Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: snort.org > snort-sigs > att-11311791.txt (Request Expert snort.org Support)
Rule:  
BACKDOOR fragroute trojan connection attempt 
--
Sid:
1791

--
Summary:
This indicates that a backdoor may be installed on one of your machines.

--
Impact:

One of your systems may have been compromised.

--
Detailed Information:

www.monkey.org, the system that hosts fragroute was compromised and the fragroute
source code was modified to contain a back door.  The code was corrupted on 
May 17, 2002.  Versions after May 31, 2002  and before May 17, 2002
do not contain the backdoor.

--
Affected Systems:

Systems running

dsniff 2.3
fragroute 1.2
fragrouter 1.6
--
Attack Scenarios:

The backdoor contacts the IP address 216.80.99.202.  A person connecting from that
address can use the backdoor to acquire full control over the compromised machine.  

--
Ease of Attack:
Easy, yet unlikely.  They're probably aren't very many people using the trojaned code 
and the new distributions are clean.

--
False Positives:

While the IP address flagged in this rule was associated with the backdoor at the time
fragroute was trojaned, it may now or in the future be used by unrelated parties.

--
False Negatives:

None known.
--
Corrective Action:

Upgrade to a new version of fragroute and sanitize the trojaned machine.   

--
Contributors:
Snort documentation contributed by Steven Alexander
-- 
Additional References:
http://www.securityfocus.com/bid/4898
http://www.securityfocus.com/archive/1/274927
Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library