[Snort-users] id check returned root ?!?!

MH procana at ...4296...
Sat Jun 28 09:35:03 EDT 2003


Hi Michael,

If you were on a security-related site, this is fairly common.  If I go to 
zone-h or some other defacement mirror where part of a defacement has 
"uid=0(root)", this alarm will fire.  Look at your logs for this alert and 
determine if this is the case.

Hope this helps.
Mike

On Saturday 28 June 2003 11:20 am, Michael D. Schleif wrote:
> I am fairly new to snort, and I've just begun analyzing my logs.
>
> I have my home office network, from which I am writing this post, that
> is NAT'ed behind an ipchains firewall.  This system is: 192.168.123.150
>
> I also have a web/email server hosted by tera-byte.com: 216.234.189.108
>
> Last week I received several of these:
>
> 4  216.234.189.108  192.168.123.150  ATTACK RESPONSES id check returned
> root
>
>
> Now, I have come to realize that this is a dangerous situation.
>
> I run chkrootkit daily and have _nothing_ to report.
>
> What should I do?
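
The log check suggested in the reply above, sketched as an added example that is not part of either message in this thread: it takes the payload of one alerted packet and reports whether the "uid=0(root)" hit sits inside the HTML body of an HTTP response (page content, as with a defacement mirror) or needs a closer look. The function name `triage`, the port list, the HTML heuristic and both sample payloads are assumptions constructed for illustration, not Snort logic.

```python
import re

# Byte string the reply says fires the alert when it appears in page content.
ID_ROOT = re.compile(rb"uid=0\(root\)")
HTML_TAG = re.compile(rb"<(html|head|body|pre|p|div|td|br)\b", re.I)


def triage(payload: bytes, src_port: int) -> dict:
    """Give an analyst context for one alerted packet payload.

    verdict is 'no-match', 'likely-web-content' or 'investigate'.
    The rules are assumptions for illustration, not Snort logic.
    """
    m = ID_ROOT.search(payload)
    if m is None:
        return {"verdict": "no-match", "context": b""}
    # 40 bytes either side of the hit, so the analyst can read what surrounds it.
    context = payload[max(0, m.start() - 40):m.end() + 40]
    head, sep, body = payload.partition(b"\r\n\r\n")
    http_html = (
        src_port in (80, 8080)
        and head.startswith(b"HTTP/1.")
        and bool(sep)
        and b"content-type: text/html" in head.lower()
    )
    # Page content: the hit is in the body of an HTML response that carries markup.
    if http_html and ID_ROOT.search(body) and HTML_TAG.search(body):
        verdict = "likely-web-content"
    else:
        # Includes packets with no HTTP headers (mid-stream segments): stay cautious.
        verdict = "investigate"
    return {"verdict": verdict, "context": context}


# Constructed sample payloads (not taken from the thread).
MIRROR_PAGE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><h1>Defacement mirror</h1>"
    b"<pre>owned by example crew uid=0(root) gid=0(root)</pre></body></html>"
)
RAW_ID_OUTPUT = b"uid=0(root) gid=0(root) groups=0(root)\n"

if __name__ == "__main__":
    for name, data, port in [("mirror", MIRROR_PAGE, 80), ("raw", RAW_ID_OUTPUT, 50000)]:
        print(name, triage(data, port))
```

A "likely-web-content" verdict is only a hint to read the surrounding context; anything else, including a packet that carries no HTTP headers, stays in the "investigate" pile.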




