Security Basics mailing list archives
Re: id check returned root
From: "Karma" <steve () frij com>
Date: Thu, 29 Jan 2004 19:40:35 +1100
Yup, agreed. Just like this thread would have snort jumping up and down with alerts too. ----- Original Message ----- From: "Alejandro Flores" <alejandro.flores () triforsec com br> To: "Floyd Hartog" <floyd () webwizard dyndns ws> Cc: <security-basics () securityfocus com> Sent: Thursday, January 29, 2004 6:55 AM Subject: Re: id check returned root
Hi Floyd,Date: 01/27 16:03:28 Name: ATTACK RESPONSES id check returned
root
Priority: 2 Type: Potentially Bad Traffic IP info: 199.233.98.101:17335 -> XXX.XXX.XXX.XXX:25 References: none found SID: 498 I am a bit confused with the output from my snort logs, which you see above. That looks bad, very bad. But a whois seems to indicate this is the vulnwatch and securityfocus outgoing mail servers. Am I reading this wrong? Is this a snort bug, or a attack? And what would be the correct response? Thanks for your imput. FloydLooks like a false positive. This rule checks for packets with 'uid=0(root)' inside. And it was found in your mail traffic. Check your mail and look for this content inside one of your messages. Regards, Alejandro Flores --TriForSec http://www.triforsec.com.br/
---------------------------------------------------------------------------- ----
--------------------------------------------------------------------------
-
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any course! All of our class sizes are guaranteed to be 10 students or less. We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion
Prevention,
and many other technical hands on courses. Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off any course! --------------------------------------------------------------------------
-- --------------------------------------------------------------------------- Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any course! All of our class sizes are guaranteed to be 10 students or less. We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, and many other technical hands on courses. Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off any course! ----------------------------------------------------------------------------
Current thread:
- id check returned root Floyd Hartog (Jan 28)
- Re: id check returned root Joerg Over Dexia (Jan 28)
- Re: id check returned root Alejandro Flores (Jan 28)
- Re: id check returned root Karma (Jan 29)
- Re: id check returned root Floyd Hartog (Jan 29)
- Re: id check returned root Karma (Jan 29)