SnortSnarf alert page

Source: 24.198.102.60

SnortSnarf v021111.1

Signature section (91123)

Top 20 source IPs

Top 20 dest IPs

17 such alerts found using input module SnortFileInput, with sources:

/home/rivettmj/snort_alertlog/alert

Earliest: 03:51:22.527295 on 05/28/2003
Latest: 03:52:14.969423 on 05/28/2003

6 different signatures are present for 24.198.102.60 as a source

1 instances of WEB-IIS _mem_bin access
1 instances of WEB-FRONTPAGE /_vti_bin/ access
2 instances of WEB-IIS CodeRed v2 root.exe access
4 instances of WEB-IIS multiple decode attempt
4 instances of WEB-IIS cmd.exe access
5 instances of WEB-IIS unicode directory traversal attempt

There are 1 distinct destination IPs in the alerts of the type on this page.

24.198.102.60 Whois lookup at: ARIN RIPE APNIC Geektools

DNS lookup at: Amenesi TRIUMF Princeton

More lookup links: Dshield Sam Spade

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/28-03:51:22.527295 24.198.102.60:3043 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:53834 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x6D4408CB  Ack: 0x1E1B1F0C  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/28-03:51:23.109362 24.198.102.60:3052 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:53878 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x6D4CD55C  Ack: 0x1E092842  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/28-03:51:23.360551 24.198.102.60:3057 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:53906 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x6D517ED4  Ack: 0x1E199D5A  Win: 0x4470  TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/28-03:51:32.597107 24.198.102.60:3331 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:54683 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x6E3CEDF4  Ack: 0x1ED56E70  Win: 0x4470  TcpLen: 20

[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/28-03:51:32.870506 24.198.102.60:3337 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:54719 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x6E41E9DB  Ack: 0x1F5494AC  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
05/28-03:51:33.148850 24.198.102.60:3343 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:54757 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x6E470690  Ack: 0x1EB9BEE4  Win: 0x4470  TcpLen: 20

[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
05/28-03:51:36.352552 24.198.102.60:3443 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:55016 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x6E9C24C1  Ack: 0x1FA8B960  Win: 0x4470  TcpLen: 20

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/28-03:51:45.651690 24.198.102.60:3692 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:55722 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x6F77C775  Ack: 0x1FB8CDCD  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/28-03:51:45.890913 24.198.102.60:3700 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:55740 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x6F7E67A0  Ack: 0x1FEEE201  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/28-03:51:46.164427 24.198.102.60:3708 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:55782 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x6F852D7A  Ack: 0x1F7D0308  Win: 0x4470  TcpLen: 20

[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/28-03:51:55.390858 24.198.102.60:3996 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:56611 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x7080C836  Ack: 0x200EE93B  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/28-03:51:58.771968 24.198.102.60:4109 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:56949 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x70E25A12  Ack: 0x20707357  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/28-03:52:02.052419 24.198.102.60:4187 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:57136 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x71267604  Ack: 0x2115AB9B  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/28-03:52:02.271081 24.198.102.60:4195 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:57157 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x712D6E9A  Ack: 0x21491007  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/28-03:52:05.241393 24.198.102.60:4195 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:57365 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x712D6E9A  Ack: 0x21491007  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/28-03:52:05.666408 24.198.102.60:4285 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:57410 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x717E253D  Ack: 0x210F997C  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/28-03:52:14.969423 24.198.102.60:4521 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:58017 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x724FB61A  Ack: 0x22B37056  Win: 0x4470  TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:52 2003

24.198.102.60	Whois lookup at:	ARIN	RIPE	APNIC	Geektools
	DNS lookup at:	Amenesi	TRIUMF	Princeton
	More lookup links:	Dshield	Sam Spade