SnortSnarf alert page

Source: 24.171.142.32

SnortSnarf v021111.1

Signature section (91123)

Top 20 source IPs

Top 20 dest IPs

17 such alerts found using input module SnortFileInput, with sources:

/home/rivettmj/snort_alertlog/alert

Earliest: 02:34:10.480227 on 05/05/2003
Latest: 02:34:40.260248 on 05/05/2003

6 different signatures are present for 24.171.142.32 as a source

1 instances of WEB-IIS _mem_bin access
1 instances of WEB-FRONTPAGE /_vti_bin/ access
2 instances of WEB-IIS CodeRed v2 root.exe access
4 instances of WEB-IIS multiple decode attempt
4 instances of WEB-IIS cmd.exe access
5 instances of WEB-IIS unicode directory traversal attempt

There are 1 distinct destination IPs in the alerts of the type on this page.

24.171.142.32 Whois lookup at: ARIN RIPE APNIC Geektools

DNS lookup at: Amenesi TRIUMF Princeton

More lookup links: Dshield Sam Spade

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/05-02:34:10.480227 24.171.142.32:2547 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:23547 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x2EE9892  Ack: 0xAF04F23B  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/05-02:34:10.974476 24.171.142.32:2563 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:23588 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x2FC94F3  Ack: 0xAEA2C7B4  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/05-02:34:11.310141 24.171.142.32:2578 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:23619 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x3083A9C  Ack: 0xAE936B34  Win: 0x4470  TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/05-02:34:20.699905 24.171.142.32:2957 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:24578 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x43ED406  Ack: 0xAF2EE52D  Win: 0x4470  TcpLen: 20

[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/05-02:34:21.030763 24.171.142.32:2971 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:24621 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x44A23F9  Ack: 0xAF8FBA7D  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
05/05-02:34:21.388745 24.171.142.32:2986 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:24669 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x4568F3A  Ack: 0xAEED44CE  Win: 0x4470  TcpLen: 20

[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
05/05-02:34:21.858001 24.171.142.32:3006 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:24737 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x466E5F2  Ack: 0xAFA1069F  Win: 0x4470  TcpLen: 20

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/05-02:34:22.240090 24.171.142.32:3023 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:24791 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x4743311  Ack: 0xAF003EB2  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/05-02:34:22.777320 24.171.142.32:3052 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:24871 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x48BE37A  Ack: 0xAF1C485F  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/05-02:34:25.990664 24.171.142.32:3069 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:25297 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x49A7422  Ack: 0xAFDF8AFB  Win: 0x4470  TcpLen: 20

[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/05-02:34:26.375979 24.171.142.32:3221 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:25321 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x51354A9  Ack: 0xAFED2BE9  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/05-02:34:35.860137 24.171.142.32:3618 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:26357 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x65A7896  Ack: 0xB08E7417  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/05-02:34:36.207438 24.171.142.32:3639 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:26395 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x66A055F  Ack: 0xAFFFA10C  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/05-02:34:36.520765 24.171.142.32:3650 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:26419 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x67156F2  Ack: 0xAFE7E40D  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/05-02:34:39.492478 24.171.142.32:3650 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:26696 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x67156F2  Ack: 0xAFE7E40D  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/05-02:34:39.879839 24.171.142.32:3781 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:26744 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x6DF4CF8  Ack: 0xB0F56022  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/05-02:34:40.260248 24.171.142.32:3794 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:26791 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x6EB3131  Ack: 0xB08C51A6  Win: 0x4470  TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:09:28 2003

24.171.142.32	Whois lookup at:	ARIN	RIPE	APNIC	Geektools
	DNS lookup at:	Amenesi	TRIUMF	Princeton
	More lookup links:	Dshield	Sam Spade