[Snort-users] Anyone have problems with aanval?

Michael Scheidell scheidell at ...5171...
Thu Jan 26 19:33:03 EST 2006


Started to test 'aanval' for its better reporting that base.

Found some interesting things.  They insist you take php out of safe
mode (saying that they have secured aanval, and there is no need for
safe mode).

Also found something that may be a bug in aanval, or something worse.

We traced a very large data transfer from the host we had running aanval
to 82.165.229.52

(21GB of data)

Killall -9 httpd didn't stop it.
Killall -9 php didn't stop it.
(process starts itself again and again)

Had to null route 82.165.229.52 to block the traffic.

Processes involved in transfer:
root     php      26953    0 tcp4   204.89.241.133:1831
82.165.229.52:80

ps -p26953    -auxww
USER   PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
root 26953  0.0  5.4 33328 27868  ??  S    10:12PM   0:14.14 php -q
/usr/local/www/hackertrap/aanval/apps/processorB.php

Tcpdump of traffic appears to be random (or encrypted) data.

Interesting thing about that ip address:
host www.aanval.com
www.aanval.com is a nickname for aanval.com
aanval.com has address 82.165.229.52
aanval.com mail is handled (pri=10) by mail.aanval.com

Anyone else use or try to use aanval? (ps, I didn't turn off safe mode.
It requires safe mode to install, but once installed, runs fine if you
re-enable it and HUP apache)

Needless to say, we will be taking aanval php source code apart to see
what is was doing.

If anyone has an answer, I would appreciate it.

-- 
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
Keep up to date with latest information on IT security: Real time
security alerts: http://www.secnap.com/news
 




More information about the Snort-users mailing list