[Snort-sigs] new db entry
bianco at ...536...
Fri Apr 19 18:05:25 EDT 2002
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC linux rootkit attempt";flags: A+; content:"d13hh["; nocase; classtype:attempted-admin; sid:215; rev:1;)
Attempt to exploit a common Unix login trojan
If successful, the trojan logs the attacker in as root.
"D13hh[" is a common password for the original rootkit. This kit contains
a trojaned version of /bin/login which accepts a login name of "root" and
a password of "D13hh[" and gives a root shell in return. Versions of this
rootkit still exist for Solaris and Linux systems, and perhaps others.
Could be used by any program which calls /bin/login, such as telnet, rlogin,
rsh, ssh or ftp, although this rule only checks for telnet access.
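To make concrete what the rule's three options (flags: A+, content, nocase) actually test on a packet, here is an added Python matcher for this one rule. It is written for this post and is not part of it or of Snort; it assumes a simplified packet model with only destination port, TCP flags and payload, and does not model $HOME_NET/$EXTERNAL_NET or stream reassembly.

```python
from dataclasses import dataclass

# The rule exactly as posted (sid 215).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 23 '
        '(msg:"BACKDOOR MISC linux rootkit attempt";flags: A+; '
        'content:"d13hh["; nocase; classtype:attempted-admin; sid:215; rev:1;)')

@dataclass
class Packet:                # simplified packet model: only what this rule inspects
    dst_port: int
    flags: str               # TCP flags as Snort spells them, e.g. "AP" = ACK+PSH
    payload: bytes
def parse_rule(rule: str) -> dict:
    """Split a Snort 1.x rule into header fields and options (plain quoted
    content only: no |hex| bytes and no escaped ';', an assumption here)."""
    header, opts = rule.split("(", 1)
    action, proto, _src, _sport, _arrow, _dst, dport = header.split()
    parsed = {"action": action, "proto": proto, "dport": int(dport)}
    for opt in opts.rstrip(")").split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            parsed[key.strip()] = val.strip().strip('"')
        elif opt.strip():    # bare modifier such as 'nocase'
            parsed[opt.strip()] = True
    return parsed

def flags_match(spec: str, pkt_flags: str) -> bool:
    """Snort 'flags': 'A+' means ACK set, other bits ignored; 'A' means exactly ACK."""
    if spec.endswith("+"):
        return set(spec[:-1]) <= set(pkt_flags)
    return set(spec) == set(pkt_flags)

def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Port, flags and content checks; $HOME_NET/$EXTERNAL_NET are not modelled."""
    if pkt.dst_port != rule["dport"] or not flags_match(rule["flags"], pkt.flags):
        return False
    needle, hay = rule["content"].encode(), pkt.payload
    if rule.get("nocase"):   # case-insensitive, so D13hh[ and d13HH[ both hit
        needle, hay = needle.lower(), hay.lower()
    return needle in hay

# Constructed sample traffic, not a real capture.
SAMPLE = [
    Packet(23, "AP", b"root\r\nD13hh[\r\n"),    # trojan password over telnet: fires
    Packet(23, "AP", b"root\r\nd13HH[\r\n"),    # different case, nocase: fires
    Packet(23, "S",  b"D13hh["),                # SYN without ACK: 'A+' not met
    Packet(22, "AP", b"D13hh["),                # SSH port: outside this rule's scope
    Packet(23, "AP", b"alice\r\nhunter2\r\n"),  # ordinary login: no alert
]
```

The third and fourth packets show why the post rates false negatives as high: the same string on another port, or in a segment without ACK set, never reaches the content check.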
Ease of Attack:
Extremely easy. If someone else has already done the hard work of
installing the rootkit, anyone who can get a login prompt on the
compromised machine can become root without any special software or
knowledge, just by logging in with the right username/password.
False Positives:
Moderate. This is not a string that should appear in most legitimate
False Negatives:
High. The default password can usually be changed, or the attackers can
use some other connection method than telnet to do their work, such as SSH.
Corrective Action:
Get a copy of chkrootkit from www.chkrootkit.org and run it on the host
which you suspect to be compromised. Chkrootkit will search for many
known rootkits and tell you if it finds any.
David J. Bianco <djbianco at ...144...>