[Snort-sigs] SID 498

Anton Chuvakin anton at ...1177...
Tue Jan 14 21:48:07 EST 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $


alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned
root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)

Sid: 498


Summary: A post-compromise behavior indicating the use of a UNIX "id"


Impact: attacker might have gained an ability to execute commands
remotely on the system.

Detailed Information:

This signature triggers when a UNIX "id" command is used to confirm
the user name of the currenly logged in user over any unencrypted
connection. Such connection can be either a legitimate telnet
connection or a result of spawning a shell on FTP, POP3, SMTP or other
port as a consequence of network exploit. The string "uid=0(root)" is
an output of an "id" command indicating that the user has "root"
privileges.  Seeing such a response indicates that some user,
connected over the network to a target server, has root privileges.


Attack Scenarios: a buffer overflow exploit against the FTP server
results in "/bin/sh" being executed. An automated script performing an
attack, checks for the success of the exploit via an "id" command.


Ease of Attack: this post-attack behavior can accompany different


False Positives: the signature will trigger if a legitimate system
administrator executes the "id" command over the telnet connection.

False Negatives: not known


Corrective Action: check the port reported by snort, provided that the
port is not a telnet/rlogin and no legitimate connection took place,
one needs to investigate the server for signs of compromise, run the
integrity checking software, look for other IDS alerts involving the
same IP addresses.

Contributors: Anton Chuvakin <http://www.chuvakin.org>

Additional References:

More information about the Snort-sigs mailing list