SnortSnarf alert page

Source: 24.242.248.248

SnortSnarf v021111.1

31 such alerts found using input module SnortFileInput, with sources:
Earliest: 16:56:00.658862 on 04/25/2003
Latest: 17:13:04.126634 on 04/25/2003

6 different signatures are present for 24.242.248.248 as a source

There is 1 distinct destination IP in the alerts of the type on this page.



[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-16:56:00.658862 24.242.248.248:2909 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:2205 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xAF75F0A5 Ack: 0xEA2286E4 Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-16:56:25.102947 24.242.248.248:1302 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:11055 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xB4BB85FE Ack: 0xEAE63D24 Win: 0xFAF0 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-16:56:39.195423 24.242.248.248:3948 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:16526 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xBC53C6CF Ack: 0xED1FC196 Win: 0xFAF0 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-16:56:40.810789 24.242.248.248:4943 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:17173 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xBDD667F1 Ack: 0xEC78CC5B Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/25-16:56:42.896639 24.242.248.248:1304 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:17790 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xBEAEC8B4 Ack: 0xEC72292B Win: 0xFAF0 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/25-16:56:44.715636 24.242.248.248:1522 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:18562 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xBF524915 Ack: 0xED42C1A3 Win: 0xFAF0 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-16:56:46.386782 24.242.248.248:1737 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:19266 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0xBFEE171B Ack: 0xECC69BA6 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-16:56:48.038811 24.242.248.248:1967 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:19792 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xC094153D Ack: 0xECDB00B9 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-16:56:49.471002 24.242.248.248:2165 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:20492 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xC124E398 Ack: 0xED2410D4 Win: 0xFAF0 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-16:56:57.706004 24.242.248.248:2813 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:23709 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xC3122B08 Ack: 0xEDEE936E Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-16:57:02.400503 24.242.248.248:3431 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:25468 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xC4D6AD4A Ack: 0xEDC3A1FC Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-16:57:04.286739 24.242.248.248:4186 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:26260 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0xC679351C Ack: 0xEDB46508 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-16:57:15.004623 24.242.248.248:4401 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:30181 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xC6EBEB8A Ack: 0xEE4160DE Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-16:57:16.491000 24.242.248.248:2134 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:30867 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0xCB046A68 Ack: 0xEEA20FBD Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-16:57:24.644249 24.242.248.248:2745 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:33896 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xCCD139CE Ack: 0xEF86F06F Win: 0xFAF0 TcpLen: 20
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-17:12:09.246121 24.242.248.248:2289 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:33142 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x6E9175A Ack: 0x27354972 Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-17:12:17.667676 24.242.248.248:2924 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:36139 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x8BBC6F1 Ack: 0x27912C49 Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-17:12:21.844199 24.242.248.248:3548 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:37711 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xA6E578B Ack: 0x279509DF Win: 0xFAF0 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-17:12:26.733639 24.242.248.248:1089 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:39427 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xD47CDB4 Ack: 0x28735962 Win: 0xFAF0 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-17:12:28.438108 24.242.248.248:1235 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:39896 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xDAE2835 Ack: 0x28281C14 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/25-17:12:29.880009 24.242.248.248:1352 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:40463 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xE078E71 Ack: 0x28383752 Win: 0xFAF0 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/25-17:12:35.168105 24.242.248.248:1971 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:42335 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xFC6A644 Ack: 0x28869A56 Win: 0xFAF0 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-17:12:36.860467 24.242.248.248:2313 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:42987 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x10BE74D9 Ack: 0x2942B8B5 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-17:12:38.629560 24.242.248.248:2467 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:43623 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x112C815B Ack: 0x28734FFA Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-17:12:44.128443 24.242.248.248:3109 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:45653 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x13065E23 Ack: 0x298608D8 Win: 0xFAF0 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-17:12:51.566638 24.242.248.248:3729 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:48328 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x14CCE6A7 Ack: 0x29BF8587 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-17:12:53.484272 24.242.248.248:4575 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:49080 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x16745E53 Ack: 0x29A34350 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-17:12:55.794406 24.242.248.248:4923 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:49840 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x16FC6AB9 Ack: 0x29FAD8B5 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-17:12:57.833900 24.242.248.248:1362 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:50591 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x180B820C Ack: 0x2A0CC6E3 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-17:12:59.633786 24.242.248.248:1538 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:51324 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x188F2E15 Ack: 0x2A97570E Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-17:13:04.126634 24.242.248.248:1706 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:53199 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x190E5BAF Ack: 0x2AD49E02 Win: 0xFAF0 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:52 2003