-
January 16th, 2003, 08:33 AM
#1
Junior Member
Mandrake 9 & Snort Log record
Jan 15 19:53:26 linuxalien snort[1782]: [1:1390:3] SHELLCODE x86 inc ebx NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 199.105.112.210:25555 -> 192.168.1.42:32899
I found the above in my log. I'm a newbie, and I'm wondering if that means someone planted code in my Linux box or not. If so, can I get rid of it or do I re-install? I've got a shore firewall running and also a Linksys cable/DSL router with an update already installed. Thanks for any help.
Joe
-
January 16th, 2003, 12:06 PM
#2
Snort has detected shell code; that doesn't mean it's been planted. It depends on whether the application running on 192.168.1.42 port 32899 was vulnerable to the attack. In fact, it might not be an attack at all; it could be someone downloading an exploit itself (from port 32899).
Because it's a high port number it's probably either an outgoing connection, a p2p program (these create a zillion IDS false alarms because of their promiscuity), or a connection that has been NAT'd to a high port number.
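Added example, not part of either post: a small Python triage helper that parses a Snort syslog alert in the layout shown in the first post and applies the reasoning from the reply (high destination port on an internal address suggests reply traffic or NAT). The function names and the 32768 ephemeral-port threshold (the usual Linux default) are assumptions of this example.

```python
import ipaddress
import re

# Alert line copied from the first post in this thread.
SAMPLE = ("Jan 15 19:53:26 linuxalien snort[1782]: [1:1390:3] SHELLCODE x86 inc ebx NOOP "
          "[Classification: Executable code was detected] [Priority: 1]: "
          "{TCP} 199.105.112.210:25555 -> 192.168.1.42:32899")

# Layout of a Snort syslog alert: [gid:sid:rev] msg [Classification] [Priority]: {proto} src -> dst
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<classification>[^\]]+)\] \[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

EPHEMERAL_START = 32768  # assumption: default start of the Linux client-side port range


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        alert[key] = int(alert[key])
    return alert


def triage(alert):
    """Return analyst hints based on direction, port range and signature type."""
    hints = []
    src_internal = ipaddress.ip_address(alert["src"]).is_private
    dst_internal = ipaddress.ip_address(alert["dst"]).is_private
    if dst_internal and not src_internal:
        if alert["dport"] >= EPHEMERAL_START:
            hints.append("ephemeral dst port: likely reply traffic on a connection "
                         "the internal host opened, or a NAT'd port")
        else:
            hints.append("inbound to a service port: identify the listener and its patch level")
    if alert["msg"].startswith("SHELLCODE"):
        # inc ebx encodes as byte 0x43, which is also ASCII 'C', so runs of it
        # occur in ordinary binary or text payloads as well as in NOP sleds.
        hints.append("payload-pattern signature: confirm against the captured packet "
                     "before assuming compromise")
    return hints


if __name__ == "__main__":
    for hint in triage(parse_alert(SAMPLE)):
        print(hint)
```
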