
Hacked server



Hi, a short while ago one of my servers was hacked...
Since I can't reinstall it, at least for the moment, I wanted to find a way to plug the various holes.
I installed snort today and this is the first result:


Let me say up front that 192.168.3.9 is the machine in question..
all the others are local anyway... tomorrow I'll work out which ones...



thanks


example
/var/log/snort/alert

[**] [1:648:4] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
11/05-20:15:24.333343 192.168.3.175:1026 -> 192.168.3.9:139
TCP TTL:128 TOS:0x0 ID:5512 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xBAB0515D  Ack: 0x8C180816  Win: 0x43A1  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]




snort-stat


The log begins from: 11 05 16:58:30
The log ends     at: 11 05 20:15:24
Total events: 88
Signatures recorded: 8
Source IP recorded: 6
Destination IP recorded: 3
Portscan recorded: 4


The number of attacks from same host to same
destination using same method
=========================================================================
  # of
 attacks  from              to                method
=========================================================================
   59     192.168.3.175     192.168.3.9       SHELLCODE x86 NOOP
   10     192.168.3.254     192.168.3.9       WEB-CGI calendar access
   9      192.168.3.128     192.168.3.9       ICMP Destination Unreachable (Port Unreachable)
   2      192.168.3.9       192.168.3.128     ICMP Echo Reply
   2      192.168.3.154     192.168.3.9       NETBIOS Samba clientaccess
   2      192.168.3.9       192.168.3.148     ICMP Echo Reply
   2      192.168.3.128     192.168.3.9       ICMP PING *NIX
   1      192.168.3.148     192.168.3.9       ICMP PING NMAP
   1      192.168.3.148     192.168.3.9       ICMP L3retriever Ping


Percentage and number of attacks from a host to a
destination
============================================================
        #  of
  %    attacks   from              to
============================================================
67.05    59      192.168.3.175     192.168.3.9
12.50    11      192.168.3.128     192.168.3.9
11.36    10      192.168.3.254     192.168.3.9
 2.27    2       192.168.3.148     192.168.3.9
 2.27    2       192.168.3.9       192.168.3.128
 2.27    2       192.168.3.9       192.168.3.148
 2.27    2       192.168.3.154     192.168.3.9


Percentage and number of attacks from one host to any
with same method
==============================================================
        #  of
  %    attacks   from              method
==============================================================
67.05    59      192.168.3.175     SHELLCODE x86 NOOP
11.36    10      192.168.3.254     WEB-CGI calendar access
10.23    9       192.168.3.128     ICMP Destination Unreachable (Port Unreachable)
 4.55    4       192.168.3.9       ICMP Echo Reply
 2.27    2       192.168.3.128     ICMP PING *NIX
 2.27    2       192.168.3.154     NETBIOS Samba clientaccess
 1.14    1       192.168.3.148     ICMP L3retriever Ping
 1.14    1       192.168.3.148     ICMP PING NMAP


Percentage and number of attacks to one certain host
=================================================================
        #  of
  %    attacks   to                method
=================================================================
67.05    59      192.168.3.9      SHELLCODE x86 NOOP
11.36    10      192.168.3.9      WEB-CGI calendar access
10.23    9       192.168.3.9      ICMP Destination Unreachable (Port Unreachable)
 2.27    2       192.168.3.9      ICMP PING *NIX
 2.27    2       192.168.3.128    ICMP Echo Reply
 2.27    2       192.168.3.148    ICMP Echo Reply
 2.27    2       192.168.3.9      NETBIOS Samba clientaccess
 1.14    1       192.168.3.9      ICMP L3retriever Ping
 1.14    1       192.168.3.9      ICMP PING NMAP


The distribution of attack methods
===============================================
        #  of
  %    attacks   method
===============================================
67.05    59      SHELLCODE x86 NOOP
                 59    192.168.3.175   -> 192.168.3.9
11.36    10      WEB-CGI calendar access
                 10    192.168.3.254   -> 192.168.3.9
10.23    9       ICMP Destination Unreachable (Port Unreachable)
                 9     192.168.3.128   -> 192.168.3.9
 4.55    4       ICMP Echo Reply
                 2     192.168.3.9     -> 192.168.3.128
                 2     192.168.3.9     -> 192.168.3.148
 2.27    2       NETBIOS Samba clientaccess
                 2     192.168.3.154   -> 192.168.3.9
 2.27    2       ICMP PING *NIX
                 2     192.168.3.128   -> 192.168.3.9
 1.14    1       ICMP PING NMAP
                 1     192.168.3.148   -> 192.168.3.9
 1.14    1       ICMP L3retriever Ping
                 1     192.168.3.148   -> 192.168.3.9


Portscans performed to/from HOME_NET
===================================
  # of
 attacks  from
===================================
 4       192.168.3.9



-- 
Theory is when you know everything but nothing works.
Practice is when everything works but nobody knows why.
In any case you always end up combining theory with
practice: nothing works and nobody knows why.
Albert Einstein
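An added example (Python, not code from the post, from Snort or from snort-stat) that parses records in the /var/log/snort/alert format quoted above and rebuilds two of the snort-stat tables (attacks per source/destination/method, and the distribution of methods). The sample records are constructed: the first is the one quoted in the post (sid 648), the others imitate its format and use a made-up local-rule sid (1000001) that is not a real Snort rule. The triage note is this example's own assumption, not a snort-stat feature: the x86 NOOP rule matches a run of 0x90 bytes, which also occurs inside ordinary binary files, so full-size segments to an SMB port on the LAN are worth checking against the real payload before being counted as an exploit attempt.

```python
"""Parse Snort 'full' alert records (the /var/log/snort/alert format) and
aggregate them the way snort-stat does, plus a simple triage note.

Added example, not code from the post or from Snort. SAMPLE_ALERTS is
constructed: the first record is the one quoted in the post (sid 648), the
others imitate its format and use a made-up local-rule sid (1000001)."""
import re
from collections import Counter

SAMPLE_ALERTS = """\
[**] [1:648:4] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
11/05-20:15:24.333343 192.168.3.175:1026 -> 192.168.3.9:139
TCP TTL:128 TOS:0x0 ID:5512 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xBAB0515D  Ack: 0x8C180816  Win: 0x43A1  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:4] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
11/05-20:15:25.001122 192.168.3.175:1026 -> 192.168.3.9:139
TCP TTL:128 TOS:0x0 ID:5513 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xBAB05711  Ack: 0x8C180816  Win: 0x43A1  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:1000001:1] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/05-18:02:10.123456 192.168.3.254:33012 -> 192.168.3.9:80
TCP TTL:64 TOS:0x0 ID:4102 IpLen:20 DgmLen:312 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x16D0  TcpLen: 32
"""

# One regex per line type of a 'full' alert record.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ADDR_RE = re.compile(rf"^(\S+) {IP}(?::(\d+))? -> {IP}(?::(\d+))?$")
PROTO_RE = re.compile(r"^(\w+) TTL:(\d+) .*?DgmLen:(\d+)")
SMB_PORTS = {139, 445}


def parse_alerts(text):
    """Split the file into blank-line separated records and extract the fields
    snort-stat reports on; blocks without a [**] header line are skipped."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue
        ev = {"gid": int(head.group(1)), "sid": int(head.group(2)),
              "method": head.group(4), "sport": None, "dport": None}
        for line in lines[1:]:
            if (p := PRIO_RE.search(line)):
                ev["priority"] = int(p.group(1))
            elif (a := ADDR_RE.match(line)):
                ev["time"], ev["src"], ev["dst"] = a.group(1), a.group(2), a.group(4)
                ev["sport"] = int(a.group(3)) if a.group(3) else None  # ICMP has no ports
                ev["dport"] = int(a.group(5)) if a.group(5) else None
            elif (pr := PROTO_RE.match(line)):
                ev["proto"], ev["ttl"], ev["dgmlen"] = pr.group(1), int(pr.group(2)), int(pr.group(3))
        events.append(ev)
    return events


def by_src_dst_method(events):
    """snort-stat's first table: attacks from the same host to the same
    destination using the same method, most frequent first."""
    return Counter((e["src"], e["dst"], e["method"]) for e in events).most_common()


def method_distribution(events):
    """snort-stat's 'distribution of attack methods': (percent, count, method)."""
    total = len(events)
    counts = Counter(e["method"] for e in events)
    return [(round(100.0 * n / total, 2), n, m) for m, n in counts.most_common()]


def triage(event):
    """Heuristic added by this example (an assumption, not a snort-stat feature):
    the x86 NOOP rule matches a run of 0x90 bytes, which also occurs in ordinary
    binary files, so a full-size segment (DgmLen near the 1500-byte Ethernet MTU)
    to an SMB port should be checked against the real payload first."""
    if ("SHELLCODE" in event["method"] and event["dport"] in SMB_PORTS
            and event.get("dgmlen", 0) >= 1400):
        return "verify payload: full-size segment to SMB port, possible file-transfer false positive"
    return "review"


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    print(f"Total events: {len(evs)}")
    for (src, dst, method), n in by_src_dst_method(evs):
        print(f"{n:4d}  {src:16s} {dst:16s} {method}")
    for pct, n, method in method_distribution(evs):
        print(f"{pct:6.2f} {n:4d}  {method}")
    for e in evs:
        print(f"{e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}  {e['method']}: {triage(e)}")
```

Run it against the real file with `parse_alerts(open("/var/log/snort/alert").read())`; the grouping keys are the same ones snort-stat uses, so the counts should line up with its tables, and the triage column tells you which of the 59 NOOP hits deserve a look at the captured packet rather than a rule change.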
