[Snort-users] Was my host hijacked?

Matt Kettler mkettler at ...4108...
Mon Jun 2 13:03:14 EDT 2003


You're going to have to dig deeper than just overview reports.

What source and destination ports were used? This will tell you a whole lot 
more about what is really going on.

For example, the events to 64.141.14.2 are likely just you surfing 
websites and opening pages with lots of images on them. This can look to 
the portscan2 preprocessor like a portscan, because your client may open 
dozens or hundreds of http connections within a second as all the images 
get loaded. If portscan2 drops packets and misses the original syn, it can 
become confused and call it a "syn-ack scan" as the handshake replies come 
back.

The reason I strongly suspect 64.141.14.2 is just websurfing activity is 
the reverse DNS entry for that IP: www.jennicam.org. Unless of course 
you've not been going there, in which case you might want to do some 
tcpdump sniffing of the traffic heading to and from that IP:

tcpdump -i <interface> host 64.141.14.2


At 10:26 AM 6/2/2003 -0700, Luiz-Otavio Zorzella wrote:
>Hi,
>
>I've recently been hacked (shame on me) when I postponed a security patch one
>day too long (double shame on me). I think (thought?) I managed to clean the
>system, but I've been getting these SNORT reports (below) that seem to indicate
>that my host is being used to portscan other folk. I'm not sure that is the
>case, as I did not have SNORT on this computer before, so it could be false
>alerts -- this is a somewhat busy box that serves as NAT as well.
>
>I'm dumping the full SNORT report, only that I changed my IP address to a.b.c.d
>for obvious reasons. This is a "real" IP address -- i.e. the IP of the internet
>interface.
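As an added illustration of the point Matt makes above (not code from the original thread or from Snort), here is a toy Python model of the portscan2 failure mode: a browser opening dozens of HTTP connections to one server within a second looks like a scan, and if the outbound SYNs were dropped the replies alone look like a "syn-ack scan"; checking the ports, as he suggests, separates browsing from scanning. The client address, the threshold and the packet records are constructed.

```python
# Added toy model (not from the original thread): how a scan heuristic like
# portscan2 can mistake a browser loading many images from one web server for
# a "syn-ack scan" when it misses the SYNs, and how the ports tell them apart.
from collections import defaultdict

# Packet records are (src_ip, src_port, dst_ip, dst_port, flags); all constructed.
CLIENT, SERVER = "192.0.2.10", "64.141.14.2"   # client address is a placeholder
THRESHOLD = 20   # connections to one peer inside the window before alerting


def browsing_session(n_images, drop_syns=False):
    """n_images HTTP connections opened within one second, as a page full of
    images would cause. drop_syns=True omits the outbound SYNs, as when the
    preprocessor drops packets under load and only sees the replies."""
    pkts = []
    for i in range(n_images):
        sport = 32768 + i                      # ephemeral client port
        if not drop_syns:
            pkts.append((CLIENT, sport, SERVER, 80, "S"))
        pkts.append((SERVER, 80, CLIENT, sport, "SA"))
    return pkts


def scan_heuristic(pkts):
    """Naive portscan2-style check: count distinct connections per remote peer;
    SYN-ACKs with no SYN seen earlier are treated as evidence of a scan."""
    syns = {(s, sp, d, dp) for s, sp, d, dp, f in pkts if f == "S"}
    conns, unmatched = defaultdict(set), 0
    for s, sp, d, dp, f in pkts:
        if f == "S":
            conns[d].add((s, sp, d, dp))
        elif f == "SA":
            key = (d, dp, s, sp)               # normalise to client->server
            conns[s].add(key)
            if key not in syns:
                unmatched += 1
    busiest = max((len(v) for v in conns.values()), default=0)
    if busiest < THRESHOLD:
        return "no alert"
    return "syn-ack scan" if unmatched else "possible scan"


def port_evidence(pkts):
    """Matt's first question: which ports? Many ephemeral source ports all
    aimed at one well-known service port is a client, not a scanner."""
    service_ports = {dp for _, _, _, dp, f in pkts if f == "S"}
    service_ports |= {sp for _, sp, _, _, f in pkts if f == "SA"}
    return "client browsing" if service_ports == {80} else "mixed ports"
```

With the full capture the heuristic still trips on a big image-heavy page, and with the SYNs dropped it escalates to "syn-ack scan", while the port check reports ordinary client browsing in both cases.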