[Snort-sigs] SID 320

Anton Chuvakin anton at ...1177...
Wed Jan 15 21:57:04 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
#
#

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cmd_rootsh
backdoor attempt"; flow:to_server,established; content:"cmd_rootsh";
classtype:attempted-admin; reference:nessus,10070;
reference:cve,CAN-1999-0660;
reference:url,www.sans.org/y2k/TFN_toolkit.htm;
reference:url,www.sans.org/y2k/fingerd.htm; sid:320; rev:6;)

--
Sid: 320

-- 
Summary: Access to a UNIX "fingerd" backdoor deployed by intruders on an already compromised host

-- 

Impact: An attacker has already replaced a critical system binary (the
finger daemon) on the target and is now attempting to use it; a
successful request yields a root shell with no authentication.

--
Detailed Information:

The signature tracks access to a "fingerd" backdoor that was often
found on compromised UNIX machines in the late 1990s. The Trojan finger
daemon replaces the regular "fingerd" binary and is started as "root"
from inetd.conf, unlike the regular finger daemon, which runs as
"nobody". It allows its owner to execute several commands remotely by
sending a finger request for a specific user name. In particular, a
finger request for the user "cmd_rootsh" spawns a root shell bound to
the finger port and allows remote command execution. The rule fires on
any client-to-server packet of an established TCP session to port 79
whose payload contains the literal, case-sensitive string "cmd_rootsh".
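The matching logic of SID 320, re-implemented over constructed TCP segments so the rule's conditions can be checked one by one. This is an added example, not code from the original post or from Snort; the Segment class, the to_server flag (standing in for flow:to_server,established) and all addresses and payloads are made up for the demonstration.

```python
"""Toy re-implementation of the matching logic of Snort SID 320 over
constructed TCP segments (added example, not part of the original post
or of Snort itself)."""
from dataclasses import dataclass
from typing import List, Tuple

FINGER_PORT = 79
TRIGGER = b"cmd_rootsh"   # literal from the rule's content: option


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    to_server: bool       # stands in for Snort's flow:to_server,established
    payload: bytes


def finger_request(user: str) -> bytes:
    """Build an RFC 1288 finger query: the user name followed by CRLF."""
    return user.encode() + b"\r\n"


def match_sid320(seg: Segment) -> bool:
    """True when the segment satisfies every condition of the rule:
    TCP to port 79, client-to-server in an established session, and a
    payload containing the exact string cmd_rootsh."""
    if seg.dport != FINGER_PORT:
        return False
    if not seg.to_server:
        return False
    # Snort 'content' without 'nocase' is a case-sensitive byte match.
    return TRIGGER in seg.payload


def scan(segments: List[Segment]) -> List[Tuple[str, str]]:
    """Return (src, dst) for every segment that fires SID 320."""
    return [(s.src, s.dst) for s in segments if match_sid320(s)]


# Constructed traffic for the demonstration (not captured data).
SAMPLE = [
    # ordinary finger lookup: no alert
    Segment("10.0.0.5", 40001, "192.0.2.10", 79, True, finger_request("root")),
    # the backdoor trigger: alert
    Segment("198.51.100.7", 40002, "192.0.2.10", 79, True, finger_request("cmd_rootsh")),
    # same string on port 80: no alert (port does not match)
    Segment("198.51.100.7", 40003, "192.0.2.10", 80, True, b"GET /cmd_rootsh HTTP/1.0\r\n\r\n"),
    # server's reply echoing the name: no alert (flow is to_client)
    Segment("192.0.2.10", 79, "198.51.100.7", 40002, False, b"cmd_rootsh: no such user\r\n"),
    # different case: no alert (content match is case-sensitive)
    Segment("198.51.100.7", 40004, "192.0.2.10", 79, True, finger_request("CMD_ROOTSH")),
]

if __name__ == "__main__":
    for src, dst in scan(SAMPLE):
        print(f"SID 320 fired: {src} -> {dst}")
```

Only the second constructed segment fires; the port-80, reply-direction and upper-case variants show which of the rule's conditions each one fails.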

--

Attack Scenarios: An attacker gains access to a UNIX machine via a
remote exploit, then downloads and deploys the "fingerd" trojan. From
then on, the attacker only needs to send a finger request for
"cmd_rootsh" to regain root access without a password.

-- 

Ease of Attack: Trivial once the backdoor is installed; this
post-compromise behavior can accompany many different initial attacks.

-- 

False Positives: None known. "cmd_rootsh" is not a plausible legitimate
user name, but an authorized vulnerability scan that runs the referenced
Nessus check sends the same finger request and will trigger this rule.

--
False Negatives: None known. The rule matches only the literal string
"cmd_rootsh" on port 79, so a variant backdoor using a different trigger
name or port would not be detected.

-- 

Corrective Action: Investigate the target server for signs of
compromise: run integrity checking software or manually compare the
"fingerd" binary with a known good copy, check whether inetd.conf
starts finger as "root" rather than "nobody", and look for other IDS
alerts involving the same IP addresses.
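The two host-side checks from the corrective action above (binary against a known-good hash, inetd.conf finger entries running as root), as an added example that is not part of the original post. The inetd.conf excerpt, the binary contents and the known-good hash are constructed stand-ins; on a real system the known-good hash comes from the vendor's package manifest or an integrity-checker baseline.

```python
"""Host-side triage for the fingerd backdoor: compare the installed binary
against a known-good hash and flag inetd.conf finger entries that run as
root. Added example, not part of the original post; the inetd.conf lines,
binary contents and hash below are constructed for the demonstration."""
import hashlib
from typing import List, Tuple


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def binary_matches(data: bytes, known_good_sha256: str) -> bool:
    """True when the installed binary hashes to the known-good value."""
    return sha256_of(data) == known_good_sha256.lower()


def parse_inetd_conf(text: str) -> List[Tuple[str, str, str]]:
    """Return (service, user, server) for each active inetd.conf entry.
    Line format: service socket_type proto flags user[.group] server args..."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue            # blank or commented-out entry
        fields = line.split()
        if len(fields) < 6:
            continue            # malformed line, not an active service
        user = fields[4].split(".")[0].split(":")[0]   # strip optional group
        entries.append((fields[0], user, fields[5]))
    return entries


def suspicious_finger_entries(text: str) -> List[Tuple[str, str, str]]:
    """Finger services inetd would start as root. A regular fingerd runs as
    nobody; the trojan must run as root to hand out a root shell."""
    return [e for e in parse_inetd_conf(text) if e[0] == "finger" and e[1] == "root"]


def triage(installed: bytes, known_good_sha256: str, inetd_conf: str) -> List[str]:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if not binary_matches(installed, known_good_sha256):
        findings.append("fingerd binary differs from known-good copy")
    for service, user, server in suspicious_finger_entries(inetd_conf):
        findings.append(f"inetd runs {service} ({server}) as {user}")
    return findings


# Constructed inetd.conf excerpt (not from a real system): the original
# nobody entry has been commented out and a root entry added.
INETD_CONF = """\
# service  type   proto wait   user   server               args
ftp      stream tcp    nowait root   /usr/sbin/tcpd       in.ftpd
#finger  stream tcp    nowait nobody /usr/sbin/tcpd       in.fingerd
finger   stream tcp    nowait root   /usr/sbin/in.fingerd in.fingerd
"""

# Constructed stand-ins for the vendor's binary and the one found on disk.
KNOWN_GOOD_FINGERD = b"\x7fELF...known good in.fingerd..."
INSTALLED_FINGERD = b"\x7fELF...cmd_rootsh..."
KNOWN_GOOD_SHA256 = sha256_of(KNOWN_GOOD_FINGERD)

if __name__ == "__main__":
    for finding in triage(INSTALLED_FINGERD, KNOWN_GOOD_SHA256, INETD_CONF):
        print("FINDING:", finding)
```

The inetd.conf check also catches the common case where the trojan is launched directly rather than through a tcpd wrapper, since only the service name and user field are compared.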

--
Contributors: Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:

nessus,10070 http://cgi.nessus.org/plugins/dump.php3?id=10070
cve,CAN-1999-0660 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0660
www.sans.org/y2k/TFN_toolkit.htm
www.sans.org/y2k/fingerd.htm
