Re: id check returned root

From: Alejandro Flores (alejandro.flores_at_triforsec.com.br)
Date: 01/28/04

  • Next message: Shawn Jackson: "RE: Worm.SCO.A (W32/Mydoom@MM)" 
    To: Floyd Hartog <floyd@webwizard.dyndns.ws>
Date: Wed, 28 Jan 2004 16:55:31 -0300

            Hi Floyd,

    > Date: 01/27 16:03:28 Name: ATTACK RESPONSES id check returned root
    > Priority: 2 Type: Potentially Bad Traffic
    > IP info: 199.233.98.101:17335 -> XXX.XXX.XXX.XXX:25
    > References: none found SID: 498
    > I am a bit confused with the output from my snort logs, which you see
    > above. That looks bad, very bad. But a whois seems to indicate this is
    > the vulnwatch and securityfocus outgoing mail servers. Am I reading
    > this wrong? Is this a snort bug, or a attack? And what would be the
    > correct response? Thanks for your imput. Floyd

            Looks like a false positive. This rule checks for packets with
    'uid=0(root)' inside. And it was found in your mail traffic. Check your
    mail and look for this content inside one of your messages.

    Regards,
    Alejandro Flores

    --TriForSec
    http://www.triforsec.com.br/

    ---------------------------------------------------------------------------
    Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
    course! All of our class sizes are guaranteed to be 10 students or less.
    We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
    and many other technical hands on courses.
    Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
    any course!
    ----------------------------------------------------------------------------

  • Next message: Shawn Jackson: "RE: Worm.SCO.A (W32/Mydoom@MM)"