Snort mailing list archives
RE: please help ID payload info
From: twig les <twigles () yahoo com>
Date: Tue, 15 Oct 2002 11:28:48 -0700 (PDT)
I think you may have hit a wall on the usefulness of Snort here. What do your host logs say? Who logged in? What time were the logs manipulated last? What do your firewall logs say? It may be worth your time to check the md5 hashes on a few binaries like ps and top. Regarding how someone could get to your /etc/passwd file... what access control does your Apache use? Which hosts does your sshd/ipfw/ipfilter allow to log in? As far as damage control (since I would assume the box was compromised if it was mine), if you can't rebuild then at least change passwords and make sure /etc/shadow uses something strong (viva la Blowfish!) to encrypt it. I've read of a snafu in FreeBSD that allows user passwds to be stored in DES when created with the adduser function (can't confirm this, don't flame).

--- Randy Bey <Randy.Bey () rivernorthsys com> wrote:
> Well, first did you check to see if this is actually coming from your
> webserver, or an external one? You left any details about that out, so I
> figure it's worth asking just to be sure. If it's an external webserver, I
> bet it's a webpage containing sample output from a security check tool.

Sorry, should have said it's the snort server's web server (used for acid, etc).

> also you claim that's similar to content sent out via email... do you have
> some sort of webmail access going where you might be accessing those
> emails from your webserver, causing it to legitimately send that content?

No webmail type thing there, and further down the line in the payload it gets weird, like a dump of the /etc directory, then some binary gobbledegook that is not understandable. Here:

2f0 : 2D 72 2D 2D 20 31 20 72 6F 6F 74 20 6F 74 68 65  -r-- 1 root othe
300 : 72 20 33 31 34 20 53 65 70 20 32 30 20 31 36 3A  r 314 Sep 20 16:
310 : 32 36 20 32 30 30 32 20 2F 65 74 63 2F 63 6F 72  26 2002 /etc/cor
320 : 65 61 64 6D 2E 63 6F 6E 66 20 20 32 34 37 30 30  eadm.conf 24700
330 : 20 31 0D 0A 2D 2D 2D 0D 0A 3E 20 2D 72 77 2D 72  1..---..> -rw-r
340 : 2D 2D 72 2D 2D 20 31 20 72 6F 6F 74 20 6F 74 68  --r-- 1 root oth
350 : 65 72 20 33 31 34 20 4F 63 74 20 31 30 20 32 32  er 314 Oct 10 22
360 : 3A 30 38 20 32 30 30 32 20 2F 65 74 63 2F 63 6F  :08 2002 /etc/co
370 : 72 65 61 64 6D 2E 63 6F 6E 66 20 20 32 34 37 30  readm.conf 2470
380 : 30 20 31 0D 0A 34 38 63 34 38 0D 0A 3C 20 64 72  0 1..48c48..< dr
390 : 77 78 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20  wxr-xr-x 2 root
3a0 : 73 79 73 20 35 31 32 20 53 65 70 20 32 30 20 31  sys 512 Sep 20 1
3b0 : 36 3A 32 38 20 32 30 30 32 20 2F 65 74 63 2F 63  6:28 2002 /etc/c
3c0 : 72 6F 6E 2E 64 20 0D 0A 2D 2D 2D 0D 0A 3E 20 64  ron.d ..---..> d
3d0 : 72 77 78 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74  rwxr-xr-x 2 root
3e0 : 20 73 79 73 20 35 31 32 20 4F 63 74 20 31 30 20  sys 512 Oct 10
3f0 : 32 32 3A 30 39 20 32 30 30 32 20 2F 65 74 63 2F  22:09 2002 /etc/
400 : 63 72 6F 6E 2E 64 20 0D 0A 36 35 63 36 35 0D 0A  cron.d ..65c65..
410 : 3C 20 2D 72 77 2D 72 2D 2D 72 2D 2D 20 31 20 72  < -rw-r--r-- 1 r
420 : 6F 6F 74 20 6F 74 68 65 72 20 32 33 39 20 53 65  oot other 239 Se
430 : 70 20 32 30 20 31 36 3A 32 38 20 32 30 30 32 20  p 20 16:28 2002
440 : 2F 65 74 63 2F 64 75 6D 70 61 64 6D 2E 63 6F 6E  /etc/dumpadm.con
450 : 66 20 20 31 39 36 39 36 20 31 0D 0A 2D 2D 2D 0D  f 19696 1..---.
460 : 0A 3E 20 2D 72 77 2D 72 2D 2D 72 2D 2D 20 31 20  .> -rw-r--r-- 1
470 : 72 6F 6F 74 20 6F 74 68 65 72 20 32 33 39 20 4F  root other 239 O
480 : 63 74 20 31 30 20 32 32 3A 30 39 20 32 30 30 32  ct 10 22:09 2002
490 : 20 2F 65 74 63 2F 64 75 6D 70 61 64 6D 2E 63 6F  /etc/dumpadm.co
4a0 : 6E 66 20 20 31 39 36 39 36 20 31 0D 0A 39 30 2C  nf 19696 1..90,
4b0 : 39 31 63 39 30 2C 39 31 0D 0A 3C 20 64 72 77 78  91c90,91..< drwx
4c0 : 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20 73 79  r-xr-x 2 root sy
4d0 : 73 20 32 30 34 38 20 53 65 70 20 32 33 20 31 37  s 2048 Sep 23 17
4e0 : 3A 30 30 20 32 30 30 32 20 2F 65 74 63 2F 69 6E  :00 2002 /etc/in
4f0 : 69 74 2E 64 20 0D 0A 3C 20 70 72 77 2D 2D 2D 2D  it.d ..< prw----
500 : 2D 2D 2D 20 31 20 72 6F 6F 74 20 72 6F 6F 74 20  --- 1 root root
510 : 30 20 53 65 70 20 32 30 20 31 36 3A 32 38 20 32  0 Sep 20 16:28 2
520 : 30 30 32 20 2F 65 74 63 2F 69 6E 69 74 70 69 70  002 /etc/initpip
530 : 65 20 0D 0A 2D 2D 2D 0D 0A 3E 20 64 72 77 78 72  e ..---..> drwxr
540 : 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20 73 79 73  -xr-x 2 root sys
550 : 20 32 30 34 38 20 4F 63 74 20 31 30 20 31 34 3A  2048 Oct 10 14:
560 : 34 31 20 32 89 95 50 FE FF FF 83 BD 50 FE FF FF  41 2..P.....P...
570 : 00 75 26 8B F4 6A 00 8D 85 4C FE FF FF 50 8B 8D  .u&..j...L...P..
580 : 68 FE FF FF 51 8B 55 08 8B 42 08 50 FF 95 6C FE  h...Q.U..B.P..l.
590 : FF FF 3B F4 90 43 4B 43 4B 83 BD 50 FE FF FF 64  ..;..CKCK..P...d
5a0 : 7D 5C 8B 8D 50 FE FF FF 83 C1 01 89 8D 50 FE FF  }\..P........P..
5b0 : FF 8B 95 50 FE FF FF 69 D2 8D 66 F0 50 89 95 74  ...P...i..f.P..
Randy Bey
RiverNorth Systems
7300 W 147th St Suite 300
Apple Valley, MN 55124
http://www.rivernorthsys.com
-------------------------------------------------------
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

=====
-----------------------------------------------------------
Heavy metal made me do it.
-----------------------------------------------------------
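The quoted hex dump is the kind of thing a defender wants to decode mechanically rather than by eye. Read from the hex column, the readable part has the shape of diff(1) normal-format output (hunk headers like `48c48` and `90,91c90,91`, `<` and `>` lines, `---` separators) comparing two `ls -l`-style listings of /etc, and the text stops mid-line at offset 0x560 where non-printable bytes begin. The script below is an added example, not Snort code or anything posted in the thread: it parses the Snort-style "offset : hex bytes  ASCII" rows back into bytes, checks the offsets are contiguous, splits the payload where printable text ends, and tags each CRLF-delimited line by its role in diff output. The sample is thirteen consecutive rows (0x4a0 to 0x560) transcribed from the dump above; the gloss column is ignored by the parser.

```python
"""Reassemble a Snort-style hex dump and separate its readable text from
the binary tail.  Added example for this thread; it is not Snort code."""
import re

# Constructed sample: thirteen consecutive dump rows in the format quoted
# in the thread ("offset : 16 hex bytes  ASCII gloss").  The gloss column
# is decorative; only the hex column is decoded.
SAMPLE_DUMP = """\
4a0 : 6E 66 20 20 31 39 36 39 36 20 31 0D 0A 39 30 2C  nf 19696 1..90,
4b0 : 39 31 63 39 30 2C 39 31 0D 0A 3C 20 64 72 77 78  91c90,91..< drwx
4c0 : 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20 73 79  r-xr-x 2 root sy
4d0 : 73 20 32 30 34 38 20 53 65 70 20 32 33 20 31 37  s 2048 Sep 23 17
4e0 : 3A 30 30 20 32 30 30 32 20 2F 65 74 63 2F 69 6E  :00 2002 /etc/in
4f0 : 69 74 2E 64 20 0D 0A 3C 20 70 72 77 2D 2D 2D 2D  it.d ..< prw----
500 : 2D 2D 2D 20 31 20 72 6F 6F 74 20 72 6F 6F 74 20  --- 1 root root
510 : 30 20 53 65 70 20 32 30 20 31 36 3A 32 38 20 32  0 Sep 20 16:28 2
520 : 30 30 32 20 2F 65 74 63 2F 69 6E 69 74 70 69 70  002 /etc/initpip
530 : 65 20 0D 0A 2D 2D 2D 0D 0A 3E 20 64 72 77 78 72  e ..---..> drwxr
540 : 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20 73 79 73  -xr-x 2 root sys
550 : 20 32 30 34 38 20 4F 63 74 20 31 30 20 31 34 3A  2048 Oct 10 14:
560 : 34 31 20 32 89 95 50 FE FF FF 83 BD 50 FE FF FF  41 2..P.....P...
"""

# One dump row: hex offset, colon, at most 16 hex byte pairs.  Capping at 16
# keeps a gloss that happens to begin with two hex digits (e.g. "41 2") from
# being decoded as a seventeenth byte on a full row.
HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*((?:[0-9A-Fa-f]{2}\s+){1,16})")

# Printable ASCII plus TAB, LF and CR; anything else counts as binary.
TEXTUAL = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# diff(1) normal-format hunk header: 48c48, 90,91c90,91, 3a4, 7d6 ...
HUNK_HEADER = re.compile(r"^\d+(?:,\d+)?[acd]\d+(?:,\d+)?$")


def parse_dump(text):
    """Return [(offset, bytes), ...] for every line that parses as a dump row."""
    rows = []
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            rows.append((int(m.group(1), 16), bytes.fromhex(m.group(2))))
    return rows


def reassemble(rows):
    """Concatenate rows; refuse to silently paper over a gap or overlap."""
    if not rows:
        return b""
    buf = bytearray()
    expected = rows[0][0]
    for offset, chunk in rows:
        if offset != expected:
            raise ValueError(f"dump jumps to {offset:#x}, expected {expected:#x}")
        buf += chunk
        expected = offset + len(chunk)
    return bytes(buf)


def split_text_binary(payload):
    """Split at the first byte that is not printable ASCII / CR / LF / TAB."""
    for i, b in enumerate(payload):
        if b not in TEXTUAL:
            return payload[:i], payload[i:]
    return payload, b""


def classify_lines(text):
    """Tag each CRLF-delimited line by its role in diff normal-format output."""
    tagged = []
    for line in text.decode("ascii").split("\r\n"):
        if HUNK_HEADER.match(line):
            tag = "hunk"
        elif line == "---":
            tag = "separator"
        elif line.startswith("< "):
            tag = "left"
        elif line.startswith("> "):
            tag = "right"
        else:
            tag = "other"  # fragments cut off at the start/end of the capture
        tagged.append((tag, line))
    return tagged


def analyse(dump_text):
    """Full pipeline: dump text -> (tagged text lines, length of binary tail)."""
    payload = reassemble(parse_dump(dump_text))
    text, binary = split_text_binary(payload)
    return classify_lines(text), len(binary)


if __name__ == "__main__":
    lines, tail = analyse(SAMPLE_DUMP)
    for tag, line in lines:
        print(f"{tag:9s} {line!r}")
    print(f"{tail} non-text bytes follow the last readable line")
```

Run against the sample, the output shows one hunk header, two `<` lines, a `---`, and a `>` line that is cut off after "14:41 2", followed by twelve non-text bytes. Decoding the rest of the dump the same way tells you how much of the payload is a listing diff and how much is opaque; the offset check matters because a single dropped row in a copy-pasted dump silently shifts every later line.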
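The suggestion in the reply to compare hashes of binaries such as ps and top only works if there is a known-good baseline to compare against. The following is an added example of that check, not code from the thread or from any Snort or FreeBSD tool: it records a digest per file, then reports each baselined path as ok, MODIFIED or MISSING. The demo builds two fake binaries in a temporary directory and tampers with one after the baseline is taken, so it runs without touching a real system. It uses SHA-256 by default; the `algo` parameter accepts `"md5"` for comparing against an older md5-based baseline.

```python
"""Compare file digests against a baseline, the binary-integrity check
suggested in the thread.  Added example; not Snort or FreeBSD code."""
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256"):
    """Stream the file through the chosen digest and return it as hex."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def record_baseline(paths, algo="sha256"):
    """Snapshot {path: digest}.  Take this from known-good media or a clean
    install, never from a host you already suspect."""
    return {p: hash_file(p, algo) for p in paths}


def verify(baseline, algo="sha256"):
    """Return {path: 'ok' | 'MODIFIED' | 'MISSING'} for every baselined path."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "MISSING"
        elif hash_file(path, algo) != expected:
            report[path] = "MODIFIED"
        else:
            report[path] = "ok"
    return report


def demo():
    """Constructed scenario: two fake binaries, one altered after baselining.
    Returns the verification report keyed by basename."""
    with tempfile.TemporaryDirectory() as d:
        ps, top = os.path.join(d, "ps"), os.path.join(d, "top")
        for p in (ps, top):
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho pretend-" + os.path.basename(p).encode() + b"\n")
        baseline = record_baseline([ps, top])
        with open(ps, "ab") as f:  # simulate a replaced/patched ps
            f.write(b"# extra bytes\n")
        return {os.path.basename(p): s for p, s in verify(baseline).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

The caveat a practitioner would add: run the hashing from a trusted toolset (or against the disk mounted read-only from clean media), because on a compromised host the hashing program, the libc it links, and the kernel's view of the filesystem are all candidates for tampering, and a hash computed through them proves little.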
Current thread:
- please help ID payload info Randy Bey (Oct 15)
- Re: please help ID payload info Matt Kettler (Oct 15)
- Re: please help ID payload info Robby Desmond (Oct 17)
- Help with content-list usage - Unable to open list file: Sven_da_duder Sean Wheeler (Oct 17)
- AW: Help with content-list usage - Unable to open list file: Sven_da_duder Sean Wheeler (Oct 17)
- AW: Help with content-list usage - Unable to open list file: Sven_da_duder Sean Wheeler (Oct 17)
- Help with content-list usage - Unable to open list file: Sven_da_duder Sean Wheeler (Oct 17)
- <Possible follow-ups>
- RE: please help ID payload info Randy Bey (Oct 15)
- RE: please help ID payload info twig les (Oct 15)
- RE: please help ID payload info matthew . keay (Oct 17)
- RE: please help ID payload info matthew . keay (Oct 17)