SnortSnarf alert page

Source: 24.167.224.150

SnortSnarf v021111.1

17 such alerts found using input module SnortFileInput, with sources:
Earliest: 20:41:18.111839 on 05/26/2003
Latest: 20:42:02.423014 on 05/26/2003

6 different signatures are present for 24.167.224.150 as a source

There are 1 distinct destination IPs in the alerts of the type on this page.


[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/26-20:41:18.111839 24.167.224.150:3399 -> 192.168.1.6:80
TCP TTL:115 TOS:0x0 ID:56057 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x92ED9D44 Ack: 0x85E8D188 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/26-20:41:18.742680 24.167.224.150:3409 -> 192.168.1.6:80
TCP TTL:115 TOS:0x0 ID:56093 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x92F6DD3D Ack: 0x86B80756 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/26-20:41:28.349347 24.167.224.150:3531 -> 192.168.1.6:80
TCP TTL:115 TOS:0x0 ID:56430 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x9376CD1D Ack: 0x86ED6177 Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/26-20:41:28.549679 24.167.224.150:3535 -> 192.168.1.6:80
TCP TTL:115 TOS:0x0 ID:56440 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x937AF58A Ack: 0x873F8967 Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/26-20:41:28.780595 24.167.224.150:3539 -> 192.168.1.6:80
TCP TTL:115 TOS:0x0 ID:56451 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x937EC648 Ack: 0x875803B9 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/26-20:41:29.016650 24.167.224.150:3541 -> 192.168.1.6:80
TCP TTL:115 TOS:0x0 ID:56469 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x9380CE1F Ack: 0x872EDB89 Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/26-20:41:32.511620 24.167.224.150:3613 -> 192.168.1.6:80
TCP TTL:115 TOS:0x0 ID:56705 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x93BFC1CB Ack: 0x86BA6363 Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/26-20:41:36.023741 24.167.224.150:3674 -> 192.168.1.6:80
TCP TTL:115 TOS:0x0 ID:56870 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x93F68671 Ack: 0x873BBC70 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/26-20:41:36.235446 24.167.224.150:3677 -> 192.168.1.6:80
TCP TTL:115 TOS:0x0 ID:56885 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x93F97C14 Ack: 0x878F943A Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/26-20:41:45.680082 24.167.224.150:3819 -> 192.168.1.6:80
TCP TTL:115 TOS:0x0 ID:57321 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x948471AB Ack: 0x88399DC8 Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/26-20:41:45.926156 24.167.224.150:3824 -> 192.168.1.6:80
TCP TTL:115 TOS:0x0 ID:57337 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x948961BC Ack: 0x87A157F7 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/26-20:41:46.122923 24.167.224.150:3829 -> 192.168.1.6:80
TCP TTL:115 TOS:0x0 ID:57345 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x948D5BED Ack: 0x8852D123 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/26-20:41:55.592957 24.167.224.150:3957 -> 192.168.1.6:80
TCP TTL:115 TOS:0x0 ID:57725 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x950BE332 Ack: 0x8825F495 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/26-20:41:58.516276 24.167.224.150:3957 -> 192.168.1.6:80
TCP TTL:115 TOS:0x0 ID:57825 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x950BE332 Ack: 0x8825F495 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/26-20:41:58.795054 24.167.224.150:3994 -> 192.168.1.6:80
TCP TTL:115 TOS:0x0 ID:57835 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x95337ADC Ack: 0x88B70233 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/26-20:41:58.991017 24.167.224.150:3996 -> 192.168.1.6:80
TCP TTL:115 TOS:0x0 ID:57848 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x95358F1A Ack: 0x88E8D9BF Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/26-20:42:02.423014 24.167.224.150:4045 -> 192.168.1.6:80
TCP TTL:115 TOS:0x0 ID:57993 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x9565C847 Ack: 0x88E53473 Win: 0x4470 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:54 2003