[Snort-sigs] SID 493

Warchild warchild at ...288...
Tue Jan 29 12:48:02 EST 2002

Rule:  alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access";
content:"Welcome!psyBNC at ...327..."; flags:A+; classtype:bad-unknown; sid:493;)

Sid: 493

Possible access to the psyBNC IRC "bouncer" was detected.

Possible loss of bandwidth, violation of AUP, or system compromise, depending on
the context in which psyBNC is being used.

Detailed Information:
The psyBNC IRC bouncer was designed to hold a connection to an IRC server.  As part
of the connection process, a psyBNC server will respond with
"Welcome!psyBNC at ...327...".

Attack Scenarios:
The psyBNC server is not necessarily a risk in itself, but running one may be a
violation of your AUP.  Furthermore, psyBNC has found its way into a large number
of rootkits, both as an IRC bouncer and as a remote control agent for DDoS networks.

Ease of Attack:
Any user can install psyBNC.

False Positives:
Since this rule looks for the psyBNC string to/from any port, any TCP connection
that contains "Welcome!psyBNC at ...327..." will trigger this rule, whether or
not a bouncer is actually involved.

False Negatives:
A modified psyBNC server will not respond with "Welcome!psyBNC at ...327..." and could
easily evade this rule.
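To make the match conditions, the false positive and the false negative above concrete, here is an added example (not part of the original post or of Snort) that applies the rule's three checks to constructed TCP segments: the $HOME_NET value, the treatment of $EXTERNAL_NET as "not $HOME_NET", and the banner host part are all assumptions, since the archive elides the real string.

```python
import ipaddress
from dataclasses import dataclass

# Assumed $HOME_NET; $EXTERNAL_NET is taken as "anything not in $HOME_NET".
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
# Constructed placeholder: the archive elides the host part of the real banner.
PSYBNC_BANNER = b"Welcome!psyBNC at EXAMPLE-HOST"
ACK, PSH = 0x10, 0x08


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes


def sid493_matches(seg: Segment) -> bool:
    """Apply SID 493 as written: $HOME_NET -> $EXTERNAL_NET, any ports,
    ACK set (flags:A+ allows other flags too), banner anywhere in the payload."""
    src, dst = ipaddress.ip_address(seg.src), ipaddress.ip_address(seg.dst)
    if src not in HOME_NET or dst in HOME_NET:
        return False
    if not seg.flags & ACK:
        return False
    return PSYBNC_BANNER in seg.payload


# Constructed sample traffic covering the cases the rule text discusses.
SAMPLES = {
    # bouncer on an internal host answering an external IRC client
    "bouncer_banner": Segment("10.1.2.3", "203.0.113.5", 31337, 50123, ACK | PSH,
                              b":" + PSYBNC_BANNER + b"\r\n"),
    # false positive: internal web server serving a page that quotes the banner
    "web_page_quoting_banner": Segment("10.1.2.4", "203.0.113.5", 80, 50124, ACK | PSH,
                                       b"HTTP/1.1 200 OK\r\n\r\n<p>" + PSYBNC_BANNER + b"</p>"),
    # false negative: rebuilt bouncer with a changed banner string
    "modified_banner": Segment("10.1.2.3", "203.0.113.5", 31337, 50125, ACK | PSH,
                               b":Welcome!psyBNC at CHANGED-HOST\r\n"),
    # wrong direction: a banner arriving from outside is not covered by this rule
    "inbound_banner": Segment("203.0.113.5", "10.1.2.3", 31337, 50126, ACK | PSH,
                              b":" + PSYBNC_BANNER + b"\r\n"),
}


def classify_samples() -> dict:
    return {name: sid493_matches(seg) for name, seg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:28} {'ALERT' if hit else 'no alert'}")
```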

Corrective Action:
Check the originating host IP and source port and investigate the possibility of a
listening psyBNC server and possible system compromise.

Warchild <warchild at ...288...>
Jon Hart <jhart at ...289...>

Additional References:
