SnortSnarf alert page

Source: 24.126.254.13

SnortSnarf v021111.1

17 such alerts found using input module SnortFileInput, with sources:
Earliest: 10:52:09.205232 on 05/21/2003
Latest: 10:53:13.953010 on 05/21/2003

6 different signatures are present for 24.126.254.13 as a source

There is 1 distinct destination IP in the alerts of the type on this page.


[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-10:52:09.205232 24.126.254.13:1657 -> 192.168.1.6:80
TCP TTL:105 TOS:0x0 ID:29515 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x391C77EE Ack: 0x9547483D Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-10:52:17.607737 24.126.254.13:1867 -> 192.168.1.6:80
TCP TTL:105 TOS:0x0 ID:30319 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x39D704F7 Ack: 0x95764EFC Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-10:52:19.792071 24.126.254.13:1928 -> 192.168.1.6:80
TCP TTL:105 TOS:0x0 ID:30548 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x3A09DE31 Ack: 0x95AF7AF0 Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-10:52:25.989516 24.126.254.13:2077 -> 192.168.1.6:80
TCP TTL:105 TOS:0x0 ID:31142 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x3A86BBC4 Ack: 0x9634C4DA Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-10:52:28.082909 24.126.254.13:2153 -> 192.168.1.6:80
TCP TTL:105 TOS:0x0 ID:31372 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x3AC6E83D Ack: 0x95DD2B18 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/21-10:52:32.920443 24.126.254.13:2312 -> 192.168.1.6:80
TCP TTL:105 TOS:0x0 ID:31982 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x3B4DDABB Ack: 0x96840785 Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/21-10:52:35.088771 24.126.254.13:2360 -> 192.168.1.6:80
TCP TTL:105 TOS:0x0 ID:32235 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x3B78DA0D Ack: 0x96B32FA0 Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-10:52:36.311809 24.126.254.13:2419 -> 192.168.1.6:80
TCP TTL:105 TOS:0x0 ID:32377 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x3BABABC7 Ack: 0x96A98941 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-10:52:38.438555 24.126.254.13:2457 -> 192.168.1.6:80
TCP TTL:105 TOS:0x0 ID:32583 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x3BC9D019 Ack: 0x96E4DBDB Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-10:52:43.663227 24.126.254.13:2587 -> 192.168.1.6:80
TCP TTL:105 TOS:0x0 ID:33090 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x3C4047A9 Ack: 0x96B701E7 Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-10:52:49.210164 24.126.254.13:2726 -> 192.168.1.6:80
TCP TTL:105 TOS:0x0 ID:33629 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x3CB90873 Ack: 0x9743EF79 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-10:52:54.340540 24.126.254.13:2797 -> 192.168.1.6:80
TCP TTL:105 TOS:0x0 ID:34189 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x3CF87FFC Ack: 0x97EDD721 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-10:52:56.393847 24.126.254.13:2932 -> 192.168.1.6:80
TCP TTL:105 TOS:0x0 ID:34396 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x3D72E457 Ack: 0x981F582C Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-10:52:57.673378 24.126.254.13:2987 -> 192.168.1.6:80
TCP TTL:105 TOS:0x0 ID:34546 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x3DA057D1 Ack: 0x9847F234 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-10:53:00.741978 24.126.254.13:2987 -> 192.168.1.6:80
TCP TTL:105 TOS:0x0 ID:34847 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x3DA057D1 Ack: 0x9847F234 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-10:53:02.366671 24.126.254.13:3104 -> 192.168.1.6:80
TCP TTL:105 TOS:0x0 ID:35041 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x3E06C5E3 Ack: 0x980AB9DC Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-10:53:13.953010 24.126.254.13:3389 -> 192.168.1.6:80
TCP TTL:105 TOS:0x0 ID:36153 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x3F031571 Ack: 0x98C97F34 Win: 0x4470 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:09:28 2003