Snort mailing list archives

ATTACK-RESPONSES and the gentoo portage tree


From: retsil () zipworld com au
Date: Sat, 09 Oct 2004 13:24:54 +1000 (EST)


I received the following alerts from snort on my firewall on Oct 5

[**] ATTACK-RESPONSES id check returned root [**]
10/05-20:28:42.170776 140.211.166.165:873 -> 10.192.2.59:1089
TCP TTL:51 TOS:0x0 ID:25646 IpLen:20 DgmLen:1472 DF
***A**** Seq: 0x2A69E973  Ack: 0x239D5C7  Win: 0x58C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 220967602 220902
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ATTACK-RESPONSES id check returned root [**]
10/05-20:28:42.171005 140.211.166.165:873 -> 10.192.2.59:1089
TCP TTL:50 TOS:0x0 ID:25646 IpLen:20 DgmLen:1472 DF
***A**** Seq: 0x2A69E973  Ack: 0x239D5C7  Win: 0x58C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 220967602 220902
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I haven't seen any more responses like this and there is no other evidence of
intrusion in the last 5 days. A quick look using nmap shows that the host is an
rsync host for the gentoo portage tree.

=======================================================================
nmap -O 140.211.166.165

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-10-09 13:09 EDT
Interesting ports on raptor.gentoo.osuosl.org (140.211.166.165):
(The 1656 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
873/tcp open   rsync
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.20 - 2.4.22 w/grsecurity.org patch
Uptime 29.232 days (since Fri Sep 10 07:40:41 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 316.659 seconds
=======================================================================

It looks like it was most likely related to my last update of my gentoo
portage tree, which was completed by 20:36 on Oct 5.
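The classic ATTACK-RESPONSES rule behind this alert is a plain content match for the string "uid=0(root)" in any payload, so a file transfer that happens to contain that text (such as a build script synced from a portage mirror over rsync) fires it just like a real command-shell reply would. The following added example (not from the post, not Snort's code) re-implements that content match on constructed packets and shows a triage step that flags hits from a known mirror on the rsync port as probable false positives; the mirror address comes from the post, the allowlist and payloads are made up.

```python
from dataclasses import dataclass

# Byte pattern the "id check returned root" rule looks for.
ID_CHECK_ROOT = b"uid=0(root)"

# Constructed allowlist: rsync mirrors we sync the portage tree from.
KNOWN_RSYNC_MIRRORS = {"140.211.166.165"}
RSYNC_PORT = 873


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


# Constructed sample traffic. The first payload mimics a comment inside a
# synced build script; the second mimics a genuine shell reply on an odd port.
SAMPLE_PACKETS = [
    Packet("140.211.166.165", 873, "10.192.2.59", 1089,
           b"# sanity check: `id` must print uid=0(root) gid=0(root)\n"),
    Packet("198.51.100.7", 4444, "10.192.2.59", 40000,
           b"uid=0(root) gid=0(root) groups=0(root)\n"),
    Packet("140.211.166.165", 873, "10.192.2.59", 1089,
           b"DIST example-1.0.tar.gz 4096\n"),
]


def signature_hits(pkt: Packet) -> bool:
    """Same test the content match performs: literal substring, any offset."""
    return ID_CHECK_ROOT in pkt.payload


def triage(pkt: Packet):
    """Return None (no alert), 'likely-false-positive' or 'investigate'."""
    if not signature_hits(pkt):
        return None
    # Text served by a known mirror from the rsync port is file content,
    # not the output of an `id` command run on our host.
    if pkt.src_port == RSYNC_PORT and pkt.src_ip in KNOWN_RSYNC_MIRRORS:
        return "likely-false-positive"
    return "investigate"


def triage_all(packets):
    """Triage verdict for every packet that fires the signature."""
    return [(p.src_ip, p.src_port, triage(p)) for p in packets if signature_hits(p)]
```

Note that the source-port heuristic only downgrades the alert; an rsync server that was itself compromised would still deliver the same bytes, so the verdict is a triage hint, not proof of benignity.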


