[Snort-users] BACKDOR ??

Jyri Hovila jyri.hovila at ...2940...
Mon Oct 29 16:04:02 EST 2001


Hi!

The rule that triggered the alert (NetMetro Incoming Traffic) works
simply by looking at the source and destination ports of TCP traffic, and
thus easily generates false alarms. It gets triggered whenever there's
incoming TCP traffic coming from port 5031 to any other port but 53 and
80:

alert tcp $EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming Traffic"; flags: A+; reference:arachnids,79; sid:160; rev:1; resp: rst_all;)

I have had to disable the rule on several networks because of the masses of
false alarms it caused.

So, it's most probably a false alarm. Just to be sure, check that the
host 192.168.7.250 does not have NetMetro installed.


Here's a typical example of what might have happened:

1. A user on host 192.168.7.250 (client) opens an FTP connection to
217.126.184.188 (server) with Netscape. To do that, the client makes a TCP
connection from a random port number (say, 1243) to the server's FTP
command channel, which runs on port 21.

    192.168.7.250:1243 => 217.126.184.188:21

2. As the user is using Netscape, passive FTP mode is used. So, the
client and the server make a deal that data (directory listings, file
transfers etc.) is moved by having the client open a data channel by
connecting to a random port (say, 5031) on the server. The source port is
once again random -- 4520 happens to be free, so let's use it.

    192.168.7.250:4520 => 217.126.184.188:5031

3. Now the user requests a file listing (ls) from the server. The server
happily sends the data via the already established data channel:

    217.126.184.188:5031 => 192.168.7.250:4520

SNORT! There's traffic coming from an external address, port 5031, to our
home network, to a port other than 53 and 80. =)

I hope this helps!

Cheers!

- Jyri
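The following is an added example, not part of Jyri's post and not Snort's own code: a small Python model of the port-based matching that the quoted rule (sid 160) performs, replayed against the three packets of the passive-FTP scenario above. It assumes $HOME_NET is 192.168.7.0/24 (only the host 192.168.7.250 appears in the post), that $EXTERNAL_NET is the negation of $HOME_NET, and that TCP flags are given as Snort-style letters ("S", "PA"). The port parser implements Snort's port syntax, where `53:80` is the inclusive range 53 through 80 and a leading `!` negates it. The packets are constructed from the post's three steps.

```python
"""Model of how Snort sid 160 (the NetMetro rule) matches on ports alone,
replayed against the passive-FTP session from the post.

Added example; it re-implements the rule's header logic in plain Python and
is neither Snort's code nor part of the original mailing-list message.
"""
import ipaddress
from dataclasses import dataclass

# Assumed snort.conf variable for the network in the post (the /24 is a guess;
# only 192.168.7.250 is named). $EXTERNAL_NET is treated as !$HOME_NET.
HOME_NET = ipaddress.ip_network("192.168.7.0/24")


def parse_port_spec(spec: str):
    """Parse a Snort port spec into (negated, low, high).

    Accepts 'any', a single port ('5031'), an inclusive range ('53:80'),
    open-ended ranges (':1024', '1024:'), each optionally prefixed by '!'.
    """
    spec = spec.strip()
    if spec == "any":
        return (False, 0, 65535)
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        low = int(lo) if lo else 0
        high = int(hi) if hi else 65535
    else:
        low = high = int(spec)
    return (negated, low, high)


def port_matches(spec: str, port: int) -> bool:
    """True when `port` satisfies the Snort port spec `spec`."""
    negated, low, high = parse_port_spec(spec)
    in_range = low <= port <= high
    return in_range != negated


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # Snort flag letters, e.g. "S" (SYN), "PA" (PSH+ACK)


def netmetro_rule_matches(pkt: Packet) -> bool:
    """alert tcp $EXTERNAL_NET 5031 -> $HOME_NET !53:80 (flags: A+; ...)

    Only the header fields and the flag test are modelled; there is no
    content match in the rule, which is why port numbers alone decide.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    return (
        src not in HOME_NET                      # $EXTERNAL_NET
        and port_matches("5031", pkt.sport)      # source port 5031
        and dst in HOME_NET                      # $HOME_NET
        and port_matches("!53:80", pkt.dport)    # dest port outside 53..80
        and "A" in pkt.flags                     # A+ : ACK set, others ignored
    )


# Constructed from the three steps in the post. Flags are assumed: the two
# client-initiated connections are shown as SYNs, the listing as PSH+ACK.
PASSIVE_FTP_SESSION = [
    Packet("192.168.7.250", 1243, "217.126.184.188", 21, "S"),     # step 1
    Packet("192.168.7.250", 4520, "217.126.184.188", 5031, "S"),   # step 2
    Packet("217.126.184.188", 5031, "192.168.7.250", 4520, "PA"),  # step 3
]


def alerts_for(packets) -> list:
    """Return the 1-based indices of packets that would raise the alert."""
    return [i for i, p in enumerate(packets, 1) if netmetro_rule_matches(p)]


if __name__ == "__main__":
    for i, p in enumerate(PASSIVE_FTP_SESSION, 1):
        verdict = "ALERT" if netmetro_rule_matches(p) else "pass"
        print(f"{i}. {p.src}:{p.sport} => {p.dst}:{p.dport} [{p.flags}] {verdict}")
```

Running it shows that only the third packet, the directory listing returned from the server's data port, fires the rule, and that the same data from a server data port of 80 (or anywhere in 53 through 80) would be silent. That is the whole trigger condition: nothing about NetMetro itself is inspected, so any passive-FTP server that hands out data port 5031 looks identical to the backdoor from the rule's point of view.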