SnortSnarf alert page

Source: 24.201.150.218

SnortSnarf v021111.1

Signature section (91123)

Top 20 source IPs

Top 20 dest IPs

17 such alerts found using input module SnortFileInput, with sources:

/home/rivettmj/snort_alertlog/alert

Earliest: 13:57:19.984803 on 05/03/2003
Latest: 13:57:56.609768 on 05/03/2003

6 different signatures are present for 24.201.150.218 as a source

1 instances of WEB-IIS _mem_bin access
1 instances of WEB-FRONTPAGE /_vti_bin/ access
2 instances of WEB-IIS CodeRed v2 root.exe access
4 instances of WEB-IIS multiple decode attempt
4 instances of WEB-IIS cmd.exe access
5 instances of WEB-IIS unicode directory traversal attempt

There are 1 distinct destination IPs in the alerts of the type on this page.

24.201.150.218 Whois lookup at: ARIN RIPE APNIC Geektools

DNS lookup at: Amenesi TRIUMF Princeton

More lookup links: Dshield Sam Spade

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/03-13:57:19.984803 24.201.150.218:4781 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:2459 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x9EBB0DD5  Ack: 0x44DCD667  Win: 0xFAF0  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/03-13:57:21.312677 24.201.150.218:4816 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:2588 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x9EDCD65A  Ack: 0x44CA0DE4  Win: 0xFAF0  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/03-13:57:25.326239 24.201.150.218:4829 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:2875 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x9EE7EFB4  Ack: 0x45158E66  Win: 0xFAF0  TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/03-13:57:26.383316 24.201.150.218:4899 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:2966 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x9F243352  Ack: 0x451D9063  Win: 0xFAF0  TcpLen: 20

[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/03-13:57:28.121361 24.201.150.218:4923 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:3050 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x9F3553DD  Ack: 0x45218128  Win: 0xFAF0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
05/03-13:57:29.269827 24.201.150.218:4948 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:3160 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x9F47DAEC  Ack: 0x4515997D  Win: 0xFAF0  TcpLen: 20

[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
05/03-13:57:30.364357 24.201.150.218:4996 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:3268 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x9F5A9443  Ack: 0x45604054  Win: 0xFAF0  TcpLen: 20

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/03-13:57:31.480480 24.201.150.218:1046 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:3380 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x9F70A34F  Ack: 0x45118266  Win: 0xFAF0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/03-13:57:36.232406 24.201.150.218:1120 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:3744 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x9FB6B1AC  Ack: 0x456A3D4F  Win: 0xFAF0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/03-13:57:37.238223 24.201.150.218:1148 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:3853 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x9FD27535  Ack: 0x454D8E39  Win: 0xFAF0  TcpLen: 20

[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/03-13:57:38.311732 24.201.150.218:1162 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:3950 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x9FE0AB5B  Ack: 0x45D5DC81  Win: 0xFAF0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/03-13:57:39.328216 24.201.150.218:1180 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:4042 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x9FF3241D  Ack: 0x45C06C51  Win: 0xFAF0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/03-13:57:40.391473 24.201.150.218:1197 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:4138 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0xA0042B1B  Ack: 0x45B14E46  Win: 0xFAF0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/03-13:57:41.380028 24.201.150.218:1219 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:4210 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xA017EEB2  Ack: 0x465A027A  Win: 0xFAF0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/03-13:57:44.372258 24.201.150.218:1219 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:4449 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xA017EEB2  Ack: 0x465A027A  Win: 0xFAF0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/03-13:57:46.450748 24.201.150.218:1286 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:4590 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0xA057EF21  Ack: 0x464446EF  Win: 0xFAF0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/03-13:57:56.609768 24.201.150.218:1450 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:5352 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xA0F8E9D6  Ack: 0x46ABF2E3  Win: 0xFAF0  TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:54 2003

24.201.150.218	Whois lookup at:	ARIN	RIPE	APNIC	Geektools
	DNS lookup at:	Amenesi	TRIUMF	Princeton
	More lookup links:	Dshield	Sam Spade