ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 3166
BACKDOOR win-trin00 connection
Threat Level: Severe
Industry ID: CVE-2000-0138 CVE-1999-0660 Nessus: 10307,10024,10152,10151,10409,10053,10270,10501,10288,10350,10920,10921,10501
Signature Description: Trinoo daemons were originally found in binary form on a number of Solaris 2.x systems,
which were identified as having been compromised by exploitation of buffer overrun bugs in the RPC services "statd",
"cmsd" and "ttdbserverd". Trinoo is a UDP-based, access-restricted remote command shell, used in conjunction with
sniffers to automate recovering sniffer logs. This signature detects Trin00 connection ping traffic.
Signature ID: 3167
BACKDOOR BackConstruction 2.1 Client FTP Open Request
Threat Level: Severe
Signature Description: This rule tries to detect Backdoor BackConstruction 2.1, a Trojan that opens a backdoor
program which, once installed on a system, permits unauthorized users to remotely perform a variety of operations,
such as changing the registry, executing commands, starting services, listing files, and uploading or downloading files.
BackConstruction 2.1 operates from the server file c:\WINDOWS\Cmctl32.exe over ports 666, 5401, and 5402 via TCP.
Microsoft Windows 2000, Windows 2003 Server, Windows 95, Windows 98, Windows 98SE, Windows Me, Windows NT 4.0
and Windows XP are affected platforms.
Signature ID: 3168
BACKDOOR BackOrifice 2000 Inbound Traffic
Threat Level: Severe
Signature Description: BO-2000 is a backdoor Trojan. The attacker will be able to read, write, delete and transfer files
to and from the affected machine. If they use a plug-in supplied with Back Orifice 2000, they will be able to see what is
on the screen of the affected machine and also take control of the mouse and keyboard. The affected machine can also
be configured as an HTTP file server, allowing anyone with a web browser to transfer files to and from it. Microsoft
Windows 95, Windows 98 and Windows NT 4.0 are affected by this backdoor.
Signature ID: 3169
Backdoor Insane Network 4.0 connection established
Threat Level: Severe
Signature Description: Backdoor Insane Network, written in C++, is a remote access Trojan for Windows operating
systems. Once installed on a system, it opens a backdoor that permits unauthorized users to remotely extract passwords,
manage files, manipulate the display, etc. Insane typically runs over port 2000 via TCP.
Signature ID: 3170
BACKDOOR Insane Network 4.0 connection established port 63536
Threat Level: Severe
Signature Description: Insane Network, written in C++, is a remote access Trojan for Windows operating systems.
Once installed on a system, it opens a backdoor that permits unauthorized users to remotely extract passwords,
manage files, manipulate the display, etc. This variant of Insane typically runs over port 63536 via TCP.