Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| Field | Value |
| --- | --- |
| GEN:SID | 1:1791 |
| Message | BACKDOOR fragroute trojan connection attempt |
| Summary | This event indicates that a backdoor may be installed on a machine. |
| Impact | One of the systems may have been compromised. |
| Detailed Information | www.monkey.org, the system that hosts fragroute, was compromised and the fragroute source code was modified to contain a backdoor. The code was corrupted on May 17, 2002. Versions after May 31, 2002 and before May 17, 2002 do not contain the backdoor. |
| Affected Systems | Systems running dsniff 2.3, fragroute 1.2, or fragrouter 1.6 |
| Attack Scenarios | The backdoor contacts the IP address 216.80.99.202. A person connecting from that address can use the backdoor to acquire full control over the compromised machine. |
| Ease of Attack | Simple. |
| Corrective Action | Upgrade to a new version of fragroute and sanitize the trojaned machine. |
| Additional References | Bugtraq: http://www.securityfocus.com/bid/4898 ; http://www.securityfocus.com/archive/1/274927 |
| Rule References | bugtraq: 4898 |
--
DID:335437
--
http://www.aanval.com/