Snort mailing list archives

Is this a successful hack attempt?...How serious? Suggestions?


From: Sanjay Arora <skpobox () hotpop com>
Date: 21 Jun 2004 19:09:07 +0530

I am running a small LAN with IPCop with one server on the DMZ. The gateway
address to my ISP is 172.16.0.1, so obviously I'm behind a NAT server. I
myself use IP addresses 192.168.200.x and 192.168.100.x for my Green and DMZ
interfaces respectively.

Today, while checking the logs (I had not done that for a few days), I
found the following log on the 17th of this month:

Date:   06/17 20:41:25  Name:   ATTACK RESPONSES id check returned root
Priority:       2       Type:   Potentially Bad Traffic
IP info:        66.54.152.7:110 -> 172.16.0.141:32786
References:     none found      SID:    498

Checked out SID 498 on Snort.org and found:

SID      498
Message         ATTACK-RESPONSES id check returned root

Signature       alert ip any any -> any any (msg:"ATTACK-RESPONSES id check
returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown;
sid:498; rev:6;)

Summary         This event is generated by the use of a UNIX "id" command. This
may be indicative of post-compromise behavior where the attacker is
checking for super user privileges gained by a successful exploit against
a vulnerable system.

Impact  Serious. An attacker may have gained super user access to the
system.

Detailed Information    This event is generated when a UNIX "id" command
is used to confirm the user name of the currently logged in user over an
unencrypted connection.

This connection can either be a legitimate telnet connection or the
result of spawning a remote shell as a consequence of a successful
network exploit.

The string "uid=0(root)" is an output of an "id" command indicating that
the user has "root" privileges.  Seeing such a response indicates that
some user, connected over the network to a target server, has root
privileges.

Affected Systems         
Attack Scenarios        A buffer overflow exploit against an FTP server
results in "/bin/sh" being executed. An automated script performing an
attack, checks for the success of the exploit via an "id" command.

Ease of Attack  Simple. This may be post-attack behavior and can be
indicative of the successful exploitation of a vulnerable system.

False Positives         This rule will generate an event if a legitimate system
administrator executes the "id" command over an unencrypted connection
to verify the privilege level available to him.

This rule may also generate an event when viewing the documentation on
snort.org.

The web site www.bugtraq.org serves a non-standard HTTP header of the
form "X-Mandatory-Snort-Alert: *GOBBLE* uid=65534(nobody) uid=0(root)";
browsing this site will generate an event.

If you think this rule has false positives, please help fill it out.
False Negatives         None Known

If you think this rule has false negatives, please help fill it out.
Corrective Action       Ensure that this event was not generated by a
legitimate session, then investigate the server for signs of compromise.

Look for other events generated by the same IP addresses.
Contributors    Original rule writer unknown
Snort documentation contributed by Anton Chuvakin
<http://www.chuvakin.org>
Sourcefire Research Team
Nigel Houghton <nigel.houghton () sourcefire com>
Additional false positive information contributed by Arnd Fischer
Logged in the Snort logs as having run an id command after a successful
attempt at gaining access as root.

Then I ran a couple of scans on the host...



Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
       Interesting ports on mail.SoftHome.net (66.54.152.7):
(The 1141 ports scanned but not shown below are in state: filtered)
Port       State       Service                 Owner
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop-3
113/tcp    closed      auth
443/tcp    closed      https
2500/tcp   open        rtsserv
2501/tcp   open        rtsclient
8080/tcp   closed      http-proxy
8081/tcp   closed      blackice-icecap
Remote operating system guess: Linux 2.4.7 (X86)
 
Nmap run completed -- 1 IP address (1 host up) scanned in 486 seconds



This UDP scan really scared me.

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
 Warning:  OS detection will be MUCH less reliable because we did not
find at least 1 open and 1 closed TCP port
Interesting ports on mail.SoftHome.net (66.54.152.7):
(The 1 port scanned but not shown below is in state: closed)
6111/udp   open        spc
6141/udp   open        meta-corp
6142/udp   open        aspentec-lm
6143/udp   open        watershed-lm
6144/udp   open        statsci1-lm
6145/udp   open        statsci2-lm
6146/udp   open        lonewolf-lm
6147/udp   open        montage-lm
6148/udp   open        ricardo-lm
6502/udp   open        netop-rc
6549/udp   open        PowerChutePLUS
6558/udp   open        xdsxdm
6969/udp   open        acmsoda
7000/udp   open        afs3-fileserver
7001/udp   open        afs3-callback
7002/udp   open        afs3-prserver
7003/udp   open        afs3-vlserver
7004/udp   open        afs3-kaserver
7005/udp   open        afs3-volser
7006/udp   open        afs3-errors
7007/udp   open        afs3-bos
7008/udp   open        afs3-update
7009/udp   open        afs3-rmtsys
7010/udp   open        ups-onlinet
7100/udp   open        font-service
7200/udp   open        fodms
7201/udp   open        dlip
7648/udp   open        cucme-1
7649/udp   open        cucme-2
7650/udp   open        cucme-3
7651/udp   open        cucme-4
9535/udp   open        man
9876/udp   open        sd
10080/udp  open        amanda
17007/udp  open        isode-dua
17185/udp  open        wdbrpc
18000/udp  open        biimenu
22370/udp  open        hpnpd
26000/udp  open        quake
26900/udp  open        hexen2
27015/udp  open        halflife
27444/udp  open        Trinoo_Bcast
27500/udp  open        quakeworld
27910/udp  open        quake2
27960/udp  open        quake3
28910/udp  open        heretic2
31335/udp  open        Trinoo_Register
31337/udp  open        BackOrifice
32770/udp  open        sometimes-rpc4
32771/udp  open        sometimes-rpc6
32772/udp  open        sometimes-rpc8
32773/udp  open        sometimes-rpc10
32774/udp  open        sometimes-rpc12
32775/udp  open        sometimes-rpc14
32776/udp  open        sometimes-rpc16
32777/udp  open        sometimes-rpc18
32778/udp  open        sometimes-rpc20
32779/udp  open        sometimes-rpc22
32780/udp  open        sometimes-rpc24
32786/udp  open        sometimes-rpc26
32787/udp  open        sometimes-rpc28
39213/udp  open        sygatefw
45000/udp  open        ciscopop
47557/udp  open        dbbrowse
54321/udp  open        bo2k
Too many fingerprints match this host for me to give an accurate OS guess

Nmap run completed -- 1 IP address (1 host up) scanned in 3282 seconds

What I very nearly did not notice was the hostname:
mail.softhome.net, one of my own free pop3 providers, though not the
one from which I subscribe to this mailing list.

Now my question is:

- How serious is this? Am I really compromised? Are stateful iptables
firewalls like IPcop really so easy to get through? I have port forwarded
only the http & smtp ports. I am using qmail, so sendmail bugs are out.
Also, as my dmz is only a test site till I get a real ip from my ISP,
the dmz webserver was shut down on that day.

- What do I do? Check for something or straightaway reinstall ipcop so
that any rootkits etc. are destroyed?

- What about my Green Zone? What precautions should I take?

- Where does Snort store the actual packet that triggered this response?
I could not find it in the dir of this ip address in my /var/log/snort!

- How do I tackle this pop3 provider? Is he hacking? Or is he hacked
himself? I haven't scanned his other ips (pop, mail, www aliases), which each
have their own ips.

Please help.
Sanjay.
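
One way to triage this kind of SID 498 hit, as an added example that is not part of the original post or of Snort itself: the rule is an `ip any any -> any any` content match with no port or flow constraint, so it fires on any packet carrying the bytes `uid=0(root)`, including the body of an e-mail being downloaded from a POP3 server (source port 110). The script below decodes the rule's `content` syntax, reproduces the match, and reads the alert's direction; the mail-port set, the verdict labels, the addresses and the two payloads are constructed for this example.

```python
import re

# Content pattern of Snort SID 498, written the way the rule spells it.
SID_498_CONTENT = "uid=0|28|root|29|"

# Constructed for this example: services whose replies carry other people's
# text (message bodies). A match arriving FROM one of these is mail content.
MAIL_SERVER_PORTS = {25, 110, 143}

# Parses the "IP info" field of a Snort alert: "src:sport -> dst:dport".
ALERT_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)")


def snort_content_to_bytes(pattern: str) -> bytes:
    """Decode Snort 'content' syntax: text outside |..| is literal,
    inside |..| is space-separated hex bytes."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")
        else:
            out += bytes(int(h, 16) for h in chunk.split())
    return bytes(out)


def triage_sid498(ip_info: str, payload: bytes) -> dict:
    """Reproduce the rule's content match, then read the alert's direction."""
    m = ALERT_RE.search(ip_info)
    if m is None:
        raise ValueError("unrecognised 'IP info' field: " + ip_info)
    sport, dport = int(m["sport"]), int(m["dport"])
    matched = snort_content_to_bytes(SID_498_CONTENT) in payload
    if not matched:
        verdict = "no-match"
    elif sport in MAIL_SERVER_PORTS:
        # The string sits inside a message the client is fetching: read the mail.
        verdict = "mail-content-likely-false-positive"
    else:
        # Output of 'id' coming back from some other service: treat as a real hit.
        verdict = "possible-shell-output-investigate"
    return {"src_port": sport, "dst_port": dport, "matched": matched, "verdict": verdict}


# Constructed sample payloads (not captured traffic): a POP3 RETR response whose
# message body quotes an 'id' command, and plain shell output.
POP3_RETR = (b"+OK 812 octets\r\nFrom: list@example.invalid\r\nSubject: id output\r\n\r\n"
             b"> $ id\r\n> uid=0(root) gid=0(root)\r\n.\r\n")
SHELL_OUT = b"$ id\r\nuid=0(root) gid=0(root) groups=0(root)\r\n"

if __name__ == "__main__":
    print(triage_sid498("203.0.113.7:110 -> 192.0.2.141:32786", POP3_RETR))
    print(triage_sid498("192.0.2.141:23 -> 203.0.113.7:40000", SHELL_OUT))
```

The verdict is only a first cut: confirming the mail-content reading still means finding the message that was downloaded at the alert's timestamp.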



