SnortSnarf alert page

Source: 24.126.120.88

SnortSnarf v021111.1

16 such alerts found using input module SnortFileInput, with sources:
Earliest: 23:32:00.512778 on 04/29/2003
Latest: 23:33:28.695548 on 04/29/2003

6 different signatures are present for 24.126.120.88 as a source

There is 1 distinct destination IP in the alerts of the type on this page.


[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-23:32:00.512778 24.126.120.88:1076 -> 192.168.1.6:80
TCP TTL:104 TOS:0x0 ID:6035 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xB0E610D7 Ack: 0xC01030E3 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-23:32:04.413787 24.126.120.88:1362 -> 192.168.1.6:80
TCP TTL:104 TOS:0x0 ID:6663 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0xB1D4A64B Ack: 0xC0E12369 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-23:32:05.999487 24.126.120.88:1419 -> 192.168.1.6:80
TCP TTL:104 TOS:0x0 ID:6907 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xB1FFFE1B Ack: 0xC0CA4804 Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-23:32:07.659826 24.126.120.88:1479 -> 192.168.1.6:80
TCP TTL:104 TOS:0x0 ID:7143 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xB230119F Ack: 0xC0913BD6 Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-23:32:21.496828 24.126.120.88:1880 -> 192.168.1.6:80
TCP TTL:104 TOS:0x0 ID:9258 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xB3872FB3 Ack: 0xC1C39946 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/29-23:32:22.945129 24.126.120.88:2054 -> 192.168.1.6:80
TCP TTL:104 TOS:0x0 ID:9515 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xB4194BF7 Ack: 0xC1EA26A8 Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/29-23:32:33.455674 24.126.120.88:2443 -> 192.168.1.6:80
TCP TTL:104 TOS:0x0 ID:11192 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xB55F5CB8 Ack: 0xC2BBE19E Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-23:32:34.938859 24.126.120.88:2490 -> 192.168.1.6:80
TCP TTL:104 TOS:0x0 ID:11456 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0xB584B0F0 Ack: 0xC2463223 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-23:32:45.224757 24.126.120.88:2561 -> 192.168.1.6:80
TCP TTL:104 TOS:0x0 ID:13273 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xB5C035B4 Ack: 0xC263A37C Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-23:33:07.786753 24.126.120.88:3769 -> 192.168.1.6:80
TCP TTL:104 TOS:0x0 ID:17016 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xB9B5F8BD Ack: 0xC44E7AC5 Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-23:33:12.280651 24.126.120.88:3831 -> 192.168.1.6:80
TCP TTL:104 TOS:0x0 ID:17738 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xB9ECD922 Ack: 0xC52A4CED Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-23:33:13.693392 24.126.120.88:4005 -> 192.168.1.6:80
TCP TTL:104 TOS:0x0 ID:18021 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xBA7E2B8B Ack: 0xC5807149 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-23:33:24.057162 24.126.120.88:4419 -> 192.168.1.6:80
TCP TTL:104 TOS:0x0 ID:19772 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0xBBCBEB82 Ack: 0xC6AD08DE Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-23:33:25.683433 24.126.120.88:4472 -> 192.168.1.6:80
TCP TTL:104 TOS:0x0 ID:20046 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xBBF98DD5 Ack: 0xC648328B Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-23:33:27.248994 24.126.120.88:4536 -> 192.168.1.6:80
TCP TTL:104 TOS:0x0 ID:20301 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0xBC2FEA8F Ack: 0xC692B649 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-23:33:28.695548 24.126.120.88:4607 -> 192.168.1.6:80
TCP TTL:104 TOS:0x0 ID:20578 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xBC67608A Ack: 0xC6A1B094 Win: 0x4470 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:09:28 2003