Bugtraq mailing list archives
Re: Analysis of trin00
From: jwl () POBOX COM (Jacob Langseth)
Date: Thu, 9 Dec 1999 03:58:32 -0500
Stefan Aeschbacher scribed:
Hi here are some snort rules which could show the presence of a trin00
The nature of these attacks do not lend themselves to an easy defense; finding a master and retrieving its list of clients is currently one of the best, albeit proactive, countermeasures. By making rules to detect the master available for a free IDS, you greatly improve the chances of fighting the default configuration. Thank you. I have a few suggestions, if I may.
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master (default startup pass detected!)"; content:"betaalmostdone";))
Trinoo uses crypt(3) to verify this password. Stock crypt(3) bases its one-way function on DES, which is limited to a 56-bit key. Passwords exceeding this length are truncated, making "betaalmo" sufficient to authenticate.
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master (default r.i. pass detected!)"; content:"gOrave";))
The gOrave password is read via stdin during master startup, making its occurance on the control channel highly unlikely. (As gOrave is required for startup, it's verification takes place before the control port is listening.) I think this rule may be safely dropped. Thanks again, Jacob -- Jacob Langseth <jwl () pobox com>
Current thread:
- new IE5 remote exploit Jeremy Kothe (Dec 05)
- Re: new IE5 remote exploit Dustin Miller (Dec 06)
- Re: new IE5 remote exploit krisp (Dec 06)
- Analysis of trin00 Dave Dittrich (Dec 07)
- Re: Analysis of trin00 Stefan Aeschbacher (Dec 09)
- Re: Analysis of trin00 Jacob Langseth (Dec 09)
- ISSalert: ISS Security Advisory: Buffer Overflow in Solaris Snoop Aleph One (Dec 09)
- Re: Analysis of trin00 Stefan Aeschbacher (Dec 09)
- xsw 1.24 remote buffer overflow Aleph One (Dec 09)
- Re: new IE5 remote exploit Dustin Miller (Dec 06)
- Analysis of Tribe Flood Network Dave Dittrich (Dec 07)
- Re: Analysis of Tribe Flood Network Mixter (Dec 08)
- Re: Analysis of Tribe Flood Network Stefan Laudat (Dec 10)
- Error in System Policies Adam Simms (Dec 10)
- Re: Analysis of Tribe Flood Network Mixter (Dec 11)
- Big problem on linux 2.0 visi0n (Dec 11)
- Re: Big problem on linux 2.0 visi0n (Dec 11)