Snort mailing list archives
Re: Was my host hijacked?
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 02 Jun 2003 16:01:51 -0400
You're going to have to dig deeper than just overview reports. What source and destination ports were used? This will tell you a whole lot more about what is really going on.
For example, the events to 64.141.14.2 are likely just you surfing websites and opening pages with lots of images on them. This can look to the portscan2 preprocessor like a portscan, because your client may open dozens or hundreds of http connections within a second as all the images get loaded. If portscan2 drops packets and misses the original syn, it can become confused and call it a "syn-ack scan" as the handshake replies come back.
The reason I strongly suspect 64.141.14.2 is just websurfing activity is the reverse DNS entry for that IP.. www.jennicam.org. Unless of course you've not been going there, in which case you might want to do some tcpdump sniffing of the traffic heading to and from that IP:
tcpdump -i <interface> host 64.141.14.2

At 10:26 AM 6/2/2003 -0700, Luiz-Otavio Zorzella wrote:
Hi, I've recently been hacked (shame on me) when I postponed a security patch one day too long (double shame on me). I think (thought?) I managed to clean the system, but I've been getting these SNORT reports (below) that seem to indicate that my host is being used to portscan other folk. I'm not sure that is the case, as I did not have SNORT in this computer before, so it could be false alerts -- this is a somewhat busy box that serves as NAT as well. I'm dumping the full SNORT report, only that I changed my IP address to a.b.c.d for obvious reasons. This is a "real" IP address -- i.e. the IP of the internet interface.
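Added example (not part of Matt's reply or Luiz's post): a small Python triage script that applies the reasoning above to a capture. The input is a constructed, simplified one-line-per-segment summary in the form "time src:sport > dst:dport flags" (real tcpdump output is more verbose; the format, the 10.0.0.0/8 and 192.0.2.0/24 addresses, and the thresholds are all assumptions made for the example). It groups outbound SYNs by client/server pair and looks at the spread of destination ports: a browser pulling a page full of images opens many connections from many ephemeral source ports to one HTTP port, and the server's SYN-ACKs come back for each, while a port scan from the same host fans out across many destination ports.

```python
"""Triage a burst that portscan2 flagged: browsing or scanning?

Example code, not from the Snort thread. Parses a constructed, simplified
capture summary and reports, per (client, server) pair, how many distinct
source and destination ports were used and how many SYN-ACK replies were
seen, then applies the heuristic from the reply above.
"""
from collections import defaultdict

# Constructed sample (placeholder addresses, not the ones in the thread):
# first a browser fetching a page with four images from one web server,
# then the same host probing four service ports on a second machine.
SAMPLE = """\
10:26:01.001 10.0.0.5:40001 > 192.0.2.10:80 S
10:26:01.002 192.0.2.10:80 > 10.0.0.5:40001 SA
10:26:01.010 10.0.0.5:40002 > 192.0.2.10:80 S
10:26:01.011 192.0.2.10:80 > 10.0.0.5:40002 SA
10:26:01.020 10.0.0.5:40003 > 192.0.2.10:80 S
10:26:01.021 192.0.2.10:80 > 10.0.0.5:40003 SA
10:26:01.030 10.0.0.5:40004 > 192.0.2.10:80 S
10:26:01.031 192.0.2.10:80 > 10.0.0.5:40004 SA
10:26:05.000 10.0.0.5:50001 > 192.0.2.20:21 S
10:26:05.002 10.0.0.5:50002 > 192.0.2.20:22 S
10:26:05.004 10.0.0.5:50003 > 192.0.2.20:23 S
10:26:05.006 10.0.0.5:50004 > 192.0.2.20:25 S
"""


def parse_line(line):
    """Split one 'time src:sport > dst:dport flags' line into fields."""
    ts, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "sip": sip, "sport": int(sport),
            "dip": dip, "dport": int(dport), "flags": flags}


def summarize(text):
    """Group SYNs by (client, server) and count the port spread and replies."""
    pairs = defaultdict(lambda: {"sports": set(), "dports": set(),
                                 "synack_seen": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if r["flags"] == "S":
            p = pairs[(r["sip"], r["dip"])]
            p["sports"].add(r["sport"])
            p["dports"].add(r["dport"])
        elif r["flags"] == "SA":
            # A reply travels server -> client, so key it by the original
            # client -> server direction to join it with the SYNs.
            pairs[(r["dip"], r["sip"])]["synack_seen"] += 1
    return pairs


def classify(stats, min_connections=4, web_ports=(80, 443)):
    """Heuristic verdict for one client/server pair (thresholds assumed)."""
    n_dports = len(stats["dports"])
    n_conns = len(stats["sports"])
    if (n_dports == 1 and next(iter(stats["dports"])) in web_ports
            and n_conns >= min_connections):
        # many ephemeral source ports, one HTTP port, replies coming back:
        # this is what a page with lots of images looks like to portscan2
        return "likely web browsing"
    if n_dports >= 3:
        # one client fanning out across several destination ports
        return "possible port scan"
    return "inconclusive"


def triage(text):
    """Return {(client, server): verdict} for every pair in the capture."""
    return {pair: classify(s) for pair, s in summarize(text).items()}


if __name__ == "__main__":
    for (client, server), stats in summarize(SAMPLE).items():
        print(f"{client} -> {server}: {len(stats['sports'])} src ports, "
              f"{sorted(stats['dports'])} dst ports, "
              f"{stats['synack_seen']} SYN-ACKs -> {classify(stats)}")
```

Run it against a real tcpdump capture by converting the lines of interest into the same "src:sport > dst:dport flags" shape first; the point is the per-pair port spread, which is exactly the detail an overview report hides.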