[Snort-sigs] SID 493

Warchild warchild at ...288...
Tue Jan 29 12:48:02 EST 2002


Rule:  alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access";
content:"Welcome!psyBNC at ...327..."; flags:A+; classtype:bad-unknown; sid:493;
rev:2;) 

--
Sid: 493

--
Summary: 
Possible access to the psyBNC IRC "bouncer" was detected.

--
Impact: 
Possible loss of bandwidth, violation of AUP, or system compromise depending on
the context psyBNC is being used in. 


--
Detailed Information:
The psyBNC IRC bouncer was designed to hold a connection to an IRC server.  As part
of the connection process, a psyBNC server will respond with
"Welcome!psyBNC at ...327...".

--
Attack Scenarios:
The psyBNC server itself is not necessarily a risk in itself, but this may be a
violation of your AUP.  Furthermore, psyBNC has found its way into a large number
of rootkits, both as an IRC bouncer and as a remote control agent for DDoS networks.

--
Ease of Attack:
Any user can install psyBNC.

--
False Positives:
Since this rule looks for the psyBNC string to/from any port, any tcp connection
that contains "Welcome!psyBNC at ...327..." will trigger this rule.  


--
False Negatives:
A modified psyBNC server will not respond with "Welcome!psyBNC at ...327..." and could
easily evade this rule.


--
Corrective Action:
Check the originating host IP and source port and investigate the possibility of a
listening psyBNC server and possible system compromise.

--
Contributors:
Warchild <warchild at ...288...>
Jon Hart <jhart at ...289...>

-- 
Additional References:
http://www.psychoid.lam3rz.de/
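
As an added illustration (not part of the original post or of the Snort rule
set), the following Python models the three conditions SID 493 checks -- direction
$HOME_NET -> $EXTERNAL_NET on any port, flags:A+ (ACK set, other bits ignored),
and a content match anywhere in the payload -- and runs them over a handful of
constructed packets that exercise the false positive and false negative cases
described above. HOME_NET is a hypothetical 10.0.0.0/8. The archive obfuscates
the tail of the banner ("Welcome!psyBNC at ...327..."), so only the visible prefix
"Welcome!psyBNC" is used as the content string here; substitute the full string
from your copy of the rule.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical $HOME_NET; adjust to your own address space.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]

# Visible prefix of the rule's content string. The archived post obfuscates the
# rest of the banner, so this is deliberately shorter than the real rule's content.
BANNER = b"Welcome!psyBNC"


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # Snort-style flag letters, e.g. "AP" = ACK+PSH, "S" = SYN
    payload: bytes


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def sid_493_matches(pkt: Packet) -> bool:
    """Apply the SID 493 conditions to one TCP segment.

    tcp $HOME_NET any -> $EXTERNAL_NET any : source inside, destination outside,
                                             ports unrestricted
    flags:A+                               : ACK must be set, other bits ignored
    content:"Welcome!psyBNC..."            : substring anywhere in the payload
    """
    if not (in_home_net(pkt.src) and not in_home_net(pkt.dst)):
        return False
    if "A" not in pkt.flags:
        return False
    return BANNER in pkt.payload


def triage(pkts):
    """Return the (src host, src port) pairs to investigate for a listening psyBNC,
    which is what the Corrective Action section asks for."""
    return sorted({(p.src, p.sport) for p in pkts if sid_493_matches(p)})


# Constructed sample traffic (not captured data).
SAMPLES = [
    # Internal bouncer answering an external client on a high port: alerts.
    Packet("10.1.2.3", 31337, "198.51.100.7", 40122, "AP",
           b"Welcome!psyBNC (constructed banner tail)\r\n"),
    # Same string inside a web page served from port 80: still alerts (false positive,
    # since the rule is not bound to any port).
    Packet("10.1.2.3", 80, "198.51.100.7", 40123, "AP",
           b"HTTP/1.1 200 OK\r\n\r\n<p>Welcome!psyBNC users</p>"),
    # Bouncer with a modified greeting: silently missed (false negative).
    Packet("10.1.2.3", 31337, "198.51.100.7", 40124, "AP",
           b"Welcome to the shell\r\n"),
    # Banner flowing inbound instead of outbound: wrong direction, no alert.
    Packet("198.51.100.7", 40125, "10.1.2.3", 31337, "AP",
           b"Welcome!psyBNC (constructed banner tail)\r\n"),
    # Banner in a segment without ACK: fails flags:A+, no alert.
    Packet("10.1.2.3", 31337, "198.51.100.7", 40126, "S",
           b"Welcome!psyBNC (constructed banner tail)\r\n"),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] "
              f"alert={sid_493_matches(p)}")
    print("investigate:", triage(SAMPLES))
```

The port-80 hit shows why the False Positives section matters: a banner check with
no port or flow-direction context beyond HOME_NET/EXTERNAL_NET will fire on any
TCP stream carrying the string, so the triage list should be verified by
connecting to the reported source port before treating the host as compromised.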