
SnortSnarf alert page

Source: 24.245.36.142

SnortSnarf v021111.1


21 such alerts found using input module SnortFileInput, with sources:
Earliest: 19:18:40.092153 on 04/29/2003
Latest: 20:05:39.703602 on 05/07/2003

6 different signatures are present for 24.245.36.142 as a source

There is 1 distinct destination IP in the alerts of the type on this page.



[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-19:18:40.092153 24.245.36.142:4265 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:39992 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xCCE445CD Ack: 0x355AB4A Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-19:18:41.320721 24.245.36.142:4313 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:40209 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0xCD0C4687 Ack: 0x2C41E23 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-19:18:51.171532 24.245.36.142:4763 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:41704 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xCE5A75C9 Ack: 0x4F10A92 Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-19:18:51.691649 24.245.36.142:4774 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:41767 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xCE6089E8 Ack: 0x44A1171 Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-19:18:52.205477 24.245.36.142:4808 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:41837 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xCE718A31 Ack: 0x4442609 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/29-19:18:55.839098 24.245.36.142:4820 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:42404 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xCE78D501 Ack: 0x4FEA6F9 Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/29-19:18:56.192820 24.245.36.142:1097 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:42456 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xCEFE82C3 Ack: 0x49D65D4 Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-19:18:56.459642 24.245.36.142:1109 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:42500 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0xCF08A1D2 Ack: 0x4D0F6B3 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-19:19:00.415036 24.245.36.142:1127 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:43047 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xCF18B505 Ack: 0x493B26C Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-19:19:00.792930 24.245.36.142:1275 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:43123 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xCF94246E Ack: 0x5983A10 Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-19:19:10.476100 24.245.36.142:1639 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:44479 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xD0BF7804 Ack: 0x602A149 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-19:19:10.842215 24.245.36.142:1659 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:44544 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xD0CF5FA4 Ack: 0x5CAD995 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-19:19:18.114538 24.245.36.142:1796 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:45571 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0xD1454DF2 Ack: 0x6B71F7B Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-19:19:18.644291 24.245.36.142:1946 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:45647 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xD1B99809 Ack: 0x63BE36C Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-19:19:21.425364 24.245.36.142:1946 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:46051 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xD1B99809 Ack: 0x63BE36C Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-19:19:21.969927 24.245.36.142:2071 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:46132 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0xD2224D6B Ack: 0x6F26801 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/29-19:19:22.625104 24.245.36.142:2079 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:46213 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xD229F959 Ack: 0x6F316F8 Win: 0x4470 TcpLen: 20
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/07-20:05:35.011238 24.245.36.142:1695 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:15101 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xAC12B31F Ack: 0xB103F417 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/07-20:05:36.003367 24.245.36.142:1750 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:15249 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0xAC3FA34A Ack: 0xB1706C11 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/07-20:05:39.191329 24.245.36.142:1763 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:15696 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xAC4B1265 Ack: 0xB17C2674 Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/07-20:05:39.703602 24.245.36.142:1882 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:15780 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xACADA30C Ack: 0xB13B3F98 Win: 0x4470 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:54 2003