Re: id check returned root ?!?!

["Michael D. Schleif" <mds () helices org>]

Also sprach Nicholas Delo (Sat 28 Jun 02003 at 12:58:26PM -0400):
> Check the packet contents to make sure that it is not a false positive.
> Email from the snort-users and snort-sigs mailing lists always triggers
> this alert on my IDS. Check the source and dest ports, it may be something
> like source port 110 (if you are using pop3) on your mail server to an
> unprivladged port on your mail client.
>
> > I am fairly new to snort, and I've just begun analyzing my logs.
> >
> > I have my home office network, from which I am writing this post, that
> > is NAT'ed behind an ipchains firewall.  This system is: 192.168.123.150
> >
> > I also have a web/email server hosted by tera-byte.com: 216.234.189.108
> >
> > Last week I received several of these:
> >
> > 4  216.234.189.108  192.168.123.150  ATTACK RESPONSES id check returned
> > root
> >
> >
> > Now, I have come to realize that this is a dangerous situation.
> >
> > I run chkrootkit daily and have _nothing_ to report.
> >
> > What should I do?
> >
> > --
> > Best Regards,
> >
> > mds

Is it safe to *assume* that if my box is _not_ the destination `to',
then I am *NOT* under attack?

In other words, if my box is compromised, won't _it_ be sending id=root
to the remote boxen?

What do you think?

-- 
Best Regards,

mds
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--

Attachment: _bin
Description: