LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-02-2008, 08:13 AM   #1
kav
Member
 
Registered: May 2006
Location: USA
Distribution: FreeBSD Ubuntu Debian
Posts: 137

What does this snort log look like to you?


Does this say what I think it does?
I'm going to be rebuilding this box when I get back from work today, aren't I?

The traffic from 192.168.1.44 is being picked up because it is connected to the same hub as the scanning computer.

Code:
[**] [122:3:0] (portscan) TCP Portsweep [**]
[Priority: 3]
01/02-06:44:34.543798 192.168.1.44 -> 90.157.227.80
PROTO:255 TTL:0 TOS:0x0 ID:4987 IpLen:20 DgmLen:164

[**] [1:1398:10] EXPLOIT CDE dtspcd exploit attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/02-06:48:35.413985 192.168.1.44:1811 -> 125.236.157.217:6112
TCP TTL:128 TOS:0x0 ID:29698 IpLen:20 DgmLen:82 DF
***AP*** Seq: 0x2C161A2E  Ack: 0x6FE3F9B2  Win: 0x3DAE  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2002-01.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0803][Xref => http://www.securityfocus.com/bid/3517]

[**] [122:3:0] (portscan) TCP Portsweep [**]
[Priority: 3]
01/02-06:48:35.768135 192.168.1.44 -> 124.190.59.129
PROTO:255 TTL:0 TOS:0x0 ID:21335 IpLen:20 DgmLen:170

[**] [1:1398:10] EXPLOIT CDE dtspcd exploit attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/02-06:48:36.450540 192.168.1.44:1811 -> 125.236.157.217:6112
TCP TTL:128 TOS:0x0 ID:28395 IpLen:20 DgmLen:82 DF
***AP*** Seq: 0x2C161A2E  Ack: 0x6FE3F9B2  Win: 0x3DAE  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2002-01.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0803][Xref => http://www.securityfocus.com/bid/3517]

[**] [1:1398:10] EXPLOIT CDE dtspcd exploit attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/02-06:48:44.220333 192.168.1.44:1811 -> 125.236.157.217:6112
TCP TTL:128 TOS:0x0 ID:30590 IpLen:20 DgmLen:124 DF
***AP*** Seq: 0x2C16E754  Ack: 0x6FE3F9E5  Win: 0x3D7B  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2002-01.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0803][Xref => http://www.securityfocus.com/bid/3517]

[**] [122:3:0] (portscan) TCP Portsweep [**]
[Priority: 3]
01/02-06:50:38.928917 192.168.1.44 -> 90.149.43.144
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:168 DF

[**] [122:19:0] (portscan) UDP Portsweep [**]
[Priority: 3]
01/02-06:58:22.419030 192.168.1.44 -> 192.168.1.255
PROTO:255 TTL:0 TOS:0x0 ID:16711 IpLen:20 DgmLen:165

[**] [1:1398:10] EXPLOIT CDE dtspcd exploit attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/02-06:58:26.028112 192.168.1.44:2609 -> 125.236.157.217:6112
TCP TTL:128 TOS:0x0 ID:18527 IpLen:20 DgmLen:82 DF
***AP*** Seq: 0x9A965A57  Ack: 0xF8A39458  Win: 0x4147  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2002-01.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0803][Xref => http://www.securityfocus.com/bid/3517]
 
Old 01-02-2008, 09:36 AM   #2
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Do a thorough investigation before reinstalling anything for two reasons:

1. You don't want to end up reinstalling the same way as you first did, negating a refresh of the OS. You want to understand how your machine was compromised so that you learn from it and adapt your install so that it doesn't happen again.

2. You may not even need to reinstall if this is a false positive or something that can be mitigated/lessened via layered security.

Looking at what you've posted, it appears IP 192.168.1.44 is scanning outbound and maybe attacking certain IPs utilizing port 6112.

I'd look into the raw snort logs (the payload or packet trace) to see whether these are 'real' events to worry about. Assess the signature (or rule) to determine if the packet traces are actually matching the snort rule's signature string.
 
Old 01-03-2008, 07:11 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Quote:
Originally Posted by kav View Post
Does this say what I think it does?
If you run ancient (and I mean ancient) Sun / IBM / HP / SGI boxes running the Common Desktop Environment (CDE), then yes, it probably does (do read those reference links; they are given for some reason). In all other cases, check the box, firewalling and routing policies for what is listening on that port and who should be allowed access to it, and adjust accordingly. Don't forget to update your snort.conf variables, suppression statements in threshold.conf, or BPF file contents.


Quote:
Originally Posted by kav View Post
I'm going to be rebuilding this box when I get back from work today aren't I?
Sure, if you've got nothing else to do :-]
 
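Both replies describe the same procedure: take the alerts apart and look at what actually fired before deciding anything, then tune (snort.conf variables, threshold.conf suppress lines, or a BPF) for whatever turns out to be noise. The script below is added here as an illustration; it is not code from either poster. It runs over the alerts posted above, copied into the script as constructed sample input: it parses Snort's full-alert format, collapses the two alerts that fired on the same retransmitted TCP segment (identical sequence number and length at 06:48:35 and 06:48:36), summarises per source host how many distinct peers were touched and whether the dtspcd hits are data-bearing ACK+PUSH segments from an ephemeral port, and emits the Snort 2.x threshold.conf suppress syntax for a host once the analyst has decided it is a false positive. Two background facts that are not from the thread but help in reading the output: TTL 128 is the Windows default initial TTL (Linux and the BSDs use 64), and TCP 6112 is also the port Blizzard's Battle.net game clients connect to, a well-known false-positive source for this rule.

```python
import re
from collections import defaultdict

# Constructed sample input: alerts copied from the post above (Snort
# "full" alert format), so the script runs without a sensor.
SAMPLE_ALERTS = """\
[**] [122:3:0] (portscan) TCP Portsweep [**]
[Priority: 3]
01/02-06:44:34.543798 192.168.1.44 -> 90.157.227.80
PROTO:255 TTL:0 TOS:0x0 ID:4987 IpLen:20 DgmLen:164

[**] [1:1398:10] EXPLOIT CDE dtspcd exploit attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/02-06:48:35.413985 192.168.1.44:1811 -> 125.236.157.217:6112
TCP TTL:128 TOS:0x0 ID:29698 IpLen:20 DgmLen:82 DF
***AP*** Seq: 0x2C161A2E  Ack: 0x6FE3F9B2  Win: 0x3DAE  TcpLen: 20

[**] [1:1398:10] EXPLOIT CDE dtspcd exploit attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/02-06:48:36.450540 192.168.1.44:1811 -> 125.236.157.217:6112
TCP TTL:128 TOS:0x0 ID:28395 IpLen:20 DgmLen:82 DF
***AP*** Seq: 0x2C161A2E  Ack: 0x6FE3F9B2  Win: 0x3DAE  TcpLen: 20

[**] [1:1398:10] EXPLOIT CDE dtspcd exploit attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/02-06:58:26.028112 192.168.1.44:2609 -> 125.236.157.217:6112
TCP TTL:128 TOS:0x0 ID:18527 IpLen:20 DgmLen:82 DF
***AP*** Seq: 0x9A965A57  Ack: 0xF8A39458  Win: 0x4147  TcpLen: 20
"""

HEADER = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$')
PACKET = re.compile(r'^(\S+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$')
PROTO = re.compile(r'^(TCP|UDP|ICMP|PROTO:\d+) TTL:(\d+)')
FLAGS = re.compile(r'^(\S{8}) Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)')


def parse_alerts(text):
    """One dict per alert; alert records are separated by blank lines."""
    alerts = []
    for block in re.split(r'\n\s*\n', text.strip()):
        a = {'sport': None, 'dport': None, 'ttl': None, 'flags': None, 'seq': None}
        for line in block.splitlines():
            if m := HEADER.match(line):
                a['gid'], a['sid'], a['msg'] = int(m[1]), int(m[2]), m[4]
            elif m := PACKET.match(line):
                a['ts'], a['src'], a['dst'] = m[1], m[2], m[4]
                a['sport'] = int(m[3]) if m[3] else None
                a['dport'] = int(m[5]) if m[5] else None
            elif m := PROTO.match(line):
                a['proto'], a['ttl'] = m[1], int(m[2])
            elif m := FLAGS.match(line):
                a['flags'], a['seq'] = m[1], int(m[2], 16)
        if 'sid' in a and 'src' in a:
            alerts.append(a)
    return alerts


def dedupe_retransmits(alerts):
    """Drop alerts that fired again on a retransmitted TCP segment: same
    4-tuple and same sequence number means the same bytes matched twice."""
    seen, kept = set(), []
    for a in alerts:
        key = (a['src'], a['sport'], a['dst'], a['dport'], a['seq'])
        if a['seq'] is not None and key in seen:
            continue
        seen.add(key)
        kept.append(a)
    return kept


def triage(alerts):
    """Per source host: rules fired, distinct peers touched (a sweep is one
    source to many destinations), observed TTLs, and how many hits are
    ACK+PUSH data segments from an ephemeral port (a real client session)."""
    report = defaultdict(lambda: {'rules': defaultdict(int), 'peers': set(),
                                  'ttls': set(), 'client_sessions': 0})
    for a in alerts:
        r = report[a['src']]
        r['rules'][(a['gid'], a['sid'])] += 1
        r['peers'].add(a['dst'])
        if a['ttl']:                       # portscan pseudo-packets carry TTL 0
            r['ttls'].add(a['ttl'])
        f = a['flags'] or ''
        if 'A' in f and 'P' in f and a['sport'] and a['sport'] > 1023:
            r['client_sessions'] += 1
    return report


def suppress_line(gid, sid, track, ip):
    """Snort 2.x threshold.conf syntax to silence one rule for one host."""
    if track not in ('by_src', 'by_dst'):
        raise ValueError('track must be by_src or by_dst')
    return f'suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}'


if __name__ == '__main__':
    alerts = dedupe_retransmits(parse_alerts(SAMPLE_ALERTS))
    for src, r in triage(alerts).items():
        print(f"{src}: rules={dict(r['rules'])} peers={len(r['peers'])} "
              f"ttls={sorted(r['ttls'])} client_sessions={r['client_sessions']}")
    # Only once the peer is confirmed not to be a CDE host you care about:
    print(suppress_line(1, 1398, 'by_dst', '125.236.157.217'))
```

The full-alert format carries no payload, so assessing the signature itself, as the second reply suggests, still means pulling the rule text from the local ruleset (for example `grep -r 'sid:1398;' /etc/snort/rules/`, path assumed) and comparing its content matches against the captured bytes from Snort's packet log (`-l <dir> -b` for tcpdump-format logging, or unified output) rather than against the alert text alone.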