SnortSnarf alert page

Source: 24.98.99.141

SnortSnarf v021111.1

31 such alerts found using input module SnortFileInput, with sources:
Earliest: 00:23:35.049578 on 06/12/2003
Latest: 04:04:56.803450 on 06/13/2003

6 different signatures are present for 24.98.99.141 as a source

There is 1 distinct destination IP in the alerts of the type on this page.

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/12-00:23:35.049578 24.98.99.141:3240 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:45944 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xF6FC3A63 Ack: 0xC98499EB Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/12-00:23:45.514705 24.98.99.141:3650 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:47363 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0xF847CC10 Ack: 0xCACF599F Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/12-00:23:46.443887 24.98.99.141:3670 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:47447 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xF858B6F0 Ack: 0xCABAEA48 Win: 0xFAF0 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/12-00:23:47.263823 24.98.99.141:3725 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:47573 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xF883B526 Ack: 0xCA7E6828 Win: 0xFAF0 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/12-00:23:55.106743 24.98.99.141:3882 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:48641 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xF9036EDE Ack: 0xCB5C1544 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
06/12-00:23:55.622224 24.98.99.141:4063 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:48718 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xF98A3494 Ack: 0xCAB55F16 Win: 0xFAF0 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
06/12-00:24:02.772944 24.98.99.141:4271 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:49920 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xFA2A619D Ack: 0xCB94F44F Win: 0xFAF0 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/12-00:24:03.366316 24.98.99.141:4439 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:50005 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0xFAAE2816 Ack: 0xCB67D454 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/12-00:24:06.965872 24.98.99.141:4628 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:50555 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xFB3FA73C Ack: 0xCC4971AB Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/12-00:24:07.507019 24.98.99.141:4634 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:50619 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xFB457C33 Ack: 0xCBBED59A Win: 0xFAF0 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/12-00:24:11.795037 24.98.99.141:4958 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:51241 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xFBC60618 Ack: 0xCBE8FF89 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/12-00:24:12.361891 24.98.99.141:3023 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:51326 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xFBEBEEF8 Ack: 0xCBC6E4FC Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/12-00:24:22.104774 24.98.99.141:3438 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:52628 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0xFD34438D Ack: 0xCCB2023F Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/12-00:24:22.563158 24.98.99.141:3453 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:52739 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xFD3FABAE Ack: 0xCD37DCEC Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/12-00:24:25.756712 24.98.99.141:3453 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:53257 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xFD3FABAE Ack: 0xCD37DCEC Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/12-00:24:32.051828 24.98.99.141:3896 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:54291 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0xFE9D3F32 Ack: 0xCD3328CA Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/13-04:04:05.361577 24.98.99.141:3679 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:9045 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x35930AE1 Ack: 0x4AB08214 Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/13-04:04:05.873191 24.98.99.141:3713 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:9149 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x35AEBF5C Ack: 0x4ABCD771 Win: 0xFAF0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/13-04:04:06.244008 24.98.99.141:3728 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:9208 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x35BCAD78 Ack: 0x4A48D90C Win: 0xFAF0 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/13-04:04:06.885678 24.98.99.141:3744 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:9283 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x35C80E5B Ack: 0x4B17B9BD Win: 0xFAF0 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/13-04:04:07.702579 24.98.99.141:3769 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:9378 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x35DAE387 Ack: 0x4B0E900E Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
06/13-04:04:08.395723 24.98.99.141:3792 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:9470 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x35ED7CCE Ack: 0x4A5207AB Win: 0xFAF0 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
06/13-04:04:09.245557 24.98.99.141:3806 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:9555 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x35FAC7E0 Ack: 0x4A66B114 Win: 0xFAF0 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/13-04:04:19.030306 24.98.99.141:4127 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:10730 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x36FF75A3 Ack: 0x4B403F4F Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/13-04:04:23.046993 24.98.99.141:4239 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:11171 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x3759F339 Ack: 0x4BACAEAC Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/13-04:04:32.912144 24.98.99.141:4544 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:12353 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x385975C6 Ack: 0x4C8711A5 Win: 0xFAF0 TcpLen: 20
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/13-04:04:41.656045 24.98.99.141:4875 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:13306 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x3932466E Ack: 0x4CB3A656 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/13-04:04:51.685739 24.98.99.141:3244 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:14487 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x3A371D04 Ack: 0x4DE2BFE9 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/13-04:04:52.261008 24.98.99.141:3263 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:14568 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x3A47EF1A Ack: 0x4DF011D6 Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/13-04:04:52.846084 24.98.99.141:3280 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:14651 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x3A56C529 Ack: 0x4DE6CC9B Win: 0xFAF0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/13-04:04:56.803450 24.98.99.141:3421 -> 192.168.1.6:80
TCP TTL:111 TOS:0x0 ID:15217 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x3ACBFCDA Ack: 0x4EBDF2C4 Win: 0xFAF0 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:09:28 2003