This was not in any "log". Snort analyzes all traffic that it
sees and checks it against specific rules. If the packet contains
a certain attack signature/pattern it creates an alert. Here is
the rule that created that alert:<br>
<br>
alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned
root"; content:"uid=0|28|root|29|"; classtype:bad-unknown;<br>
sid:498; rev:6;)<br>
<br>
See "content". If that string is in a packet, snort will fire an alert.<br>
<br>
I am going to head over to snort now; I asked this list first because I
was more concerned about verifying whether my box has been hacked or not.
I was hoping that someone could point me to other places/files/etc. to
check.<br>
<br>
Thanks,<br>
Chris<br><br><div><span class="gmail_quote">On 10/21/05, <b class="gmail_sendername">Ken Rambler</b> <<a href="mailto:ken@ramblernet.com">ken@ramblernet.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><span><font color="#0000ff" face="Arial" size="2">I
still think this is a 404 string entry in your HTTP log, perhaps an overflow
attempt. It would be good to know specifically which log contained the entry.
Can you log in to the server and read the log files? If that is one entry in
your access file, then I would not be too concerned. You could add the offending
IP address to your hosts.deny file but that doesn't normally stop
an attacker for long.</font></span></div>
<div><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div><span><font color="#0000ff" face="Arial" size="2">My
suggestion is to ask the <a href="http://snort.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">snort.org</a> forum to be sure. </font></span></div>
<div><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div></div>
<div><font face="Tahoma" size="2"><span class="q">-----Original Message-----<br><b>From:</b>
wplug-bounces+ken=<a href="mailto:ramblernet.com@wplug.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">ramblernet.com@wplug.org</a>
[mailto:<a href="mailto:wplug-bounces+ken=ramblernet.com@wplug.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">wplug-bounces+ken=ramblernet.com@wplug.org</a>] <b>On Behalf Of </b>Chris
Romano<br></span><span class="q"><b>Sent:</b> Friday, October 21, 2005 11:45 AM<br><b>To:</b> General
user list<br></span></font><div><span class="e" id="q_107140db71a5a0db_3"><font face="Tahoma" size="2"><b>Subject:</b> Re: [wplug] Need help with a snort alert. Did my
box get hacked?<br><br></font></span></div></div><div><span class="e" id="q_107140db71a5a0db_5">
<blockquote style="margin-right: 0px;" dir="ltr"><br><br>
<div><span class="gmail_quote">On 10/21/05, <b class="gmail_sendername">Ken
Rambler</b> <<a href="mailto:ken@ramblernet.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">ken@ramblernet.com</a>>
wrote:</span>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><font color="#0000ff" face="Arial" size="2"><span>Chris,</span></font></div>
<div><font color="#0000ff" face="Arial" size="2"><span></span></font> </div>
<div><font color="#0000ff" face="Arial" size="2"><span>Are you using IPTABLES or
SHOREWALL? </span></font></div>
<div><font color="#0000ff" face="Arial" size="2"><span>Do you have a wireless
router on your LAN, and if so are you using wireless encryption?
</span></font></div>
<div><font color="#0000ff" face="Arial" size="2"><span>Was this message from your
firewall or a machine behind it? </span></font></div>
<div><font color="#0000ff" face="Arial" size="2"><span>Which log contained the
message?</span></font></div>
<div><font color="#0000ff" face="Arial" size="2"><span></span></font> </div>
<div><font color="#0000ff" face="Arial" size="2"><span>At first glance this looks
like a 404 entry from your HTTP log.</span></font></div></blockquote>
<div><br><br>The main firewall is an InstaGate firewall. It's basically
a box with Pitbull Linux, and you use a web interface to administer it.
The firewall/proxy box is using IPTABLES.<br><br>This is a LAN and we do not
have any wireless APs.<br><br>The entry is from Snort IDS. Our snort box
logs everything into a MySQL database, and we just use a Web GUI to view the
data.<br><br>This is our setup<br><br>XXXXXXX - main Firewall (<a href="http://10.10.10.1" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">10.10.10.1</a>)<br>
|<br> | --- XXXX Snort
Box<br> |<br> | --- XXXX two
public boxes (web/email etc)<br> |<br>XXXXXXX -
Firewall/Proxy (<a href="http://10.10.10.5" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">10.10.10.5</a>)<br>
|<br>XXXXXXX - 192.168.0.x
network<br><br>Thanks,<br>Chris<br></div><br></div></blockquote>
</span></div><br>_______________________________________________<br>wplug mailing list<br><a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:wplug@wplug.org">wplug@wplug.org</a><br><a onclick="return top.js.OpenExtLink(window,event,this)" href="http://www.wplug.org/mailman/listinfo/wplug" target="_blank">
http://www.wplug.org/mailman/listinfo/wplug</a><br><br><br></blockquote></div><br>
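Editor's added example, not part of the thread above and not Snort's own code: the rule Chris quotes (sid 498) matches on one fixed byte string, so a few lines of Python can show exactly which packets make it fire. The script parses the content option from the rule as posted, expands Snort's |hex| escapes into raw bytes, and runs the match over a handful of constructed payloads. The rule-parsing helper, the function names and the sample payloads are assumptions made for this example; only the rule text comes from the message.

```python
import re

# The Snort rule exactly as quoted in the thread (sid 498, rev 6).
RULE = ('alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; '
        'content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:6;)')


def rule_options(rule: str) -> dict:
    """Return the key:value options from the parenthesised part of a simple Snort rule.

    Handles quoted values (msg, content) and bare ones (classtype, sid, rev).
    This is a helper written for this example, not Snort's own rule parser.
    """
    body = rule[rule.index("(") + 1: rule.rindex(")")]
    opts = {}
    for key, value in re.findall(r'(\w+):("[^"]*"|[^;]+);', body):
        opts[key] = value.strip('"')
    return opts


def content_to_bytes(content: str) -> bytes:
    """Turn a Snort content string into the raw bytes Snort searches for.

    Text between pipe characters is hex (|28| is 0x28, '('); everything else is
    literal, so "uid=0|28|root|29|" becomes b"uid=0(root)".
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:          # literal text outside the pipes
            out.extend(part.encode("latin-1"))
        else:                   # hex bytes inside the pipes, possibly space separated
            out.extend(bytes.fromhex(part.replace(" ", "")))
    return bytes(out)


def rule_fires(payload: bytes, rule: str = RULE) -> bool:
    """True if the rule's content pattern occurs anywhere in the payload.

    The match is case-sensitive, as Snort's is without the nocase modifier.
    """
    return content_to_bytes(rule_options(rule)["content"]) in payload


# Constructed sample payloads for illustration (not real captures).
SAMPLES = {
    "id_from_root_shell":   b"$ id\r\nuid=0(root) gid=0(root) groups=0(root)\r\n$ ",
    "id_from_normal_user":  b"$ id\r\nuid=1000(chris) gid=1000(chris)\r\n$ ",
    "plain_http_response":  b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>",
    "web_page_quoting_id":  b"HTTP/1.1 200 OK\r\n\r\n<pre>$ id\nuid=0(root) gid=0(root)</pre>",
}


def evaluate(samples: dict = SAMPLES, rule: str = RULE) -> dict:
    """Map each sample name to whether the rule would alert on it."""
    return {name: rule_fires(payload, rule) for name, payload in samples.items()}


if __name__ == "__main__":
    opts = rule_options(RULE)
    print(f'sid {opts["sid"]}: looking for {content_to_bytes(opts["content"])!r}')
    for name, fired in evaluate().items():
        print(f"{name:24} -> {'ALERT' if fired else 'no alert'}")
```

Two of the four constructed samples trigger the rule: the genuine `id` output from a root shell, and an ordinary web page that merely contains the text uid=0(root). Because the rule is `ip any any -> any any` with no port or direction constraint, that is the expected behaviour, so the alert on its own does not say whether anything was compromised; the source and destination of the matching packet, and which service was listening on that port, are what decide it.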