ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
attacker can do the following: move and close windows on your desktop, start an FTP server on your computer, log your
keystrokes, including passwords you type, shut down the computer, and execute programs.
Signature ID: 3146
Backdoor Infector 1.6
Threat Level: Severe
Signature Description: Backdoor Infector is a Trojan that opens up a backdoor program that, once installed on a
system, permits unauthorized users to remotely perform a variety of operations, such as changing the registry,
executing commands, starting services, listing files, and uploading or downloading files. Infector typically runs over
ports 146 and 17569 via TCP.
Signature ID: 3147
Infector backdoor detection
Threat Level: Severe
Signature Description: A backdoor is a method of bypassing normal authentication, securing remote access to a
computer, obtaining access to plain text, etc. while attempting to remain undetected. The Infector backdoor, also known
as FC backdoor, is a backdoor program for Windows 95 and Windows 98 operating systems. It can steal passwords,
delete data, disable the machine, upload files, execute files, and reboot the targeted machine. The
Infector backdoor is mainly used for initially infecting a system to upload more feature-rich backdoors, such as
SubSeven or Back Orifice 2000. When the Infector backdoor is executed, it binds to TCP port 146 and awaits a
connection from the attacker's client. Later versions also bind to TCP port 17569. File transfers are implemented using
a lightweight FTP server that binds to TCP port 19. This signature detects Infector backdoor 1.6 server-to-client traffic.
Signature ID: 3148
Infector backdoor detection
Threat Level: Severe
Signature Description: A backdoor is a method of bypassing normal authentication, securing remote access to a
computer, obtaining access to plain text, etc. while attempting to remain undetected. The Infector backdoor, also known
as FC backdoor, is a backdoor program for Windows 95 and Windows 98 operating systems. It can steal passwords,
delete data, disable the machine, upload files, execute files, and reboot the targeted machine. The
Infector backdoor is mainly used for initially infecting a system to upload more feature-rich backdoors, such as
SubSeven or Back Orifice 2000. When the Infector backdoor is executed, it binds to TCP port 146 and awaits a
connection from the attacker's client. Later versions also bind to TCP port 17569. File transfers are implemented using
a lightweight FTP server that binds to TCP port 19. This signature detects the Infector backdoor 1.x series.
Signature ID: 3149
MISC Linux rootkit lrkr0x attempt
Threat Level: Warning
Signature Description: Rootkit is the name of a popular collection of trojaned OS utilities that are used by hackers to
backdoor a compromised host. There is the original rootkit, as well as versions specifically for SunOS and Linux.
The attacker attempts to connect to a Telnet server using the phrase "lrkr0x", which is a known password for the Linux
rootkit.
Signature ID: 3150
Linux rootkit satori attempt
Threat Level: Information
Signature Description: Rootkit is the name of a popular collection of trojaned OS utilities that are used by hackers to
backdoor a compromised host. There is the original rootkit, as well as versions specifically for SunOS and Linux.