[Snort-users] Was my host hijacked?
mkettler at ...4108...
Mon Jun 2 13:03:14 EDT 2003
You're going to have to dig deeper than just overview reports.
What source and destination ports were used? This will tell you a whole lot
more about what is really going on.
For example, the events to 188.8.131.52 are likely just you surfing
websites and opening pages with lots of images on them. This can look to
the portscan2 preprocessor like a portscan, because your client may open
dozens or hundreds of http connections within a second as all the images
get loaded. If portscan2 drops packets and misses the original syn, it can
become confused and call it a "syn-ack scan" as the handshake replies come
The reason I strongly suspect 184.108.40.206 is just websurfing activity is
the reverse DNS entry for that IP.. www.jennicam.org. Unless of course
you've not been going there, in which case you might want to do some
tcpdump sniffing of the traffic heading to and from that IP:
tcpdump -i <interface> host 220.127.116.11
At 10:26 AM 6/2/2003 -0700, Luiz-Otavio Zorzella wrote:
>I've recently been hacked (shame on me) when I postponed a security patch one
>day too long (double shame on me). I think (thought?) I managed to clean the
>system, but I've been getting these SNORT reports (below) that seem to
>that my host is being used to postscan other folk. I'm not sure that is the
>case, as I did not have SNORT in this computer before, so it could be false
>alerts -- this is a somewhat busy box that serves as NAT as well.
>I'm dumping the full SNORT report, only that I changed my IP address to
>for obvious reasons. This is a "real" IP address -- i.e. the IP of the
More information about the Snort-users