TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
backdoor program that, once installed on a system, permits unauthorized users to remotely perform a variety of
operations, such as changing the registry, executing commands, starting services, listing files, and uploading or
downloading files. Olive typically runs over ports 23005 and 23006 via TCP.
Signature ID: 3422
BackDoor Oxon
Threat Level: Severe
Signature Description: Oxon, also known as Backdoor.NetTrash.10.a, Backdoor.Oxon.11 and BackDoor-SU, is a
backdoor Trojan affecting Microsoft Windows operating systems. This rule tries to detect Backdoor Oxon. It is a
Trojan that opens up a backdoor program that, once installed on a system, permits unauthorized users to remotely
perform a variety of operations, such as changing the registry, executing commands, starting services, listing files, and
uploading or downloading files. Oxon typically runs over ports 23005 and 23006 via TCP.
Signature ID: 3423
Hack-a'tack Backdoor detection
Threat Level: Warning
Signature Description: A backdoor is a method of bypassing normal authentication, securing remote access to a
computer, obtaining access to plain text, etc. while attempting to remain undetected. Hack-a'tack is a backdoor program
that infects the Microsoft Windows family of operating systems. With the Hack-a'tack backdoor, an attacker can move and
close windows on the host system's desktop, start an FTP server on the infected computer, log keystrokes, shut
down the infected computer, and execute programs on the host system. Hack-a'tack typically runs over ports 31785 and
31787 via TCP, as well as ports 31789 and 31791 via UDP. This signature detects traffic on UDP port 31785.
Signature ID: 3424
Backdoor PC Invader 0.5
Threat Level: Severe
Signature Description: This rule tries to detect Backdoor PC Invader. PC Invader is a backdoor Trojan that infects
Microsoft Windows operating systems. PC Invader consists of a server and a client component. Once a PC Invader
client on an attacker's machine is launched, it displays a graphical user interface (GUI). An attacker could remotely
control the target host infected with a PC Invader server. The PC Invader server also acts as an FTP server and listens on
TCP port 14502, enabling any FTP client to connect to it.
Signature ID: 3425
Backdoor UltimateRAT 1.0
Threat Level: Severe
Signature Description: Backdoor Ultimate RAT 1.0 is a backdoor program that affects Microsoft Windows operating
systems. The backdoor uses a client/server relationship, where the server component is installed on the victim's system
and the remote attacker has control of the client. The server attempts to open a port, typically TCP port 1234, to allow
the client system to connect. Once installed on a system, it permits unauthorized users to remotely perform a variety of
operations, such as changing the registry, executing commands, starting services, listing files, and uploading or
downloading files. Administrators are advised to close port 1234 to external users.
Signature ID: 3426
BackDoor NOK NOK 6.0
Threat Level: Severe
Signature Description: This rule tries to detect Backdoor NokNok 6.0. It is a Trojan that opens up a backdoor program
that, once installed on a system, permits unauthorized users to remotely perform a variety of operations, such as
changing the registry, executing commands, starting services, listing files, and uploading or downloading files.
NokNok typically runs over port 666 via TCP.