[Snort-sigs] Root kit and "hackers defender" detection

Robert Wagner rwagner at ...447...
Tue Jan 28 08:48:04 EST 2003

What I would recommend if you wish to capture the backdoor and create a
Run snort with full logging something like: 

/usr/snort/snort -s -D -X -c /etc/snort/snort.conf -o

Create a generic rule to capture all packets going to the backdoor port:

alert udp any any -> any (port#) (msg:"Port Test";tag: session, 300,
alert tcp any any -> any (port#) (msg:"Port Test";tag: session, 300,

This will allow you to see the entire session.  Post the session (someone
will recommend a sign for you) or create a rule using some identifying part
of the session that is unique to the backdoor.

-----Original Message-----
From: Tony Johansson [mailto:tony.johansson at ...1237...]
Sent: Tuesday, January 28, 2003 6:47 AM
To: 'snort-sigs at lists.sourceforge.net'
Subject: [Snort-sigs] Root kit and "hackers defender" detection


Regarding a recent discussion on ntbugtraq about the detection and
characteristics of a root kit which seems to be a modified variant of
"hackers defender" (http://rootkit.host.sk/), I decided to try and see if
snort would detect it.

I downloaded the latest version of "hackers defender" and installed it on a
test machine. It works perfectly, answering on all open tcp ports (scary...)

I then hooked up snort (or more specifically puresecure) and configured it.
I downloaded all the latest rules and enabled them all. It detects port
scans and web cmd.exe attacks (http://machine/../../..cmd.exe ) but I am
still able to connect to the back door over TCP 80 with no alert from snort.

I'm pretty new to snort and havent worked much with sigs. However, I should
think that this would be something that people would want to detect?

regards, Tony

This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list