[Snort-sigs] SID 141

Robert Wagner rwagner at ...447...
Thu Apr 25 09:56:10 EDT 2002


--
Rule:
alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR HackAttack 1.20 Connect"; flags: A+; content:"host"; sid:141; classtype:misc-activity; rev:3;)
--
Sid:
141

--
Summary:
A connection was made to an outside server from port 31785.  This is
probably a HackAttack client talking back to the server.  

--
Impact:
This is a Trojan client communicating back to the server.  Your system has
been compromised.  The intruder will have complete control of your computer.

--
Detailed Information:
A packet sent from the client back to the server.  If the server was online,
then the intruder has access to your system.

--
Attack Scenarios:
This trojan is typically installed as an executable on Windows based
machines.  

--
Ease of Attack:
Medium.  The attacker needs to install the trojan and get the connection from
the trojan back to the server.

--
False Positives:
Possible but very unlikely.  Various firewalls use ports above 1024 for NAT
traffic.  This packet must have an ack and "host" in the content.

--
False Negatives:
Possible.  This only looks at traffic from 31785.  A small change in the
client port will cause the traffic to be ignored.

--
Corrective Action:
Identify and remove the trojan from the affected machine.  

--
Contributors:
Robert Wagner

-- 
Additional References:
http://www.eckertweb.de/hackingschutz/trojaner/hackatack/hackatack.htm
http://www.xploiter.com/security/hackattack.html
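The following is an added example, not part of the Snort-sigs post above: a plain-Python re-implementation of the conditions SID 141 checks (TCP, source in $HOME_NET on port 31785, destination in $EXTERNAL_NET, ACK flag set, "host" in the payload), run over constructed packet records. It illustrates both the False Positives and False Negatives notes: a NAT'd connection from the same port without the "host" string does not fire, and a client that merely shifts to port 31786 is missed entirely. The HOME_NET range, the Packet record type and the sample traffic are all assumptions made for this example.

```python
# Added example (not from the Snort-sigs post): a minimal re-implementation of
# the matching conditions of SID 141, run over constructed packet records.
import ipaddress
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed value for $HOME_NET
TCP_ACK = 0x10   # ACK bit in the TCP flags byte
TCP_PSH = 0x08
TCP_SYN = 0x02


@dataclass
class Packet:
    """Hypothetical decoded packet record (constructed for this example)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: int        # TCP flags bitmask
    payload: bytes


def is_home(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME_NET


def is_external(ip: str) -> bool:
    # $EXTERNAL_NET is commonly defined as !$HOME_NET; assumed here.
    return not is_home(ip)


def sid141_matches(pkt: Packet) -> bool:
    """Reproduce the header and options of SID 141:
         alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (flags: A+; content:"host";)
    flags: A+ means the ACK bit must be set, any other bits are ignored.
    content:"host" is a case-sensitive substring match on the payload."""
    if pkt.proto != "tcp":
        return False
    if not (is_home(pkt.src) and pkt.sport == 31785):
        return False
    if not is_external(pkt.dst):
        return False
    if not (pkt.flags & TCP_ACK):
        return False
    return b"host" in pkt.payload


# Constructed sample traffic (not captured data).
SAMPLES = [
    ("client callback",
     Packet("tcp", "192.168.1.10", 31785, "203.0.113.5", 4444,
            TCP_ACK | TCP_PSH, b"host:WORKSTATION")),
    ("port changed to 31786 (false negative)",
     Packet("tcp", "192.168.1.10", 31786, "203.0.113.5", 4444,
            TCP_ACK | TCP_PSH, b"host:WORKSTATION")),
    ("NAT'd ephemeral port, no 'host' string",
     Packet("tcp", "192.168.1.10", 31785, "203.0.113.5", 443,
            TCP_ACK, b"\x16\x03\x01")),
    ("internal-to-internal",
     Packet("tcp", "192.168.1.10", 31785, "192.168.1.20", 4444,
            TCP_ACK, b"host")),
    ("SYN only, no ACK",
     Packet("tcp", "192.168.1.10", 31785, "203.0.113.5", 4444,
            TCP_SYN, b"host")),
]


def run(samples=SAMPLES) -> dict:
    """Return {label: matched} for each sample packet."""
    return {label: sid141_matches(p) for label, p in samples}


if __name__ == "__main__":
    for label, hit in run().items():
        print(f"{'ALERT' if hit else '  -  '}  {label}")
```

Only the first sample fires. The second sample shows the false negative the post warns about: because the rule keys on the fixed source port 31785, any client using a neighbouring port passes unnoticed, which is why a port-based backdoor signature is best paired with content or flow-based detection.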