TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature ID: 3030
Trojan GateCrasher detected
Threat Level: Warning
Industry ID: CVE-1999-0660; Nessus: 10093, 10024, 10152, 10151, 10409, 10053, 10270, 10501, 10288, 10307, 10350, 10920, 10921
Signature Description: Backdoor GateCrasher 1.2 is a Trojan that installs a backdoor program which, once present on
a system, permits unauthorized users to remotely manage files, alter the user interface, shut down the system, etc.
GateCrasher typically runs from the server file "c:\WINDOWS\system.exe" and listens on TCP ports 6969 and 6970. GateCrasher
disguises itself as a TCP/IP booster and allows a third party to take over the infected computer with the same rights as
the logged-on user. It has also been designed to be embedded in a Microsoft Word 97 document.
Signature ID: 3031
Presence of the backdoor GirlFriend detected
Threat Level: Warning
Industry ID: CVE-1999-0660; Nessus: 10093, 10094, 10024, 10152, 10151, 10409, 10053, 10270, 10501, 10288, 10307, 10350, 10920, 10921
Signature Description: Backdoor GirlFriend is a Trojan that installs a backdoor program which, once present on a system,
permits unauthorized users to remotely extract passwords, control the user interface, spoof system messages, etc.
GirlFriend typically runs from the server file "C:\WINDOWS\Windll.exe" and listens on TCP ports 21554 and 22554.
Signature ID: 3033
The presence of the virus Kuang2 detected
Threat Level: Severe
Industry ID: CVE-1999-0660; Nessus: 10132, 10024, 10152, 10151, 10409, 10053, 10270, 10501, 10288, 10307, 10350, 10920, 10921
Signature Description: Kuang2 is a virus that infects all the executables on the system and also sets up a
server that allows remote control of the computer. The client program allows files on the infected machine to be browsed,
uploaded, downloaded, etc. The client program can also execute programs on the remote machine. Its
alias is W32/Weird-10240.
Signature ID: 3034
Backdoor Lion worm vulnerability
Threat Level: Severe
Nessus: 10646
Signature Description: The Lion worm infects the system using a BIND exploit and feeds it a web page. It also sends
out an email containing /etc/passwd and /etc/shadow to huckit@china.com. It infects Linux machines running the BIND
DNS server. It is known to infect BIND versions 8.2, 8.2-P1, 8.2.1 and 8.2.2-Px; BIND 8.2.3-REL and BIND 9 are
not vulnerable. The Lion worm spreads via an application called pscan: randb generates random class B networks, which
are then probed on TCP port 53. Ports 60008/tcp and 33567/tcp serve a backdoor root shell (via inetd, see /etc/inetd.conf), and a
trojaned version of ssh is placed on 33568/tcp. Syslogd is killed, so logging on the system cannot be trusted. This
signature triggers when malicious traffic passes through port 60008/tcp.
Signature ID: 3035
Backdoor Lion worm vulnerability
Threat Level: Severe
Nessus: 10646
Signature Description: The Lion worm infects the system using a BIND exploit and feeds it a web page. It also sends out an
email containing /etc/passwd and /etc/shadow to huckit@china.com. It infects Linux machines running the BIND DNS