File: 243.txt

package info (click to toggle)
snort 2.7.0-20.4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 34,512 kB
  • ctags: 18,772
  • sloc: ansic: 115,404; sh: 10,893; makefile: 1,372; perl: 487; sql: 213
file content (67 lines) | stat: -rw-r--r-- 1,631 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
Rule:

--
Sid:
243

--
Summary:
This event is generated when the mstream DDoS tool is used.

--
Impact:
Severe. This indicates a host may have been compromised and mstream may have been installed.  

--
Detailed Information:
The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.

There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack. An agent will attempt to contact its known handlers using a UDP packet to destination port 6838 with a string of "newserver" in the payload.

--
Affected Systems:
Any mstream compromised host.

--
Attack Scenarios:
After a host becomes a mstream agent, it will attempt to communicate with its known handlers.

--
Ease of Attack:
Simple. mstream code is freely available.

--
False Positives:
None Known.

--
False Negatives:
There may be ports other than 6838 used for agent-to-handler communications.

--
Corrective Action:
Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.

Rebuild a confirmed compromised host.

Use a packet filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.

--
Contributors:
Original rule writer unknown
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:
NAI:
http://vil.nai.com/vil/content/v_98662.htm
SecurityFocus:
http://www.securityfocus.com/archive/82/58040
CERT:
http://www.cert.org/incident_notes/IN-2000-05.html

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138

--