TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

planted in compromised systems. The attacker controls the network remotely via a simple telnet connection (client) to the handler
(20432/tcp). Handlers act as masters, ordering agents to launch DoS attacks. Shaft agents are capable of UDP, TCP
SYN, or ICMP packet flooding, or a combination of all three, based on the commands received from handlers. Communication
between handlers and agents uses the unreliable IP protocol UDP (18753/udp). This rule triggers when a
Shaft handler sends an “are you alive” command query to an agent.
Signature ID: 3055
SyGate unauthenticated remote administration vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0113 Bugtraq: 952 Nessus: 10274
Signature Description: Sybergen SyGate is a proxy for sharing an internet connection that uses Network Address
Translation (NAT) and virtual interfaces to share an internet connection among multiple PCs. Sybergen SyGate 2.0 to
3.11 (inclusive) includes an undocumented feature called the Remote Administration Engine (RAE). This feature opens
port 7323 and provides a user interface to any incoming telnet session. This interface requires no authentication of any
kind, and includes the ability to stop the SyGate service, display various statistics on the SyGate process, and display
all TCP or UDP connections, allowing an attacker to generate a map of the internal network.
Signature ID: 3057
Trojan Trinity v3 Server Response
Threat Level: Severe
Industry ID: CVE-2000-0138 Nessus: 10501
Signature Description: A distributed denial of service attack (DDoS) occurs when multiple compromised systems flood
the bandwidth or resources of a targeted system, usually one or more web servers. Trinity is a distributed denial of
service Trojan agent for Linux that is controlled by IRC (Internet Relay Chat) to make your system attack another
network. The Trinity agent connects to an Undernet IRC server and waits for commands to be sent to the channel. The
Trinity trojan can perform 8 different types of flood attacks: UDP flood, Fragment flood, SYN flood, RST flood,
random flags flood, ACK flood, establish flood, and null flood.
Signature ID: 3059
Response from Backdoor/trojan Trin00 server
Threat Level: Severe
Industry ID: CVE-2000-0138 CVE-1999-0660 Nessus: 10288, 10024, 10152, 10151, 10409, 10053, 10270, 10501, 10307, 10350, 10920, 10921, 10501
Signature Description: Trinoo daemons were originally found in binary form on a number of Solaris 2.x systems,
which were identified as having been compromised by exploitation of buffer overrun bugs in the RPC services "statd",
"cmsd" and "ttdbserverd". Trinoo is a UDP-based, access-restricted remote command shell, used in conjunction with
sniffers to automate recovering sniffer logs. This signature detects Trin00 server responses.
Signature ID: 3061
VNC over HTTP or Backdoor Y3K RAT 1.6 Detected
Threat Level: Warning
Nessus: 10758
Signature Description: This signature detects traffic on ports that are known to be used by the VNC service or the Y3K RAT
trojan. Virtual Network Computing (VNC) is a graphical desktop sharing system which uses the RFB protocol to
remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying
the graphical screen updates back in the other direction, over a network. Y3K RAT is one of many backdoor programs
that attackers can use to access your computer system without your knowledge or consent. With the Y3K RAT
backdoor, an attacker can shut down the computer, log keystrokes, and access files on the computer. Traffic on these ports
must be monitored.