GEN:SID | 1:1791 |
Message | BACKDOOR fragroute trojan connection attempt |
Summary | This event indicates that a backdoor may be installed on a machine. |
Impact | One of the systems may have been compromised. |
Detailed Information | www.monkey.org, the system that hosts fragroute, was compromised and the fragroute source code was modified to contain a backdoor. The code was corrupted on May 17, 2002. Versions after May 31, 2002 and before May 17, 2002 do not contain the backdoor. |
Affected Systems | Systems running dsniff 2.3, fragroute 1.2, fragrouter 1.6 |
Attack Scenarios | The backdoor contacts the IP address 216.80.99.202. A person connecting from that address can use the backdoor to acquire full control over the compromised machine. |
Ease of Attack | Simple. |
Corrective Action | Upgrade to a new version of fragroute and sanitize the trojaned machine. |
Additional References | Bugtraq: http://www.securityfocus.com/bid/4898 http://www.securityfocus.com/archive/1/274927 |
Rule References | bugtraq: 4898 |