SnortSnarf alert page

Source: 24.114.7.121

SnortSnarf v021111.1

25 such alerts found using input module SnortFileInput, with sources:
Earliest: 19:57:05.581796 on 06/05/2003
Latest: 00:39:45.075645 on 06/06/2003

6 different signatures are present for 24.114.7.121 as a source

There is 1 distinct destination IP in the alerts of the type on this page.

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/05-19:57:05.581796 24.114.7.121:4475 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:11620 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x8E9825D0 Ack: 0x5CF526C8 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/05-19:57:11.161978 24.114.7.121:4593 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:12095 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x8F00A2BA Ack: 0x5D48FE0B Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/05-19:57:19.606026 24.114.7.121:4791 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:12915 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x8FAA6AB7 Ack: 0x5CF0C51B Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/05-19:57:29.076647 24.114.7.121:3100 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:13819 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x905B7DA9 Ack: 0x5DB6DF36 Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/05-19:57:33.035258 24.114.7.121:3100 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:14160 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x905B7DA9 Ack: 0x5DB6DF36 Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/05-19:57:38.340869 24.114.7.121:3229 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:14606 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x90D15517 Ack: 0x5E26C223 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-00:39:11.342030 24.114.7.121:4651 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:3033 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x6ACD0D70 Ack: 0x86E56B18 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-00:39:14.322657 24.114.7.121:4651 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:3187 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x6ACD0D70 Ack: 0x86E56B18 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-00:39:15.963261 24.114.7.121:4707 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:3279 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x6B0801EE Ack: 0x879AF63B Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-00:39:16.224137 24.114.7.121:4711 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:3304 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x6B0BCD56 Ack: 0x878D6D1F Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-00:39:16.488833 24.114.7.121:4718 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:3328 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x6B1195B7 Ack: 0x872C8F4C Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-00:39:19.433034 24.114.7.121:4718 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:3471 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x6B1195B7 Ack: 0x872C8F4C Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-00:39:19.937577 24.114.7.121:4766 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:3485 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x6B417700 Ack: 0x86FED93D Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
06/06-00:39:20.200961 24.114.7.121:4770 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:3496 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x6B45EB01 Ack: 0x87CE3005 Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
06/06-00:39:20.471762 24.114.7.121:4772 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:3513 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x6B483798 Ack: 0x87763205 Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-00:39:20.705101 24.114.7.121:4775 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:3521 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x6B4B9C0C Ack: 0x8740988C Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-00:39:24.383713 24.114.7.121:4834 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:3763 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x6B836387 Ack: 0x880817E2 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-00:39:24.611918 24.114.7.121:4842 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:3789 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x6B8A2CEA Ack: 0x8727C953 Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-00:39:34.191745 24.114.7.121:3022 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:4377 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x6C0CB373 Ack: 0x885B14A5 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-00:39:37.728154 24.114.7.121:3064 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:4578 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x6C35F023 Ack: 0x88AA66DE Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-00:39:37.962864 24.114.7.121:3066 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:4595 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x6C38E848 Ack: 0x88775556 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-00:39:38.149265 24.114.7.121:3071 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:4606 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x6C3D312C Ack: 0x889E6130 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-00:39:41.237975 24.114.7.121:3071 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:4678 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x6C3D312C Ack: 0x889E6130 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-00:39:41.539897 24.114.7.121:3097 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:4701 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x6C5BAF23 Ack: 0x8867DAC6 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-00:39:45.075645 24.114.7.121:3147 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:4914 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x6C8EC929 Ack: 0x89268FFF Win: 0x4470 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:54 2003