SnortSnarf alert page

Source: 24.220.31.3

SnortSnarf v021111.1

16 such alerts found using input module SnortFileInput, with sources:
Earliest: 12:44:41.216076 on 05/02/2003
Latest: 12:45:16.805979 on 05/02/2003

6 different signatures are present for 24.220.31.3 as a source

There is 1 distinct destination IP in the alerts of the type on this page.


[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/02-12:44:41.216076 24.220.31.3:4393 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:18515 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x24B5394D Ack: 0xF1E76176 Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/02-12:44:50.813970 24.220.31.3:1108 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:20078 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x264ECE7E Ack: 0xF2B551A9 Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/02-12:44:51.079575 24.220.31.3:1121 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:20116 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x265A3166 Ack: 0xF33B830A Win: 0xFAF0 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/02-12:44:51.360740 24.220.31.3:1127 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:20153 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x265F520B Ack: 0xF30E61A3 Win: 0xFAF0 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/02-12:44:51.598896 24.220.31.3:1136 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:20180 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x2667AE07 Ack: 0xF2D72FFC Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/02-12:44:51.825955 24.220.31.3:1149 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:20207 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x26718E8C Ack: 0xF26F2D51 Win: 0xFAF0 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/02-12:44:52.078311 24.220.31.3:1157 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:20238 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x2678379A Ack: 0xF2DE6FA1 Win: 0xFAF0 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/02-12:45:04.475466 24.220.31.3:1601 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:22155 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x27DAFE18 Ack: 0xF30A61B9 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/02-12:45:04.930231 24.220.31.3:1790 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:22241 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x28718E2C Ack: 0xF3F3D1DC Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/02-12:45:05.391191 24.220.31.3:1818 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:22331 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x28883EDB Ack: 0xF359BD6D Win: 0xFAF0 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/02-12:45:05.890139 24.220.31.3:1841 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:22421 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x289B0D59 Ack: 0xF3EDACC1 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/02-12:45:06.321892 24.220.31.3:1867 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:22498 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x28B25C40 Ack: 0xF391E2B2 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/02-12:45:06.761767 24.220.31.3:1885 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:22587 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x28BFF3D6 Ack: 0xF3E837C0 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/02-12:45:07.216528 24.220.31.3:1910 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:22669 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x28D31034 Ack: 0xF3AA7278 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/02-12:45:07.579780 24.220.31.3:1933 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:22747 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x28E66472 Ack: 0xF441BB67 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/02-12:45:16.805979 24.220.31.3:2448 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:24589 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x2A8C560A Ack: 0xF446CC32 Win: 0xFAF0 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:52 2003