 PA, Panama
2 RU, Russian Federation
2 TW, Taiwan
1 AT, Austria
1 BF, Burkina Faso
1 CA, Canada
1 CH, Switzerland
1 CI, Cote D'Ivoire
1 CN, China
1 ID, Indonesia
1 IE, Ireland
1 NL, Netherlands
1 TR, Turkey
1 ZA, South Africa
Nov 18 07:32:06 web7 from mail.moldes.com.pe / PE, Peru
Nov 18 07:35:35 web8 from 217.10.197.26 / RO, Romania
Nov 18 07:39:34 web9 from csd1061.servsystems.net / FR, France
Nov 18 07:42:42 web10 from 12.29.108.7 / US, United States
Nov 18 07:46:17 web11 from 63.200.16.10 / US, United States
Nov 18 07:49:45 web12 from 192.116.243.241 / IL, Israel
Nov 18 08:29:32 web0 from 217.128.133.130 / FR, France
Nov 18 08:33:18 web0 from 80.188.22.2 / CZ, Czech Republic
Nov 18 08:36:48 web0 from cm19182.red.mundo-r.com / ES, Spain
Nov 18 08:40:33 web0 from xd877fac3.ip.e-nt.net / US, United States
Nov 18 08:44:02 web0 from host-148-117-2-96.midco.net / US, United States
Nov 18 08:47:44 web1 from 82.131.195.220 / HU, Hungary
Nov 18 08:51:21 web1 from 200.91.14.32 / CL, Chile
Nov 18 08:58:34 web1 from host33-236-static.123-81-b.business.telecomitalia.it / IT, Italy
Nov 18 09:01:54 web1 from 213-35-211-206-dsl.end.estpak.ee / EE, Estonia
Nov 18 09:05:44 web2 from host81-138-4-120.in-addr.btopenworld.com / GB, United Kingdom
Nov 18 09:09:30 web2 from 85-18-94-139.ip.fastwebnet.it / IT, Italy
Nov 18 09:13:16 web2 from montt.procint.cl / CL, Chile
Nov 18 09:16:40 web2 from adsl-074-229-022-018.sip.mia.bellsouth.net / US, United States
Nov 18 09:20:28 web2 from 220-130-152-234.hinet-ip.hinet.net / TW, Taiwan
Nov 18 09:31:07 web3 from 148.223.0.68 / MX, Mexico
Nov 18 09:35:11 web3 from 81.5.208.61 / AT, Austria
Nov 18 09:42:24 web4 from versiera.demon.co.uk / GB, United Kingdom
Nov 18 09:46:20 web4 from ip-62-105-180-178.dsl.twang.net / GB, United Kingdom
Nov 18 09:49:42 web4 from c9067486.static.spo.virtua.com.br / BR, Brazil
Nov 18 09:57:00 web4 from 213.136.105.130 / CI, Cote D'Ivoire
Nov 18 10:00:42 web5 from sd-4547.dedibox.fr / FR, France
Nov 18 10:05:36 web11 from 81-86-66-131.dsl.pipex.com / GB, United Kingdom
Nov 18 10:09:22 web11 from 81.180.88.6 / RO, Romania
Nov 18 10:12:52 web11 from euaonline.eua.be / BE, Belgium
Nov 18 10:16:38 web11 from mail.rindboel.com / DK, Denmark
Nov 18 10:20:14 web12 from 201.54.15.34 / BR, Brazil
Nov 18 10:23:37 web12 from www.tanaliz.bf / BF, Burkina Faso
Nov 18 10:27:13 web12 from 203-59-234-202.perm.iinet.net.au / AU, Australia
Nov 18 10:30:40 web12 from 201-016-189-058.xf-static.ctbcnetsuper.com.br / BR, Brazil
Nov 18 10:34:07 web13 from 200.138.118.89 / BR, Brazil
Nov 18 10:37:29 web13 from 192.116.243.241 / IL, Israel
Nov 18 10:44:56 web13 from cxr69-1-82-67-54-108.fbx.proxad.net / FR, France
Nov 18 10:48:27 web0 from 84.78.22.164 / ES, Spain
Nov 18 10:52:19 web0 from 200.68.45.66 / CL, Chile
Nov 18 10:55:54 web0 from 200.253.204.130 / BR, Brazil
Nov 18 10:59:58 web0 from p578b3973.dip0.t-ipconnect.de / DE, Germany
Nov 18 11:03:38 web1 from 211.61.130.199 / KR, Korea, Republic of
Nov 18 11:07:28 web1 from 81.72.63.126 / IT, Italy
Nov 18 11:10:47 web1 from 81-86-66-131.dsl.pipex.com / GB, United Kingdom
Nov 18 11:14:20 web1 from 81-86-66-131.dsl.pipex.com / GB, United Kingdom
Nov 18 11:18:00 web2 from 209.77.106.130 / US, United States
Nov 18 11:21:39 web2 from 211.61.130.199 / KR, Korea, Republic of
Nov 18 11:25:46 web2 from 66.240.255.166 / US, United States
Nov 18 11:35:58 gnats from 62.76.246.253 / RU, Russian Federation
Nov 18 11:39:48 gnats from 213-35-211-206-dsl.end.estpak.ee / EE, Estonia
Nov 18 11:43:31 fetchmail from gju190.internetdsl.tpnet.pl / PL, Poland
Nov 18 11:47:24 fetchmail from 200.172.220.56 / BR, Brazil
Nov 18 11:51:20 fetchmail from 217.67.139.253 / IE, Ireland
Nov 18 11:56:52 cyrus from 194.206.246.114 / FR, France
Nov 18 12:02:50 dhcpd from mail.moldes.com.pe / PE, Peru
Nov 18 12:06:04 suse-ncc from 217.244.10.62 / DE, Germany
Nov 18 12:10:56 games from ppb132.cc.jl.cn / CN, China
Nov 18 12:14:32 games from pd907c5bf.dip0.t-ipconnect.de / DE, Germany
Nov 18 12:18:10 games from mail.moldes.com.pe / PE, Peru
Nov 18 12:22:06 games from client-novita-5.zgora.dialog.net.pl / PL, Poland
Nov 18 12:25:47 games from 62.76.246.253 / RU, Russian Federation
Nov 18 12:29:22 squid from 200.93.164.53 / CO, Colombia
Nov 18 12:32:58 squid from websrv01.przymedyku.pl / PL, Poland
Nov 18 12:37:04 squid from 200.153.48.18 / BR, Brazil
Nov 18 12:40:04 squid from h216.dkm.cz / CZ, Czech Republic
Nov 18 12:43:34 squid from ip-62-105-180-178.dsl.twang.net / GB, United Kingdom
Nov 18 12:47:32 cyrus from 81.180.88.6 / RO, Romania
Nov 18 12:51:07 cyrus from 62.43.205.67.static.user.ono.com / ES, Spain
Nov 18 12:55:16 cyrus from 66.184.240.3 / US, United States
Nov 18 13:02:30 cyrus from p578b3973.dip0.t-ipconnect.de / DE, Germany
Nov 18 13:06:06 www from adsl-074-229-022-018.sip.mia.bellsouth.net / US, United States
Nov 18 13:20:52 www from 201.54.15.34 / BR, Brazil
Nov 18 13:24:22 _blank_ from ip-213-49-15-90.dsl-static.scarlet.be / BE, Belgium
Nov 18 13:27:40 _blank_ from 139.slipi-4.colocation.telkom.net.id / ID, Indonesia
Nov 18 13:30:44 _blank_ from 212.158.45.125 / GB, United Kingdom
Nov 18 13:32:53 games from 63.200.16.10 / US, United States
Nov 18 13:36:43 squid from pd907c5bf.dip0.t-ipconnect.de / DE, Germany
Nov 18 13:40:13 cyrus from pd95b4140.dip0.t-ipconnect.de / DE, Germany
Nov 18 13:44:12 www from 84.78.22.164 / ES, Spain
Nov 18 13:47:35 news from 217-133-170-77.b2b.tiscali.it / IT, Italy
Nov 18 13:51:22 www from 200.93.164.53 / CO, Colombia
Nov 18 13:54:34 wwwrun from cxr69-1-82-67-54-108.fbx.proxad.net / FR, France
Nov 18 13:58:18 demo from 194.206.246.114 / FR, France
Nov 18 14:02:20 demo from 206.171.59.245 / US, United States
Nov 18 14:05:58 demo from 201.224.76.75 / PA, Panama
Nov 18 14:10:04 student from v413.ncsrv.de / DE, Germany
Nov 18 14:16:55 student from cro10-1-82-241-176-151.fbx.proxad.net / FR, France
Nov 18 14:20:30 guest from hg242.internetdsl.tpnet.pl / PL, Poland
Nov 18 14:24:04 guest from hg242.internetdsl.tpnet.pl / PL, Poland
Nov 18 14:27:41 guest from 63.200.16.10 / US, United States
Nov 18 14:47:09 user from host81-138-4-120.in-addr.btopenworld.com / GB, United Kingdom
Nov 18 15:14:34 demo1 from jhb.acuo.co.za / ZA, South Africa
Nov 18 15:18:09 demo1 from 194.116.131.6 / PL, Poland
Nov 18 15:21:38 demo1 from webserver.janel.com.mx / MX, Mexico
Nov 18 15:25:39 demo1 from 201.30.4.2 / BR, Brazil
Nov 18 15:29:45 user1 from host242-209-static.41-85-b.business.telecomitalia.it / IT, Italy
Nov 18 15:32:46 user1 from clube.cruzeiro.com.br / BR, Brazil
Nov 18 15:36:02 user1 from 62-167-3-222.static.adslpremium.ch / CH, Switzerland
Nov 18 15:40:25 user1 from host230-153-static.183-80-b.business.telecomitalia.it / IT, Italy
Nov 18 15:50:17 demo3 from 217.220.25.241 / IT, Italy
Nov 18 15:57:42 demo3 from 147.135.0.18 / US, United States
Nov 18 16:01:50 test3 from dsl-200-67-193-252.prod-empresarial.com.mx / MX, Mexico
Nov 18 16:05:20 test3 from webserver.janel.com.mx / MX, Mexico
Nov 18 16:09:09 test3 from 220-130-152-234.hinet-ip.hinet.net / TW, Taiwan
Nov 18 16:16:04 clamav from static-70-107-224-252.ny325.east.verizon.net / US, United States
Nov 18 16:21:08 clamav from static-70-107-224-252.ny325.east.verizon.net / US, United States
Nov 18 16:24:11 clamav from lvps80-237-163-79.dedicated.hosteurope.de / DE, Germany
Nov 18 16:27:26 clamav from 81.180.88.6 / RO, Romania
Nov 18 16:33:04 clamav from 217.128.133.130 / FR, France
Nov 18 16:35:50 clamav from xd877fac3.ip.e-nt.net / US, United States
Nov 18 16:38:54 clamav from 82.77.126.238 / RO, Romania
Nov 18 16:41:57 clamav from 200.62.227.204 / PE, Peru
Nov 18 16:45:05 amavisd from 200-207-85-162.dsl.telesp.net.br / BR, Brazil
Nov 18 16:47:46 amavisd from 62.12.1.188 / NL, Netherlands
Nov 18 16:51:07 amavisd from 162.23.broadband2.iol.cz / CZ, Czech Republic
Nov 18 16:54:12 amavisd from 200.68.45.66 / CL, Chile
Nov 18 16:57:09 amavisd from 81-208-64-254.ip.fastwebnet.it / IT, Italy
Nov 18 17:00:17 amavisd from dsl-200-67-193-252.prod-empresarial.com.mx / MX, Mexico
Nov 18 17:03:19 amavisd from 88.247.87.69 / TR, Turkey
Nov 18 17:06:12 amavisd from hg242.internetdsl.tpnet.pl / PL, Poland
Nov 18 17:09:17 amavis from xdsl-9495.wroclaw.dialog.net.pl / PL, Poland
Nov 18 17:12:21 amavis from 201.224.76.75 / PA, Panama
Nov 18 17:15:50 amavis from mail.sasllp.com / US, United States
Nov 18 17:18:56 amavis from 82.131.195.220 / HU, Hungary
Nov 18 17:21:57 amavis from xdsl-9495.wroclaw.dialog.net.pl / PL, Poland
Nov 18 17:24:11 vscan from ip-213-49-15-90.dsl-static.scarlet.be / BE, Belgium
Nov 18 17:29:23 spam from 195.120.101.75 / IT, Italy
Nov 18 17:35:13 mail from 193.179.134.203 / CZ, Czech Republic
Nov 18 17:38:20 contacts from 206.171.59.245 / US, United States
Nov 18 17:41:06 contacts from z-a2-0-1-196-s1.tls2.mtl1.rogerstelecom.net / CA, Canada
Nov 18 17:43:32 contacts from 203-59-234-202.perm.iinet.net.au / AU, Australia
Nov 18 17:48:48 stunnel from 88.red-80-34-55.staticip.rima-tde.net / ES, Spain
Nov 18 17:51:06 stunnel from 193.158.0.195 / DE, Germany
Nov 18 17:53:19 stunnel from csd1061.servsystems.net / FR, France
Nov 18 17:55:48 stunnel from 80.188.22.2 / CZ, Czech Republic
Nov 18 17:58:04 tcpdump from 12.160.119.2 / US, United States
Nov 18 18:03:16 tcpdump from lvps80-237-163-79.dedicated.hosteurope.de / DE, Germany
Nov 18 18:05:41 tcpdump from 209.77.106.130 / US, United States
Nov 18 18:08:27 apache from 200.68.84.107 / AR, Argentina
Nov 18 18:10:42 apache from lneuilly-152-21-116-168.w193-253.abo.wanadoo.fr / FR, France
Nov 18 18:13:00 apache from 85.235.253.200 / DK, Denmark
Nov 18 18:15:30 apache from 84.78.22.164 / ES, Spain
Nov 18 18:41:57 lp from 200.81.233.18 / AR, Argentina
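As an added example (this is not code from the original page or its author), the following Python script parses log lines in the format shown above, rebuilds the summary-by-country table, and then computes the three things that distinguish this sequence from a single host hammering one account: how often each source is reused, how many consecutive attempts land on the same username, and the spacing between attempts. The sample lines are copied verbatim from the log above. The classification thresholds (min_sources, max_per_source) and the assumption that all year-less syslog timestamps fall in one year are my own, not the page's.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Constructed sample: a dozen lines copied from the log on this page.
# Hostnames, IPs and countries are the page's own values.
SAMPLE_LOG = """\
Nov 18 07:32:06 web7 from mail.moldes.com.pe / PE, Peru
Nov 18 07:35:35 web8 from 217.10.197.26 / RO, Romania
Nov 18 07:39:34 web9 from csd1061.servsystems.net / FR, France
Nov 18 07:42:42 web10 from 12.29.108.7 / US, United States
Nov 18 07:46:17 web11 from 63.200.16.10 / US, United States
Nov 18 07:49:45 web12 from 192.116.243.241 / IL, Israel
Nov 18 08:29:32 web0 from 217.128.133.130 / FR, France
Nov 18 08:33:18 web0 from 80.188.22.2 / CZ, Czech Republic
Nov 18 08:36:48 web0 from cm19182.red.mundo-r.com / ES, Spain
Nov 18 11:35:58 gnats from 62.76.246.253 / RU, Russian Federation
Nov 18 12:18:10 games from mail.moldes.com.pe / PE, Peru
Nov 18 12:25:47 games from 62.76.246.253 / RU, Russian Federation
"""

# Matches "Mon DD HH:MM:SS user from source / CC, Country name"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<user>\S+) from (?P<src>\S+) / (?P<cc>[A-Z]{2}), (?P<country>.+)$"
)


def parse_log(text):
    """Parse the annotated log lines; non-matching lines are skipped.
    Syslog timestamps carry no year, so we assume (assumption, not from
    the page) that every event falls in a single year; strptime fills 1900."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append({"ts": ts, "user": m.group("user"), "src": m.group("src"),
                       "cc": m.group("cc"), "country": m.group("country")})
    return events


def summarize(events):
    """Rebuild the page's summary-by-country plus per-source and per-user counts."""
    return {
        "by_country": Counter(e["cc"] for e in events),
        "by_source": Counter(e["src"] for e in events),
        "by_user": Counter(e["user"] for e in events),
    }


def username_runs(events):
    """Lengths of consecutive runs on the same username, in time order.
    A run of one username coming from several different sources means the
    username list is shared across hosts, not chosen per host."""
    runs = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if runs and runs[-1][0] == e["user"]:
            runs[-1][1] += 1
        else:
            runs.append([e["user"], 1])
    return [(user, n) for user, n in runs]


def median_gap_seconds(events):
    """Median spacing between consecutive attempts. A tight, regular cadence
    kept up across unrelated sources is a coordination signal."""
    ts = sorted(e["ts"] for e in events)
    gaps = [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
    return statistics.median(gaps) if gaps else None


def classify(events, min_sources=5, max_per_source=3):
    """Heuristic with assumed thresholds: many distinct sources, each used only
    a few times, is the distributed pattern that per-source lockouts miss."""
    per_source = Counter(e["src"] for e in events)
    if not per_source:
        return "empty"
    if len(per_source) >= min_sources and max(per_source.values()) <= max_per_source:
        return "distributed"
    if len(per_source) == 1:
        return "single-source"
    return "mixed"


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    s = summarize(evs)
    print("Members Country")
    for cc, n in s["by_country"].most_common():
        print(f"{n:7d} {cc}")
    print("reused sources:", [src for src, n in s["by_source"].items() if n > 1])
    print("username runs:", username_runs(evs))
    print("median gap (s):", median_gap_seconds(evs))
    print("pattern:", classify(evs))
```

Feed it the full log and the three signals come out together: sources reappear hours apart against different usernames, usernames are tried in runs from different hosts, and the attempts keep a steady spacing. That combination is what to alert on; counting failures per source IP alone stays under any sensible lockout threshold for every host in the list.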