
Thread: Mandrake 9 & Snort Log record

  1. #1
    Junior Member linuxalien
    Join Date
    Oct 2002
    Posts
    22

    Mandrake 9 & Snort Log record

    Jan 15 19:53:26 linuxalien snort[1782]: [1:1390:3] SHELLCODE x86 inc ebx NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 199.105.112.210:25555 -> 192.168.1.42:32899



    I found the above in my log. I'm a newbie, and I'm wondering if that means someone planted code in my Linux box or not. If so, can I get rid of it or do I re-install? I've got a shore firewall running and also a Linksys cable/DSL router with an update already installed. Thanks for any help.

    Joe

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Snort has detected shell code; that doesn't mean it's been planted. It depends on whether the application running on 192.168.1.42 port 32899 was vulnerable to the attack. In fact, it might not be an attack at all; it could be someone downloading an exploit itself (from port 32899).

    Because it's a high port number, it's probably either an outgoing connection, a p2p program (these create a zillion IDS false alarms because of their promiscuity), or a connection that has been NAT'd to a high port number.
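
The reading of the alert given in the reply above can be done mechanically. This is an added example, not part of the original thread or of Snort itself: it parses the syslog alert line from the first post and emits direction hints. The `EPHEMERAL_START` threshold, the function names and the hint wording are assumptions made for illustration.

```python
import ipaddress
import re

# Snort alert as written to syslog:
# [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

EPHEMERAL_START = 32768  # assumption: Linux default start of the client-side port range


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def triage(alert):
    """Heuristic direction hints: a starting point for investigation, not a verdict."""
    hints = []
    src_private = ipaddress.ip_address(alert["src"]).is_private
    dst_private = ipaddress.ip_address(alert["dst"]).is_private
    if not src_private and dst_private and alert["dport"] >= EPHEMERAL_START:
        hints.append("dst is an internal host on an ephemeral port: likely reply "
                     "traffic to an outgoing connection, or a NAT'd session")
    if alert["dport"] < 1024:
        hints.append("dst is a well-known service port: check that service's exposure and patch level")
    if alert["sport"] >= 1024 and alert["dport"] >= 1024:
        hints.append("neither side is a well-known service port: consistent with p2p traffic")
    return hints


# The alert line quoted in the first post of this thread.
SAMPLE = ("Jan 15 19:53:26 linuxalien snort[1782]: [1:1390:3] SHELLCODE x86 inc ebx NOOP "
          "[Classification: Executable code was detected] [Priority: 1]: "
          "{TCP} 199.105.112.210:25555 -> 192.168.1.42:32899")

if __name__ == "__main__":
    alert = parse_alert(SAMPLE)
    print(alert["sid"], alert["msg"])
    for hint in triage(alert):
        print("-", hint)
```
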
