[Snort-users] Is this a successful hack attempt?...How serious? Suggestions?
Sanjay Arora

2004-06-26, 2:58 pm

I am running a small LAN with IPcop with one server on DMZ. Gateway
address to my ISP is 172.16.0.1, obviously I'm behind a NAT server. I
myself use IP addresses 192.168.200.x & 192.168.100.x for my Green & DMZ
interface respectively.

Today, while checking the logs (I had not done that for a few days), I
found the following log on the 17th of this month:

Date: 06/17 20:41:25 Name: ATTACK RESPONSES id check returned root
Priority: 2 Type: Potentially Bad Traffic
IP info: 66.54.152.7:110 -> 172.16.0.141:32786
References: none found SID: 498

Checked out SID 498 on Snort.org and found:

SID 498
Message ATTACK-RESPONSES id check returned root

Signature alert ip any any -> any any (msg:"ATTACK-RESPONSES id check
returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown;
sid:498; rev:6;)

Summary This event is generated by the use of a UNIX "id" command. This
may be indicative of post-compromise behavior where the attacker is
checking for super user privileges gained by a successful exploit against
a vulnerable system.

Impact Serious. An attacker may have gained super user access to the
system.

Detailed Information This event is generated when a UNIX "id" command
is used to confirm the user name of the currently logged in user over an
unencrypted connection.

This connection can either be a legitimate telnet connection or the
result of spawning a remote shell as a consequence of a successful
network exploit.

The string "uid=0(root)" is an output of an "id" command indicating that
the user has "root" privileges. Seeing such a response indicates that
some user, connected over the network to a target server, has root
privileges.

Affected Systems
Attack Scenarios A buffer overflow exploit against an FTP server
results in "/bin/sh" being executed. An automated script performing an
attack checks for the success of the exploit via an "id" command.

Ease of Attack Simple. This may be post-attack behavior and can be
indicative of the successful exploitation of a vulnerable system.

False Positives This rule will generate an event if a legitimate system
administrator executes the "id" command over an unencrypted connection
to verify the privilege level available to him.

This rule may also generate an event when viewing the documentation on
snort.org.

The web site www.bugtraq.org serves a non-standard HTTP header of the
form "X-Mandatory-Snort-Alert: *GOBBLE* uid=65534(nobody) uid=0(root)";
browsing this site will generate an event.

If you think this rule has false positives, please help fill it out.
False Negatives None Known

If you think this rule has false negatives, please help fill it out.
Corrective Action Ensure that this event was not generated by a
legitimate session, then investigate the server for signs of compromise.

Look for other events generated by the same IP addresses.
Contributors Original rule writer unknown
Snort documentation contributed by Anton Chuvakin
<http://www.chuvakin.org>
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
Additional false positive information contributed by Arnd Fischer
logged on snort logs as have run an id command after successful attempt
of gaining access as root

Then I ran a couple of scans on the host...



Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on mail.SoftHome.net (66.54.152.7):
(The 1141 ports scanned but not shown below are in state: filtered)
Port State Service Owner
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
113/tcp closed auth
443/tcp closed https
2500/tcp open rtsserv
2501/tcp open rtsclient
8080/tcp closed http-proxy
8081/tcp closed blackice-icecap
Remote operating system guess: Linux 2.4.7 (X86)
Nmap run completed -- 1 IP address (1 host up) scanned in 486 seconds



This UDP scan really scared me.

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Warning: OS detection will be MUCH less reliable because we did not
find at least 1 open and 1 closed TCP port
Interesting ports on mail.SoftHome.net (66.54.152.7):
(The 1 port scanned but not shown below is in state: closed)
Port State Service
Too many fingerprints match this host for me to give an accurate OS
guess

Nmap run completed -- 1 IP address (1 host up) scanned in 3282 seconds

What I very nearly did not notice was the hostname.
mail.softhome.net...one of my own free POP3 providers, though not the
one from which I subscribe to this mailing list.

Now my question is:

- How serious is this? Am I really compromised? Are stateful iptables
firewalls like IPcop really so easy to get through? I have port forwarded
only the http & smtp ports. I am using qmail, so sendmail bugs are out.
Also, as my dmz is only a test site till I get a real ip from my ISP,
the dmz webserver was shut down on that day.

- What do I do? Check for something or straightaway reinstall ipcop so
that any rootkits etc. are destroyed?

- What about my Green Zone? What precautions should I take?

- Where does Snort store the actual packet that triggered this response?
I could not find it in the dir of this ip address in my /var/log/snort!

- How do I tackle this pop3 provider? Is he hacking? Or is he hacked
himself? I haven't scanned his other IPs; the pop, mail and www aliases each
have their own IPs.

Please help.
Sanjay.




sekure

2004-06-26, 2:58 pm

Chances are one of the emails you received from that host contained
the string uid=root. It could have been a mailing list discussion or
something similar. That's a common FP. I would still try to find the
packet captures and make sure. The location really depends on how you
launch snort. Is it logging in pcap format to a file, or just in
quick format, or in full format creating a directory for each
source/destination?

BTW, you really shouldn't portscan hosts that you are not in charge
of. People don't like that very much. As for nmap reporting all UDP
ports open, it's probably a good thing as opposed to a bad thing, due
to the nature of how nmap works. It sends a UDP packet to the port;
if it doesn't get a response, it assumes that the port is open.
However, there may be some sort of a filtering device blocking the
packet. If you see ALL UDP ports open, it's very likely that it's a
False Positive.

Laterz

On 21 Jun 2004 19:09:07 +0530, Sanjay Arora <skpobox@hotpop.com> wrote:
>=20
> I am running a small Lan with IPcop with one server on DMZ. Gateway
> address to my ISP is 172.16.0.1, obviously I=E1=B8=BF behind a NAT server=

.. I
> myself use IP addresses 192.168.200.x & 192.168.100.x for my Green & DMZ
> interface respectively.
>=20
> Today, while checking the logs (I had not done that for a few days), I
> found the following log on the 17th of this month:
>=20
> Date: 06/17 20:41:25 Name: ATTACK RESPONSES id check returned root
> Priority: 2 Type: Potentially Bad Traffic
> IP info: 66.54.152.7:110 -> 172.16.0.141:32786
> References: none found SID: 498
>=20
> Checked out SID 498 on Snort.org and found:
>=20
> SID 498
> Message ATTACK-RESPONSES id check returned root
>=20
> Signature alert ip any any -> any any (msg:"ATTACK-RESPONSES id che=

ck
> returned root"; content:"uid=3D0|28|root|29|"; classtype:bad-unknown;
> sid:498; rev:6;)
>=20
> Summary This event is generated by the use of a UNIX "id" command=

.. This
> may be indicative of post-compromise behavior where the attacker is
> checking for super user privileges gained by a sucessful exploit against
> a vulnerable system.
>=20
> Impact Serious. An attacker may have gained super user access to the
> system.
>=20
> Detailed Information This event is generated when a UNIX "id" command
> is used to confirm the user name of the currenly logged in user over an
> unencrypted connection.
>=20
> This connection can either be a legitimate telnet connection or the
> result of spawning a remote shell as a consequence of a successful
> network exploit.
>=20
> The string "uid=3D0(root)" is an output of an "id" command indicating tha=

t
> the user has "root" privileges. Seeing such a response indicates that
> some user, connected over the network to a target server, has root
> privileges.
>=20
> Affected Systems
> Attack Scenarios A buffer overflow exploit against an FTP server
> results in "/bin/sh" being executed. An automated script performing an
> attack, checks for the success of the exploit via an "id" command.
>
> Ease of Attack Simple. This may be post-attack behavior and can be
> indicative of the successful exploitation of a vulnerable system.
>
> False Positives This rule will generate an event if a legitimate system
> administrator executes the "id" command over an unencrypted connection
> to verify the privilege level available to him.
>
> This rule may also generate an event by viewing the documentation on
> snort.org.
>
> The web site www.bugtraq.org serves a non-standard HTTP header of the
> form "X-Mandatory-Snort-Alert: *GOBBLE* uid=65534(nobody) uid=0(root)";
> browsing this site will generate an event.
>
> If you think this rule has false positives, please help fill it out.
> False Negatives None Known
>
> If you think this rule has false negatives, please help fill it out.
> Corrective Action Ensure that this event was not generated by a
> legitimate session then investigate the server for signs of compromise
>
> Look for other events generated by the same IP addresses.
> Contributors Original rule writer unknown
> Snort documentation contributed by Anton Chuvakin
> <http://www.chuvakin.org>
> Sourcefire Research Team
> Nigel Houghton <nigel.houghton@sourcefire.com>
> Additional false positive information contributed by Arnd Fischer
> logged in the Snort logs as having run an id command after a successful
> attempt at gaining access as root
>
> Then I ran a couple of scans on the host...
>
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> Interesting ports on mail.SoftHome.net (66.54.152.7):
> (The 1141 ports scanned but not shown below are in state: filtered)
> Port State Service Owner
> 25/tcp open smtp
> 80/tcp open http
> 110/tcp open pop-3
> 113/tcp closed auth
> 443/tcp closed https
> 2500/tcp open rtsserv
> 2501/tcp open rtsclient
> 8080/tcp closed http-proxy
> 8081/tcp closed blackice-icecap
> Remote operating system guess: Linux 2.4.7 (X86)
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 486 seconds
>
> This UDP scan really scared me.
>
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> Warning: OS detection will be MUCH less reliable because we did not
> find at least 1 open and 1 closed TCP port
> Interesting ports on mail.SoftHome.net (66.54.152.7):
> (The 1 port scanned but not shown below is in state: closed)
> Too many fingerprints match this host for me to give an accurate OS
> guess
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 3282 seconds
>
> What I very nearly did not notice was the hostname:
> mail.softhome.net, one of my own free POP3 providers, though not the
> one from which I subscribe to this mailing list.
>
> Now my question is:
>
> - How serious is this? Am I really compromised? Are stateful iptables
> firewalls like IPcop really so easy to get through? I have port forwarded
> only the http & smtp ports. I am using qmail, so sendmail bugs are out.
> Also, as my DMZ is only a test site till I get a real IP from my ISP,
> the DMZ webserver was shut down on that day.
>
> - What do I do? Check for something or straightaway reinstall IPcop so
> that any rootkits etc. are destroyed?
>
> - What about my Green Zone? What precautions should I take?
>
> - Where does Snort store the actual packet that triggered this response?
> I could not find it in the dir of this IP address in my /var/log/snort!
>
> - How do I tackle this POP3 provider? Is he hacking, or is he hacked
> himself? I haven't scanned his other IPs (the pop, mail and www aliases),
> which each have their own IPs.
>
> Please help.
> Sanjay.
>
> -------------------------------------------------------
> This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
> Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
> Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
> REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists...nfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf....t=snort-users
>



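As an added illustration, not part of the original thread, here is the triage a defender can apply to the alert quoted above, in Python: it parses the alert block in the layout the post shows, decodes the rule's content option (the |28| and |29| hex bytes) so the match can be reproduced against a constructed POP3 download, and classifies the hit by flow direction, since the rule is "ip any any -> any any" with no port or direction constraint and the alert's source is the POP3 provider's port 110 talking to a local client's ephemeral port 32786. The local network ranges, the sample mail body and the triage categories are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed alert text in the layout the post shows, with the post's values.
ALERT_TEXT = """\
Date: 06/17 20:41:25 Name: ATTACK RESPONSES id check returned root
Priority: 2 Type: Potentially Bad Traffic
IP info: 66.54.152.7:110 -> 172.16.0.141:32786
References: none found SID: 498
"""

# The content option of SID 498 rev 6 as quoted in the post; |28| and |29| are hex bytes.
RULE_CONTENT = "uid=0|28|root|29|"

# Assumed local address space: the poster's Green and DMZ networks plus the
# NAT'd ISP segment holding the alert's destination (the /24 is an assumption).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("192.168.200.0/24", "192.168.100.0/24", "172.16.0.0/24")]

# Server ports whose server-to-client payload is fetched content (mail bodies, web pages).
FETCHED_CONTENT_PORTS = {25: "smtp", 80: "http", 110: "pop3", 143: "imap"}

# Constructed POP3 RETR response carrying a mail that quotes the rule text.
POP3_RETR_RESPONSE = (
    b"+OK 121 octets\r\n"
    b"Subject: Re: [Snort-users] id check returned root\r\n"
    b"\r\n"
    b"The string uid=0(root) is output of the id command.\r\n"
    b".\r\n"
)

_IPINFO = re.compile(r"IP info:\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)")
_SID = re.compile(r"\bSID:\s*(\d+)")


@dataclass(frozen=True)
class Alert:
    sid: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_alert(text: str) -> Alert:
    """Pull the SID and both endpoints out of an alert block in the post's layout."""
    m, s = _IPINFO.search(text), _SID.search(text)
    if not m or not s:
        raise ValueError("alert text lacks 'IP info' or 'SID' fields")
    return Alert(int(s.group(1)), m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))


def decode_content(pattern: str) -> bytes:
    """Expand a Snort content string: text outside |...| is literal, inside is hex."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, pattern: str = RULE_CONTENT) -> bool:
    """Same test the rule applies: decoded content anywhere in the payload, either direction."""
    return decode_content(pattern) in payload


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def triage(alert: Alert) -> tuple:
    """Classify a SID 498 hit by which side emitted the matching bytes.

    The rule carries no direction or port, so the flow decides: bytes from a
    mail/web server port to a local client's ephemeral port are fetched data;
    bytes a local host emits from an unusual port are the remote-shell shape.
    """
    if alert.sid != 498:
        return "not-sid-498", "this triage is specific to SID 498"
    svc = FETCHED_CONTENT_PORTS.get(alert.src_port)
    if svc and alert.dst_port >= 1024 and is_local(alert.dst_ip) and not is_local(alert.src_ip):
        return ("fetched-content",
                f"'uid=0(root)' arrived inside {svc} data pulled from {alert.src_ip}; "
                "read the retrieved message or page before assuming a compromise")
    if is_local(alert.src_ip) and alert.src_port not in FETCHED_CONTENT_PORTS:
        return ("local-host-emitted",
                f"local host {alert.src_ip} sent 'id' output to {alert.dst_ip}:{alert.dst_port}; "
                "treat as possible post-compromise activity and pull the full packet")
    return "review", "direction is inconclusive; check the captured payload and related events"


if __name__ == "__main__":
    alert = parse_alert(ALERT_TEXT)
    print(alert, decode_content(RULE_CONTENT), content_matches(POP3_RETR_RESPONSE))
    print(*triage(alert))
```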
Copyright 2003 - 2010 webservertalk.com