ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
between the client, master, and zombie are not encrypted. It is much like previously known DDoS tools such as
Trinoo. The version found in the wild uses TCP port 6723, and the password is "sex".
Signature ID: 3043
DDoS Mstream Tool Login
Threat Level: Severe
Industry ID: CVE-2000-0138
Nessus: 10391,10501
Signature Description: The mstream program is a distributed denial of service tool based on the "stream.c" attack. This
tool includes a "master controller" and a "zombie." The master controller is the portion of the tool that controls all of
the zombie agents. An attacker connects to the master controller using Telnet to control the zombies. Communications
between the client, master, and zombie are not encrypted. It is much like previously known DDoS tools such as
Trinoo. It works on port 15104 via TCP.
Signature ID: 3044
Backdoor NetBus
Threat Level: Warning
Industry ID: CVE-1999-0660
Nessus: 10151,10024,10152,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: This rule tries to detect the NetBus backdoor. NetBus allows anyone to take partial
control of the remote system. A cracker may use it to steal your password or prevent you from working properly. This
backdoor typically runs over TCP ports 12345 and 12346.
Signature ID: 3045
Backdoor NetBus 1.x Traffic on Port 20034
Threat Level: Warning
Industry ID: CVE-1999-0660
Nessus: 10151,10024,10152,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: NetBus and NetBusPro are two of many backdoor programs. A NetBus 1.x server can be
connected to without a password. Two clients that are compatible with the server are opened. One client connects
to the server and waits until the password screen appears. When the other client then connects to the same server,
it is not asked for a password, because the server sees the same IP address already connected to it and treats the
second connection as already established. This rule tries to detect the NetBus 1.x backdoor. It allows anyone to
take partial control of the remote system. A cracker may use it to steal your password or prevent you from working
properly. It typically runs over TCP port 20034.
Signature ID: 3047
NetBus 1.x getInfo request
Threat Level: Critical
Industry ID: CVE-1999-0660
Nessus: 10151,10024,10152,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: NetBus and NetBusPro are two of many backdoor programs. A NetBus 1.x server can be
connected to without a password. Two clients that are compatible with the server are opened. One client connects
to the server and waits until the password screen appears. When the other client then connects to the same server,
it is not asked for a password, because the server sees the same IP address already connected to it and treats the
second connection as already established. This rule tries to detect the NetBus 1.x backdoor. It allows anyone to
take partial control of the remote system. A cracker may use it to steal your password or prevent you from working
properly. It typically runs over TCP ports 12345 and 12346.