GEN:SID 1:144
Message FTP ADMw0rm ftp login attempt
Summary This event is generated when an FTP login by user "w0rm" was attempted.
This is an account used by the ADMw0rm-v1 worm.
Impact Infected systems are left with a backdoor user account named
"w0rm", and an email containing the victim's IP address is sent to the
worm's creators.
Detailed Information This worm exploits a vulnerability in BIND version 4.9.6 and is
Linux-specific. These attempts mean the box has probably already been
compromised.
Affected Systems Default installations of RedHat 4.0 to 5.2
Attack Scenarios Standard Internet worm.
Ease of Attack Simple.
Corrective Action Upgrade BIND on vulnerable servers.
Additional References Arachnids:
http://www.whitehats.com/info/IDS01
Rule References arachnids: 01
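
Added triage example (not part of the original rule documentation and not the Snort rule itself): a check for "w0rm" login attempts in a captured FTP control stream, plus a check for the backdoor account in passwd-format text. The function names, the sample stream and the sample passwd entries are constructed for illustration.

```python
import re

# Account name the rule documentation attributes to the ADMw0rm-v1 worm.
BACKDOOR_USER = "w0rm"

# FTP verbs are case-insensitive (RFC 959); Unix account names are not.
_USER_CMD = re.compile(rb"^user +(\S+) *$", re.IGNORECASE)


def find_w0rm_logins(client_stream):
    """Return 1-based command numbers in an FTP control stream
    (client-to-server bytes) that attempt a login as BACKDOOR_USER."""
    hits = []
    # Commands end in CRLF; also tolerate a bare LF.
    lines = client_stream.replace(b"\r\n", b"\n").split(b"\n")
    for number, line in enumerate(lines, start=1):
        match = _USER_CMD.match(line)
        if match and match.group(1) == BACKDOOR_USER.encode():
            hits.append(number)
    return hits


def find_backdoor_accounts(passwd_text):
    """Return passwd(5) entries whose login name is BACKDOOR_USER."""
    found = []
    for raw in passwd_text.splitlines():
        fields = raw.strip().split(":")
        if raw.lstrip().startswith("#") or len(fields) != 7:
            continue  # comment or malformed line
        name, _pw, uid, _gid, _gecos, home, shell = fields
        if name == BACKDOOR_USER:
            found.append({"name": name, "uid": uid, "home": home, "shell": shell})
    return found


# Constructed sample data (not taken from a real host or capture).
SAMPLE_STREAM = (b"USER anonymous\r\nPASS guest@\r\nQUIT\r\n"
                 b"user w0rm\r\nPASS x\r\nUSER w0rmhole\r\n")
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "ftp:x:14:50:FTP User:/home/ftp:/bin/false\n"
    "w0rm:x:0:0::/:/bin/sh\n"
)

if __name__ == "__main__":
    print("login attempts at commands:", find_w0rm_logins(SAMPLE_STREAM))
    print("backdoor accounts:", find_backdoor_accounts(SAMPLE_PASSWD))
```

A hit from either function on a host running a vulnerable BIND should be treated as a sign of compromise, in line with the Detailed Information field above.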