SnortSnarf alert page

Source: 24.57.13.78

SnortSnarf v021111.1

Signature section (91123)

Top 20 source IPs

Top 20 dest IPs

33 such alerts found using input module SnortFileInput, with sources:

/home/rivettmj/snort_alertlog/alert

Earliest: 16:54:40.586459 on 05/30/2003
Latest: 16:52:45.917442 on 06/04/2003

6 different signatures are present for 24.57.13.78 as a source

2 instances of WEB-IIS _mem_bin access
2 instances of WEB-FRONTPAGE /_vti_bin/ access
4 instances of WEB-IIS CodeRed v2 root.exe access
7 instances of WEB-IIS multiple decode attempt
8 instances of WEB-IIS cmd.exe access
10 instances of WEB-IIS unicode directory traversal attempt

There are 1 distinct destination IPs in the alerts of the type on this page.

24.57.13.78 Whois lookup at: ARIN RIPE APNIC Geektools

DNS lookup at: Amenesi TRIUMF Princeton

More lookup links: Dshield Sam Spade

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/30-16:54:40.586459 24.57.13.78:3469 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:64439 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x6BE58D39  Ack: 0x2C067D0B  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/30-16:54:41.501201 24.57.13.78:3490 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:64511 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x6BFA4D07  Ack: 0x2C1F26B7  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/30-16:54:42.036457 24.57.13.78:3494 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:64540 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x6BFDF78F  Ack: 0x2C660729  Win: 0x4470  TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/30-16:54:42.317997 24.57.13.78:3503 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:64575 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x6C06E095  Ack: 0x2C5CD977  Win: 0x4470  TcpLen: 20

[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/30-16:54:42.535325 24.57.13.78:3508 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:64595 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x6C0B4906  Ack: 0x2C13A316  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
05/30-16:54:42.907694 24.57.13.78:3510 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:64620 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x6C0D99F6  Ack: 0x2BC59C66  Win: 0x4470  TcpLen: 20

[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
05/30-16:54:46.054804 24.57.13.78:3522 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:64846 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x6C17FC59  Ack: 0x2C9ECA6D  Win: 0x4470  TcpLen: 20

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/30-16:54:46.256050 24.57.13.78:3571 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:64858 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x6C444756  Ack: 0x2C575416  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/30-16:54:46.465333 24.57.13.78:3577 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:64884 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x6C49D3B1  Ack: 0x2CD428E8  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/30-16:54:46.654811 24.57.13.78:3580 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:64903 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x6C4D37FC  Ack: 0x2CB12C49  Win: 0x4470  TcpLen: 20

[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/30-16:54:46.813249 24.57.13.78:3584 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:64918 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x6C510F03  Ack: 0x2CE23971  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/30-16:54:47.026558 24.57.13.78:3588 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:64936 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x6C54E22A  Ack: 0x2C66E161  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/30-16:54:47.241671 24.57.13.78:3594 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:64970 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x6C59B82E  Ack: 0x2CCE7041  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/30-16:54:50.278258 24.57.13.78:3594 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:65202 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x6C59B82E  Ack: 0x2CCE7041  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/30-16:54:56.597191 24.57.13.78:3732 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:82 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x6CE21E76  Ack: 0x2E2C4D49  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
05/30-16:54:56.906769 24.57.13.78:3737 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:108 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x6CE7010C  Ack: 0x2DAE3549  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
05/30-16:54:57.108206 24.57.13.78:3741 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:122 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x6CEB76D0  Ack: 0x2E0D6EC7  Win: 0x4470  TcpLen: 20

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/04-16:52:20.296093 24.57.13.78:4783 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:24222 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xEB66E46B  Ack: 0x62D170FA  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/04-16:52:24.381900 24.57.13.78:4875 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:24619 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0xEBB9939D  Ack: 0x62E05EC2  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/04-16:52:27.658111 24.57.13.78:4971 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:25006 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xEC0B1595  Ack: 0x63D1FED6  Win: 0x4470  TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/04-16:52:27.992283 24.57.13.78:4980 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:25051 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xEC128FB4  Ack: 0x63BAAE2E  Win: 0x4470  TcpLen: 20

[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/04-16:52:31.220761 24.57.13.78:1108 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:25416 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xEC5F6426  Ack: 0x637DECFC  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
06/04-16:52:31.469349 24.57.13.78:1122 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:25460 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xEC6ACD25  Ack: 0x635010B1  Win: 0x4470  TcpLen: 20

[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
06/04-16:52:34.721595 24.57.13.78:1192 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:25780 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xECA9389E  Ack: 0x63C10E56  Win: 0x4470  TcpLen: 20

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/04-16:52:34.962170 24.57.13.78:1197 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:25806 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0xECADFCE2  Ack: 0x638C5D7C  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/04-16:52:35.260032 24.57.13.78:1205 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:25830 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xECB4ACDF  Ack: 0x644EE4FD  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/04-16:52:35.596768 24.57.13.78:1212 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:25871 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xECBA18A9  Ack: 0x6440603A  Win: 0x4470  TcpLen: 20

[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/04-16:52:39.050793 24.57.13.78:1294 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:26251 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xED027B4A  Ack: 0x645C713B  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/04-16:52:45.209677 24.57.13.78:1359 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:26753 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xED3CA8CC  Ack: 0x64272BFB  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/04-16:52:45.395079 24.57.13.78:1411 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:26778 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0xED70E1E7  Ack: 0x6479C5F3  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/04-16:52:45.553928 24.57.13.78:1416 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:26798 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xED74B412  Ack: 0x6500A0F2  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/04-16:52:45.731633 24.57.13.78:1423 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:26818 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0xED7B1422  Ack: 0x64253832  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/04-16:52:45.917442 24.57.13.78:1429 -> 192.168.1.6:80
TCP TTL:112 TOS:0x0 ID:26838 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xED7FC83B  Ack: 0x645F27F9  Win: 0x4470  TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:52 2003

24.57.13.78	Whois lookup at:	ARIN	RIPE	APNIC	Geektools
	DNS lookup at:	Amenesi	TRIUMF	Princeton
	More lookup links:	Dshield	Sam Spade