[Snort-sigs] new db entry

David Bianco bianco at ...536...
Fri Apr 19 18:05:23 EDT 2002

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC linux rootkit attempt";flags: A+; content:"wh00t!"; classtype:attempted-admin; sid:213; rev:1;)  
Possible root kit installed on destination machine.
An intruder could have total superuser access to the compromised machine.
Detailed Information:
This rule works on the assumption that if anyone telnets into a machine
on your network and the string "w00t!" appears, then it must be an attempt 
to install a rootkit.  "w00t!" is a common exclamation among the 3l33t 
h4x0r community, basically the equivalent of Homer Simpson's "whoo hoo!".
It's a common string found in many exploits used by rootkits.
Attack Scenarios: 
This may not be an attack itself.  Rather, uploading a rootkit is what 
usually happens *after* a successful compromise.
Ease of Attack: 
Not applicable.
False Positives: 
Many.  A legitimate user could type "w00t!" into his favorite text editor
or email program while logged into your machine via telnet and trigger this.
False Negatives:
Not applicable, since this isn't a specific attack.  Any rootkit that 
doesn't use the term "w00t!" would fail to trigger.  Don't rely on this as
your only mechanism.
Corrective Action: 
Get a copy of chkrootkit from www.chkrootkit.org and run it on the host 
which you suspect to be compromised. Chkrootkit will search for many 
known rootkits and tell you if it finds any.  
David J. Bianco <djbianco at ...144...>
Additional References:

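To make the detection logic and the false-positive discussion above concrete, here is an added example (my code, not part of the post or of Snort) that parses the rule line as written and applies its port, flags and content checks to a few constructed telnet segments. The sample payloads and the minimal matcher are assumptions for illustration; only the options this particular rule uses are modelled.

```python
# The rule under discussion, copied from the post above.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC linux rootkit attempt";'
        'flags: A+; content:"wh00t!"; classtype:attempted-admin; sid:213; rev:1;)')


def parse_rule(text):
    """Split a one-line Snort rule into header fields and an option map.
    Simplification: options are split on ';', which is fine here because
    no quoted value in this rule contains a semicolon."""
    header, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    opts = {}
    for opt in body.rstrip(")").split(";"):
        if ":" in opt:
            key, value = opt.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "opts": opts}


def rule_matches(rule, pkt):
    """Apply the parsed rule to one constructed packet (dict with proto,
    dport, flags as TCP flag letters, payload as bytes).
    flags with a '+' modifier means the named bits must be set, others may be;
    content without nocase is a literal, case-sensitive byte match."""
    if pkt["proto"] != rule["proto"]:
        return False
    if rule["dport"] != "any" and str(pkt["dport"]) != rule["dport"]:
        return False
    opts = rule["opts"]
    if "flags" in opts:
        wanted = opts["flags"].rstrip("+")
        if not all(bit in pkt["flags"] for bit in wanted):
            return False
    if "content" in opts and opts["content"].encode() not in pkt["payload"]:
        return False
    return True


# Constructed sample telnet segments (not real captures).
SAMPLES = {
    "rootkit_banner": {"proto": "tcp", "dport": 23, "flags": "AP", "payload": b"wh00t! rootkit installed\r\n"},
    "user_email":     {"proto": "tcp", "dport": 23, "flags": "AP", "payload": b"Subject: wh00t! we shipped\r\n"},  # the false positive the post describes
    "w00t_only":      {"proto": "tcp", "dport": 23, "flags": "AP", "payload": b"w00t!\r\n"},  # literal match: other spellings do not fire
    "ssh_port":       {"proto": "tcp", "dport": 22, "flags": "AP", "payload": b"wh00t!"},     # not telnet, rule does not apply
}


def evaluate(samples=SAMPLES):
    rule = parse_rule(RULE)
    return {name: rule_matches(rule, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:15s} {'ALERT' if hit else '-'}")
```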