Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: id check returned root ?!?!

From: MH <procana () insight rr com>
Date: Sat, 28 Jun 2003 12:19:12 -0400
Hi Michael,

If you were on a security related site, this is fairly common.  If I go to 
zone-h or some other defacement mirror where part of a defacement has 
"uid=0(root)", this alarm will fire.  Look at your logs for this alert and 
determine if this is the case.

Hope this helps.
Mike

On Saturday 28 June 2003 11:20 am, Michael D. Schleif wrote:

I am fairly new to snort, and I've just begun analyzing my logs.

I have my home office network, from which I am writing this post, that
is NAT'ed behind an ipchains firewall.  This system is: 192.168.123.150

I also have a web/email server hosted by tera-byte.com: 216.234.189.108

Last week I received several of these:

4  216.234.189.108  192.168.123.150  ATTACK RESPONSES id check returned
root


Now, I have come to realize that this is a dangerous situation.

I run chkrootkit daily and have _nothing_ to report.

What should I do?




-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100006ave/direct;at.asp_061203_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: