[Snort-users] Anyone have problems with aanval?

Michael Scheidell scheidell at ...5171...
Thu Jan 26 19:33:03 EST 2006

Started to test 'aanval' for its better reporting that base.

Found some interesting things.  They insist you take php out of safe
mode (saying that they have secured aanval, and there is no need for
safe mode).

Also found something that may be a bug in aanval, or something worse.

We traced a very large data transfer from the host we had running aanval

(21GB of data)

Killall -9 httpd didn't stop it.
Killall -9 php didn't stop it.
(process starts itself again and again)

Had to null route to block the traffic.

Processes involved in transfer:
root     php      26953    0 tcp4

ps -p26953    -auxww
root 26953  0.0  5.4 33328 27868  ??  S    10:12PM   0:14.14 php -q

Tcpdump of traffic appears to be random (or encrypted) data.

Interesting thing about that ip address:
host www.aanval.com
www.aanval.com is a nickname for aanval.com
aanval.com has address
aanval.com mail is handled (pri=10) by mail.aanval.com

Anyone else use or try to use aanval? (ps, I didn't turn off safe mode.
It requires safe mode to install, but once installed, runs fine if you
re-enable it and HUP apache)

Needless to say, we will be taking aanval php source code apart to see
what is was doing.

If anyone has an answer, I would appreciate it.

Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
Keep up to date with latest information on IT security: Real time
security alerts: http://www.secnap.com/news

More information about the Snort-users mailing list