[Snort-sigs] SID 493
warchild at ...288...
Tue Jan 29 12:48:02 EST 2002
Rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access"; content:"Welcome!psyBNC at ...327..."; flags:A+; classtype:bad-unknown; sid:493;)
Summary:
Possible access to the psyBNC IRC "bouncer" was detected.
Impact:
Possible loss of bandwidth, violation of AUP, or system compromise, depending on
the context psyBNC is being used in.
Detailed Information:
The psyBNC IRC bouncer was designed to hold a connection to an IRC server. As part
of the connection process, a psyBNC server will respond with
"Welcome!psyBNC at ...327...".
The psyBNC server is not necessarily a risk in itself, but running one may be a
violation of your AUP. Furthermore, psyBNC has found its way into a large number
of rootkits, both as an IRC bouncer and as a remote control agent for DDoS networks.
Ease of Attack:
Any user can install psyBNC.
False Positives:
Since this rule looks for the psyBNC string to/from any port, any TCP connection
that contains "Welcome!psyBNC at ...327..." will trigger this rule.
False Negatives:
A modified psyBNC server will not respond with "Welcome!psyBNC at ...327..." and could
easily evade this rule.
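As an added illustration (not part of the original post, the Snort rule set, or psyBNC itself), the following Python re-implements the rule's three conditions and runs them over a few constructed flows, showing the any-port false positive and the modified-banner false negative described above. It assumes a constructed $HOME_NET of 10.0.0.0/8, treats $EXTERNAL_NET as anything outside it, and, because the archived content string is truncated, matches on the visible prefix "Welcome!psyBNC" only.

```python
import ipaddress
from dataclasses import dataclass

# Assumptions (not from the original post): $HOME_NET is 10.0.0.0/8,
# $EXTERNAL_NET is everything else, and the content match uses only the
# visible prefix of the truncated banner string.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
PSYBNC_BANNER = b"Welcome!psyBNC"

@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flag letters as Snort writes them, e.g. "PA", "S"
    payload: bytes

def sid493_matches(flow: Flow) -> bool:
    """Apply SID 493's conditions: $HOME_NET -> $EXTERNAL_NET, flags:A+, content."""
    from_home = ipaddress.ip_address(flow.src) in HOME_NET
    to_external = ipaddress.ip_address(flow.dst) not in HOME_NET
    ack_set = "A" in flow.flags                # flags:A+ = ACK plus any others
    return from_home and to_external and ack_set and PSYBNC_BANNER in flow.payload

# Constructed sample flows; ports are arbitrary because the rule uses "any".
FLOWS = [
    # 0: a bouncer on a home host greeting an external client -> true positive
    Flow("10.1.2.3", 31337, "198.51.100.7", 50123, "PA", b"Welcome!psyBNC@example\r\n"),
    # 1: the same server with a rebuilt banner -> false negative (rule is evaded)
    Flow("10.1.2.3", 31337, "198.51.100.7", 50123, "PA", b"Welcome!bnc@example\r\n"),
    # 2: web page text quoting the banner on port 80 -> false positive (any port)
    Flow("10.1.2.3", 80, "198.51.100.7", 40000, "PA", b"<p>Welcome!psyBNC is...</p>"),
    # 3: SYN without ACK never carries the banner -> no match
    Flow("10.1.2.3", 31337, "198.51.100.7", 50123, "S", b""),
    # 4: banner arriving from outside -> wrong direction for this rule
    Flow("198.51.100.7", 31337, "10.1.2.3", 50123, "PA", b"Welcome!psyBNC@example\r\n"),
]

def alerting_flows(flows=FLOWS):
    """Return indices of flows that would raise the SID 493 alert."""
    return [i for i, f in enumerate(flows) if sid493_matches(f)]

if __name__ == "__main__":
    print("alerts on flows:", alerting_flows())   # [0, 2]
```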
Corrective Action:
Check the originating host IP and source port and investigate the possibility of a
listening psyBNC server and possible system compromise.
Contributors:
Warchild <warchild at ...288...>
Jon Hart <jhart at ...289...>