TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

server running. It is known to infect BIND version(s) 8.2, 8.2-P1, 8.2.1 and 8.2.2-Px; BIND 8.2.3-REL and BIND 9 are not
vulnerable. The Lion worm spreads via an application called pscan; its randb component generates random class B networks,
which are then probed on TCP port 53. Ports 60008/tcp and 33567/tcp are bound to a backdoor root shell (via inetd, see
/etc/inetd.conf), and a trojaned version of ssh is placed on 33568/tcp. syslogd is killed, so logging on the infected
system cannot be trusted. This rule hits when traffic towards destination port 60008 carries returned user identification
numbers (uid values).
Signature ID: 3036
The presence of Lion worm on port 33567
Threat Level: Severe
Nessus: 10646
Signature Description: The Lion worm spawns root shells on extra ports and a copy of SSH on port 33568. It sends an
email to huckit@china.com with /etc/passwd and /etc/shadow as attachments. It randomly generates class B network
addresses and scans those networks for vulnerable hosts; once it exploits a host, it installs the t0rn rootkit. When the
Lion worm is installed on a system, ports 60008/tcp and 33567/tcp are bound to a root shell and the trojaned version of
SSH is bound to 33568/tcp. This rule hits when the attack pattern is found in traffic towards destination port 33567.
Signature ID: 3037
Backdoor Lion worm vulnerability
Threat Level: Warning
Nessus: 10646
Signature Description: The Lion worm infects the system (using a BIND exploit), sets up a listener on port 27374 and
serves a web page from it. It also sends an email with /etc/passwd and /etc/shadow to huckit@china.com. It infects
Linux machines with the BIND DNS server running. It is known to infect BIND version(s) 8.2, 8.2-P1, 8.2.1 and 8.2.2-Px;
BIND 8.2.3-REL and BIND 9 are not vulnerable. The Lion worm spreads via an application called pscan; its randb component
generates random class B networks, which are then probed on TCP port 53. Ports 60008/tcp and 33567/tcp are bound to a
backdoor root shell (via inetd, see /etc/inetd.conf), and a trojaned version of ssh is placed on 33568/tcp. syslogd is
killed, so logging on the infected system cannot be trusted. This rule hits when traffic towards destination port 33567
carries returned user identification numbers (uid values).
Signature ID: 3038
Backdoor Lion worm vulnerability
Threat Level: Severe
Nessus: 10646
Signature Description: The Lion worm infects the system (using a BIND exploit), sets up a listener on port 27374 and
serves a web page from it. It also sends an email with /etc/passwd and /etc/shadow to huckit@china.com. It infects
Linux machines with the BIND DNS server running. It is known to infect BIND version(s) 8.2, 8.2-P1, 8.2.1 and 8.2.2-Px;
BIND 8.2.3-REL and BIND 9 are not vulnerable. The Lion worm spreads via an application called pscan; its randb component
generates random class B networks, which are then probed on TCP port 53. Ports 60008/tcp and 33567/tcp are bound to a
backdoor root shell (via inetd, see /etc/inetd.conf), and a trojaned version of ssh is placed on 33568/tcp. syslogd is
killed, so logging on the infected system cannot be trusted. This rule hits when the attack pattern is found in traffic
towards destination port 33568, the port on which the Lion worm runs its trojaned SSH server.
Signature ID: 3042
DDoS Mstream Tool agent via TCP
Threat Level: Severe
Industry ID: CVE-2000-0138
Nessus: 10391,10501
Signature Description: The mstream program is a distributed denial of service tool based on the "stream.c" attack. The
tool consists of a "master controller" and "zombie" agents; the master controller is the component that controls all of
the zombie agents. An attacker connects to the master controller using Telnet to control the zombies. Communications