SnortSnarf alert page

Source: 24.114.34.24

SnortSnarf v021111.1

18 such alerts found using input module SnortFileInput, with sources:
Earliest: 10:58:54.794183 on 06/02/2003
Latest: 10:59:57.489989 on 06/02/2003

6 different signatures are present for 24.114.34.24 as a source

There is 1 distinct destination IP in the alerts of the type on this page.


[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/02-10:58:54.794183 24.114.34.24:2905 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:25749 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xD2722A27 Ack: 0xAC8789DE Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/02-10:58:56.458249 24.114.34.24:2965 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:25926 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0xD2A4B6BF Ack: 0xAC8389B6 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/02-10:59:06.634967 24.114.34.24:3265 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:27000 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xD3A49380 Ack: 0xACC61CAD Win: 0x4470 TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/02-10:59:07.562917 24.114.34.24:3299 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:27129 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xD3C069D4 Ack: 0xAD35FE03 Win: 0x4470 TcpLen: 20

[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/02-10:59:11.779198 24.114.34.24:3434 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:27626 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xD4351CE0 Ack: 0xADA56CC3 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
06/02-10:59:12.613141 24.114.34.24:3468 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:27749 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xD451BD27 Ack: 0xAD5492E3 Win: 0x4470 TcpLen: 20

[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
06/02-10:59:16.881354 24.114.34.24:3599 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:28216 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xD4BFD77D Ack: 0xAE122295 Win: 0x4470 TcpLen: 20

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/02-10:59:21.428099 24.114.34.24:3722 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:28680 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0xD5282A1E Ack: 0xADA7EC8E Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/02-10:59:22.927820 24.114.34.24:3767 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:28849 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xD550C5DC Ack: 0xADE64D5E Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/02-10:59:24.301771 24.114.34.24:3806 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:28998 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xD574C550 Ack: 0xADFB9587 Win: 0x4470 TcpLen: 20

[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/02-10:59:34.718493 24.114.34.24:4110 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:30147 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xD67BD66D Ack: 0xAEF14088 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/02-10:59:36.254415 24.114.34.24:4158 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:30298 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xD6A57BBE Ack: 0xAF2CE713 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/02-10:59:37.496683 24.114.34.24:4203 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:30445 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0xD6CCE8B5 Ack: 0xAECF6C76 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/02-10:59:40.549897 24.114.34.24:4203 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:30757 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0xD6CCE8B5 Ack: 0xAECF6C76 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/02-10:59:48.247249 24.114.34.24:4483 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:31446 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xD7BD849B Ack: 0xAF6304D0 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/02-10:59:51.323839 24.114.34.24:4483 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:31700 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xD7BD849B Ack: 0xAF6304D0 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/02-10:59:52.821585 24.114.34.24:4604 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:31871 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0xD829ED15 Ack: 0xAFA0FB23 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/02-10:59:57.489989 24.114.34.24:4731 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:32300 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xD896F640 Ack: 0xAFCB1233 Win: 0x4470 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:52 2003