[Snort-users] ATTACK RESPONSES id check returned root
cmg at ...1935...
Tue Oct 8 07:36:11 EDT 2002
Dallas Jordan <DJordan at ...7041...> writes:
> Does anyone know what could possibly set this alert off? I have checked
> Google and didn't come up with anything specific. I have gotten a couple of
> these this morning and was just wondering what I should be on the lookout
> for. Thanks for any suggestions.
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon)
Client Exploit -> Server buffer overflow
Server -> Client -> shell
Client -> Server # id
Server -> Client "you are root"
It's either someone administering a machine over telnet, someone mailing
about it, or a real root exploit.
Chris Green <cmg at ...1935...>
Fame may be fleeting but obscurity is forever.
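
The three explanations in the reply above, as an added triage sketch that is not part of the original post or of Snort. The port groupings, the labels, the sample packets, and the assumption that the rule keys on the string `uid=0(root)` are all constructed for illustration:

```python
import re

# Output of `id` run as root. The alert name suggests the rule matches this
# string (assumption: the rule text itself is not quoted in the post).
ROOT_ID = re.compile(rb"uid=0\(root\)")

# Port groupings are assumptions for this sketch, not Snort settings.
CLEARTEXT_ADMIN_PORTS = {23, 513, 514}  # telnet, rlogin, rsh
MAIL_PORTS = {25, 110, 143}             # SMTP, POP3, IMAP


def triage(src_port: int, dst_port: int, payload: bytes) -> str:
    """Map one alerting packet to one of the explanations in the reply."""
    if not ROOT_ID.search(payload):
        return "no-match"
    # Someone mailing about it: the string can travel in either direction.
    if src_port in MAIL_PORTS or dst_port in MAIL_PORTS:
        return "mail-content"
    # Admin over telnet: the server echoes the `id` output back to the client,
    # so the service port is the packet's source port.
    if src_port in CLEARTEXT_ADMIN_PORTS:
        return "cleartext-admin"
    # Shell output from a service that should never produce it.
    return "investigate"


# Constructed sample packets: (source port, destination port, payload).
ALERTS = [
    (23, 40122, b"# id\r\nuid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon)\r\n"),
    (51034, 25, b"Subject: odd alert\r\n\r\nI saw uid=0(root) gid=0(root) in a capture\r\n"),
    (80, 40988, b"uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon)\n"),
]


def triage_all(alerts):
    """Return the triage label for each (src_port, dst_port, payload) tuple."""
    return [triage(s, d, p) for s, d, p in alerts]


if __name__ == "__main__":
    for (s, d, _), label in zip(ALERTS, triage_all(ALERTS)):
        print(f"{s:>5} -> {d:<5} {label}")
```

A `cleartext-admin` result only narrows the question: confirm that the client address belongs to a known administrator before closing the alert.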