
SnortSnarf alert page

Source: 24.236.70.2

SnortSnarf v021111.1


17 such alerts found using input module SnortFileInput, with sources:
Earliest: 17:21:52.706454 on 04/24/2003
Latest: 17:22:35.221633 on 04/24/2003

6 different signatures are present for 24.236.70.2 as a source

There is 1 distinct destination IP in the alerts of the type on this page.



[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:21:52.706454 24.236.70.2:3763 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:15469 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x4C9DE4FF Ack: 0xC9E76C5 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:22:02.759568 24.236.70.2:3898 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:15792 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x4D2AE332 Ack: 0xCE17ED9 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:22:06.285451 24.236.70.2:3943 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:15915 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x4D5ADE09 Ack: 0xD2AF2B9 Win: 0x4470 TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:22:09.795852 24.236.70.2:4009 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:16112 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x4D979C7D Ack: 0xD0B52A4 Win: 0x4470 TcpLen: 20

[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:22:10.080713 24.236.70.2:4010 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:16122 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x4D992B3B Ack: 0xDE23AFE Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/24-17:22:10.405371 24.236.70.2:4016 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:16137 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x4D9E3332 Ack: 0xDEF1523 Win: 0x4470 TcpLen: 20

[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/24-17:22:13.940300 24.236.70.2:4057 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:16226 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x4DCA52EC Ack: 0xD319676 Win: 0x4470 TcpLen: 20

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:22:14.202127 24.236.70.2:4066 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:16242 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x4DD16A95 Ack: 0xD97BE14 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:22:17.698779 24.236.70.2:4108 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:16330 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x4DFF07A7 Ack: 0xD88982D Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:22:20.889033 24.236.70.2:4111 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:16420 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x4E0263D5 Ack: 0xDCCFFFD Win: 0x4470 TcpLen: 20

[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:22:24.724027 24.236.70.2:4190 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:16512 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x4E565124 Ack: 0xE5225BB Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:22:27.992194 24.236.70.2:4229 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:16593 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x4E7FFD7C Ack: 0xE90F5FC Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:22:28.259059 24.236.70.2:4233 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:16608 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x4E83BF39 Ack: 0xE7C8E36 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:22:28.523313 24.236.70.2:4235 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:16618 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x4E863EBE Ack: 0xE607B44 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:22:28.782924 24.236.70.2:4238 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:16631 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x4E8A773F Ack: 0xEA5DA31 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:22:32.260388 24.236.70.2:4283 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:16728 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x4EB50718 Ack: 0xEF6CECA Win: 0x4470 TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:22:35.221633 24.236.70.2:4283 -> 192.168.1.6:80
TCP TTL:109 TOS:0x0 ID:16794 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x4EB50718 Ack: 0xEF6CECA Win: 0x4470 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:52 2003