
SnortSnarf alert page

Source: 24.112.68.208

SnortSnarf v021111.1


16 such alerts found using input module SnortFileInput, with sources:
Earliest: 23:59:37.163239 on 04/22/2003
Latest: 00:00:36.724668 on 04/23/2003

6 different signatures are present for 24.112.68.208 as a source

There is 1 distinct destination IP in the alerts of the type on this page.



[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/22-23:59:37.163239 24.112.68.208:5835 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:33924 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x55A97E65 Ack: 0x6B6D006B Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/22-23:59:38.663615 24.112.68.208:5962 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:34241 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x560F2912 Ack: 0x6B16E2DB Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/22-23:59:39.659538 24.112.68.208:6004 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:34449 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x56319AE7 Ack: 0x6B292AE5 Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/22-23:59:49.673259 24.112.68.208:6543 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:36481 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x57E9CFDB Ack: 0x6B8655B8 Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/22-23:59:50.673574 24.112.68.208:6594 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:36649 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x58156F22 Ack: 0x6C310CDE Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/22-23:59:52.182312 24.112.68.208:6680 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:36925 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x5857E9E9 Ack: 0x6C299AD6 Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/22-23:59:53.175223 24.112.68.208:6754 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:37132 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x5896BAF4 Ack: 0x6C961531 Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/22-23:59:57.174755 24.112.68.208:6786 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:37738 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x58B1E784 Ack: 0x6C97D26E Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/22-23:59:59.167451 24.112.68.208:7035 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:38133 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x5982E5A6 Ack: 0x6C0AB6DA Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:00:00.195515 24.112.68.208:7082 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:38230 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x59A96CCF Ack: 0x6C16823C Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:00:01.181100 24.112.68.208:7096 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:38493 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x59B83551 Ack: 0x6CCFB7A3 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:00:14.184252 24.112.68.208:7609 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:40534 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x5B5BD7F4 Ack: 0x6DA30AE3 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:00:15.695423 24.112.68.208:7845 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:40772 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x5C162C77 Ack: 0x6D28973B Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:00:25.236404 24.112.68.208:7859 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:42576 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x5C22BEA8 Ack: 0x6D542FA2 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:00:26.215962 24.112.68.208:8409 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:42743 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x5DD75F7B Ack: 0x6DE3B93A Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:00:36.724668 24.112.68.208:8996 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:44968 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x5FAC64AB Ack: 0x6EC70737 Win: 0x4470 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:52 2003