Snort mailing list archives

Re: Was my host hijacked?


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 02 Jun 2003 16:01:51 -0400

You're going to have to dig deeper than just overview reports.

What source and destination ports were used? This will tell you a whole lot more about what is really going on.

For example, the events to 64.141.14.2 are likely just you surfing websites and opening pages with lots of images on them. This can look to the portscan2 preprocessor like a portscan, because your client may open dozens or hundreds of http connections within a second as all the images get loaded. If portscan2 drops packets and misses the original syn, it can become confused and call it a "syn-ack scan" as the handshake replies come back.

The reason I strongly suspect 64.141.14.2 is just websurfing activity is the reverse DNS entry for that IP: www.jennicam.org. Unless of course you've not been going there, in which case you might want to do some tcpdump sniffing of the traffic heading to and from that IP:

tcpdump -i <interface> host 64.141.14.2


At 10:26 AM 6/2/2003 -0700, Luiz-Otavio Zorzella wrote:
Hi,

I've recently been hacked (shame on me) when I postponed a security patch one
day too long (double shame on me). I think (thought?) I managed to clean the
system, but I've been getting these SNORT reports (below) that seem to indicate
that my host is being used to portscan other folk. I'm not sure that is the
case, as I did not have SNORT on this computer before, so it could be false
alerts -- this is a somewhat busy box that serves as NAT as well.

I'm dumping the full SNORT report, only that I changed my IP address to a.b.c.d for obvious reasons. This is a "real" IP address -- i.e. the IP of the internet interface.
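Matt's advice boils down to "look at the source and destination ports before believing a portscan2 report". The script below is an added example, not part of either post and not Snort code: it parses a small constructed tcpdump-style capture, groups connection-opening SYNs by (client, server) pair, and separates the browsing pattern (many ephemeral source ports, one or two destination ports) from a sweep pattern (many distinct destination ports). It also counts SYN-ACKs whose original SYN is absent from the capture, which is the missed-handshake condition Matt describes as confusing portscan2. Hosts, ports, the simplified line format and the threshold of five are assumptions for illustration.

```python
"""Classify tcpdump-style records: web browsing fan-out vs. a port sweep.

Added example for this thread (not from the original posts or from Snort).
The record format is a simplified tcpdump line; hosts and ports are constructed.
"""
import re
from collections import defaultdict

# Simplified tcpdump line shape assumed here (constructed, not real output):
# "16:01:51.000001 IP 10.0.0.5.49152 > 64.141.14.2.80: Flags [S]"
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(lines):
    """Return (src, sport, dst, dport, flags) tuples; unparsable lines are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return records


def summarize_pairs(records):
    """Group client SYNs by (client, server) and collect the ports involved."""
    summary = defaultdict(lambda: {"syns": 0, "sports": set(), "dports": set()})
    for src, sport, dst, dport, flags in records:
        if flags == "S":  # only the connection-opening SYN, not replies
            entry = summary[(src, dst)]
            entry["syns"] += 1
            entry["sports"].add(sport)
            entry["dports"].add(dport)
    return summary


def classify(entry, threshold=5):
    """Heuristic (assumed threshold): many distinct destination ports looks like a
    sweep; many connections to only 80/443 looks like a browser loading a page."""
    if len(entry["dports"]) >= threshold:
        return "port-sweep-like"
    if entry["syns"] >= threshold and entry["dports"] <= {80, 443}:
        return "web-browsing-like"
    return "inconclusive"


def orphan_syn_acks(records):
    """Count SYN-ACKs ([S.]) with no matching client SYN in the capture.
    Under packet loss these replies are what can look like a 'syn-ack scan'."""
    seen_syn = {(s, sp, d, dp) for s, sp, d, dp, f in records if f == "S"}
    return sum(
        1 for s, sp, d, dp, f in records
        if f == "S." and (d, dp, s, sp) not in seen_syn
    )


def analyze(lines):
    """Return a per-pair classification plus the orphan SYN-ACK count."""
    records = parse_tcpdump(lines)
    pairs = {pair: classify(e) for pair, e in summarize_pairs(records).items()}
    return {"pairs": pairs, "orphan_syn_acks": orphan_syn_acks(records)}


def build_sample_capture():
    """Constructed capture: a page load with four dropped SYNs, and a port sweep."""
    lines = []
    # Browser opens ten connections to port 80; only six SYNs were captured ...
    for sport in range(49152, 49158):
        lines.append(f"16:01:51.000001 IP 10.0.0.5.{sport} > 64.141.14.2.80: Flags [S]")
    # ... but all ten SYN-ACK replies were, so four of them have no visible SYN.
    for sport in range(49152, 49162):
        lines.append(f"16:01:51.000002 IP 64.141.14.2.80 > 10.0.0.5.{sport}: Flags [S.]")
    # A sweep: one SYN each to seven different ports on one host.
    for dport in (21, 22, 23, 25, 80, 110, 143):
        lines.append(f"16:02:10.000001 IP 10.0.0.5.51000 > 192.0.2.10.{dport}: Flags [S]")
    lines.append("this line is not a tcpdump record and is skipped")
    return lines


SAMPLE_CAPTURE = build_sample_capture()

if __name__ == "__main__":
    result = analyze(SAMPLE_CAPTURE)
    for (client, server), verdict in sorted(result["pairs"].items()):
        print(f"{client} -> {server}: {verdict}")
    print("SYN-ACKs without a captured SYN:", result["orphan_syn_acks"])
```

On a real box the input would be the output of a command like the `tcpdump -i <interface> host 64.141.14.2` Matt suggests; the point of the example is that the per-pair port summary, not the raw alert count, is what distinguishes a browser fetching a page full of images from a host sweeping another's ports.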


