Snort mailing list archives
Was my host hijacked?
From: zorzella () zorzella com
Date: Mon, 2 Jun 2003 10:15:46 -0700
Hi,

I've recently been hacked (shame on me) when I postponed a security patch one day too long (double shame on me). I think (thought?) I managed to clean the system, but I've been getting these SNORT reports (below) that seem to indicate that my host is being used to portscan other folk. I'm not sure that is the case, as I did not have SNORT on this computer before, so it could be false alerts -- this is a somewhat busy box that serves as NAT as well.

I'm dumping the full SNORT report, only that I changed my IP address to a.b.c.d for obvious reasons. This is a "real" IP address -- i.e. the IP of the internet interface.

Any help would be awesome.

Zorzella

*******************************************************

Events between 06 01 06:59:29 and 06 02 05:53:22
Total events: 68
Signatures recorded: 47
Source IP recorded: 4
Destination IP recorded: 61

Events from same host to same destination using same method
=========================================================================
 # of   from            to        method
=========================================================================
   2    66.35.250.110   a.b.c.d   (spp_portscan2) Portscan detected from 66.35.250.110: 1 targets 21 ports in 2 seconds

Percentage and number of events from a host to a destination
============================================================
   %    # of   from            to
============================================================
 2.94    2     a.b.c.d         64.141.14.2
 2.94    2     a.b.c.d         192.52.178.30
 2.94    2     66.35.250.110   a.b.c.d
 2.94    2     a.b.c.d         207.155.252.5
 2.94    2     a.b.c.d         63.203.35.55

Percentage and number of events from one host to any with same method
==============================================================
   %    # of   from            method
==============================================================
10.29    7     a.b.c.d         (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 0 seconds
 8.82    6     a.b.c.d         (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 1 seconds
 5.88    4     a.b.c.d         (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 6 seconds
 4.41    3     a.b.c.d         (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 5 seconds
 2.94    2     66.35.250.110   (spp_portscan2) Portscan detected from 66.35.250.110: 1 targets 21 ports in 2 seconds
 2.94    2     a.b.c.d         (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 2 seconds
 2.94    2     a.b.c.d         (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 36 seconds
 2.94    2     a.b.c.d         (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 14 seconds
 2.94    2     a.b.c.d         (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 44 seconds

Percentage and number of events to one certain host
=================================================================
   %    # of   to        method
=================================================================
 2.94    2     a.b.c.d   (spp_portscan2) Portscan detected from 66.35.250.110: 1 targets 21 ports in 2 seconds

The distribution of event methods
===============================================
   %    # of   method
===============================================
10.29    7     (spp_portscan2) Portscan detected from a.b.c.d
 8.82    6     (spp_portscan2) Portscan detected from a.b.c.d
 5.88    4     (spp_portscan2) Portscan detected from a.b.c.d
 4.41    3     (spp_portscan2) Portscan detected from a.b.c.d
 2.94    2     (spp_portscan2) Portscan detected from a.b.c.d
 2.94    2     (spp_portscan2) Portscan detected from a.b.c.d
 2.94    2     (spp_portscan2) Portscan detected from a.b.c.d
 2.94    2     (spp_portscan2) Portscan detected from 66.35.250.110
 2.94    2     (spp_portscan2) Portscan detected from a.b.c.d

----- End forwarded message -----
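The question in the post is whether the spp_portscan2 events attributed to a.b.c.d mean the box itself is scanning, or whether a busy NAT gateway is just producing noisy alerts. The script below is an added example (not code from the post, from Snort, or from the snort_stat-style report it quotes): it parses summary lines in the format of the "from one host to any with same method" section, separates events where the monitored address is the scanner from events where it is the target, and classifies each entry by shape (one target and many ports, versus many targets with roughly one port each). The sample lines are constructed from the values quoted in the report; the line format, the `my_ip` parameter and the shape thresholds are assumptions of this example, and the shape label describes the form of the traffic, not whether it is malicious. On a NAT gateway every client behind it shows up with the gateway's external address, so an "outbound" attribution here is a prompt to look at the inside interface, not a verdict on the gateway itself.

```python
import re
from collections import Counter

# Constructed sample input in the format of the summary report quoted in the post.
SAMPLE_LINES = """\
10.29 7 a.b.c.d (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 0 seconds
8.82 6 a.b.c.d (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 1 seconds
5.88 4 a.b.c.d (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 6 seconds
4.41 3 a.b.c.d (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 5 seconds
2.94 2 66.35.250.110 (spp_portscan2) Portscan detected from 66.35.250.110: 1 targets 21 ports in 2 seconds
2.94 2 a.b.c.d (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 2 seconds
2.94 2 a.b.c.d (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 36 seconds
2.94 2 a.b.c.d (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 14 seconds
2.94 2 a.b.c.d (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 44 seconds
"""

# Assumed line layout: "<percent> <count> <src> (spp_portscan2) Portscan detected from
# <scanner>: <N> targets <M> ports in <S> seconds". Addresses are matched as \S+ so the
# anonymised a.b.c.d placeholder from the post parses like a real address.
LINE_RE = re.compile(
    r"^\s*(?P<pct>[\d.]+)\s+(?P<count>\d+)\s+(?P<src>\S+)\s+"
    r"\(spp_portscan2\) Portscan detected from (?P<scanner>\S+): "
    r"(?P<targets>\d+) targets (?P<ports>\d+) ports in (?P<secs>\d+) seconds"
)


def parse_report(text):
    """Turn summary lines into event records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "count": int(m["count"]),
            "src": m["src"],
            "scanner": m["scanner"],
            "targets": int(m["targets"]),
            "ports": int(m["ports"]),
            "secs": int(m["secs"]),
        })
    return events


def scan_shape(targets, ports):
    """Coarse shape label from the targets/ports counters the preprocessor reports."""
    if targets == 1 and ports > 1:
        return "port scan"   # many ports probed on a single host
    if targets > 1 and ports <= targets:
        return "host sweep"  # many hosts, about one port each
    return "mixed"


def summarize(text, my_ip):
    """Split events by whether my_ip is the scanner or the target and tally their shapes."""
    counts = Counter()
    shapes = {"outbound": Counter(), "inbound": Counter()}
    for ev in parse_report(text):
        direction = "outbound" if ev["scanner"] == my_ip else "inbound"
        counts[direction] += ev["count"]
        shapes[direction][scan_shape(ev["targets"], ev["ports"])] += ev["count"]
    if counts["outbound"]:
        verdict = (
            f"{counts['outbound']} portscan events name {my_ip} as the scanner; "
            "if this address is a NAT gateway, capture on the inside interface to tell "
            "whether the gateway itself or a client behind it originates the traffic"
        )
    else:
        verdict = f"no portscan events name {my_ip} as the scanner"
    return {
        "outbound": counts["outbound"],
        "inbound": counts["inbound"],
        "outbound_shapes": dict(shapes["outbound"]),
        "inbound_shapes": dict(shapes["inbound"]),
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES, "a.b.c.d")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the sample, all 28 events attributed to a.b.c.d come out as "host sweep" entries (six targets, six ports, often within a second or two), while the two inbound events from 66.35.250.110 are a classic single-host port scan. That split is the first thing to establish before deciding whether the gateway was cleaned: a sweep pattern that persists after the host is taken off the network, or that disappears when a particular inside client is unplugged, answers the question far more reliably than the alert counts alone.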
Current thread:
- Was my host hijacked? Luiz-Otavio Zorzella (Jun 02)
- Re: Was my host hijacked? Matt Kettler (Jun 02)
- Re: Was my host hijacked? Luiz-Otavio Zorzella (Jun 02)
- <Possible follow-ups>
- Was my host hijacked? zorzella (Jun 04)
- Re: Was my host hijacked? Matt Kettler (Jun 02)