SnortSnarf alert page

Source: 24.34.91.29

SnortSnarf v021111.1

Signature section (91123)

Top 20 source IPs

Top 20 dest IPs

14 such alerts found using input module SnortFileInput, with sources:

/home/rivettmj/snort_alertlog/alert

Earliest: 19:57:55.281574 on 05/23/2003
Latest: 19:59:41.909193 on 05/23/2003

6 different signatures are present for 24.34.91.29 as a source

1 instances of WEB-IIS _mem_bin access
1 instances of WEB-FRONTPAGE /_vti_bin/ access
2 instances of WEB-IIS CodeRed v2 root.exe access
2 instances of WEB-IIS multiple decode attempt
3 instances of WEB-IIS cmd.exe access
5 instances of WEB-IIS unicode directory traversal attempt

There are 1 distinct destination IPs in the alerts of the type on this page.

24.34.91.29 Whois lookup at: ARIN RIPE APNIC Geektools

DNS lookup at: Amenesi TRIUMF Princeton

More lookup links: Dshield Sam Spade

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/23-19:57:55.281574 24.34.91.29:1082 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:29119 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x9D50208F  Ack: 0x22A0A892  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/23-19:57:56.365791 24.34.91.29:1190 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:29207 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x9DAAD316  Ack: 0x238AEB6D  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/23-19:58:06.278437 24.34.91.29:1431 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:30235 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x9E7D8721  Ack: 0x238F9E62  Win: 0x4470  TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/23-19:58:15.963081 24.34.91.29:1677 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:31236 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x9F58BE51  Ack: 0x24A18B46  Win: 0x4470  TcpLen: 20

[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/23-19:58:25.830050 24.34.91.29:1962 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:32494 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xA04CAD18  Ack: 0x24BAF158  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
05/23-19:58:39.000381 24.34.91.29:2229 -> 192.168.1.6:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:157
***AP*** Seq: 0xA139C00E  Ack: 0x0  Win: 0x0  TcpLen: 20

[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
05/23-19:58:39.333215 24.34.91.29:2342 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:34097 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xA19AA76E  Ack: 0x25C4EC62  Win: 0x4470  TcpLen: 20

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/23-19:58:58.045736 24.34.91.29:2604 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:36221 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0xA27FC47E  Ack: 0x26280D64  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/23-19:59:01.675283 24.34.91.29:2845 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:36573 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xA35828A8  Ack: 0x270EE686  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/23-19:59:11.495755 24.34.91.29:3146 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:37670 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xA466D410  Ack: 0x27857227  Win: 0x4470  TcpLen: 20

[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/23-19:59:21.465903 24.34.91.29:3415 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:38814 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xA54C8F13  Ack: 0x281DC0F3  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/23-19:59:31.419950 24.34.91.29:3655 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:39815 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xA61BCF13  Ack: 0x28D5FD9D  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/23-19:59:41.179189 24.34.91.29:3662 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:40968 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0xA6248217  Ack: 0x287A6A9D  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/23-19:59:41.909193 24.34.91.29:3917 -> 192.168.1.6:80
TCP TTL:107 TOS:0x0 ID:41028 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xA7057B98  Ack: 0x29A3F8E4  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:52 2003

24.34.91.29	Whois lookup at:	ARIN	RIPE	APNIC	Geektools
	DNS lookup at:	Amenesi	TRIUMF	Princeton
	More lookup links:	Dshield	Sam Spade