
SnortSnarf alert page

Source: 24.129.102.205

SnortSnarf v021111.1


27 such alerts found using input module SnortFileInput, with sources:
Earliest: 19:33:01.278046 on 05/14/2003
Latest: 19:27:40.441441 on 06/06/2003

6 different signatures are present for 24.129.102.205 as a source

There is 1 distinct destination IP in the alerts of the type on this page.



[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-19:33:01.278046 24.129.102.205:2610 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:22667 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xA2FB51E2 Ack: 0xF3B6F3EE Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-19:33:05.895569 24.129.102.205:2796 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:23354 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0xA3989CD2 Ack: 0xF4643C98 Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-19:33:06.673545 24.129.102.205:2814 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:23450 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xA3A9D5FA Ack: 0xF47B717C Win: 0xFAF0 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-19:33:25.768449 24.129.102.205:3219 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:26055 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xA4F84A00 Ack: 0xF4F0BD20 Win: 0xFAF0 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-19:33:35.999897 24.129.102.205:3976 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:27320 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xA75EA834 Ack: 0xF75C25AB Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/14-19:33:49.007778 24.129.102.205:4367 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:29068 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xA8A1D6C8 Ack: 0xF788A18A Win: 0xFAF0 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/14-19:33:53.375919 24.129.102.205:4770 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:29694 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xA9A61ECA Ack: 0xF7CFE326 Win: 0xFAF0 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-19:33:54.170107 24.129.102.205:4800 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:29784 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0xA9B88D50 Ack: 0xF7E1F34C Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-19:33:58.412091 24.129.102.205:1072 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:30388 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xAA3C19F2 Ack: 0xF887340E Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-19:33:59.314697 24.129.102.205:1096 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:30476 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xAA508F91 Ack: 0xF8A04D8F Win: 0xFAF0 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-19:34:06.739095 24.129.102.205:1282 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:31562 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xAAEE2668 Ack: 0xF9257EA6 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-19:34:36.337783 24.129.102.205:2551 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:35708 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0xAF127D49 Ack: 0xFAB25F24 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-19:34:46.063225 24.129.102.205:2569 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:37025 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xAF22530C Ack: 0xFAB1EDCE Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-19:34:47.031932 24.129.102.205:2959 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:37133 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0xB06873E4 Ack: 0xFB7C64BA Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-19:34:47.570518 24.129.102.205:3044 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:37254 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xB0AA570A Ack: 0xFB0D5D27 Win: 0xFAF0 TcpLen: 20
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-18:08:10.867033 24.129.102.205:4727 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:62392 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xFA1387BE Ack: 0x116629D Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-18:08:21.321345 24.129.102.205:1354 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:63994 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0xFBAE2669 Ack: 0x14FADFC Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-18:08:25.160118 24.129.102.205:1369 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:64521 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xFBBBD3AB Ack: 0xF2528F Win: 0xFAF0 TcpLen: 20
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-19:27:05.517014 24.129.102.205:3966 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:45976 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x5695DB58 Ack: 0x2A9E5E90 Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-19:27:09.761218 24.129.102.205:4096 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:46477 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x5706B6DB Ack: 0x2B6604B9 Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-19:27:22.953445 24.129.102.205:4273 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:48452 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x579FA575 Ack: 0x2BECA774 Win: 0xFAF0 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-19:27:23.410869 24.129.102.205:4674 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:48552 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x58DEEC30 Ack: 0x2C83B78D Win: 0xFAF0 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-19:27:23.841215 24.129.102.205:4693 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:48613 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x58E75E36 Ack: 0x2BD2B28C Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
06/06-19:27:28.127241 24.129.102.205:1053 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:49222 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x597C0B81 Ack: 0x2BDCFC15 Win: 0xFAF0 TcpLen: 20
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
06/06-19:27:30.856372 24.129.102.205:1053 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:49665 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x597C0B81 Ack: 0x2BDCFC15 Win: 0xFAF0 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
06/06-19:27:32.524258 24.129.102.205:1188 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:49904 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x59F1BE4F Ack: 0x2CCCCB13 Win: 0xFAF0 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-19:27:40.441441 24.129.102.205:1489 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:51052 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x5AF280B1 Ack: 0x2D2A7DC2 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:09:28 2003