[Snort-sigs] db entry for sid 158

Patrick Sarnacke pbsarnac at ...409...
Wed Mar 6 08:07:08 EST 2002


Rule:
alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flags: A+; content:"FTP Port open"; sid:158; classtype:misc-activity; rev:3;)
--
Sid:
158
--
Summary:
This signature indicates that the FTP server was activated on a machine on 
$HOME_NET that is infected with the BackConstruction trojan.
--
Impact:
A remote attacker can download files from the trojaned machine.
--
Detailed Information:
BackConstruction is a simple Windows backdoor trojan that allows file 
browsing, manipulation, and download; remote application launching and 
killing; chat; and remote system crash, shutdown, and reboot. This particular 
signature indicates that the BackConstruction client on an attacker's machine 
has sent an instruction to the infected machine (which is running the 
BackConstruction server) to enable FTP. The client can now download files from 
the trojaned machine's hard drive(s).
--
Attack Scenarios:
This trojan can be distributed through any of the normal means. Once 
installed, any attacker can connect at leisure, as long as she knows the IP 
address and has access to ports 21, 666, 5401 and 5402.
--
Ease of Attack:
Once the trojan is installed, as long as the IP address is known and the 
necessary ports are available to the attacker, attack is extremely easy.
--
False Positives:

--
False Negatives:

--
Corrective Action:
Mitigation:
Block inbound ports 21, 666, 5401, and 5402 at the firewall, or install a 
host-based firewall to block the same ports.
Removal:
Remove the file c:\windows\cmctl32.exe. Delete the registry key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Shell=""C:\WINDOWS\Cmctl32.exe"
Reboot the infected machine to kill the running instance of the trojan.

[Removal instructions from http://www.tlsecurity.net]
--
Contributors:

--
Additional References:
Packet dump:
0000  00 50 56 fe 18 10 00 50  56 ff ae cb 08 00 45 00   .PV....P V.....E.
0010  00 35 76 01 40 00 80 06  2e 66 c0 a8 ea 85 c0 a8   .5v.@... .f......
0020  ea 84 02 9a 04 0c 00 64  b1 e7 00 38 bb c8 50 18   .......d ...8..P.
0030  22 05 6a 3f 00 00 46 54  50 20 50 6f 72 74 20 6f   ".j?..FT P Port o
0040  70 65 6e                                           pen
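As an added example (not part of the original entry or of the Snort rule set), the following Python reproduces the match conditions of sid 158 over the packet dump above: it parses the hex columns, walks Ethernet -> IPv4 -> TCP, and checks source port 666, the ACK bit ("flags: A+") and the "FTP Port open" content. The $HOME_NET/$EXTERNAL_NET address variables are not modelled; the function names are this example's own.

```python
import struct

# Packet dump from the entry above, hex columns only (ASCII column dropped).
PACKET_DUMP = """
0000  00 50 56 fe 18 10 00 50  56 ff ae cb 08 00 45 00
0010  00 35 76 01 40 00 80 06  2e 66 c0 a8 ea 85 c0 a8
0020  ea 84 02 9a 04 0c 00 64  b1 e7 00 38 bb c8 50 18
0030  22 05 6a 3f 00 00 46 54  50 20 50 6f 72 74 20 6f
0040  70 65 6e
"""
TCP_ACK = 0x10  # ACK bit of the TCP flags byte; "flags: A+" = ACK set, other bits ignored

def parse_hexdump(dump: str) -> bytes:
    """Convert 'offset  xx xx ...' lines into the raw Ethernet frame."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out.extend(int(h, 16) for h in line.split()[1:])  # drop the offset column
    return bytes(out)

def tcp_fields(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP and return the fields the rule tests."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4     # TCP header length in bytes
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "flags": tcp[13], "payload": tcp[data_off:]}

def matches_sid158(frame: bytes) -> bool:
    """Port, flag and content tests of sid 158 ($HOME_NET/$EXTERNAL_NET not modelled)."""
    f = tcp_fields(frame)
    return (f["sport"] == 666
            and bool(f["flags"] & TCP_ACK)
            and b"FTP Port open" in f["payload"])

if __name__ == "__main__":
    frame = parse_hexdump(PACKET_DUMP)
    f = tcp_fields(frame)
    print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} sid158={matches_sid158(frame)}")
```

Running it against the dump reports 192.168.234.133:666 -> 192.168.234.132:1036 with the rule matching; altering the flags or payload makes the match fail, which is the behaviour to expect from the rule itself.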