Snort mailing list archives

Was my host hijacked?


From: Luiz-Otavio Zorzella <z0079 () zorzella com>
Date: Mon, 2 Jun 2003 10:26:47 -0700

Hi,

I've recently been hacked (shame on me) when I postponed a security patch one
day too long (double shame on me). I think (thought?) I managed to clean the
system, but I've been getting these SNORT reports (below) that seem to indicate
that my host is being used to portscan other folk. I'm not sure that is the
case, as I did not have SNORT on this computer before, so they could be false
alerts -- this is a somewhat busy box that serves as NAT as well.

I'm dumping the full SNORT report, except that I changed my IP address to a.b.c.d
for obvious reasons. This is a "real" IP address -- i.e. the IP of the internet
interface.

Any help would be awesome.

Zorzella

*******************************************************

Events between  06 01 06:59:29  and  06 02 05:53:22
Total events: 68
Signatures recorded: 47
Source IP recorded: 4
Destination IP recorded: 61


Events from same host to same destination using same method
=========================================================================
 # of  from             to               method
=========================================================================
    2  66.35.250.110    a.b.c.d   (spp_portscan2) Portscan detected from
66.35.250.110: 1 targets 21 ports in 2 seconds


Percentage and number of events from a host to a destination
============================================================
  %    # of  from             to              
============================================================
 2.94     2  a.b.c.d   64.141.14.2    
 2.94     2  a.b.c.d   192.52.178.30  
 2.94     2  66.35.250.110    a.b.c.d
 2.94     2  a.b.c.d   207.155.252.5  
 2.94     2  a.b.c.d   63.203.35.55  


Percentage and number of events from one host to any with same method
==============================================================
  %    # of  from             method
==============================================================
10.29     7  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets
6 ports in 0 seconds
 8.82     6  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets
6 ports in 1 seconds
 5.88     4  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets
6 ports in 6 seconds
 4.41     3  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets
6 ports in 5 seconds
 2.94     2  66.35.250.110    (spp_portscan2) Portscan detected from
66.35.250.110: 1 targets 21 ports in 2 seconds
 2.94     2  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets
6 ports in 2 seconds
 2.94     2  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets
6 ports in 36 seconds
 2.94     2  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets
6 ports in 14 seconds
 2.94     2  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets
6 ports in 44 seconds


Percentage and number of events to one certain host
=================================================================
  %    # of  to               method
=================================================================
 2.94     2  a.b.c.d   (spp_portscan2) Portscan detected from 66.35.250.110: 1
targets 21 ports in 2 seconds


The distribution of event methods
===============================================
  %    # of  method
===============================================
10.29     7  (spp_portscan2) Portscan detected from a.b.c.d
 8.82     6  (spp_portscan2) Portscan detected from a.b.c.d
 5.88     4  (spp_portscan2) Portscan detected from a.b.c.d
 4.41     3  (spp_portscan2) Portscan detected from a.b.c.d
 2.94     2  (spp_portscan2) Portscan detected from a.b.c.d
 2.94     2  (spp_portscan2) Portscan detected from a.b.c.d
 2.94     2  (spp_portscan2) Portscan detected from a.b.c.d
 2.94     2  (spp_portscan2) Portscan detected from 66.35.250.110
 2.94     2  (spp_portscan2) Portscan detected from a.b.c.d 
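As an added triage example (not part of the original post or of Snort itself), the following Python parses the spp_portscan2 messages from a report like the one above, handling the line wrapping seen in it, and sorts each alert by whether the monitored address is the scanner or the scanned host and by whether it looks like one host probed on many ports or many hosts each touched on about one port. That shape split is an assumed heuristic for separating busy-NAT noise from a real sweep, not a Snort feature; a.b.c.d stands in for the author's address as in the post.

```python
import re
from collections import Counter

# Message format of spp_portscan2 as it appears in the report above; \s+ lets
# the pattern match even when the archive wrapped a message across two lines.
PORTSCAN_RE = re.compile(
    r"\(spp_portscan2\)\s+Portscan\s+detected\s+from\s+(?P<src>\S+):\s+"
    r"(?P<targets>\d+)\s+targets\s+(?P<ports>\d+)\s+ports\s+in\s+"
    r"(?P<secs>\d+)\s+seconds"
)

def parse_report(text):
    """Return one dict per spp_portscan2 message found anywhere in the text."""
    return [
        {"src": m.group("src"), "targets": int(m.group("targets")),
         "ports": int(m.group("ports")), "secs": int(m.group("secs"))}
        for m in PORTSCAN_RE.finditer(text)
    ]

def classify(alert, monitored):
    """Label an alert by direction relative to the monitored host and by shape."""
    direction = "outbound" if alert["src"] == monitored else "inbound"
    # Heuristic (assumption, not a Snort rule): about one port per target is what
    # a NAT gateway relaying many clients' connections looks like; one target
    # with many ports is the classic shape of a host being swept.
    if alert["targets"] >= alert["ports"]:
        shape = "many-hosts-few-ports"
    else:
        shape = "one-host-many-ports"
    return direction, shape

def triage(text, monitored):
    """Count alerts per (direction, shape) so the noisy class stands out."""
    return Counter(classify(a, monitored) for a in parse_report(text))

# Constructed sample in the wrapped layout of the report above.
SAMPLE = """\
 2.94     2  66.35.250.110    (spp_portscan2) Portscan detected from
66.35.250.110: 1 targets 21 ports in 2 seconds
10.29     7  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets
6 ports in 0 seconds
 2.94     2  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets
6 ports in 36 seconds
"""

if __name__ == "__main__":
    for key, n in sorted(triage(SAMPLE, "a.b.c.d").items()):
        print(n, key)
```

In the author's report every outbound alert has the 6-targets/6-ports shape, while the only one-host/many-ports alert is inbound from 66.35.250.110; that is consistent with NAT noise, but only a look at the actual outbound connections (which processes own them, and to which destination ports) settles the question.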




