GEN:SID 1:238
Message DDOS TFN server response
Summary This event is generated when a Tribe Flood Network (TFN) Distributed Denial of Service (DDoS) daemon responds to a client request to spawn a shell.
Impact Attempted DDoS.  If the listed source IP is in your network, it may be a TFN daemon.  If the listed destination IP is in your network, it may be a TFN client.
Detailed Information The TFN DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Clients communicate with daemons to inform them to launch attacks. A daemon will respond with a client request to spawn a shell with an ICMP echo reply with an ICMP identification number of 123, an ICMP sequence number of 0 and a string of "shell bound to port" in the payload.  
Affected Systems Any TFN compromised host.
Attack Scenarios After a host becomes a TFN daemon, it will respond to client requests.
Ease of Attack Simple. TFN code is freely available.
Corrective Action Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.

Rebuild a confirmed compromised host.

Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
Additional References CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138

Arachnids:
http://www.whitehats.com/info/IDS182
Rule References arachnids: 182