
SnortSnarf alert page

Source: 24.29.173.81

SnortSnarf v021111.1


33 such alerts found using input module SnortFileInput, with sources:
Earliest: 00:47:16.462901 on 04/23/2003
Latest: 17:50:33.710456 on 04/24/2003

6 different signatures are present for 24.29.173.81 as a source

There is 1 distinct destination IP in the alerts of the type on this page.



[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:47:16.462901 24.29.173.81:1289 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:54638 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x90A860FC Ack: 0x1E79E65A Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:47:16.738663 24.29.173.81:1292 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:54650 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x90AB945D Ack: 0x1E7B40D0 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:47:16.831029 24.29.173.81:1293 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:54659 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x90ACCD34 Ack: 0x1EA2A72E Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:47:25.991465 24.29.173.81:1528 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:55304 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x917BF073 Ack: 0x1EF38E83 Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:47:35.219517 24.29.173.81:1808 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:56158 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x926E13CD Ack: 0x2018CAF3 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/23-00:47:35.321403 24.29.173.81:1815 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:56167 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x927385D5 Ack: 0x1FD6B132 Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/23-00:47:44.386373 24.29.173.81:2120 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:57148 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x9379A744 Ack: 0x20284F82 Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:47:44.454627 24.29.173.81:2123 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:57161 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x937C0F07 Ack: 0x20DB0958 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:47:44.532611 24.29.173.81:2128 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:57177 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x937FF156 Ack: 0x208D064B Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:47:47.782719 24.29.173.81:2232 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:57450 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x93D7705D Ack: 0x20BA18B0 Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:47:50.972770 24.29.173.81:2232 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:57702 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x93D7705D Ack: 0x20BA18B0 Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:47:52.068501 24.29.173.81:2313 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:57784 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x9422146E Ack: 0x2061E9D6 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:47:53.174082 24.29.173.81:2343 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:57861 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x943CAE5D Ack: 0x21443043 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:47:54.387551 24.29.173.81:2372 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:57995 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x94578E28 Ack: 0x208EE82E Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:47:54.472902 24.29.173.81:2391 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:58017 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x9469C17B Ack: 0x212D5C63 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:47:54.933643 24.29.173.81:2394 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:58043 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x946B8B96 Ack: 0x20D67645 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-00:48:04.035685 24.29.173.81:2647 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:58941 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x95494B7C Ack: 0x21E9C6AA Win: 0x4470 TcpLen: 20
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:50:10.220636 24.29.173.81:1854 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:15217 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x89F63F48 Ack: 0x765833DA Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:50:13.969574 24.29.173.81:1962 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:15804 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x8A54B09E Ack: 0x7683508C Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:50:14.094369 24.29.173.81:1968 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:15832 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x8A59BE8E Ack: 0x772A7E5C Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:50:14.190848 24.29.173.81:1970 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:15852 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x8A5BFE2E Ack: 0x7735DAD2 Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:50:23.300211 24.29.173.81:2205 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:17118 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x8B275617 Ack: 0x7729D397 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/24-17:50:23.430169 24.29.173.81:2210 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:17149 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x8B2BC951 Ack: 0x7772309B Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/24-17:50:23.608118 24.29.173.81:2215 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:17179 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x8B30152A Ack: 0x7720FD20 Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:50:23.685440 24.29.173.81:2220 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:17191 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x8B341F35 Ack: 0x77897FAA Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:50:26.841527 24.29.173.81:2299 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:17664 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8B77568E Ack: 0x78010CC5 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:50:29.918958 24.29.173.81:2402 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:18195 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8BD2C37C Ack: 0x7788693C Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:50:30.008035 24.29.173.81:2406 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:18221 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8BD52543 Ack: 0x77D52273 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:50:30.200870 24.29.173.81:2409 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:18248 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8BD7D68D Ack: 0x77685A82 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:50:30.438248 24.29.173.81:2416 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:18307 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x8BDD8B1E Ack: 0x7847EA8C Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:50:30.547785 24.29.173.81:2422 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:18333 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x8BE28ECF Ack: 0x781C41C5 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:50:30.620728 24.29.173.81:2425 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:18352 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x8BE524B2 Ack: 0x78442B63 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/24-17:50:33.710456 24.29.173.81:2548 -> 192.168.1.6:80
TCP TTL:119 TOS:0x0 ID:18960 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x8C4BF6C4 Ack: 0x7878CFA2 Win: 0x4470 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:52 2003