SnortSnarf alert page

Source: 24.34.222.52

SnortSnarf v021111.1

19 such alerts found using input module SnortFileInput, with sources:
Earliest: 17:07:07.034474 on 05/22/2003
Latest: 16:25:10.341095 on 06/05/2003

7 different signatures are present for 24.34.222.52 as a source

There is 1 distinct destination IP in the alerts of the type on this page.

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-17:07:07.034474 24.34.222.52:4888 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:307 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x9631937D Ack: 0x5DD062A7 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-17:07:08.426208 24.34.222.52:4929 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:482 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x9654E426 Ack: 0x5ED9A0A4 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-17:07:09.338884 24.34.222.52:4957 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:618 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x966C4FF1 Ack: 0x5E48C2DD Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-17:07:10.409484 24.34.222.52:4986 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:753 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x9684D16D Ack: 0x5EF52FC8 Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-17:07:14.246170 24.34.222.52:3106 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:1266 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x96E7B13D Ack: 0x5EBF842B Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/22-17:07:15.046994 24.34.222.52:3127 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:1366 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x96FB0A07 Ack: 0x5ED8B7E3 Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/22-17:07:19.149697 24.34.222.52:3261 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:1904 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x9770E463 Ack: 0x5F06042D Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-17:07:23.402856 24.34.222.52:3376 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:2456 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x97D5696E Ack: 0x5F14E327 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-17:07:33.312905 24.34.222.52:3396 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:3696 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x97E6BEFF Ack: 0x5FAE8A10 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-17:07:34.626473 24.34.222.52:3676 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:3878 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x98D897E3 Ack: 0x604836C9 Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-17:07:41.533151 24.34.222.52:3795 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:4726 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x994331EE Ack: 0x6096554E Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-17:07:45.549558 24.34.222.52:3979 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:5199 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x99E4F9C2 Ack: 0x606397B0 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-17:07:48.544211 24.34.222.52:3979 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:5621 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x99E4F9C2 Ack: 0x606397B0 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-17:07:49.879329 24.34.222.52:4111 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:5800 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x9A56800A Ack: 0x607FA05F Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-17:07:56.435356 24.34.222.52:4230 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:6642 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x9ABFCC09 Ack: 0x616FAEE8 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-17:08:00.140683 24.34.222.52:4320 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:7133 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x9B0A9C93 Ack: 0x6186FF5B Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-17:08:01.015722 24.34.222.52:4429 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:7246 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x9B691521 Ack: 0x61FDC4B1 Win: 0x4470 TcpLen: 20
[**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/05-16:25:10.333035 24.34.222.52:4454 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:34991 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x3E1DE18B Ack: 0x3B360E10 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071][Xref => http://www.securityfocus.com/bid/1065][Xref => http://www.whitehats.com/info/IDS552]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/05-16:25:10.341095 24.34.222.52:4454 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:34992 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x3E1DE73F Ack: 0x3B360E10 Win: 0x4470 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:53 2003