[Snort-sigs] SID 141

Robert Wagner rwagner at ...447...
Thu Apr 25 09:56:10 EDT 2002

alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR HackAttack 1.20 Connect"; flags:A+; content:"host"; sid:141; classtype:misc-activity;)

A connection was made to an outside server from port 31785.  This is
probably a HackAttack client talking back to the server.  

This is a Trojan client communicating back to the server.  Your system has
been compromised.  The intruder will have complete control of your computer.

Detailed Information:
A packet sent from the client back to the server.  If the server was online,
then the intruder has access to your system.

Attack Scenarios:
This trojan is typically installed as an executable on Windows based

Ease of Attack:
Medium.  The attacker needs to install the trojan and get the connection from
the trojan back to the server.

False Positives:
Possible but very unlikely.  Various firewalls use ports above 1024 for NAT
traffic.  This packet must have an ack and "host" in the content.

False Negatives:
Possible.  This only looks at traffic from 31785.  A small change in the
client port will cause the traffic to be ignored.

Corrective Action:
Identify and remove the trojan from the affected machine.  

Robert Wagner

Additional References:

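As an added illustration (not part of the original post or of Snort's own code), the following Python models what SID 141 matches against a few constructed packets, including the NAT false positive and the shifted-client-port false negative the post describes. The Packet record, the matches_sid_141 helper and the sample packets are assumptions made for this model.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Packet:
    """Minimal TCP packet model (assumed for this example)."""
    src_port: int
    dst_port: int
    flags: str          # TCP flag letters, e.g. "PA" for PSH+ACK
    payload: bytes
    from_home_net: bool # True models $HOME_NET -> $EXTERNAL_NET direction


def matches_sid_141(pkt: Packet) -> bool:
    """Mirror the rule header and options of SID 141."""
    # $HOME_NET 31785 -> $EXTERNAL_NET any
    if not pkt.from_home_net or pkt.src_port != 31785:
        return False
    # flags:A+  => ACK must be set, any other flags may be set too
    if "A" not in pkt.flags:
        return False
    # content:"host" => case-sensitive substring match (no nocase modifier)
    return b"host" in pkt.payload


def triage(packets: List[Packet]) -> List[int]:
    """Return the indexes of packets that would fire the alert."""
    return [i for i, p in enumerate(packets) if matches_sid_141(p)]


# Constructed sample traffic, labelled by the outcome it demonstrates.
SAMPLE_PACKETS = [
    Packet(31785, 1024, "PA", b"host", True),    # HackAttack client reply: alert
    Packet(31786, 1024, "PA", b"host", True),    # port off by one: missed (false negative)
    Packet(31785, 1024, "S", b"host", True),     # SYN without ACK: flags:A+ fails
    Packet(31785, 1024, "PA", b"hello", True),   # no "host" in the payload
    Packet(31785, 80, "PA",
           b"GET / HTTP/1.0\r\nReferer: http://localhost/\r\n\r\n",
           True),                                # NAT'd web client: false positive
    Packet(31785, 1024, "PA", b"host", False),   # wrong direction: not $HOME_NET source
]

if __name__ == "__main__":
    for i in triage(SAMPLE_PACKETS):
        print(f"SID 141 fires on sample packet {i}: {SAMPLE_PACKETS[i]}")
```

Only sample packets 0 and 4 fire, which shows both caveats from the post: a legitimate NAT'd flow from 31785 whose payload happens to contain "host" alerts, while the real client one port over does not.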