SnortSnarf alert page

Source: 24.203.49.12

SnortSnarf v021111.1

9 such alerts found using input module SnortFileInput, with sources:
Earliest: 03:37:58.769885 on 05/27/2003
Latest: 03:38:42.873807 on 05/27/2003

5 different signatures are present for 24.203.49.12 as a source

There are 1 distinct destination IPs in the alerts of the type on this page.


[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/27-03:37:58.769885 24.203.49.12:4020 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:61677 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x84B92148 Ack: 0xABD6E815 Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/27-03:38:09.631463 24.203.49.12:4694 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:63934 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x8689CE24 Ack: 0xAC188A88 Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/27-03:38:22.535009 24.203.49.12:1420 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:1180 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x8850EE47 Ack: 0xACD13398 Win: 0xFAF0 TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/27-03:38:26.617743 24.203.49.12:1629 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:1936 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x88F6D594 Ack: 0xAD5997BC Win: 0xFAF0 TcpLen: 20

[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/27-03:38:28.586683 24.203.49.12:1866 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:2305 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x89B83EE6 Ack: 0xADD3204D Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/27-03:38:30.368563 24.203.49.12:1937 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:2673 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x89F1C641 Ack: 0xADC6E38B Win: 0xFAF0 TcpLen: 20

[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/27-03:38:31.419829 24.203.49.12:2027 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:2780 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x8A394228 Ack: 0xAE2F9911 Win: 0xFAF0 TcpLen: 20

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/27-03:38:42.161807 24.203.49.12:2528 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:4774 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x8BCCE414 Ack: 0xAE891007 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/27-03:38:42.873807 24.203.49.12:2603 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:4999 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8C0CA3DD Ack: 0xAE5A17CD Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:52 2003