[Snort-users] Anyone have problems with aanval?
scheidell at ...5171...
Thu Jan 26 19:33:03 EST 2006
Started to test 'aanval' for its better reporting that base.
Found some interesting things. They insist you take php out of safe
mode (saying that they have secured aanval, and there is no need for
Also found something that may be a bug in aanval, or something worse.
We traced a very large data transfer from the host we had running aanval
(21GB of data)
Killall -9 httpd didn't stop it.
Killall -9 php didn't stop it.
(process starts itself again and again)
Had to null route 22.214.171.124 to block the traffic.
Processes involved in transfer:
root php 26953 0 tcp4 126.96.36.199:1831
ps -p26953 -auxww
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 26953 0.0 5.4 33328 27868 ?? S 10:12PM 0:14.14 php -q
Tcpdump of traffic appears to be random (or encrypted) data.
Interesting thing about that ip address:
www.aanval.com is a nickname for aanval.com
aanval.com has address 188.8.131.52
aanval.com mail is handled (pri=10) by mail.aanval.com
Anyone else use or try to use aanval? (ps, I didn't turn off safe mode.
It requires safe mode to install, but once installed, runs fine if you
re-enable it and HUP apache)
Needless to say, we will be taking aanval php source code apart to see
what is was doing.
If anyone has an answer, I would appreciate it.
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
Keep up to date with latest information on IT security: Real time
security alerts: http://www.secnap.com/news
More information about the Snort-users