[Snort-users] ATTACK-RESPONSES and the gentoo portage tree

retsil at ...12533...
Fri Oct 8 20:30:43 EDT 2004


I received the following alerts from snort on my firewall on Oct 5

[**] ATTACK-RESPONSES id check returned root [**]
10/05-20:28:42.170776 140.211.166.165:873 -> 10.192.2.59:1089
TCP TTL:51 TOS:0x0 ID:25646 IpLen:20 DgmLen:1472 DF
***A**** Seq: 0x2A69E973  Ack: 0x239D5C7  Win: 0x58C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 220967602 220902
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ATTACK-RESPONSES id check returned root [**]
10/05-20:28:42.171005 140.211.166.165:873 -> 10.192.2.59:1089
TCP TTL:50 TOS:0x0 ID:25646 IpLen:20 DgmLen:1472 DF
***A**** Seq: 0x2A69E973  Ack: 0x239D5C7  Win: 0x58C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 220967602 220902
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I haven't seen any more responses like this and there is no other evidence of
intrusion in the last 5 days. A quick look using nmap shows that the host is a
rsync host for the gentoo portage tree.

=======================================================================
nmap -O 140.211.166.165

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-10-09 13:09 EDT
Interesting ports on raptor.gentoo.osuosl.org (140.211.166.165):
(The 1656 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
873/tcp open   rsync
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.20 - 2.4.22 w/grsecurity.org patch
Uptime 29.232 days (since Fri Sep 10 07:40:41 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 316.659 seconds
=======================================================================

It looks like it was most likely related to my last update of my gentoo
portage tree which was completed by 20:36 on Oct 5.
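The alerts above are a classic content false positive: the "id check returned root" rule is a plain byte match on the string uid=0(root), and an rsync mirror ships whole files, so any file in the portage tree that happens to contain that text (a test script, a comment, documentation of id(1) output) trips the rule on the way in. The usual tuning is not to disable the rule but to suppress it for the known mirror source, so it keeps firing for every other host. The script below is an added example written for this post, not code from the poster or from Snort: it re-implements the content match and a Snort-style threshold.conf suppress entry, and runs them over constructed packets. The mirror and firewall addresses come from the post; the payloads, the third host 203.0.113.9 and the SID value 498 (assumed to be the stock ruleset number for this rule) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Byte pattern matched by the stock Snort rule "ATTACK-RESPONSES id check
# returned root" (content:"uid=0|28|root|29|"). The SID value 498 is assumed
# from the stock ruleset; it is not stated in the list post.
ID_CHECK_SID = 498
ID_CHECK_PATTERN = b"uid=0(root)"
SNORT_GEN_ID = 1  # generator 1 = text rules


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Suppress:
    """One threshold.conf entry: suppress gen_id, sig_id, track, ip."""
    sig_id: int
    track: str  # "by_src" or "by_dst"
    network: ipaddress.IPv4Network


def matches_id_check(pkt: Packet) -> bool:
    """The rule is a bare content match: any payload carrying the bytes fires."""
    return ID_CHECK_PATTERN in pkt.payload


def is_suppressed(pkt: Packet, sid: int, suppressions: List[Suppress]) -> bool:
    """Suppression keeps the rule active but drops alerts for the listed hosts."""
    for s in suppressions:
        if s.sig_id != sid:
            continue
        addr = ipaddress.ip_address(pkt.src_ip if s.track == "by_src" else pkt.dst_ip)
        if addr in s.network:
            return True
    return False


def evaluate(pkts: List[Packet], suppressions: List[Suppress]) -> List[Tuple[int, str, str]]:
    """Return (sid, src, dst) for every packet that matches and is not suppressed."""
    alerts = []
    for pkt in pkts:
        if matches_id_check(pkt) and not is_suppressed(pkt, ID_CHECK_SID, suppressions):
            alerts.append((ID_CHECK_SID, pkt.src_ip, pkt.dst_ip))
    return alerts


def suppress_line(s: Suppress) -> str:
    """Render the entry in Snort threshold.conf syntax."""
    ip = str(s.network.network_address) if s.network.prefixlen == 32 else str(s.network)
    return f"suppress gen_id {SNORT_GEN_ID}, sig_id {s.sig_id}, track {s.track}, ip {ip}"


# Constructed packets. The mirror and firewall addresses are the ones in the
# post; the payloads and the third host (203.0.113.9) are made up for the demo.
MIRROR_CHUNK = Packet(
    "140.211.166.165", 873, "10.192.2.59", 1089,
    b"# portage tree file shipped over rsync; this text only documents id(1) output\n"
    b"# expected: uid=0(root) gid=0(root)\n",
)
MIRROR_BENIGN = Packet("140.211.166.165", 873, "10.192.2.59", 1089, b'KEYWORDS="x86 amd64"\n')
OTHER_HOST = Packet("203.0.113.9", 873, "10.192.2.59", 1089, b"uid=0(root) gid=0(root)\n")
SAMPLE_PACKETS = [MIRROR_CHUNK, MIRROR_BENIGN, OTHER_HOST]

# Quiet SID 498 only for traffic sourced from the portage mirror.
SUPPRESSIONS = [Suppress(ID_CHECK_SID, "by_src", ipaddress.IPv4Network("140.211.166.165/32"))]

if __name__ == "__main__":
    print(suppress_line(SUPPRESSIONS[0]))
    for alert in evaluate(SAMPLE_PACKETS, SUPPRESSIONS):
        print("ALERT", alert)
```

With the suppression in place the mirror chunk no longer alerts while the same bytes from any other source still do; without it both sources alert, which is exactly the pair of events in the post. Before adding the entry, confirm the timing against the emerge log as the poster did, since the rule itself cannot tell a synced file apart from a real command response.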
