Snort mailing list archives

Was my host hijacked?


From: zorzella () zorzella com
Date: Mon, 2 Jun 2003 10:15:46 -0700

Hi,

I've recently been hacked (shame on me) when I postponed a security patch one
day too long (double shame on me). I think (thought?) I managed to clean the
system, but I've been getting these SNORT reports (below) that seem to indicate
that my host is being used to portscan other folk. I'm not sure that is the
case, as I did not have SNORT on this computer before, so these could be false
alerts -- this is a somewhat busy box that serves as NAT as well.

I'm dumping the full SNORT report; the only change is that I replaced my IP
address with a.b.c.d for obvious reasons. This is a "real" IP address -- i.e. the
IP of the internet interface.

Any help would be awesome.

Zorzella

*******************************************************

Events between  06 01 06:59:29  and  06 02 05:53:22
Total events: 68
Signatures recorded: 47
Source IP recorded: 4
Destination IP recorded: 61


Events from same host to same destination using same method
=========================================================================
 # of  from             to               method
=========================================================================
    2  66.35.250.110    a.b.c.d   (spp_portscan2) Portscan detected from
66.35.250.110: 1 targets 21 ports in 2 seconds


Percentage and number of events from a host to a destination
============================================================
  %    # of  from             to               
============================================================
 2.94     2  a.b.c.d   64.141.14.2    
 2.94     2  a.b.c.d   192.52.178.30  
 2.94     2  66.35.250.110    a.b.c.d 
 2.94     2  a.b.c.d   207.155.252.5  
 2.94     2  a.b.c.d   63.203.35.55   


Percentage and number of events from one host to any with same method
==============================================================
  %    # of  from             method
==============================================================
10.29     7  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets
6 ports in 0 seconds
 8.82     6  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets
6 ports in 1 seconds
 5.88     4  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets
6 ports in 6 seconds
 4.41     3  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets
6 ports in 5 seconds
 2.94     2  66.35.250.110    (spp_portscan2) Portscan detected from
66.35.250.110: 1 targets 21 ports in 2 seconds
 2.94     2  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets
6 ports in 2 seconds
 2.94     2  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets
6 ports in 36 seconds
 2.94     2  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets
6 ports in 14 seconds
 2.94     2  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets
6 ports in 44 seconds


Percentage and number of events to one certain host
=================================================================
  %    # of  to               method
=================================================================
 2.94     2  a.b.c.d   (spp_portscan2) Portscan detected from 66.35.250.110: 1
targets 21 ports in 2 seconds


The distribution of event methods
===============================================
  %    # of  method
===============================================
10.29     7  (spp_portscan2) Portscan detected from a.b.c.d
 8.82     6  (spp_portscan2) Portscan detected from a.b.c.d
 5.88     4  (spp_portscan2) Portscan detected from a.b.c.d
 4.41     3  (spp_portscan2) Portscan detected from a.b.c.d
 2.94     2  (spp_portscan2) Portscan detected from a.b.c.d
 2.94     2  (spp_portscan2) Portscan detected from a.b.c.d
 2.94     2  (spp_portscan2) Portscan detected from a.b.c.d
 2.94     2  (spp_portscan2) Portscan detected from 66.35.250.110
 2.94     2  (spp_portscan2) Portscan detected from a.b.c.d

----- End forwarded message -----
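As an added example, not the poster's nor Snort's own code: a short Python triage of the spp_portscan2 lines quoted in the report above. It parses the alert text, separates inbound from outbound alerts by whether the source is the box's own address (assumed here to be the a.b.c.d placeholder), and, as a heuristic of my own, tallies outbound alerts of the one-port-per-target shape apart from many-ports-on-few-targets sweeps.

```python
import re
from collections import Counter

# Alert text exactly as spp_portscan2 phrases it in the report above.
PORTSCAN2_RE = re.compile(
    r"\(spp_portscan2\) Portscan detected from (?P<src>\S+): "
    r"(?P<targets>\d+) targets (?P<ports>\d+) ports in (?P<secs>\d+) seconds"
)

def parse_portscan2(text):
    """Fields of one spp_portscan2 alert, or None if text is not one."""
    m = PORTSCAN2_RE.search(" ".join(text.split()))  # rejoin mail-wrapped lines
    if not m:
        return None
    return {"src": m["src"], "targets": int(m["targets"]),
            "ports": int(m["ports"]), "secs": int(m["secs"])}

def triage(rows, own_addrs):
    """rows: (count, alert_text) pairs; own_addrs: the box's own addresses.
    Splits alerts into inbound/outbound by source, then tallies outbound alerts
    with one port per target (targets == ports) separately: on a NAT gateway that
    shape usually means one connection to each of several hosts (heuristic),
    whereas many ports on few targets looks like a real sweep."""
    out = {"inbound": Counter(), "outbound": Counter(),
           "outbound_fanout": 0, "outbound_sweep": 0}
    for count, text in rows:
        a = parse_portscan2(text)
        if a is None:
            continue  # not a portscan2 alert; ignore
        direction = "outbound" if a["src"] in own_addrs else "inbound"
        out[direction][a["src"]] += count
        if direction == "outbound":
            key = "outbound_fanout" if a["targets"] == a["ports"] else "outbound_sweep"
            out[key] += count
    return out

# Rows constructed from the report above (wrapped lines kept as they arrived;
# a.b.c.d stays as the poster's placeholder for the NAT box's public address).
REPORT_ROWS = [
    (7, "(spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 0 seconds"),
    (6, "(spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 1 seconds"),
    (4, "(spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 6 seconds"),
    (3, "(spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 5 seconds"),
    (2, "(spp_portscan2) Portscan detected from\n66.35.250.110: 1 targets 21 ports in 2 seconds"),
    (2, "(spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 2 seconds"),
    (2, "(spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 36 seconds"),
    (2, "(spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 14 seconds"),
    (2, "(spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 44 seconds"),
]
```

Whatever the tallies say, confirming which internal host actually originated the connections still needs the NAT box's connection-tracking or firewall logs, which spp_portscan2 alerts alone cannot show.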