SnortSnarf alert page

Source: 24.46.127.157

SnortSnarf v021111.1

Signature section (91123)

Top 20 source IPs

Top 20 dest IPs

32 such alerts found using input module SnortFileInput, with sources:

/home/rivettmj/snort_alertlog/alert

Earliest: 12:55:03.063934 on 05/25/2003
Latest: 00:04:22.350172 on 06/13/2003

6 different signatures are present for 24.46.127.157 as a source

2 instances of WEB-IIS _mem_bin access
2 instances of WEB-FRONTPAGE /_vti_bin/ access
4 instances of WEB-IIS CodeRed v2 root.exe access
7 instances of WEB-IIS multiple decode attempt
7 instances of WEB-IIS cmd.exe access
10 instances of WEB-IIS unicode directory traversal attempt

There are 1 distinct destination IPs in the alerts of the type on this page.

24.46.127.157 Whois lookup at: ARIN RIPE APNIC Geektools

DNS lookup at: Amenesi TRIUMF Princeton

More lookup links: Dshield Sam Spade

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/25-12:55:03.063934 24.46.127.157:4315 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:16280 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x5C6B3AAD  Ack: 0x6463711A  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/25-12:55:04.061677 24.46.127.157:4339 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:16346 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x5C820785  Ack: 0x6479549B  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/25-12:55:04.193437 24.46.127.157:4344 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:16361 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x5C85A9A1  Ack: 0x64EBBBB7  Win: 0x4470  TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/25-12:55:04.364930 24.46.127.157:4350 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:16373 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x5C8AC6E2  Ack: 0x6456D90C  Win: 0x4470  TcpLen: 20

[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/25-12:55:04.503206 24.46.127.157:4352 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:16380 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x5C8CC4A4  Ack: 0x650BA52E  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
05/25-12:55:04.652472 24.46.127.157:4354 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:16388 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x5C8F57F5  Ack: 0x649B31DA  Win: 0x4470  TcpLen: 20

[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
05/25-12:55:04.802348 24.46.127.157:4356 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:16399 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x5C914310  Ack: 0x648A0853  Win: 0x4470  TcpLen: 20

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/25-12:55:04.931807 24.46.127.157:4363 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:16415 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x5C9795B1  Ack: 0x6500686E  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/25-12:55:05.074556 24.46.127.157:4369 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:16432 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x5C9CF4D8  Ack: 0x64F7A358  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/25-12:55:05.221867 24.46.127.157:4372 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:16441 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x5C9FD56C  Ack: 0x646D920F  Win: 0x4470  TcpLen: 20

[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/25-12:55:14.511547 24.46.127.157:4602 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:16954 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x5D667CEA  Ack: 0x64D65B9B  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/25-12:55:23.947696 24.46.127.157:4868 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:17427 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x5E28E389  Ack: 0x663D6BEE  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/25-12:55:27.480240 24.46.127.157:3033 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:17590 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x5E76C027  Ack: 0x661E9C7F  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/25-12:55:27.632576 24.46.127.157:3036 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:17600 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x5E79C642  Ack: 0x65ACDAC4  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/25-12:55:27.790368 24.46.127.157:3039 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:17612 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x5E7C2E76  Ack: 0x660A8FD8  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/25-12:55:27.948241 24.46.127.157:3044 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:17629 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x5E80A754  Ack: 0x65F2F8CF  Win: 0x4470  TcpLen: 20

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/13-00:03:44.034988 24.46.127.157:3342 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:40104 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x93A83B6D  Ack: 0xBE5D87BF  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/13-00:03:47.976424 24.46.127.157:3369 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:40505 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x93BEA6ED  Ack: 0xBEA2EFC0  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/13-00:03:51.940323 24.46.127.157:3604 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:40881 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x94860892  Ack: 0xBF262994  Win: 0x4470  TcpLen: 20

[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/13-00:03:52.097785 24.46.127.157:3607 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:40900 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x94886717  Ack: 0xBEE5DAEE  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
06/13-00:03:52.418938 24.46.127.157:3611 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:40935 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x948C9B1A  Ack: 0xBF40CBFD  Win: 0x4470  TcpLen: 20

[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
06/13-00:04:01.770054 24.46.127.157:3871 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:41588 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x9565F9D0  Ack: 0xC020595E  Win: 0x4470  TcpLen: 20

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/13-00:04:01.917205 24.46.127.157:3876 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:41604 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x956A4C13  Ack: 0xBF8BF254  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/13-00:04:02.041953 24.46.127.157:3882 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:41611 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x95704597  Ack: 0xBFA12D64  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/13-00:04:05.497971 24.46.127.157:3953 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:41791 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x95AD19EC  Ack: 0xC0157AD1  Win: 0x4470  TcpLen: 20

[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/13-00:04:08.876269 24.46.127.157:4056 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:42029 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x96031007  Ack: 0xC0336F18  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/13-00:04:18.663997 24.46.127.157:4320 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:42736 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x96E38666  Ack: 0xC128A2B3  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/13-00:04:18.802724 24.46.127.157:4328 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:42745 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x96EACC50  Ack: 0xC128BE52  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/13-00:04:18.926156 24.46.127.157:4331 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:42758 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x96ED3D9C  Ack: 0xC0B650CE  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/13-00:04:21.848045 24.46.127.157:4331 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:43066 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x96ED3D9C  Ack: 0xC0B650CE  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/13-00:04:22.042321 24.46.127.157:4442 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:43084 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x974D1441  Ack: 0xC1348EFC  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/13-00:04:22.350172 24.46.127.157:4444 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:43104 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x974F1222  Ack: 0xC165A942  Win: 0x4470  TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:53 2003

24.46.127.157	Whois lookup at:	ARIN	RIPE	APNIC	Geektools
	DNS lookup at:	Amenesi	TRIUMF	Princeton
	More lookup links:	Dshield	Sam Spade