[Snort-sigs] Documentation: SID 355
alexander.s at ...1565...
Fri Jun 20 09:26:16 EDT 2003
FTP pass wh00t
This signature indicates that somebody has tried to login to your FTP
server using a common backdoor password.
An attacker may have privileged access to your system.
If an attacker is successful in logging in to your ftp server using this
password then the server has already been compromised. It is possible
that the attacker is just scanning for systems that have already been
compromised by other people. Further investigation is warranted.
An attacker could be scanning for systems with the backdoor installed.
An attacker may have already compromised the system and installed the
Ease of Attack:
A user could legitimately choose this password. However, the password
contains upper and lower case letters with numbers and is probably rare.
An attempt should be made to determine if the system has been
compromised (perhaps by looking for the backdoor yourself). If the
server is determined to have been compromised, the system should be
reinstalled from the original media or a backup that is known to be
safe. All current security patches available for your system should be
applied to prevent the attacker from breaking into the system again.
Other systems on your network should be examined for evidence of
Documentation - Steven Alexander<alexander.s at ...1565...>
More information about the Snort-sigs