Possible Rooted Box

  1. #1
    Junior Member Ritalin's Avatar
    Join Date
    May 2006

    Possible Rooted Box

    I turned on my *nix box to discover these logs from snort:

    Events between 10 21 05:50:11 and 10 21 05:51:21
    Total events: 2
    Signatures recorded: 1
    Source IP recorded: 1
    Destination IP recorded: 1

    Events from same host to same destination using same method
    # of from to method
    2 (portscan) TCP Portsweep

    Percentage and number of events from a host to a destination
    % # of from to
    100.00 2

    Percentage and number of events from one host to any with same method
    % # of from method
    100.00 2 (portscan) TCP Portsweep

    Percentage and number of events to one certain host
    % # of to method
    100.00 2 (portscan) TCP Portsweep

    I ran whois on the address only to get this back:

    Priority Colo PRICOLO-BLK02 (NET-204-15-192-0-1) -
    Ken Snider PRIORITYCOLO-204-15-193-128 (NET-204-15-193-128-1) -
    #ARIN WHOIS database, last updated 2006-10-20 19:10

    So I checked my router logs to find this address repeatedly trying to connect on random ports above 40000: 45945 45748 45277 45517 45102 45736 45073 45945 45736 45235 45253 45374 45800 45479 45789 45296 45651 45066 45817


    So I ran whois on this address, which brought back:

    OrgName: Asia Pacific Network Information Centre
    OrgID: APNIC
    Address: PO Box 2131
    City: Milton
    StateProv: QLD
    PostalCode: 4064
    Country: AU

    ReferralServer: whois://whois.apnic.net

    NetRange: -
    NetHandle: NET-202-0-0-0-1
    NetType: Allocated to APNIC
    NameServer: NS1.APNIC.NET
    NameServer: NS3.APNIC.NET
    NameServer: NS4.APNIC.NET
    NameServer: TINNIE.ARIN.NET
    NameServer: NS-SEC.RIPE.NET
    NameServer: DNS1.TELSTRA.NET
    Comment: This IP address range is not registered in the ARIN database.
    Comment: For details, refer to the APNIC Whois Database via
    Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
    Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
    Comment: for the Asia Pacific region. APNIC does not operate networks
    Comment: using this IP address range and is not able to investigate
    Comment: spam or abuse reports relating to these addresses. For more
    Comment: help, refer to http://www.apnic.net/info/faq/abuse
    RegDate: 1994-04-05
    Updated: 2005-05-20

    OrgTechHandle: AWC12-ARIN
    OrgTechName: APNIC Whois Contact
    OrgTechPhone: +61 7 3858 3100
    OrgTechEmail: search-apnic-not-arin@apnic.net

    I cannot seem to find any suspicious file, and tripwire has not logged anything changed.

    I'm running Debian with a 2.6 kernel with only one running service, SSH.
    My box is fully updated and patched.

    Any help would be great.
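    As an added example (not code from the original thread or from any of its posters): a small Python triage script of the kind that answers the question this post is asking. It runs over constructed router log lines, labels each source as a port scan (many ports on one host) or a port sweep (one port across many hosts, which is what snort's "TCP Portsweep" refers to), and checks whether any probed port lands on a service the box actually listens on. The netfilter/iptables log format, the RFC 5737 addresses, the `triage`/`classify` names and the thresholds are all assumptions; the probed port numbers are the ones quoted from the router log above.

```python
"""Triage helper for the kind of activity described in the post above.

Added example; not code from the original thread. Log lines are constructed
in netfilter/iptables syslog format using RFC 5737 documentation addresses,
since the page does not show the real IPs.
"""
import re
from collections import defaultdict

# The poster reports a single running service, SSH (TCP/22).
LISTENING_TCP_PORTS = {22}

# Assumed thresholds for illustration; tune them for your environment.
SCAN_MIN_PORTS = 10    # >= this many distinct ports on ONE host -> portscan
SWEEP_MIN_HOSTS = 5    # ONE port on >= this many hosts          -> portsweep

LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s+DST=(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r".*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

# Destination ports quoted from the router log in the post (19 hits, 17 distinct).
PROBED_PORTS = [45945, 45748, 45277, 45517, 45102, 45736, 45073, 45945, 45736,
                45235, 45253, 45374, 45800, 45479, 45789, 45296, 45651, 45066, 45817]


def _log_line(src, dst, dport, proto="TCP"):
    """Build one constructed netfilter-style log line."""
    return (f"Oct 21 05:50:11 router kernel: DROP IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=40 TTL=48 ID=0 DF PROTO={proto} SPT=54321 DPT={dport} SYN")


# Constructed sample: one scanner hammering high ports on our box, a second
# source trying SSH on six hosts, and one UDP line that must be ignored.
SAMPLE_LOG = (
    [_log_line("203.0.113.10", "192.0.2.10", p) for p in PROBED_PORTS]
    + [_log_line("198.51.100.7", f"192.0.2.{i}", 22) for i in range(1, 7)]
    + [_log_line("198.51.100.7", "192.0.2.10", 53, proto="UDP")]
)


def parse_log(lines):
    """Yield (src, dst, proto, dport) for every line that looks like a netfilter log."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def classify(events):
    """Group TCP events by source and label each source's activity.

    Returns {src: {"kind": str, "ports": set, "hosts": set, "hits_on_services": set}}.
    """
    per_src = defaultdict(lambda: {"ports": set(), "hosts": set(), "hits": set()})
    for src, dst, proto, dport in events:
        if proto != "TCP":          # only TCP counts for these two labels
            continue
        rec = per_src[src]
        rec["ports"].add(dport)
        rec["hosts"].add(dst)
        if dport in LISTENING_TCP_PORTS:
            rec["hits"].add(dport)  # a probe that reached a real service

    report = {}
    for src, rec in per_src.items():
        if len(rec["hosts"]) == 1 and len(rec["ports"]) >= SCAN_MIN_PORTS:
            kind = "portscan"
        elif len(rec["ports"]) == 1 and len(rec["hosts"]) >= SWEEP_MIN_HOSTS:
            kind = "portsweep"
        else:
            kind = "unclassified"
        report[src] = {"kind": kind, "ports": rec["ports"], "hosts": rec["hosts"],
                       "hits_on_services": rec["hits"]}
    return report


def triage(lines=SAMPLE_LOG):
    """Run the whole pipeline over a list of log lines and return the report."""
    return classify(parse_log(lines))


if __name__ == "__main__":
    for src, rec in triage().items():
        print(f"{src}: {rec['kind']}, {len(rec['ports'])} port(s) on "
              f"{len(rec['hosts'])} host(s); hit listening services: "
              f"{sorted(rec['hits_on_services']) or 'none'}")
```

    On the constructed input, the high-port scanner is labelled a portscan whose probes touch nothing that is listening, which is the point a responder wants confirmed: noise against closed ports is not evidence of compromise. The second source shows the opposite case, a sweep that does land on the one exposed service, so it would be worth correlating with the SSH auth log. Replace `SAMPLE_LOG` with the real router or `iptables` log lines and `LISTENING_TCP_PORTS` with the output of `ss -ltn` or `netstat -ltn` on the box.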


  2. #2
    Junior Member Ritalin's Avatar
    Join Date
    May 2006

    Adding to my previous post.

    I submitted the IP into http://www.netwatchman.com and got these results.



  3. #3
    Senior Member
    Join Date
    Feb 2003
    Memphis, TN
    Looks like all they got was a portscan....nothing to worry about.

    Keep in mind snort is not a firewall, and only alerts you when stuff is happening. It will not block it... for blocking I'd suggest something like APF... I use that on some of my Linux boxes in various DCs.

  4. #4
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    It's just a port scan; I would not worry about it. As long as your box is updated and patched you should be fine.
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Washington D.C. area
    Crap sloshing up against your perimeter is common. There is no evidence of anything other than an alert that one was done against you from a host in Asia. I'd worry if I saw the activity stop. LOL.

    You're fine.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
