[Snort-sigs] SID 320
anton at ...1177...
Wed Jan 15 21:57:04 EST 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cmd_rootsh
backdoor attempt"; flow:to_server,established; content:"cmd_rootsh";
reference:url,www.sans.org/y2k/fingerd.htm; sid:320; rev:6;)
Summary: Access to a UNIX backdoor deployed by intruders
Impact: the attacker has modified critical system files on the system and
is now attempting to use the system
The signature tracks access to a "fingerd" backdoor, which was often
found on compromised UNIX machines in the late 1990s. The Trojan finger
daemon runs as "root" from the inetd.conf file, unlike the regular
finger daemon, which runs as "nobody", and it replaces the regular
"fingerd" binary. It allows its owner to execute several commands
remotely by sending a finger request for a specific user. In particular,
a finger request for the user "cmd_rootsh" spawns a root shell bound to
the finger port and allows remote command execution.
Attack Scenarios: an attacker gains access to a UNIX machine via a
remote exploit, then downloads and deploys the "fingerd" trojan. Next,
he only needs to send a finger request to gain root access with no
Ease of Attack: this post-attack behavior can accompany different
False Positives: not known
False Negatives: not known
Corrective Action: investigate the target server for signs of
compromise, run integrity checking software or manually compare the
"fingerd" binary with a known good copy, and look for other IDS alerts
involving the same IP addresses.
Contributors: Anton Chuvakin <http://www.chuvakin.org>
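The following Python is an added example and is not part of Anton's submission or of the Snort distribution. It mirrors the conditions of SID 320 (external source, $HOME_NET port 79, flow to_server and established, "cmd_rootsh" anywhere in the payload) over constructed finger requests, separates out an RFC 1288 request parser to show which user the query actually names, and implements the inetd.conf check implied by the description above: a "finger" service that inetd starts as "root" instead of "nobody". The Packet fields, the sample requests and both sample inetd.conf fragments are constructed for illustration.

```python
"""Added example: emulate Snort SID 320 over constructed finger requests and
audit an inetd.conf for a finger service that runs as root.

Constructed sample data only; this is not code from the original post or
from the Snort project."""
import re
from dataclasses import dataclass
from typing import List

FINGER_PORT = 79
BACKDOOR_TOKEN = b"cmd_rootsh"   # the content: match in SID 320


@dataclass
class Packet:
    """Hypothetical, reduced view of one TCP segment as the rule sees it."""
    src_ext: bool       # source address is in $EXTERNAL_NET
    dst_home: bool      # destination address is in $HOME_NET
    dst_port: int
    to_server: bool     # flow:to_server
    established: bool   # flow:established
    payload: bytes


def matches_sid_320(pkt: Packet) -> bool:
    """Reproduce the rule conditions. Like the rule, this is a plain substring
    match: "cmd_rootsh" anywhere in the payload fires, whether or not the
    finger query is well formed."""
    return (pkt.src_ext and pkt.dst_home and pkt.dst_port == FINGER_PORT
            and pkt.to_server and pkt.established
            and BACKDOOR_TOKEN in pkt.payload)


def finger_request_user(payload: bytes) -> str:
    """Parse an RFC 1288 query '[/W] [user]\\r\\n' and return the user field,
    so an analyst can see which account the request actually asked for."""
    line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    line = re.sub(r"^/W\s*", "", line)      # drop the optional verbose flag
    return line.strip()


# inetd.conf fields: service socket_type proto flags user server_path [args]
INETD_LINE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def audit_inetd_finger(conf_text: str) -> List[str]:
    """Return findings for every 'finger' entry whose user field is root.
    The regular finger daemon is started by inetd as 'nobody'; the trojan
    described in the signature runs as 'root'."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if not line:
            continue
        m = INETD_LINE.match(line)
        if not m:
            continue
        service, user, server = m.group(1), m.group(5), m.group(6)
        # inetd accepts user.group or user:group in the user field
        account = re.split(r"[.:]", user, maxsplit=1)[0]
        if service == "finger" and account == "root":
            findings.append(f"line {lineno}: finger runs as root via {server}")
    return findings


# Constructed samples, not real captures or real configuration files.
SAMPLE_REQUESTS = [
    b"root\r\n",              # ordinary finger query, must not alert
    b"/W cmd_rootsh\r\n",     # backdoor trigger with verbose flag
    b"cmd_rootsh\r\n",        # backdoor trigger
]

SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed, clean)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""

TROJANED_INETD_CONF = """\
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
finger  stream  tcp  nowait  root    /usr/sbin/in.fingerd  in.fingerd
"""


def scan_requests(requests: List[bytes]) -> List[tuple]:
    """Run each constructed request through the rule emulation; returns
    (requested user, alerted) pairs."""
    results = []
    for payload in requests:
        pkt = Packet(True, True, FINGER_PORT, True, True, payload)
        results.append((finger_request_user(payload), matches_sid_320(pkt)))
    return results


if __name__ == "__main__":
    for user, alerted in scan_requests(SAMPLE_REQUESTS):
        print(f"finger {user!r:20} -> {'SID 320 alert' if alerted else 'ok'}")
    for conf in (SAMPLE_INETD_CONF, TROJANED_INETD_CONF):
        print(audit_inetd_finger(conf) or ["no root finger service"])
```

Running the block alerts on both "cmd_rootsh" requests and stays quiet on the ordinary query; the inetd audit flags only the trojaned fragment. The audit is a triage aid for the Corrective Action step, not a replacement for comparing the "fingerd" binary against a known good copy, since a trojan could also be installed under the original path with the original inetd.conf user field left alone.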