[Snort-sigs] BACKDOOR w00w00 attempt

Khan khan at ...270...
Tue Jan 22 11:01:02 EST 2002

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

Rule: BACKDOOR w00w00 attempt

Sid: 209

Summary: This indicates that the string "w00w00" has appeared in a Telnet session.  In
the most severe of cases, it indicates that an internal server has been compromised and
contains the account "w00w00".

Impact:  The potential impact of this string can be varied.  If it indicates that a
username/password combination contains "w00w00", a server exists with a possible backdoor.

Detailed Information:  This indicates that the search string "w00w00" has shown up in
either an inbound or outbound Telnet connection.  This could indicate a compromised
internal/external system with an account having the string "w00w00" as a username or
password.  It could also indicate an attempt to join the chat channel #w00w00, or could
simply indicate someone reading an email with "w00w00" in the text.

Attack Scenarios:  An attacker will attempt to connect to port 23 and login using
"w00w00" to gain access.  This could also indicate an attempt to login to IRC to the chat
channel "#w00w00" or another variant of that.  In addition, this could indicate an attack
via your network to another compromised system using "w00w00" as a login.

Ease of Attack: This attack only requires a login and/or password combination or an
attempt to join a "hacking" channel.

False Positives: The most likely false positive would be a user reading email with
"w00w00" in the email.  This could simply be someone reading a security advisory, patch,
etc.  Also, this could simply indicate a chat channel join request.  According to your
specific policies regarding chat usage, this could indicate a policy violation.
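
The following is an added example, not code from the original post and not the Snort
rule text for sid 209 itself.  It emulates the behaviour the Detailed Information and
False Positives sections describe: a plain content match for "w00w00" restricted to
Telnet (port 23) traffic, reporting whether the match was typed towards the server (a
possible login attempt) or displayed by the server (text such as a mail body, the likely
false positive), and whether the connection is inbound or outbound relative to a
hypothetical home network.  The packet records, the 10.0.0.0/24 home prefix, and the
Packet/Alert classes are all constructed for illustration.

```python
"""Toy emulation of a Snort-style content match for "w00w00" in Telnet traffic.

Added example; not the original rule and not code from the Snort-sigs post.
"""
from dataclasses import dataclass
from typing import List, Optional

PATTERN = b"w00w00"      # the content the description says the rule looks for
TELNET_PORT = 23
SID = 209
MSG = "BACKDOOR w00w00 attempt"

# Hypothetical home network prefix (Snort would use $HOME_NET); constructed.
HOME_NET_PREFIX = "10.0.0."


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass
class Alert:
    sid: int
    msg: str
    flow: str        # "to_server" (typed by the client) or "to_client" (shown by the server)
    connection: str  # "inbound" if the Telnet server is inside HOME_NET, else "outbound"
    context: str     # text around the match, for triage of false positives


def is_home(ip: str) -> bool:
    return ip.startswith(HOME_NET_PREFIX)


def match_w00w00(pkt: Packet) -> Optional[Alert]:
    """Return an Alert if the packet is Telnet traffic containing PATTERN, else None."""
    if TELNET_PORT not in (pkt.src_port, pkt.dst_port):
        return None  # outside the rule's scope (e.g. SMTP or IRC carrying the same string)
    idx = pkt.payload.find(PATTERN)
    if idx < 0:
        return None
    if pkt.dst_port == TELNET_PORT:
        flow, server_ip = "to_server", pkt.dst_ip
    else:
        flow, server_ip = "to_client", pkt.src_ip
    connection = "inbound" if is_home(server_ip) else "outbound"
    lo, hi = max(0, idx - 12), idx + len(PATTERN) + 12
    context = pkt.payload[lo:hi].decode("ascii", errors="replace")
    return Alert(SID, MSG, flow, connection, context)


def scan(packets: List[Packet]) -> List[Alert]:
    """Run the match over a packet list and collect the alerts in order."""
    return [a for a in (match_w00w00(p) for p in packets) if a is not None]


# Constructed sample traffic covering the scenarios in the description.
SAMPLE_PACKETS = [
    # external client typing the string at an internal Telnet login prompt
    Packet("192.0.2.10", 40123, "10.0.0.5", 23, b"w00w00\r\n"),
    # internal Telnet server echoing a mail body that merely quotes the string
    Packet("10.0.0.5", 23, "192.0.2.10", 40123,
           b"Subject: advisory from w00w00 security\r\n"),
    # same string over SMTP (port 25): not Telnet, so no alert
    Packet("192.0.2.10", 40124, "10.0.0.25", 25, b"Subject: w00w00 advisory\r\n"),
    # ordinary Telnet traffic without the string
    Packet("192.0.2.10", 40123, "10.0.0.5", 23, b"ls -la\r\n"),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_PACKETS):
        print(f"sid {a.sid} {a.msg} [{a.flow}, {a.connection}] {a.context!r}")
```

A to_server match on an inbound connection is the case the Corrective Action section is
about (check the server for a "w00w00" account); a to_client match whose context looks
like mail or chat text is the false positive the description warns of.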

False Negatives: None known.

Corrective Action: Examine the Telnet server for compromised services and specifically
look for accounts with "w00w00" as a user and/or password.  If this indicates an attempt
to join the chat channel "#w00w00", review your security policies for a possible security
violation (i.e. discussion of "hacking" is prohibited on company time, etc).

Contributors: Andy Boncek <khan at ...270...>

Additional References:
