Hello,

Can someone please take a look at my latest snort report and advise me on a course of action? I cleaned a SuckIT rootkit off of my system the other day (I think I got infected last Sunday). Does the snort log indicate attempts at another hack, or that I still have a problem on my box? My IP at the time was 138.89.107.88.
Date: Thu, 29 Jul 2004 07:35:50 -0400

Events between 07 28 16:53:09 and 07 29 01:17:31
Total events: 14
Signatures recorded: 4
Source IP recorded: 4
Destination IP recorded: 2

Events from same host to same destination using same method
=======================================================================
 # of  from            to              method
=======================================================================
    6  138.89.107.88   65.54.184.250   (http_inspect) DOUBLE DECODING ATTACK
    3  69.19.218.60    138.89.107.88   ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)
    3  206.46.170.10   138.89.107.88   ATTACK-RESPONSES id check returned root
    2  65.212.179.1    138.89.107.88   ICMP Destination Unreachable (Communication Administratively Prohibited)

Percentage and number of events from a host to a destination
============================================================
     %  # of  from            to
============================================================
 42.86     6  138.89.107.88   65.54.184.250
 21.43     3  69.19.218.60    138.89.107.88
 21.43     3  206.46.170.10   138.89.107.88
 14.29     2  65.212.179.1    138.89.107.88

Percentage and number of events from one host to any with same method
==============================================================
     %  # of  from            method
==============================================================
 42.86     6  138.89.107.88   (http_inspect) DOUBLE DECODING ATTACK
 21.43     3  69.19.218.60    ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)
 21.43     3  206.46.170.10   ATTACK-RESPONSES id check returned root
 14.29     2  65.212.179.1    ICMP Destination Unreachable (Communication Administratively Prohibited)

Percentage and number of events to one certain host
=================================================================
     %  # of  to              method
=================================================================
 42.86     6  65.54.184.250   (http_inspect) DOUBLE DECODING ATTACK
 21.43     3  138.89.107.88   ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)
 21.43     3  138.89.107.88   ATTACK-RESPONSES id check returned root
 14.29     2  138.89.107.88   ICMP Destination Unreachable (Communication Administratively Prohibited)

The distribution of event methods
===============================================
     %  # of  method
===============================================
 42.86     6  (http_inspect) DOUBLE DECODING ATTACK
                 6  138.89.107.88 -> 65.54.184.250
 21.43     3  ATTACK-RESPONSES id check returned root
                 3  206.46.170.10 -> 138.89.107.88
 21.43     3  ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)
                 3  69.19.218.60 -> 138.89.107.88
 14.29     2  ICMP Destination Unreachable (Communication Administratively Prohibited)
                 2  65.212.179.1 -> 138.89.107.88

Shawn Lamson
[EMAIL PROTECTED]
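An added example, not part of the original post and not Snort's own reporting code, showing how a summary like the one above is built from raw Snort "fast"-format alert lines, and, more to the point of the question asked, how to split the alerts into those where the home address is the source and those where it is the destination. The alert lines are constructed to reproduce the counts in the report; the `[gid:sid:rev]` values and timestamps in them are placeholders, not looked up from a ruleset. The parsing regex and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in Snort "fast" alert format, built to match the counts in
# the summary above. The [gid:sid:rev] fields and timestamps are placeholders.
SAMPLE_ALERTS = """\
07/28-16:53:09.000 [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 138.89.107.88:3201 -> 65.54.184.250:80
07/28-16:53:10.000 [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 138.89.107.88:3202 -> 65.54.184.250:80
07/28-16:53:11.000 [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 138.89.107.88:3203 -> 65.54.184.250:80
07/28-16:53:12.000 [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 138.89.107.88:3204 -> 65.54.184.250:80
07/28-16:53:13.000 [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 138.89.107.88:3205 -> 65.54.184.250:80
07/28-16:53:14.000 [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 138.89.107.88:3206 -> 65.54.184.250:80
07/28-20:01:00.000 [**] [1:487:2] ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) [**] [Priority: 3] {ICMP} 69.19.218.60 -> 138.89.107.88
07/28-20:01:01.000 [**] [1:487:2] ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) [**] [Priority: 3] {ICMP} 69.19.218.60 -> 138.89.107.88
07/28-20:01:02.000 [**] [1:487:2] ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) [**] [Priority: 3] {ICMP} 69.19.218.60 -> 138.89.107.88
07/28-22:10:00.000 [**] [1:498:4] ATTACK-RESPONSES id check returned root [**] [Priority: 1] {TCP} 206.46.170.10:110 -> 138.89.107.88:1050
07/28-22:10:01.000 [**] [1:498:4] ATTACK-RESPONSES id check returned root [**] [Priority: 1] {TCP} 206.46.170.10:110 -> 138.89.107.88:1051
07/28-22:10:02.000 [**] [1:498:4] ATTACK-RESPONSES id check returned root [**] [Priority: 1] {TCP} 206.46.170.10:110 -> 138.89.107.88:1052
07/29-01:17:30.000 [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**] [Priority: 3] {ICMP} 65.212.179.1 -> 138.89.107.88
07/29-01:17:31.000 [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**] [Priority: 3] {ICMP} 65.212.179.1 -> 138.89.107.88
"""

# One "fast" alert per line: timestamp, [**] [gid:sid:rev] message [**], optional
# classification/priority, {proto} src[:port] -> dst[:port]. Ports are optional
# because ICMP alerts carry none.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sig>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$'
)


def parse_alerts(text):
    """Return a list of dicts (ts, sig, msg, proto, src, dst), skipping unparseable lines."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def summarize(alerts):
    """Build the four aggregations used in the report, each as (percent, count, key)
    rows sorted by count (ties keep first-seen order)."""
    total = len(alerts)

    def pct(n):
        return round(100.0 * n / total, 2) if total else 0.0

    counters = {
        "src_dst_method": Counter((a["src"], a["dst"], a["msg"]) for a in alerts),
        "src_dst": Counter((a["src"], a["dst"]) for a in alerts),
        "src_method": Counter((a["src"], a["msg"]) for a in alerts),
        "method": Counter(a["msg"] for a in alerts),
    }
    tables = {name: [(pct(n), n, key) for key, n in c.most_common()]
              for name, c in counters.items()}
    return {"total": total, "tables": tables}


def split_by_direction(alerts, home):
    """Separate alerts the home host originated from alerts sent to it. For a
    content-match rule, the alert's source is the host whose packet carried the
    matching payload, so this tells you which side produced the triggering bytes."""
    outbound = [a for a in alerts if a["src"] == home]
    inbound = [a for a in alerts if a["dst"] == home]
    return outbound, inbound


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    report = summarize(alerts)
    print("Total events:", report["total"])
    for p, n, key in report["tables"]["src_dst_method"]:
        print(f"{p:6.2f} {n:3d}  {key[0]:<15} {key[1]:<15} {key[2]}")
    out, inb = split_by_direction(alerts, "138.89.107.88")
    print(f"\nhome is source of {len(out)} alert(s), destination of {len(inb)}")
    for a in out:
        print("  outbound:", a["src"], "->", a["dst"], a["msg"])
```

The direction split is the part worth keeping in a triage script: it answers "did my box send the packet that fired this rule, or receive it" directly from the alert line, which the percentage tables alone do not.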