snort Alert

25 Jan 2002

      Hello List,
   today i view my logs for warnings and other Problems with my
   Router Kernel 2.2.19 on SuSE 7.0
   Snort alerts me following messages

[**] FTP99cmp [**]
01/25-12:49:02.510018 172.16.2.5:56704 -> 172.16.2.6:1492
UDP TTL:58 TOS:0x0 ID:45067
Len: 8

[**] Back Door [**]
01/25-12:49:02.921419 172.16.2.5:56704 -> 172.16.2.6:1999
UDP TTL:58 TOS:0x0 ID:5981
Len: 8

[**] iNi Killer/Phase Zero/Stealth Spy [**]
01/25-12:49:03.645493 172.16.2.5:56704 -> 172.16.2.6:555
UDP TTL:58 TOS:0x0 ID:27091
Len: 8

[**] Remote Grab [**]
01/25-12:49:04.464164 172.16.2.5:56704 -> 172.16.2.6:7000
UDP TTL:58 TOS:0x0 ID:16456
Len: 8

[**] Shivka-Burka [**]
01/25-12:49:05.683546 172.16.2.5:56704 -> 172.16.2.6:1600
UDP TTL:58 TOS:0x0 ID:28222
Len: 8

[**] Hackers Paradise [**]
01/25-12:49:05.809637 172.16.2.5:56704 -> 172.16.2.6:31
UDP TTL:58 TOS:0x0 ID:65451
Len: 8

[**] Silencer, WebEX [**]
01/25-12:49:06.161501 172.16.2.5:56704 -> 172.16.2.6:1001
UDP TTL:58 TOS:0x0 ID:45491
Len: 8

[**] Ripper Pro [**]
01/25-12:49:06.525815 172.16.2.5:56704 -> 172.16.2.6:2023
UDP TTL:58 TOS:0x0 ID:18956
Len: 8

[**] Trojan Cow [**]
01/25-12:49:06.558256 172.16.2.5:56704 -> 172.16.2.6:2001
UDP TTL:58 TOS:0x0 ID:60477
Len: 8

[**] Sockets De Troie [**]
01/25-12:49:06.579138 172.16.2.5:56704 -> 172.16.2.6:5000
UDP TTL:58 TOS:0x0 ID:8426
Len: 8

[**] Attempted Sun RPC high port access [**]
01/25-12:49:06.623967 172.16.2.5:56704 -> 172.16.2.6:32771
UDP TTL:58 TOS:0x0 ID:41745
Len: 8

[**] Sockets De Troie [**]
01/25-12:49:06.655303 172.16.2.5:56704 -> 172.16.2.6:5001
UDP TTL:58 TOS:0x0 ID:30473
Len: 8

[**] Hackers Paradise [**]
01/25-12:49:07.470151 172.16.2.5:56704 -> 172.16.2.6:456
UDP TTL:58 TOS:0x0 ID:49981
Len: 8

[**] Back Orifice [**]
01/25-12:49:07.915080 172.16.2.5:56704 -> 172.16.2.6:31337
UDP TTL:58 TOS:0x0 ID:8186
Len: 8

[**] Satanz Backdoor [**]
01/25-12:49:08.362728 172.16.2.5:56704 -> 172.16.2.6:666
UDP TTL:58 TOS:0x0 ID:9630
Len: 8

172.16.2.5 is my Router IP, in the firewall i have set tcp and udp highports
enabled.

The 172.16.2.6 is a win client in my home LAN.

nmap to the client 172.16.2.6  offers following open ports

Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
1025/tcp   open        listen

135/udp    open        loc-srv
137/udp    open        netbios-ns
138/udp    open        netbios-dgm
445/udp    open        microsoft-ds
500/udp    open        isakmp

Do I have a problem?

-- 
Best regards,
 Dietmar                          mailto:earthmate@gmx.net

snort Alert

Dietmar Strasdat