[Snort-sigs] Documentation: SID 355

Steven Alexander alexander.s at ...1565...
Fri Jun 20 09:26:16 EDT 2003


Rule:  

FTP pass wh00t 
--
Sid:

355

--
Summary:

This signature indicates that somebody has tried to login to your FTP
server using a common backdoor password.

--
Impact:

An attacker may have privileged access to your system.

--
Detailed Information:

If an attacker is successful in logging in to your ftp server using this
password then the server has already been compromised.  It is possible
that the attacker is just scanning for systems that have already been
compromised by other people.  Further investigation is warranted.

--
Affected Systems:

Linux

--
Attack Scenarios:

An attacker could be scanning for systems with the backdoor installed.
An attacker may have already compromised the system and installed the
backdoor his/herself.  

--
Ease of Attack:
Very Simple

--
False Positives:

A user could legitimately choose this password.  However, the password
contains upper and lower case letters with numbers and is probably rare.

--
False Negatives:

None known.
--
Corrective Action:

An attempt should be made to determine if the system has been
compromised (perhaps by looking for the backdoor yourself).  If the
server is determined to have been compromised, the system should be
reinstalled from the original media or a backup that is known to be
safe.  All current security patches available for your system should be
applied to prevent the attacker from breaking into the system again.
Other systems on your network should be examined for evidence of
compromise.

--
Contributors:
Documentation - Steven Alexander<alexander.s at ...1565...>
-- 
Additional References:

http://www.whitehats.com/info/IDS324







More information about the Snort-sigs mailing list