GEN:SID 1:355
Message FTP pass wh00t
Summary This event is generated when a password of "wh00t" is used to login to an File Transfer Protocol (FTP) server.
Impact Remote root access.  The attack may indicate that the FTP server has been compromised.
Detailed Information The password "wh00t" is a common backdoor password associated with a compromised root account.  If this password is observed, it may indicate that the FTP server has been compromised and a backdoor root account with a password of "wh00t" has been created.  Alternately, this may indicate a failed attempt of an attacker attempting to locate FTP servers compromised by others.
Affected Systems FTP servers.
Attack Scenarios An attacker may compromise a host and create a backdoor account.  An attacker may attempt to locate FTP servers with a backdoor account.
Ease of Attack Simple
Corrective Action Examine the suspected compromised host for unauthorized changes.

Make sure that the suspected compromised host has all security patches applied.

Log activity to and from the suspected compromised host.

Examine other systems on the network for evidence of compromise.

If a compromised is discovered, reinstall the operating system.
Additional References Arachnids:
http://www.whitehats.com/info/IDS324
Rule References arachnids: 324