[Snort-sigs] Signature to detect shells bound to a port

Jukka Juslin jtjuslin at ...1151...
Tue Jul 29 23:35:06 EDT 2003


For example the famous sshd remote root exploit:
(http://staff.washington.edu/dittrich/misc/ssh-analysis.txt)

...Binds a shell to a high number port. Is there any signature to
detect these shells giving backdoor access to a computer?

I tried to find one in the current rule base.

It is of course hard to do this, but what about starting by
looking for strings "root     root" and -rw------ and similar
in the streams for ports, which are not ftp and http? The user
probably types ls -al at some point.

Jukka
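
The heuristic proposed above, as an added example that is not part of the original post: Python detection logic that looks for `ls -al` style lines in server-to-client stream data on ports other than FTP and HTTP. The names `score_stream`, `EXCLUDED_PORTS` and `min_lines`, the inclusion of port 20, and the sample payloads are assumptions made for this example.

```python
import re

# Ports the post excludes because directory listings are expected there.
# Port 20 (ftp-data) is an assumption added here: FTP LIST output travels
# on the data channel, not on port 21.
EXCLUDED_PORTS = {20, 21, 80}

# One line of long-format `ls` output: mode string, link count, owner, group,
# then a digit (file size, or the major number of a device node).
# Anchoring at line start avoids firing on the same words inside ordinary text.
LS_LINE = re.compile(
    rb"^[-dlcbps][-rwxsStT]{9}[+.@]?[ \t]+\d+[ \t]+(\S+)[ \t]+(\S+)[ \t]+\d",
    re.MULTILINE,
)

def score_stream(server_port, payload, min_lines=2):
    """Return (alert, listing_lines, root_owned) for one reassembled stream.

    alert is True when at least min_lines listing lines are present and at
    least one of them is owned by root:root, on a non-excluded port.
    """
    if server_port in EXCLUDED_PORTS:
        return (False, 0, 0)
    matches = LS_LINE.findall(payload)
    root_owned = sum(1 for owner, group in matches
                     if owner == b"root" and group == b"root")
    alert = len(matches) >= min_lines and root_owned >= 1
    return (alert, len(matches), root_owned)

# Constructed sample data (not captured traffic).
SHELL_OUTPUT = (
    b"total 24\n"
    b"drwx------   3 root     root         4096 Jul 29 23:10 .\n"
    b"drwxr-xr-x  21 root     root         4096 Jul 28 09:02 ..\n"
    b"-rw-------   1 root     root          512 Jul 29 23:11 .bash_history\n"
)
# The same strings inside a sentence: a plain substring match would fire here.
CHAT_TEXT = b"set the key to -rw------- and make the owner root     root\n"

if __name__ == "__main__":
    for port, data in [(40000, SHELL_OUTPUT), (21, SHELL_OUTPUT), (40000, CHAT_TEXT)]:
        print(port, score_stream(port, data))
```

Requiring whole listing lines rather than the bare strings is what keeps the chat-text sample from alerting; the threshold can be raised on networks where administrators legitimately run remote shells over cleartext protocols.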



