TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 3049
Backdoor Netbus Pro Server
Threat Level: Severe
Industry ID: CVE-1999-0660
Nessus: 10152,10024,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: This rule tries to detect Backdoor NetBus Pro. NetBus Pro is a Trojan (in reality, it is an
administrative tool) that opens a backdoor which, once installed on a system, permits unauthorized users to
remotely perform a variety of operations, such as changing the registry, executing commands, starting services, listing
files, and uploading or downloading files. NetBus Pro typically runs over TCP port 20034.
Signature ID: 3050
Request to Netbus Pro Server
Threat Level: Warning
Industry ID: CVE-1999-0660
Nessus: 10152,10024,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: NetBus is a remote administration tool that can be used for malicious purposes (for example, as a
backdoor), such as capturing what the user types, including passwords. A cracker may have installed it to control
hosts on your network.
Signature ID: 3052
Backdoor Portal of Doom Server
Threat Level: Warning
Industry ID: CVE-1999-0660
Nessus: 10186,10024,10152,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: Portal of Doom is a backdoor that allows anyone to take partial control of the remote
system. Once infected with this backdoor, the system runs the server executable "ljsgz.exe" to take commands from
the attacker. When this program executes, it performs a specific set of actions, usually aimed at letting the
trojan survive on the system and open a backdoor. Another symptom of this Trojan is that it sends
a message every two seconds reading "Keep Aliveeeeeeee". This signature triggers when the attack pattern arrives in
the incoming request traffic.
Signature ID: 3053
Backdoor Portal of Doom Server(Reply)
Threat Level: Severe
Industry ID: CVE-2000-0138 CVE-1999-0660
Nessus: 10350,10024,10152,10151,10409,10053,10270,10501,10288,10307,10920,10921,10501
Signature Description: Portal of Doom is a backdoor that allows anyone to take partial control of the remote
system. Once infected with this backdoor, the system runs the server executable "ljsgz.exe" to take commands from
the attacker. When this program executes, it performs a specific set of actions, usually aimed at letting the
trojan survive on the system and open a backdoor. Another symptom of this Trojan is that it sends
a message every two seconds reading "Keep Aliveeeeeeee". This signature triggers when the attack pattern arrives in
the outbound response traffic.
Signature ID: 3054
Shaft DDoS Traffic from handler to agent
Threat Level: Information
Industry ID: CVE-2000-0138 CVE-1999-0660
Nessus: 10350,10024,10152,10151,10409,10053,10270,10501,10288,10307,10920,10921,10501
Signature Description: Shaft is a DDoS tool that consists of handlers, clients and agents. Agents are programs that are