SnortSnarf alert page

Source: 24.85.206.152

SnortSnarf v021111.1

18 such alerts found using input module SnortFileInput, with sources:
Earliest: 01:49:13.447248 on 04/23/2003
Latest: 01:49:57.692042 on 04/23/2003

6 different signatures are present for 24.85.206.152 as a source

There is 1 distinct destination IP in the alerts of the type on this page.


[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-01:49:13.447248 24.85.206.152:3651 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:38211 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x68AAD9F3 Ack: 0x8F62045 Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-01:49:14.554817 24.85.206.152:3683 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:38353 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x68C44923 Ack: 0x90BFC36 Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-01:49:18.414642 24.85.206.152:3788 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:38876 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x692094A3 Ack: 0x9E8E756 Win: 0xFAF0 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-01:49:19.408923 24.85.206.152:3817 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:39014 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x693AC015 Ack: 0x9DAB468 Win: 0xFAF0 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-01:49:20.131171 24.85.206.152:3843 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:39133 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x69515D52 Ack: 0xA11A65D Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/23-01:49:30.085751 24.85.206.152:4149 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:40572 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x6A55B664 Ack: 0x9F85ADE Win: 0xFAF0 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/23-01:49:30.600189 24.85.206.152:4170 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:40641 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x6A67FAA9 Ack: 0xA2216B3 Win: 0xFAF0 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-01:49:31.223457 24.85.206.152:4186 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:40726 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x6A75DFA3 Ack: 0xA3DB73A Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-01:49:31.999589 24.85.206.152:4205 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:40836 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x6A84E10F Ack: 0xAA13133 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-01:49:32.854079 24.85.206.152:4240 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:40944 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x6AA00650 Ack: 0xA905309 Win: 0xFAF0 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-01:49:33.589690 24.85.206.152:4261 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:41061 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x6AB15A4B Ack: 0xA3EEC0D Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-01:49:42.996259 24.85.206.152:4548 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:42324 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x6BA84FB3 Ack: 0xAB67E5F Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-01:49:43.170428 24.85.206.152:4554 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:42361 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x6BADE263 Ack: 0xB27FBD4 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-01:49:46.353088 24.85.206.152:4554 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:42726 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x6BADE263 Ack: 0xB27FBD4 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-01:49:52.960040 24.85.206.152:4821 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:43445 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x6C7C60AF Ack: 0xBD383A3 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-01:49:55.893594 24.85.206.152:4821 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:43770 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x6C7C60AF Ack: 0xBD383A3 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-01:49:56.873963 24.85.206.152:4975 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:43877 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x6CCC69CB Ack: 0xBD39EFF Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/23-01:49:57.692042 24.85.206.152:1042 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:43980 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x6CE3CF25 Ack: 0xC5175D6 Win: 0xFAF0 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:53 2003