[Snort-users] please help ID payload info

twig les twigles at ...131...
Tue Oct 15 11:29:04 EDT 2002


I think you may have hit a wall on the usefulness of
Snort here.  What do your host logs say?  Who logged
in?  What time were the logs manipulated last?  What
do your firewall logs say?  It may be worth your time
to check the md5 hashes on a few binaries like ps and
top.

Regarding how someone could get to your /etc/passwd
file...what access control does your Apache use? 
Which hosts does your sshd/ipfw/ipfilter allow to log
in?

As far as damage control (since I would assume the box
was compromised if it was mine) if you can't rebuild
then at least change passwords and make sure
/etc/shadow uses something strong (viva la Blowfish!)
to encrypt it.  I've read of a snafu in FreeBSD that
allows user passwds to be stored in DES when created
with the adduser function (can't confirm this, don't
flame).


--- Randy Bey <Randy.Bey at ...6683...> wrote:
> 
> > Well, first did you check to see if this is
> actually coming from your
> > webserver, or an external one? You left any
> details about that out, so
> I
> > figure it's worth asking just to be sure. If it's
> an external
> webserver, I
> > bet it's a webpage containing sample output from a
> security check
> tool.
> 
> Sorry, should have said it's the Snort server's web
> server (used for
> acid, etc).
> > 
> > also you claim that's similar to content sent out
> via email... do you
> have
> > some sort of webmail access going where you might
> be accessing those
> > emails
> > from your webserver, causing it to legitimately
> send that content?
> 
> No webmail type thing there, and further down the
> line in the payload it
> gets weird, like a dump of the /etc directory, then
> some binary
> gobbledegook that is not understandable. Here:
> 
> 2f0 : 2D 72 2D 2D 20 31 20 72 6F 6F 74 20 6F 74 68 65   -r-- 1 root othe
> 300 : 72 20 33 31 34 20 53 65 70 20 32 30 20 31 36 3A   r 314 Sep 20 16:
> 310 : 32 36 20 32 30 30 32 20 2F 65 74 63 2F 63 6F 72   26 2002 /etc/cor
> 320 : 65 61 64 6D 2E 63 6F 6E 66 20 20 32 34 37 30 30   eadm.conf  24700
> 330 : 20 31 0D 0A 2D 2D 2D 0D 0A 3E 20 2D 72 77 2D 72    1..---..> -rw-r
> 340 : 2D 2D 72 2D 2D 20 31 20 72 6F 6F 74 20 6F 74 68   --r-- 1 root oth
> 350 : 65 72 20 33 31 34 20 4F 63 74 20 31 30 20 32 32   er 314 Oct 10 22
> 360 : 3A 30 38 20 32 30 30 32 20 2F 65 74 63 2F 63 6F   :08 2002 /etc/co
> 370 : 72 65 61 64 6D 2E 63 6F 6E 66 20 20 32 34 37 30   readm.conf  2470
> 380 : 30 20 31 0D 0A 34 38 63 34 38 0D 0A 3C 20 64 72   0 1..48c48..< dr
> 390 : 77 78 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20   wxr-xr-x 2 root 
> 3a0 : 73 79 73 20 35 31 32 20 53 65 70 20 32 30 20 31   sys 512 Sep 20 1
> 3b0 : 36 3A 32 38 20 32 30 30 32 20 2F 65 74 63 2F 63   6:28 2002 /etc/c
> 3c0 : 72 6F 6E 2E 64 20 0D 0A 2D 2D 2D 0D 0A 3E 20 64   ron.d ..---..> d
> 3d0 : 72 77 78 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74   rwxr-xr-x 2 root
> 3e0 : 20 73 79 73 20 35 31 32 20 4F 63 74 20 31 30 20    sys 512 Oct 10 
> 3f0 : 32 32 3A 30 39 20 32 30 30 32 20 2F 65 74 63 2F   22:09 2002 /etc/
> 400 : 63 72 6F 6E 2E 64 20 0D 0A 36 35 63 36 35 0D 0A   cron.d ..65c65..
> 410 : 3C 20 2D 72 77 2D 72 2D 2D 72 2D 2D 20 31 20 72   < -rw-r--r-- 1 r
> 420 : 6F 6F 74 20 6F 74 68 65 72 20 32 33 39 20 53 65   oot other 239 Se
> 430 : 70 20 32 30 20 31 36 3A 32 38 20 32 30 30 32 20   p 20 16:28 2002 
> 440 : 2F 65 74 63 2F 64 75 6D 70 61 64 6D 2E 63 6F 6E   /etc/dumpadm.con
> 450 : 66 20 20 31 39 36 39 36 20 31 0D 0A 2D 2D 2D 0D   f  19696 1..---.
> 460 : 0A 3E 20 2D 72 77 2D 72 2D 2D 72 2D 2D 20 31 20   .> -rw-r--r-- 1 
> 470 : 72 6F 6F 74 20 6F 74 68 65 72 20 32 33 39 20 4F   root other 239 O
> 480 : 63 74 20 31 30 20 32 32 3A 30 39 20 32 30 30 32   ct 10 22:09 2002
> 490 : 20 2F 65 74 63 2F 64 75 6D 70 61 64 6D 2E 63 6F    /etc/dumpadm.co
> 4a0 : 6E 66 20 20 31 39 36 39 36 20 31 0D 0A 39 30 2C   nf  19696 1..90,
> 4b0 : 39 31 63 39 30 2C 39 31 0D 0A 3C 20 64 72 77 78   91c90,91..< drwx
> 4c0 : 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20 73 79   r-xr-x 2 root sy
> 4d0 : 73 20 32 30 34 38 20 53 65 70 20 32 33 20 31 37   s 2048 Sep 23 17
> 4e0 : 3A 30 30 20 32 30 30 32 20 2F 65 74 63 2F 69 6E   :00 2002 /etc/in
> 4f0 : 69 74 2E 64 20 0D 0A 3C 20 70 72 77 2D 2D 2D 2D   it.d ..< prw----
> 500 : 2D 2D 2D 20 31 20 72 6F 6F 74 20 72 6F 6F 74 20   --- 1 root root 
> 510 : 30 20 53 65 70 20 32 30 20 31 36 3A 32 38 20 32   0 Sep 20 16:28 2
> 520 : 30 30 32 20 2F 65 74 63 2F 69 6E 69 74 70 69 70   002 /etc/initpip
> 530 : 65 20 0D 0A 2D 2D 2D 0D 0A 3E 20 64 72 77 78 72   e ..---..> drwxr
> 540 : 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20 73 79 73   -xr-x 2 root sys
> 550 : 20 32 30 34 38 20 4F 63 74 20 31 30 20 31 34 3A    2048 Oct 10 14:
> 560 : 34 31 20 32 89 95 50 FE FF FF 83 BD 50 FE FF FF   41 2..P.....P...
> 570 : 00 75 26 8B F4 6A 00 8D 85 4C FE FF FF 50 8B 8D   .u&..j...L...P..
> 580 : 68 FE FF FF 51 8B 55 08 8B 42 08 50 FF 95 6C FE   h...Q.U..B.P..l.
> 590 : FF FF 3B F4 90 43 4B 43 4B 83 BD 50 FE FF FF 64   ..;..CKCK..P...d
> 5a0 : 7D 5C 8B 8D 50 FE FF FF 83 C1 01 89 8D 50 FE FF   }\..P........P..
> 5b0 : FF 8B 95 50 FE FF FF 69 D2 8D 66 F0 50 89 95 74   ...P...i..f.P..
> 
> 
> Randy Bey
> RiverNorth Systems
> 7300 W 147th St Suite 300
> Apple Valley, MN 55124
> http://www.rivernorthsys.com
> 


=====
-----------------------------------------------------------
Heavy metal made me do it.                        
-----------------------------------------------------------
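To make a payload dump like the one Randy quoted easier to read, here is an added example (not from the thread, and not Snort's own code) that parses the "offset : hex bytes   ascii" layout, rebuilds the raw bytes, reports where printable text gives way to binary, and checks whether the text portion carries diff(1) markers (hunk headers such as 65c65 and the "<" / ">" lines visible above). The sample dump is constructed from a few of the quoted lines; the helper names and the text/binary heuristic are the example's own.

```python
import re

# Constructed sample in the Snort payload-dump layout quoted in the thread; bytes modelled on Randy's post.
SAMPLE_DUMP = """\
3c0 : 72 6F 6E 2E 64 20 0D 0A 2D 2D 2D 0D 0A 3E 20 64   ron.d ..---..> d
3d0 : 72 77 78 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74   rwxr-xr-x 2 root
3e0 : 20 73 79 73 20 35 31 32 20 4F 63 74 20 31 30 20    sys 512 Oct 10
3f0 : 32 32 3A 30 39 20 32 30 30 32 20 2F 65 74 63 2F   22:09 2002 /etc/
400 : 63 72 6F 6E 2E 64 20 0D 0A 36 35 63 36 35 0D 0A   cron.d ..65c65..
560 : 34 31 20 32 89 95 50 FE FF FF 83 BD 50 FE FF FF   41 2..P.....P...
570 : 00 75 26 8B F4 6A 00 8D 85 4C FE FF FF 50 8B 8D   .u&..j...L...P..
"""
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
HUNK_RE = re.compile(r"^\d+(,\d+)?[acd]\d+(,\d+)?$")  # diff(1) hunk header such as 65c65

def parse_dump(text):
    """Map offset -> byte for each 'offset : hex bytes   ascii' line; the ascii column is ignored."""
    data = {}
    for line in text.splitlines():
        off_s, _, rest = line.partition(":")
        hex_part = re.split(r"\s{2,}", rest.strip(), maxsplit=1)[0]  # hex field ends at the 2+ space gap
        try:
            off, raw = int(off_s, 16), bytes.fromhex(hex_part)
        except ValueError:
            continue  # blank or non-dump line
        for i, b in enumerate(raw):
            data[off + i] = b
    return data

def segments(data):
    """Contiguous (offset, bytes) runs, so gaps in the captured dump stay visible instead of being glued."""
    runs = []
    for off in sorted(data):
        if runs and runs[-1][0] + len(runs[-1][1]) == off:
            runs[-1][1].append(data[off])
        else:
            runs.append((off, [data[off]]))
    return [(off, bytes(b)) for off, b in runs]

def split_text_binary(blob):
    """Split at the first byte outside printable ASCII / TAB / CR / LF: (text, binary_tail)."""
    for i, b in enumerate(blob):
        if b not in TEXT_BYTES:
            return blob[:i].decode("ascii"), blob[i:]
    return blob.decode("ascii"), b""

def looks_like_diff(text):
    """True when the text carries diff(1) markers: a hunk header plus '< ' or '> ' lines."""
    lines = text.splitlines()
    return any(HUNK_RE.match(l) for l in lines) and any(l.startswith(("< ", "> ")) for l in lines)
```

Run it over the two segments of the sample: the first decodes entirely to text that passes the diff check, while the second turns binary four bytes in, which is the "gobbledegook" boundary Randy was pointing at.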




