IDS111/TROJAN_TROJAN-ACTIVE-BLA

Platform(s): windows
Category: trojan
Classification: System Integrity Success

CVE: CAN-1999-0660
Bugtraq: nomatch
advICE: nomatch

This event indicates that a known trojan may be operating on the host. This is not a scan or probe, but a successful connection.
This event is specific to a particular exploit, but the packet payload is not considered as part of the signature to detect the attack.

Trusting The Source IP Address

The packet that caused this event is normally part of an established TCP session, indicating that the source IP address has not been spoofed. If you are using a firewall that supports stateful inspection, and are not vulnerable to sequence number prediction attacks, then you can be fairly certain that the source IP address of the event is accurate. It has been noted that the intruder is likely to expect or desire a response to their packets, so the source IP address is likely not spoofed.

There are reported incidents where legitimate traffic may cause an intrusion detection system to raise "false positive" alerts for this event. The following details have been reported:

This signature matches the known default port of the trojan. It is possible that other server software could listen at the same port.

Copyright © 2001 Whitehats, Inc. All rights reserved.