Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:1791 |
Message | BACKDOOR fragroute trojan connection attempt |
Summary | This event indicates that a backdoor may be installed on a machine. |
Impact | One of the systems may have been compromised. |
Detailed Information | www.monkey.org, the system that hosts fragroute, was compromised, and the fragroute source code was modified to contain a backdoor. The code was corrupted on May 17, 2002. Versions after May 31, 2002 and before May 17, 2002 do not contain the backdoor. |
Affected Systems | Systems running dsniff 2.3, fragroute 1.2, fragrouter 1.6 |
Attack Scenarios | The backdoor contacts the IP address 216.80.99.202. A person connecting from that address can use the backdoor to acquire full control over the compromised machine. |
Ease of Attack | Simple. |
Corrective Action | Upgrade to a new version of fragroute and sanitize the trojaned machine. |
Additional References | Bugtraq: http://www.securityfocus.com/bid/4898 http://www.securityfocus.com/archive/1/274927 |
Rule References | bugtraq: 4898 |
--
DID:335437