[Snort-users] Do I have a problem?

Wayne T Work securitygauntlet at ...3130...
Sun Aug 25 17:11:05 EDT 2002

The older version of Nmap is strictly a DOS shell run program. No install 
needed. Bot it should be in the tree somewhere. Given the fact that some 
might have planted TROJAN on a machine is now controlling from within I 
would have an Investigation and Vulnerability scan of all the machines done 
ASAP. Test for Trojans and viruses. Find out how Nmap got on ANY box.

Good luck. If you need help I know of some people like my company who 
perform these tests.

At 03:45 PM 8/25/2002 -0600, KEITH KOOYMAN wrote:
>I installed a SNORT box a few weeks ago and now I am getting some strange 
>entries in my logs.  The log entry goes like this:
>ICMP Nmap2.36BETA or HPING2 Echo [Classification: Attempted Information 
>Leak] [Priority: 3]: {ICMP} ipaddress -> ipaddress
>I go to the machines that are the source (first ip) and search the 
>registry for nmap and it is there, on some machines.  No one is logged 
>onto most of the machines when the event occurrs (I am certain of 
>this).  I have seen this about 5-6 times since Fri night and can't 
>determine if I am being scanned or not.
>Does anyone have any ideas?  Does nmap leave any traces on a windows box 
>that can be found/removed?
>Any info would be appreciated.
>Send and receive Hotmail on your mobile device: http://mobile.msn.com
>This sf.net email is sponsored by: OSDN - Tired of that same old
>cell phone?  Get a new here for FREE!
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

More information about the Snort-users mailing list