SnortSnarf alert page

Source: 24.243.144.13

SnortSnarf v021111.1

Signature section (91123) | Top 20 source IPs | Top 20 dest IPs

20 such alerts found using input module SnortFileInput, with sources:
Earliest: 07:28:42.072960 on 05/05/2003
Latest: 07:30:23.233776 on 05/05/2003

6 different signatures are present for 24.243.144.13 as a source

There is 1 distinct destination IP in the alerts of the type on this page.



[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-07:28:42.072960 24.243.144.13:2563 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:57599 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x18B1770E Ack: 0x766B6D1 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-07:28:44.516903 24.243.144.13:2563 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:59311 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x18B1770E Ack: 0x766B6D1 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-07:28:50.340597 24.243.144.13:2563 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:63491 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x18B1770E Ack: 0x766B6D1 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-07:28:56.590869 24.243.144.13:1575 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:1602 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x217FC062 Ack: 0x8413DAA Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-07:28:57.537290 24.243.144.13:1819 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:2167 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x223659DC Ack: 0x81F6A3F Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-07:29:07.620306 24.243.144.13:3708 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:8017 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x27D631B5 Ack: 0x8870430 Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-07:29:09.244506 24.243.144.13:3915 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:8929 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x286C9B8F Ack: 0x8DAB98C Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/05-07:29:19.886612 24.243.144.13:2001 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:15421 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x2E87D9A4 Ack: 0x9A08596 Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/05-07:29:30.921076 24.243.144.13:4047 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:21595 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x34A21DCA Ack: 0x9F3C812 Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-07:29:32.621475 24.243.144.13:4436 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:22636 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x35C9539A Ack: 0x9F4E9E8 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-07:29:34.312904 24.243.144.13:4757 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:23623 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x36BCC992 Ack: 0xA93100F Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-07:29:44.988414 24.243.144.13:2895 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:30448 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x3CF549FD Ack: 0xB7BC081 Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-07:29:55.466169 24.243.144.13:1096 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:37340 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x436B347A Ack: 0xC36956D Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-07:30:06.337459 24.243.144.13:2837 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:42779 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x489BDF1B Ack: 0xC92B78B Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-07:30:08.061226 24.243.144.13:3156 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:43678 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x498FD272 Ack: 0xC137AEE Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-07:30:10.541618 24.243.144.13:3156 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:45187 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x498FD272 Ack: 0xC137AEE Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-07:30:13.135887 24.243.144.13:3940 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:46228 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x4BE94016 Ack: 0xCC6D095 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-07:30:15.528882 24.243.144.13:3940 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:47740 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x4BE94016 Ack: 0xCC6D095 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-07:30:21.530064 24.243.144.13:4786 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:50515 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x4E6EAF32 Ack: 0xD18C780 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-07:30:23.233776 24.243.144.13:1698 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:51411 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x5110FCEB Ack: 0xCF0EDA7 Win: 0x4470 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:52 2003