SnortSnarf alert page

Source: 24.94.212.166

SnortSnarf v021111.1

16 such alerts found using input module SnortFileInput, with sources:
Earliest: 13:40:24.610775 on 05/21/2003
Latest: 13:41:11.127635 on 05/21/2003

6 different signatures are present for 24.94.212.166 as a source

There is 1 distinct destination IP in the alerts of the type on this page.


[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-13:40:24.610775 24.94.212.166:4728 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:29944 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xB0DDB8F4 Ack: 0x10D10117 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-13:40:25.079837 24.94.212.166:4733 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:29983 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0xB0E37797 Ack: 0x11923CF2 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-13:40:25.353159 24.94.212.166:4734 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:29997 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xB0E5707B Ack: 0x10CDD8D1 Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-13:40:25.585506 24.94.212.166:4735 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:30009 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xB0E6B4CD Ack: 0x11088CCC Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-13:40:25.835940 24.94.212.166:4736 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:30027 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xB0E8A2BF Ack: 0x11745876 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/21-13:40:26.101106 24.94.212.166:4744 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:30046 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xB0EEF1E9 Ack: 0x10CE11D1 Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/21-13:40:26.368999 24.94.212.166:4748 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:30066 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xB0F2C3F2 Ack: 0x10C92FD9 Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-13:40:35.705381 24.94.212.166:4902 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:30687 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0xB1888245 Ack: 0x119BC66D Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-13:40:35.994070 24.94.212.166:4907 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:30709 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xB18D1AC9 Ack: 0x11F74C17 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-13:40:45.244530 24.94.212.166:1070 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:31244 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xB2145B90 Ack: 0x1274E51F Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-13:40:48.485373 24.94.212.166:1112 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:31396 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xB23E6DD0 Ack: 0x12A68DCA Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-13:40:49.116584 24.94.212.166:1119 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:31423 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xB244AFDA Ack: 0x12DEB7A4 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-13:41:10.353834 24.94.212.166:1448 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:32757 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0xB388DDAE Ack: 0x13BC9C01 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-13:41:10.594973 24.94.212.166:1451 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:32771 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xB38C3678 Ack: 0x143ABF2D Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-13:41:10.874470 24.94.212.166:1453 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:32786 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0xB38EB589 Ack: 0x13E1354A Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-13:41:11.127635 24.94.212.166:1456 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:32803 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xB391C30A Ack: 0x140C8803 Win: 0x4470 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:09:28 2003