Security Basics mailing list archives

Re: id check returned root

From: Joerg Over Dexia <over () dexia de>
Date: Wed, 28 Jan 2004 20:20:14 +0100

Hi there.

Am 23:28 27.01.2004 -0600 teilte Floyd Hartog mir folgendes mit:
->Date:    01/27 16:03:28     Name:    ATTACK RESPONSES id check
returned root
->Priority:    2     Type:    Potentially Bad Traffic
->IP info:     199.233.98.101:17335 -> XXX.XXX.XXX.XXX:25
->References:    none found    SID:     498
->
->Date:    01/27 16:52:21     Name:    ATTACK RESPONSES id check
returned root
->Priority:    2     Type:    Potentially Bad Traffic
->IP info:     205.206.231.26:56101 -> XXX.XXX.XXX.XXX:25
->References:    none found    SID:     498
->
->Hi
->I am a bit confused with the output from my snort logs, which
you see 
->above.  That looks bad, very bad.  But a whois seems to
indicate this is 
->the vulnwatch and securityfocus outgoing mail servers.  Am I
reading 
->this wrong?  Is this a snort bug, or a attack?  And what would
be the 
->correct response?  Thanks for your imput.  Floyd

I'd believe you get mails containing the string "uid=0(root)". 25
is you smtp port on host XXX.XXX.XXX.XXX which probably is your
mailserver. snort is just triggering on that string, because that
*can* indicate someone is issuing the "id" command after having
hacked the system. If above assumptions are correct and your
mailserver still works, I'd believe you're green.

hth, JO
-- 
+---------------------------------------------------------------+
|  __ __ __ __ _ _          just another pointless signature    |
| / _ \ V / -_) '_/                                             |
| \___/\_/\___|_|                                               |
+---------------------------------------------------------------+


---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------

Current thread:

id check returned root Floyd Hartog (Jan 28)
- Re: id check returned root Joerg Over Dexia (Jan 28)
- Re: id check returned root Alejandro Flores (Jan 28)
  - Re: id check returned root Karma (Jan 29)
    - Re: id check returned root Floyd Hartog (Jan 29)