[Snort-users] id check returned root ?!?!
procana at ...4296...
Sat Jun 28 09:35:03 EDT 2003
If you were on a security-related site, this is fairly common. If I go to
zone-h or some other defacement mirror where part of a defacement has
"uid=0(root)", this alarm will fire. Look at your logs for this alert and
determine if this is the case.
Hope this helps.
On Saturday 28 June 2003 11:20 am, Michael D. Schleif wrote:
> I am fairly new to snort, and I've just begun analyzing my logs.
> I have my home office network, from which I am writing this post, that
> is NAT'ed behind an ipchains firewall. This system is: 192.168.123.150
> I also have a web/email server hosted by tera-byte.com: 18.104.22.168
> Last week I received several of these:
> 4 22.214.171.124 192.168.123.150 ATTACK RESPONSES id check returned
> Now, I have come to realize that this is a dangerous situation.
> I run chkrootkit daily and have _nothing_ to report.
> What should I do?
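
An added example, not part of the original thread: a Python triage of Snort fast-alert lines that separates the case the reply describes (an external web server returning a page containing "uid=0(root)" to a local client) from a local host sending that string outward. The `HOME_NET` range, the web-port set, the `triage` helper and the sample alert lines are constructed assumptions.

```python
import ipaddress
import re

# Snort "fast" alert layout:
#   timestamp [**] [gid:sid:rev] msg [**] [...] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)
HOME_NET = ipaddress.ip_network("192.168.123.0/24")  # assumption: the NAT'ed LAN
WEB_PORTS = {80, 8080}  # assumption: ports treated as plain-HTTP servers


def triage(line):
    """Classify one alert line; None if it is not an 'id check returned' alert."""
    m = ALERT_RE.search(line)
    if not m or "id check returned" not in m["msg"]:
        return None
    src_local = ipaddress.ip_address(m["src"]) in HOME_NET
    dst_local = ipaddress.ip_address(m["dst"]) in HOME_NET
    if not src_local and dst_local and int(m["sport"]) in WEB_PORTS:
        # External web server -> local client: the string came in a fetched page.
        return "likely-benign: web content fetched by a local client"
    if src_local and not dst_local:
        # A local host sent "uid=0(root)" outward: examine that host.
        return "investigate: local host emitted the string"
    return "review: flow matches neither pattern"


# Constructed sample alerts (documentation address ranges, made-up ports).
SAMPLE = [
    "06/28-11:02:13.481220  [**] [1:498:3] ATTACK RESPONSES id check returned "
    "root [**] [Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 203.0.113.10:80 -> 192.168.123.150:32801",
    "06/28-11:07:40.019384  [**] [1:498:3] ATTACK RESPONSES id check returned "
    "root [**] [Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 192.168.123.150:23 -> 198.51.100.7:40122",
    "06/28-11:09:02.553100  [**] [1:1000001:1] EXAMPLE unrelated alert [**] "
    "[Priority: 3] {TCP} 203.0.113.10:80 -> 192.168.123.150:32805",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry))
```

A "likely-benign" result only reflects the flow direction; the packet payload logged with the alert still has to be read to confirm the string sat inside page content.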