[Snort-users] Was my host hijacked?

zorzella at ...9350...
Wed Jun 4 06:25:19 EDT 2003


Hi,

I've recently been hacked (shame on me) when I postponed a security patch one
day too long (double shame on me). I think (thought?) I managed to clean the
system, but I've been getting these SNORT reports (below) that seem to indicate
that my host is being used to portscan other folk. I'm not sure that is the
case, as I did not have SNORT on this computer before, so they could be false
alerts -- this is a somewhat busy box that serves as NAT as well.

I'm dumping the full SNORT report, except that I changed my IP address to a.b.c.d
for obvious reasons. This is a "real" IP address -- i.e. the IP of the internet
interface.

Any help would be awesome.

Zorzella

*******************************************************

Events between  06 01 06:59:29  and  06 02 05:53:22
Total events: 68
Signatures recorded: 47
Source IP recorded: 4
Destination IP recorded: 61


Events from same host to same destination using same method
=========================================================================
 # of  from             to               method
=========================================================================
    2  66.35.250.110    a.b.c.d   (spp_portscan2) Portscan detected from 66.35.250.110: 1 targets 21 ports in 2 seconds


Percentage and number of events from a host to a destination
============================================================
  %    # of  from             to               
============================================================
 2.94     2  a.b.c.d   64.141.14.2    
 2.94     2  a.b.c.d   192.52.178.30  
 2.94     2  66.35.250.110    a.b.c.d 
 2.94     2  a.b.c.d   207.155.252.5  
 2.94     2  a.b.c.d   63.203.35.55   


Percentage and number of events from one host to any with same method
==============================================================
  %    # of  from             method
==============================================================
10.29     7  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 0 seconds
 8.82     6  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 1 seconds
 5.88     4  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 6 seconds
 4.41     3  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 5 seconds
 2.94     2  66.35.250.110    (spp_portscan2) Portscan detected from 66.35.250.110: 1 targets 21 ports in 2 seconds
 2.94     2  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 2 seconds
 2.94     2  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 36 seconds
 2.94     2  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 14 seconds
 2.94     2  a.b.c.d   (spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 44 seconds


Percentage and number of events to one certain host
=================================================================
  %    # of  to               method
=================================================================
 2.94     2  a.b.c.d   (spp_portscan2) Portscan detected from 66.35.250.110: 1 targets 21 ports in 2 seconds


The distribution of event methods
===============================================
  %    # of  method
===============================================
10.29     7  (spp_portscan2) Portscan detected from a.b.c.d
 8.82     6  (spp_portscan2) Portscan detected from a.b.c.d
 5.88     4  (spp_portscan2) Portscan detected from a.b.c.d
 4.41     3  (spp_portscan2) Portscan detected from a.b.c.d
 2.94     2  (spp_portscan2) Portscan detected from a.b.c.d
 2.94     2  (spp_portscan2) Portscan detected from a.b.c.d
 2.94     2  (spp_portscan2) Portscan detected from a.b.c.d
 2.94     2  (spp_portscan2) Portscan detected from 66.35.250.110
 2.94     2  (spp_portscan2) Portscan detected from a.b.c.d

----- End forwarded message -----
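The two kinds of spp_portscan2 alert in the report above have different shapes: the inbound one from 66.35.250.110 hits 1 target on 21 ports (a probe of a single host), while every outbound one attributed to a.b.c.d hits 6 targets on 6 ports, i.e. about one port per target, which is also what several LAN clients opening separate connections through a NAT gateway look like to the preprocessor. The script below is an added example, not part of the original post or of Snort; it parses the alert strings, splits them into inbound/outbound relative to the box's external address, and classifies the shape from the targets/ports counters. The sample lines are constructed from the method strings in the summary, and the shape thresholds are this example's own choice, not a Snort default.

```python
"""Triage spp_portscan2 alert strings: direction and scan shape.

Added example (not from the original post). Sample alerts are constructed
from the summary in the message; a.b.c.d is the NAT box's external address.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# External (internet-facing) address of the box, anonymised as in the post.
HOST = "a.b.c.d"

# Constructed sample: one spp_portscan2 method string per line.
SAMPLE_ALERTS = [
    "(spp_portscan2) Portscan detected from 66.35.250.110: 1 targets 21 ports in 2 seconds",
    "(spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 0 seconds",
    "(spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 1 seconds",
    "(spp_portscan2) Portscan detected from a.b.c.d: 6 targets 6 ports in 44 seconds",
]

ALERT_RE = re.compile(
    r"Portscan detected from (?P<src>\S+): (?P<targets>\d+) targets? "
    r"(?P<ports>\d+) ports? in (?P<secs>\d+) seconds?"
)


@dataclass
class PortscanAlert:
    src: str
    targets: int
    ports: int
    seconds: int

    @property
    def direction(self) -> str:
        """'outbound' when our own external address is named as the scanner."""
        return "outbound" if self.src == HOST else "inbound"

    @property
    def ports_per_target(self) -> float:
        return self.ports / self.targets

    @property
    def shape(self) -> str:
        """Classify from the two counters spp_portscan2 reports.

        vertical : one or two targets, many ports each -> a probe of a host.
        spread   : about one port per target -> many separate connections to
                   different hosts. From a NAT gateway's external IP this is
                   indistinguishable, in the alert alone, from ordinary client
                   traffic; it needs the host-side check in the usage note.
        mixed    : anything else.
        Thresholds (2 targets, 5 ports/target, 1.5 ports/target) are this
        example's assumptions, not Snort settings.
        """
        if self.targets <= 2 and self.ports_per_target >= 5:
            return "vertical"
        if self.ports_per_target <= 1.5:
            return "spread"
        return "mixed"


def parse_alert(line: str) -> Optional[PortscanAlert]:
    """Return a PortscanAlert for a spp_portscan2 line, or None if it is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return PortscanAlert(m["src"], int(m["targets"]), int(m["ports"]), int(m["secs"]))


def triage(lines: List[str]) -> List[dict]:
    """One summary row per parsable alert line; non-matching lines are skipped."""
    rows = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        rows.append({
            "src": alert.src,
            "direction": alert.direction,
            "shape": alert.shape,
            "ports_per_target": round(alert.ports_per_target, 2),
            "seconds": alert.seconds,
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

Run against the report, the inbound alert classifies as a vertical probe and all of the outbound ones as "spread". The alert text alone cannot tell whether that spread traffic is forwarded LAN clients or a local process on the gateway; the deciding check is on the box itself, looking at which process owns the outbound connections at the time the alerts fire (a local socket owner versus connections that only exist in the NAT translation table).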
