SnortSnarf alert page

Source: 24.140.13.155

SnortSnarf v021111.1

Signature section (91123)

Top 20 source IPs

Top 20 dest IPs

17 such alerts found using input module SnortFileInput, with sources:

/home/rivettmj/snort_alertlog/alert

Earliest: 22:03:40.153482 on 06/09/2003
Latest: 22:04:08.561907 on 06/09/2003

6 different signatures are present for 24.140.13.155 as a source

1 instances of WEB-IIS _mem_bin access
1 instances of WEB-FRONTPAGE /_vti_bin/ access
2 instances of WEB-IIS CodeRed v2 root.exe access
4 instances of WEB-IIS multiple decode attempt
4 instances of WEB-IIS cmd.exe access
5 instances of WEB-IIS unicode directory traversal attempt

There are 1 distinct destination IPs in the alerts of the type on this page.

24.140.13.155 Whois lookup at: ARIN RIPE APNIC Geektools

DNS lookup at: Amenesi TRIUMF Princeton

More lookup links: Dshield Sam Spade

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/09-22:03:40.153482 24.140.13.155:1968 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:26718 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x7790E9CE  Ack: 0x39336A11  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/09-22:03:43.828940 24.140.13.155:2131 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:27215 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x7815EC34  Ack: 0x39AC14C3  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/09-22:03:47.232316 24.140.13.155:2257 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:27469 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x787BC1FE  Ack: 0x39647080  Win: 0x4470  TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/09-22:03:47.424994 24.140.13.155:2263 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:27489 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x7880F3B1  Ack: 0x39515CE6  Win: 0x4470  TcpLen: 20

[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/09-22:03:56.871571 24.140.13.155:2612 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:28263 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x799F692D  Ack: 0x39AE634E  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
06/09-22:03:57.068579 24.140.13.155:2619 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:28291 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x79A596B7  Ack: 0x3A3C056B  Win: 0x4470  TcpLen: 20

[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
06/09-22:03:57.257169 24.140.13.155:2628 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:28313 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x79ABCD91  Ack: 0x39BF6BFB  Win: 0x4470  TcpLen: 20

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/09-22:03:57.440998 24.140.13.155:2635 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:28333 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x79B1410D  Ack: 0x3A1FE29A  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/09-22:03:57.612973 24.140.13.155:2638 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:28351 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x79B41385  Ack: 0x3A0C2BB1  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/09-22:03:57.768314 24.140.13.155:2644 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:28362 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x79BA2A28  Ack: 0x3A1A7A30  Win: 0x4470  TcpLen: 20

[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/09-22:03:57.934003 24.140.13.155:2649 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:28384 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x79BE3EA0  Ack: 0x3A989428  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/09-22:04:04.662596 24.140.13.155:2812 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:29064 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x7A42BC62  Ack: 0x3A837928  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/09-22:04:04.857800 24.140.13.155:2927 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:29086 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x7AA3107F  Ack: 0x3AE03E2B  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/09-22:04:07.833952 24.140.13.155:2927 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:29350 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x7AA3107F  Ack: 0x3AE03E2B  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/09-22:04:08.185547 24.140.13.155:3057 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:29403 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x7B04B829  Ack: 0x3A7D9C1E  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/09-22:04:08.364701 24.140.13.155:3062 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:29432 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x7B0819F2  Ack: 0x3A5812C1  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/09-22:04:08.561907 24.140.13.155:3072 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:29466 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x7B110EC7  Ack: 0x3AC96CC0  Win: 0x4470  TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:09:28 2003

24.140.13.155	Whois lookup at:	ARIN	RIPE	APNIC	Geektools
	DNS lookup at:	Amenesi	TRIUMF	Princeton
	More lookup links:	Dshield	Sam Spade