Just got the following Snort alert as part of "hacking attempt" ticket from my server provider:
Date: 05/10 13:16:17
Name: ET DROP Known Bot C&C Server Traffic UDP (group 15)
Priority: 1
Type: A Network Trojan was Detected
IP info: 192.168.0.3:42070 -> 173.45.238.221:123
References:
  http://abuse.ch
  http://www.shadowserver.org
  http://doc.emergingthreats.net/bin/view/Main/ShadowServerCC
SID: 2404029

Date: 05/10 13:16:17
Name: ET DROP Known Bot C&C Server Traffic UDP (group 15)
Priority: 1
Type: A Network Trojan was Detected
IP info: 192.168.0.3:42070 -> 173.45.238.221:123
References:
  http://abuse.ch
  http://www.shadowserver.org
  http://doc.emergingthreats.net/bin/view/Main/ShadowServerCC
SID: 2404029

I took a look at the snort rule and it seems that any UDP traffic to the IP address of that pool server is flagged.

Is anyone else seeing things like this?

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
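A triage sketch for alerts in the format quoted above, added here as an example and not part of the original post or of Snort. It parses the ticket text, collapses repeated alerts per flow, and marks UDP/123 flows for an NTP check. The names `parse_alerts`, `triage` and the verdict labels are assumptions made for this example, and the sample is constructed from the post's alert with the references abridged.

```python
import re
from collections import Counter

# Constructed sample: the ticket text from the post, flattened, References abridged.
SAMPLE = (
    "Date: 05/10 13:16:17 Name: ET DROP Known Bot C&C Server Traffic UDP (group 15) "
    "Priority: 1 Type: A Network Trojan was Detected "
    "IP info: 192.168.0.3:42070 -> 173.45.238.221:123 "
    "References: http://abuse.ch SID: 2404029 "
) * 2

ALERT_RE = re.compile(
    r"Date:\s*(?P<date>\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"Name:\s*(?P<name>.+?)\s+Priority:\s*(?P<priority>\d+)\s+"
    r"Type:\s*(?P<type>.+?)\s+IP info:\s*"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
    r".*?SID:\s*(?P<sid>\d+)",
    re.S,
)

def parse_alerts(text):
    """Return one dict per alert found in flattened or multi-line ticket text."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        a = m.groupdict()
        for key in ("priority", "sport", "dport", "sid"):
            a[key] = int(a[key])
        proto = re.search(r"\b(UDP|TCP)\b", a["name"])
        a["proto"] = proto.group(1) if proto else "unknown"
        alerts.append(a)
    return alerts

def triage(alerts):
    """Collapse repeated alerts per flow and label each distinct flow."""
    flows = Counter((a["sid"], a["src"], a["dst"], a["dport"], a["proto"]) for a in alerts)
    results = []
    for (sid, src, dst, dport, proto), count in flows.items():
        # An address-list rule matches on the destination IP alone. UDP/123 is NTP,
        # so first compare dst with the host's configured/resolved time sources.
        verdict = "review-as-ntp" if (proto, dport) == ("UDP", 123) else "investigate"
        results.append({"sid": sid, "src": src, "dst": dst, "dport": dport,
                        "proto": proto, "count": count, "verdict": verdict})
    return results

if __name__ == "__main__":
    for row in triage(parse_alerts(SAMPLE)):
        print(row)
```

A `review-as-ntp` verdict only says where to look first: confirm the destination against the time sources the host actually uses before closing or escalating the ticket.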
