SnortSnarf alert page

Source: 24.52.59.25

SnortSnarf v021111.1

Signature section (91123)

Top 20 source IPs

Top 20 dest IPs

18 such alerts found using input module SnortFileInput, with sources:

/home/rivettmj/snort_alertlog/alert

Earliest: 01:18:44.410134 on 05/27/2003
Latest: 01:19:46.319714 on 05/27/2003

6 different signatures are present for 24.52.59.25 as a source

1 instances of WEB-IIS _mem_bin access
1 instances of WEB-FRONTPAGE /_vti_bin/ access
2 instances of WEB-IIS CodeRed v2 root.exe access
3 instances of WEB-IIS multiple decode attempt
4 instances of WEB-IIS cmd.exe access
7 instances of WEB-IIS unicode directory traversal attempt

There are 1 distinct destination IPs in the alerts of the type on this page.

24.52.59.25 Whois lookup at: ARIN RIPE APNIC Geektools

DNS lookup at: Amenesi TRIUMF Princeton

More lookup links: Dshield Sam Spade

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/27-01:18:44.410134 24.52.59.25:1243 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:6021 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xA0BB2016  Ack: 0x9D9A751D  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/27-01:18:45.515605 24.52.59.25:1256 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:6082 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0xA0C8933E  Ack: 0x9E254FE3  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/27-01:18:45.911486 24.52.59.25:1276 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:6113 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xA0D8CA59  Ack: 0x9D8D19A5  Win: 0x4470  TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/27-01:18:46.250630 24.52.59.25:1285 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:6145 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xA0E163C8  Ack: 0x9DABD888  Win: 0x4470  TcpLen: 20

[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/27-01:18:46.620017 24.52.59.25:1304 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:6167 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xA0F083C5  Ack: 0x9DF42AAF  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/27-01:18:49.556066 24.52.59.25:1304 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:6327 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xA0F083C5  Ack: 0x9DF42AAF  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
05/27-01:18:49.895941 24.52.59.25:1370 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:6349 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xA1307735  Ack: 0x9E168E61  Win: 0x4470  TcpLen: 20

[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
05/27-01:18:50.195748 24.52.59.25:1374 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:6368 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xA1335A6B  Ack: 0x9DD095F1  Win: 0x4470  TcpLen: 20

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/27-01:18:50.481133 24.52.59.25:1375 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:6392 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0xA135791C  Ack: 0x9DE30AB2  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/27-01:18:50.741022 24.52.59.25:1394 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:6413 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xA14367C2  Ack: 0x9E1CB1AF  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/27-01:18:53.727252 24.52.59.25:1394 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:6572 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xA14367C2  Ack: 0x9E1CB1AF  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/27-01:18:54.124210 24.52.59.25:1469 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:6596 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xA186B3CB  Ack: 0x9E34B232  Win: 0x4470  TcpLen: 20

[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/27-01:18:54.399060 24.52.59.25:1479 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:6626 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xA18F9AD6  Ack: 0x9E857C6A  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/27-01:18:54.702894 24.52.59.25:1485 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:6640 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xA193F050  Ack: 0x9ED97FB4  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/27-01:19:40.849232 24.52.59.25:2617 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:9849 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0xA588353C  Ack: 0xA161DD30  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/27-01:19:41.825925 24.52.59.25:2654 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:9939 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xA5A8B1CC  Ack: 0xA142AEC1  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/27-01:19:45.414886 24.52.59.25:2738 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:10181 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0xA5F73077  Ack: 0xA17384D5  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/27-01:19:46.319714 24.52.59.25:2760 -> 192.168.1.6:80
TCP TTL:108 TOS:0x0 ID:10236 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xA6091EA1  Ack: 0xA1D491A7  Win: 0x4470  TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:09:28 2003

24.52.59.25	Whois lookup at:	ARIN	RIPE	APNIC	Geektools
	DNS lookup at:	Amenesi	TRIUMF	Princeton
	More lookup links:	Dshield	Sam Spade