SnortSnarf alert page

Source: 24.157.60.48

SnortSnarf v021111.1

20 such alerts found using input module SnortFileInput, with sources:
Earliest: 02:16:18.353498 on 05/07/2003
Latest: 20:32:08.337760 on 05/14/2003

7 different signatures are present for 24.157.60.48 as a source

There is 1 distinct destination IP in the alerts of the type on this page.


[**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/07-02:16:18.353498 24.157.60.48:2016 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:36721 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x37FC8A15 Ack: 0xEAF9BA65 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071][Xref => http://www.securityfocus.com/bid/1065][Xref => http://www.whitehats.com/info/IDS552]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/07-02:16:18.417861 24.157.60.48:2016 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:36722 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x37FC8FC9 Ack: 0xEAF9BA65 Win: 0x4470 TcpLen: 20
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-03:05:02.659635 24.157.60.48:3379 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:63769 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x5BA4B3FB Ack: 0x60D3CABF Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-03:05:12.750219 24.157.60.48:3671 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:64961 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x5CA835EF Ack: 0x60F02755 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-03:05:13.613736 24.157.60.48:3687 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:65037 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x5CB59B6F Ack: 0x60CDC614 Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-03:05:22.754107 24.157.60.48:3960 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:800 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x5DA2B50A Ack: 0x621D7125 Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-03:05:45.083342 24.157.60.48:4541 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:3781 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x5F9E5D81 Ack: 0x62DE03BC Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/14-03:05:46.876886 24.157.60.48:4587 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:4001 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x5FC574AF Ack: 0x62ED5A1C Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/14-03:06:32.821221 24.157.60.48:1919 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:10083 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x64409BAF Ack: 0x661364DA Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-03:06:43.735825 24.157.60.48:2201 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:11427 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x6534762E Ack: 0x663CDB53 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-03:06:50.311992 24.157.60.48:2381 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:12298 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x65D3798A Ack: 0x6720E1F9 Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-03:06:52.668525 24.157.60.48:2381 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:12631 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x65D3798A Ack: 0x6720E1F9 Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-03:06:54.628491 24.157.60.48:2508 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:12786 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x66438EDA Ack: 0x673B3279 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-03:06:56.608532 24.157.60.48:2536 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:12990 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x665CF35E Ack: 0x67476273 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-03:07:07.310917 24.157.60.48:2834 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:14375 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x67643C49 Ack: 0x67D79DC1 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-03:07:09.377190 24.157.60.48:2888 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:14613 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x6793A444 Ack: 0x686F5DD0 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-03:07:11.685838 24.157.60.48:2943 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:14862 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x67C2F78F Ack: 0x68852177 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-03:07:16.147834 24.157.60.48:3006 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:15479 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x67FA29F3 Ack: 0x69008164 Win: 0x4470 TcpLen: 20
[**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-20:32:08.274521 24.157.60.48:1828 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:33586 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xB4ED9199 Ack: 0xD327EC5D Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071][Xref => http://www.securityfocus.com/bid/1065][Xref => http://www.whitehats.com/info/IDS552]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/14-20:32:08.337760 24.157.60.48:1828 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:33587 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xB4ED974D Ack: 0xD327EC5D Win: 0x4470 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:51 2003