[Snort-sigs] SID 141
rwagner at ...447...
Thu Apr 25 09:56:10 EDT 2002
alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR HackAttack 1.20 Connect"; flags: A+; content:"host"; sid:141; classtype:misc-activity;
A connection was made to an outside server from port 31785. This is
probably a HackAttack client talking back to the server.
This is a Trojan client communicating back to the server. Your system has
been compromised. The intruder will have complete control of your computer.
A packet sent from the client back to the server. If the server was online,
then the intruder has access to your system.
This trojan is typically installed as an executable on Windows based
Ease of Attack:
Medium. The attacker needs to install the trojan, get the connection from
the trojan back to the server.
Possible but very unlikely. Various firewalls use ports above 1024 for NAT
traffic. This packet must have an ack and "host" in the content.
Possible. This only looks at traffic from 31785. A small change in the
client port will cause the traffic to be ignored.
Identify and remove the trojan from the affected machine.
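The rule's match conditions and the false positive and false negative cases described in the post, modelled as an added example that is not part of the original message or of Snort itself. The packet records and payload bytes are constructed sample data, and treating $EXTERNAL_NET as "anything outside $HOME_NET" is an assumption.

```python
# Added illustration: models the match logic of SID 141 as quoted in the post.
# All packets below are constructed samples, not captured traffic.
from dataclasses import dataclass

ACK, PSH, SYN = 0x10, 0x08, 0x02  # TCP flag bits

@dataclass
class Packet:
    src_in_home_net: bool  # stands in for $HOME_NET membership
    dst_in_home_net: bool  # False is treated as $EXTERNAL_NET (assumption)
    sport: int
    flags: int
    payload: bytes

def sid_141_matches(p: Packet) -> bool:
    """True when the packet satisfies the rule header and every option."""
    header_ok = p.src_in_home_net and not p.dst_in_home_net and p.sport == 31785
    flags_ok = bool(p.flags & ACK)     # "A+": ACK set, other flags allowed
    content_ok = b"host" in p.payload  # no nocase option, so case-sensitive
    return header_ok and flags_ok and content_ok

# Constructed samples; the trojan payload is a placeholder, not a real capture.
SAMPLES = [
    ("default port, ACK, 'host' in payload",
     Packet(True, False, 31785, ACK | PSH, b"host placeholder")),
    ("NAT session that drew port 31785, benign payload",
     Packet(True, False, 31785, ACK | PSH, b"MAIL FROM:<a@mailhost.example>")),
    ("same placeholder payload, client port changed",
     Packet(True, False, 31786, ACK | PSH, b"host placeholder")),
    ("port 31785 but capitalised 'Host:' header",
     Packet(True, False, 31785, ACK | PSH, b"GET / HTTP/1.0\r\nHost: a.example\r\n")),
    ("port 31785, SYN only, no ACK",
     Packet(True, False, 31785, SYN, b"")),
]

def classify(samples):
    """Return (description, alert_fired) for each sample."""
    return [(name, sid_141_matches(pkt)) for name, pkt in samples]

if __name__ == "__main__":
    for name, fired in classify(SAMPLES):
        print(f"{'ALERT' if fired else 'quiet'}  {name}")
```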