Several "trojan horses" have been introduced to the Microsoft Windows environment, including Back Orifice, Netbus, and Netbus II. In addition, the so-called Ramen Web backdoor has been detected as part of the Ramen Linux worm attack. Recently (3/22/01) a variant of Ramen, called Lion, has been identified.
These "Trojans" allow a malicious user to manipulate a Microsoft Windows system and/or Linux system without the knowledge of the legitimate user.
The Ramen backdoor provides a Web server from which replicated worms collect their attack programs. The Lion worm installs an instance of SSH on a non-standard port and opens other backdoor ports.
Back Orifice, Netbus, Netbus II, as well as the Ramen and Lion worms, are "Trojan Horse" programs that resemble computer viruses in that the user inadvertently installs them. Once installed, their presence is difficult to detect. These "backdoors" allow the hacker to manipulate the compromised host at will. Data can be compromised or modified.
SARA detects possible signatures of "backdoor" presence. It is up to you, the user, to confirm that the "backdoors" are really present. Refer to the Microsoft site for details on confirming the presence of the "backdoors."
SARA can also detect the Ramen Web server. If detected and confirmed by the administrator, the system is severely compromised (root kits, kernel mods, etc.).
SARA also detects the signature of the Lion worm by checking for SSH servers running on non-standard ports, and for tcp services running on port 33567 and/or 60008. If detected and confirmed by the administrator, the system is severely compromised.
Systems that have been found to have a backdoor should be considered fully compromised and need to be rebuilt. The SANS Institute provides a Lion worm detection program at http://www.sans.org/y2k/lionfind-0.1.tar.gz.