Snort mailing list archives
ATTACK-RESPONSES and the gentoo portage tree
From: retsil () zipworld com au
Date: Sat, 09 Oct 2004 13:24:54 +1000 (EST)
I received the following alerts from snort on my firewall on Oct 5

[**] ATTACK-RESPONSES id check returned root [**]
10/05-20:28:42.170776 140.211.166.165:873 -> 10.192.2.59:1089
TCP TTL:51 TOS:0x0 ID:25646 IpLen:20 DgmLen:1472 DF
***A**** Seq: 0x2A69E973  Ack: 0x239D5C7  Win: 0x58C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 220967602 220902
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ATTACK-RESPONSES id check returned root [**]
10/05-20:28:42.171005 140.211.166.165:873 -> 10.192.2.59:1089
TCP TTL:50 TOS:0x0 ID:25646 IpLen:20 DgmLen:1472 DF
***A**** Seq: 0x2A69E973  Ack: 0x239D5C7  Win: 0x58C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 220967602 220902
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I haven't seen any more responses like this and there is no other evidence of intrusion in the last 5 days. A quick look using nmap shows that the host is an rsync host for the gentoo portage tree.

=======================================================================
nmap -O 140.211.166.165

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-10-09 13:09 EDT
Interesting ports on raptor.gentoo.osuosl.org (140.211.166.165):
(The 1656 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
873/tcp open   rsync
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.20 - 2.4.22 w/grsecurity.org patch
Uptime 29.232 days (since Fri Sep 10 07:40:41 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 316.659 seconds
=======================================================================

It looks like it was most likely related to my last update of my gentoo portage tree which was completed by 20:36 on Oct 5.
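The post leaves the mechanism implicit: the ATTACK-RESPONSES "id check returned root" rule is a plain content match for the string uid=0(root) (the output of `id` run as root) in any packet, so it fires whenever a file containing that text is transferred, and a sync of the portage tree moves many shell scripts that can contain it. The Python below is an added example, not code from the post or from Snort. It parses the two alert blocks above out of Snort's full-alert format, shows the content match against a constructed payload fragment of the kind an install script might carry, and applies a triage rule that treats a port-873 source on an analyst-maintained mirror list as likely benign. The mirror list is an assumption, seeded only with the raptor.gentoo.osuosl.org address from the nmap output; the payload is constructed.

```python
import re
from ipaddress import ip_address, ip_network

# The two alerts from the post, in Snort's "full" alert format (one block each).
SAMPLE_ALERTS = """\
[**] ATTACK-RESPONSES id check returned root [**]
10/05-20:28:42.170776 140.211.166.165:873 -> 10.192.2.59:1089
TCP TTL:51 TOS:0x0 ID:25646 IpLen:20 DgmLen:1472 DF
***A**** Seq: 0x2A69E973  Ack: 0x239D5C7  Win: 0x58C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 220967602 220902

[**] ATTACK-RESPONSES id check returned root [**]
10/05-20:28:42.171005 140.211.166.165:873 -> 10.192.2.59:1089
TCP TTL:50 TOS:0x0 ID:25646 IpLen:20 DgmLen:1472 DF
***A**** Seq: 0x2A69E973  Ack: 0x239D5C7  Win: 0x58C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 220967602 220902
"""

# Constructed payload: a shell fragment of the kind a package install script
# may contain. It is ordinary file content, yet it carries the exact string
# the signature looks for.
SAMPLE_PAYLOAD = (
    b'if [ "$(id)" = "uid=0(root) gid=0(root) groups=0(root)" ]; then\n'
    b'    echo "running as root, adjusting ownership"\n'
    b'fi\n'
)

# What the signature keys on: the literal output of `id` for root.
ID_ROOT_PATTERN = re.compile(rb"uid=0\(root\)")

HEADER_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
FLOW_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumed allowlist of rsync mirrors the site actually syncs from. Only the
# address the post's nmap run resolved is listed here.
KNOWN_RSYNC_MIRRORS = [ip_network("140.211.166.165/32")]  # raptor.gentoo.osuosl.org


def parse_alerts(text):
    """Turn Snort full-format alert blocks into dicts (msg, ts, src, sport, dst, dport)."""
    alerts = []
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"msg": m.group("msg")}
            alerts.append(cur)
            continue
        m = FLOW_RE.match(line)
        if m and cur is not None:
            cur.update(
                ts=m.group("ts"),
                src=m.group("src"), sport=int(m.group("sport")),
                dst=m.group("dst"), dport=int(m.group("dport")),
            )
    return alerts


def signature_matches(payload):
    """True if the payload contains the string the rule alerts on."""
    return ID_ROOT_PATTERN.search(payload) is not None


def triage(alert, mirrors=KNOWN_RSYNC_MIRRORS):
    """Classify one 'id check returned root' alert by where the traffic came from.

    The rule only proves that uid=0(root) appeared in a server-to-client packet.
    File content flowing back from a trusted rsync mirror is the expected
    benign source of that string; anything else still needs a look.
    """
    src = ip_address(alert["src"])
    from_rsync = alert["sport"] == 873
    from_known = any(src in net for net in mirrors)
    if from_rsync and from_known:
        return "likely-benign"   # file content echoed from a listed sync server
    if from_rsync:
        return "verify-mirror"   # rsync from an unlisted host: confirm before ignoring
    return "investigate"         # root claim on any other service port


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(f"{a['ts']} {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}  {triage(a)}")
    print("payload matches signature:", signature_matches(SAMPLE_PAYLOAD))
```

The triage deliberately keys on the source port and a curated mirror list rather than on the alert text, because the alert alone cannot tell a synced file apart from an interactive shell answering `id`; correlating the alert timestamp with the local sync log, as the post does, is the other half of the check.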