Re: Sig on psyBNC IRCproxy: msg#00124 security.ids.snort.bleedingsnort
Hey Reg, thanks for sending these over. There's one psybnc sig I'm aware of in the snort gpl ruleset:

info.rules:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access"; flow:from_server,established; content:"Welcome!psyBNC-e/Fy7hhKugOzQB+pC5nmwQ@xxxxxxxxxxxxxxxx"; classtype:bad-unknown; sid:493; rev:5;)

It sucks though. It's probably disabled in every install on the planet. Yours are better. Let me digest them and post with references and such. You happen to have a pcap?

I think we can probably go with high ports (>1024) for a dest. Do the regular IRC on off ports sigs hit on these? Seems like they would. I may be able to add these after those flowbits are set to control load.

Matt

Reg Quinton wrote:
> Matt, we occasionally get compromises (often dumb passwords) where the
> attacker installs the psyBNC IRC proxy -- often connected to undernet.
> It's apparently pretty standard fare in the hacker community and a
> method for the bad guys to communicate but hide their location. The
> proxies we've seen have a welcome banner like this:
>
> :Welcome!psyBNC-e/Fy7hhKugOzQB+pC5nmwQ@xxxxxxxxxxxxxxxx NOTICE * :psyBNC2.3.1
>
> We have a couple of sigs we use to detect that. You might want to
> include one, both, or perhaps some variation of your choosing:
>
> # Watch for psyBNC servers
>
> alert tcp $HOME_NET any -> any any (msg:"BLEEDING-UW Suspicious Welcome Banner on Local Port"; flow:from_server,established; content:"\:Welcome!"; offset:0; depth:9; tag:session, 20, packets; classtype:non-standard-protocol; sid:99990017;)
>
> # Watch for lam3rz.de servers
>
> alert tcp $HOME_NET any -> any any (msg:"BLEEDING-UW lam3rze Banner on Local Port"; flow:from_server,established; content:"lam3rz"; offset:0; depth:80; tag:session, 20, packets; classtype:non-standard-protocol; sid:99990023; rev:2;)
>
> I suspect that the "lam3rz" tag is just one gang of bad guys (or perhaps
> a reference to the lame security where user "test" has password "test"). I
> think the "Welcome" and "psyBNC" strings in the banner are enough.
>
> For a reference we point people to this local document
>
> http://ist.uwaterloo.ca/security/vulnerable/20050705.shtml
>
> But you might reference any of these instead (a quick google finds many,
> it's really old news but still happens):
>
> http://www.honeynet.org/papers/phishing/details/de-detailed.html
> http://www.infosecwriters.com/texts.php?op=display&id=84
> http://www.ufsdump.org/labs/unix-forensics.html
> http://ieeexplore.ieee.org/iel5/8013/27717/01236244.pdf?arnumber=1236244

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
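As an added example that is not code from the post or from the bleeding ruleset, the Python below applies the three rules in the thread (sid:493 and the two BLEEDING-UW rules) to constructed server banners using Snort's content/offset/depth semantics, and pulls host and version out of the psyBNC NOTICE line. The second psyBNC hash and host are made up, which is exactly why sid:493 misses it while the generic `:Welcome!` check at offset 0 / depth 9 still fires.

```python
"""Added example, not code from the list post: applies the banner checks
discussed in the thread (sid:493 from the GPL info.rules and the two
BLEEDING-UW rules) to constructed server-to-client payloads using Snort's
content/offset/depth semantics, and parses host/version out of a psyBNC banner."""
import re

# Constructed sample payloads: the first bytes a server sends after connect.
# "psybnc" copies the banner from the thread; the other hash and host are made up.
SAMPLES = {
    "psybnc": b":Welcome!psyBNC-e/Fy7hhKugOzQB+pC5nmwQ@xxxxxxxxxxxxxxxx NOTICE * :psyBNC2.3.1\r\n",
    "psybnc_other_build": b":Welcome!psyBNC-AbCdEfGhIjKlMnOpQrStUv@host.invalid NOTICE * :psyBNC2.3.2-7\r\n",
    "lam3rz": b":irc.lam3rz.de NOTICE AUTH :*** Looking up your hostname...\r\n",
    "openssh": b"SSH-2.0-OpenSSH_7.4\r\n",
}

# The three rules from the thread, reduced to (sid, content, offset, depth).
RULES = [
    (493, b"Welcome!psyBNC-e/Fy7hhKugOzQB+pC5nmwQ@xxxxxxxxxxxxxxxx", 0, None),
    (99990017, b":Welcome!", 0, 9),
    (99990023, b"lam3rz", 0, 80),
]

def content_match(payload, needle, offset=0, depth=None):
    """Snort content semantics: look for needle in the window that starts at
    offset and spans depth bytes (the rest of the payload when depth is None)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return needle in window

def matching_sids(payload):
    """Return the sids of every rule whose content test fires on this payload."""
    return [sid for sid, needle, off, dep in RULES if content_match(payload, needle, off, dep)]

# Hypothetical parser for the banner format quoted in the thread.
PSYBNC_RE = re.compile(rb"^:Welcome!psyBNC-\S+@(?P<host>\S+) NOTICE \* :psyBNC(?P<version>[\w.\-]+)")

def parse_psybnc_banner(payload):
    """Return (host, version) from a psyBNC welcome banner, or None if it is not one."""
    m = PSYBNC_RE.match(payload)
    if m is None:
        return None
    return m.group("host").decode(), m.group("version").decode()

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:20s} sids={matching_sids(payload)} banner={parse_psybnc_banner(payload)}")
```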