Snort Signature Information

Rule:

--
Sid:
234

--
Summary:
This event is generated when a trinoo DDoS attacker host communicates with a master host.

--
Impact:
Attempted DDoS. If the listed source IP is in your network, it may be a trinoo attacker. If the listed destination IP is in your network, it may be a trinoo master.

--
Detailed Information:
The trinoo DDoS tool uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, attackers communicate with masters to direct them to launch attacks. An attacker may communicate with a master over TCP destination port 27665 with the string "g0rave" in the payload; this string is the default master startup password.
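As an added illustration of the detection criteria just described (not the page's own rule, and not trinoo or Snort code), the following Python mirrors SID 234's logic on raw IPv4/TCP bytes: it parses a packet, checks that the transport is TCP with destination port 27665, and looks for "g0rave" in the payload. The packet builder, the RFC 5737 documentation addresses, and the sample traffic are all constructed here for offline testing; the function names are this example's own.

```python
"""Detection logic mirroring Snort SID 234's criteria (added example; not the
page's own rule): flag TCP segments to destination port 27665 whose payload
contains the trinoo default master startup password "g0rave"."""
import socket
import struct

TRINOO_MASTER_PORT = 27665            # TCP port named in the signature text
TRINOO_STARTUP_PASSWORD = b"g0rave"   # default master startup password per the page
IPPROTO_TCP = 6


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, payload, proto=IPPROTO_TCP):
    """Assemble a minimal IPv4 + TCP packet for offline testing (constructed
    sample input; checksums are left zero since this never goes on a wire)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                         proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(packet):
    """Return header fields and payload of an IPv4/TCP packet, or None if the
    bytes are not IPv4 carrying TCP (the signature only applies to TCP)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_TCP or len(packet) < ihl + 20:
        return None
    tcp = packet[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4          # TCP header length in bytes
    return {
        "src_ip": socket.inet_ntoa(packet[12:16]),
        "dst_ip": socket.inet_ntoa(packet[16:20]),
        "src_port": sport,
        "dst_port": dport,
        "payload": packet[ihl + data_off:total_len],
    }


def matches_sid_234(packet):
    """True when the packet meets the signature's criteria: TCP, destination
    port 27665, and the default startup password somewhere in the payload."""
    fields = parse_ipv4_tcp(packet)
    if fields is None:
        return False
    return (fields["dst_port"] == TRINOO_MASTER_PORT
            and TRINOO_STARTUP_PASSWORD in fields["payload"])


def scan_packets(packets):
    """Run the check over a packet list; each alert names the suspected roles
    the way the Impact section does (source = attacker, destination = master)."""
    alerts = []
    for pkt in packets:
        if matches_sid_234(pkt):
            f = parse_ipv4_tcp(pkt)
            alerts.append({
                "sid": 234,
                "suspected_attacker": f["src_ip"],
                "suspected_master": f["dst_ip"],
                "dst_port": f["dst_port"],
            })
    return alerts


# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts):
# a match, the right port without the password, the password on another port,
# and the password on port 27665 but under a non-TCP protocol number.
SAMPLE_PACKETS = [
    build_ipv4_tcp("203.0.113.7", "192.0.2.10", 40001, TRINOO_MASTER_PORT, b"g0rave\n"),
    build_ipv4_tcp("203.0.113.7", "192.0.2.10", 40002, TRINOO_MASTER_PORT, b"hello\n"),
    build_ipv4_tcp("203.0.113.7", "192.0.2.10", 40003, 80, b"GET /g0rave HTTP/1.0\r\n"),
    build_ipv4_tcp("203.0.113.7", "192.0.2.10", 40004, TRINOO_MASTER_PORT, b"g0rave\n", proto=17),
]

if __name__ == "__main__":
    for alert in scan_packets(SAMPLE_PACKETS):
        print(alert)
```

Only the first sample packet produces an alert; the other three show why each of the signature's conditions (TCP transport, destination port, payload content) is needed to avoid matching unrelated traffic.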

--
Affected Systems:
Any trinoo compromised host.

--
Attack Scenarios:
A trinoo attacker will communicate with masters to direct them to launch attacks.

--
Ease of Attack:
Simple. trinoo code is freely available.

--
False Positives:
None Known.

--
False Negatives:
None Known.

--
Corrective Action:
Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.

Rebuild a confirmed compromised host.

Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.

--
Contributors:
Original rule writer unknown
Sourcefire Vulnerability Research Team
Judy Novak

--
Additional References:
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
SecurityFocus:
http://www.securityfocus.com/archive/1/37706

CERT:
http://www.cert.org/incident_notes/IN-99-07.html#trinoo

--

This site is run by the rootedyour.com team; publication of the Snort SID information has been made available by permission from SourceFire.

Snort and Sourcefire are registered trademarks of SourceFire, Inc. All rights reserved.