[Snort-users] ATTACK RESPONSES id check returned root

Chris Green cmg at ...1935...
Tue Oct 8 07:36:11 EDT 2002


Dallas Jordan <DJordan at ...7041...> writes:

> Does anyone know what could possibly set this alert off?  I have checked
> Google and didn't come up with anything specific.  I have gotten a couple of
> these this morning and was just wondering what I should be on the lookout
> for.  Thanks for any suggestions. 


bash-2.05# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon)

Client Exploit -> Server buffer overflow
Server -> Client -> shell
Client -> Server # id
Server -> Client "you are root"

It's either someone admining a machine over telnet, someone mailing
about it, or a real root exploit.
-- 
Chris Green <cmg at ...1935...>
Fame may be fleeting but obscurity is forever.
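
Added example (not part of the original message, and not Snort's own code): a small Python triage that sorts alerted packets into the three cases the reply lists. It assumes the alert keys on the string uid=0(root); the port sets, labels and sample packets are constructed for illustration.

```python
import re
from collections import Counter

# String taken from the id(1) output in the reply. That the alert keys on
# exactly this byte sequence is an assumption made for this example.
ROOT_ID = re.compile(rb"uid=0\(root\)")

TELNET_PORT = 23
MAIL_PORTS = {25, 110, 143}  # SMTP, POP3, IMAP


def triage(src_port, dst_port, payload):
    """Classify one alerted packet into the three cases from the reply."""
    if not ROOT_ID.search(payload):
        return "no-match"
    # Telnet server echoing a shell back to its client: likely an admin
    # session, to be confirmed against who was logged in at that time.
    if src_port == TELNET_PORT:
        return "telnet-admin"
    # The string travelling inside a mail message, in either direction.
    if src_port in MAIL_PORTS or dst_port in MAIL_PORTS:
        return "mail"
    # Any other service sending root id output needs a closer look.
    return "investigate"


def summarize(packets):
    """Count triage labels over (src_port, dst_port, payload) tuples."""
    return Counter(triage(*p) for p in packets)


# Constructed sample packets: (src_port, dst_port, payload)
SAMPLES = [
    (23, 40000, b"bash-2.05# id\r\nuid=0(root) gid=0(root) "
                b"groups=0(root),1(bin),2(daemon)\r\n"),
    (40001, 25, b"Subject: odd alert\r\n\r\n> uid=0(root) gid=0(root)\r\n"),
    (21, 40002, b"uid=0(root) gid=0(root) groups=0(root)\n"),
    (80, 40003, b"HTTP/1.0 200 OK\r\n\r\nhello\r\n"),
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLES).items()):
        print(f"{label}: {count}")
```

A "telnet-admin" or "mail" label only marks the likely benign explanation; the source and destination addresses still have to match a known administrator or mail flow.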



