SnortSnarf alert page

Source: 24.112.153.44

SnortSnarf v021111.1

33 such alerts found using input module SnortFileInput, with sources:
Earliest: 22:59:46.380125 on 05/31/2003
Latest: 00:21:51.100104 on 06/01/2003

6 different signatures are present for 24.112.153.44 as a source

There are 1 distinct destination IPs in the alerts of the type on this page.


[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-22:59:46.380125 24.112.153.44:4332 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:40916 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x5E33ABA Ack: 0xCF86B125 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-22:59:47.382630 24.112.153.44:4366 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:40974 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x600A034 Ack: 0xD04CE838 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-22:59:57.241156 24.112.153.44:4511 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:41422 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x692468C Ack: 0xD0E160B9 Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-23:00:06.985412 24.112.153.44:4649 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:41862 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x71D2239 Ack: 0xD165C550 Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-23:00:16.735783 24.112.153.44:4783 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:42246 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x7A6C0F5 Ack: 0xD16DE100 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/31-23:00:17.192151 24.112.153.44:4787 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:42256 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x7AB9E91 Ack: 0xD1ECB375 Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/31-23:00:17.690109 24.112.153.44:4793 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:42279 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x7B1C6A1 Ack: 0xD1A022DB Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-23:00:18.194012 24.112.153.44:4796 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:42307 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x7B5FA0B Ack: 0xD1CC7BF1 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-23:00:21.908388 24.112.153.44:4846 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:42425 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x7E6BA8C Ack: 0xD24CDE60 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-23:00:22.430015 24.112.153.44:4851 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:42449 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x7EB6E37 Ack: 0xD2639D36 Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-23:00:35.426867 24.112.153.44:3037 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:42921 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8721948 Ack: 0xD2D4D01C Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-23:00:35.949500 24.112.153.44:3069 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:42942 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x897649F Ack: 0xD2EC4839 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-23:00:37.137345 24.112.153.44:3101 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:43004 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x8B2C63C Ack: 0xD3524BC9 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-23:00:37.557718 24.112.153.44:3105 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:43019 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x8B60E7C Ack: 0xD365257E Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-23:00:37.935222 24.112.153.44:3110 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:43043 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x8BC3F9B Ack: 0xD360248B Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-23:00:38.409970 24.112.153.44:3113 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:43066 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x8C063C9 Ack: 0xD3437396 Win: 0x4470 TcpLen: 20
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/01-00:20:28.900530 24.112.153.44:3198 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:5064 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x7E0E975 Ack: 0x55527D Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/01-00:20:38.507877 24.112.153.44:3299 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:5572 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x8439134 Ack: 0xCABC47 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/01-00:20:44.969986 24.112.153.44:3416 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:5890 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x8BEA237 Ack: 0x1D2A2F1 Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/01-00:20:47.322085 24.112.153.44:3462 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:6014 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x8EBDBA3 Ack: 0x13576A8 Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/01-00:20:50.321844 24.112.153.44:3490 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:6142 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x9095632 Ack: 0x1768036 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
06/01-00:20:56.658650 24.112.153.44:3580 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:6499 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x963D8F5 Ack: 0x294C622 Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
06/01-00:20:59.244366 24.112.153.44:3616 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:6632 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x98842AC Ack: 0x2C70756 Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/01-00:21:01.771658 24.112.153.44:3657 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:6764 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x9AF886E Ack: 0x2CE1E74 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/01-00:21:04.201287 24.112.153.44:3691 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:6900 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x9D1292D Ack: 0x22FF04F Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/01-00:21:06.637641 24.112.153.44:3724 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:7029 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x9F4610A Ack: 0x29BBDB8 Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/01-00:21:17.341678 24.112.153.44:3891 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:7605 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xA9BE363 Ack: 0x3634FA9 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/01-00:21:23.131947 24.112.153.44:3915 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:7899 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xAB329A7 Ack: 0x350BC18 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/01-00:21:35.036660 24.112.153.44:4114 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:8514 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0xB7DCE0C Ack: 0x45BC90A Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/01-00:21:37.322602 24.112.153.44:4147 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:8632 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xB9EF374 Ack: 0x4AE1490 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/01-00:21:39.652474 24.112.153.44:4147 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:8753 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xB9EF374 Ack: 0x4AE1490 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/01-00:21:42.486646 24.112.153.44:4219 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:8882 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0xBE6D54E Ack: 0x56C4D3B Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/01-00:21:51.100104 24.112.153.44:4292 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:9326 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xC33561B Ack: 0x5463692 Win: 0x4470 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:54 2003