[Snort-sigs] new db entry

David Bianco bianco at ...536...
Fri Apr 19 18:05:25 EDT 2002

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC linux rootkit attempt";flags: A+; content:"d13hh["; nocase; classtype:attempted-admin; sid:215; rev:1;) 
Attempt to exploit a common Unix login trojan
If successful, the trojan logs the attacker in as root.
Detailed Information:
"D13hh[" is a common password for the original rootkit.  This kit contains
a trojaned version of /bin/login which accepts a login name of "root" and
a password of "D13hh[" and gives a root shell in return.  Versions of this
rootkit still exist for Solaris and Linux systems, and perhaps others
as well.
Attack Scenarios: 
Could be used by any program which calls /bin/login, such as telnet, rlogin,
rsh, ssh or ftp, although this rule only checks for telnet access.
Ease of Attack: 
Extremely easy.  If someone else has already done the hard work of 
installing the rootkit, anyone who can get a login prompt on the 
compromised machine can become root without any special software or
knowledge, just by logging in with the right username/password.
False Positives: 
Moderate.  This is not a string that should appear in most legitimate 
False Negatives:
High.  The default password can usually be changed, or the attackers can
use some other connection method than telnet to do their work, such as SSH.
Corrective Action: 
Get a copy of chkrootkit from www.chkrootkit.org and run it on the host 
which you suspect to be compromised. Chkrootkit will search for many 
known rootkits and tell you if it finds any.  

David J. Bianco <djbianco at ...144...>
Additional References:


More information about the Snort-sigs mailing list