GEN:SID 1:235
Message DDOS Trin00 Attacker to Master default mdie password
Summary This event is generated when a trinoo DDoS attacker host communicates with a master host.  
Impact Attempted DDoS. If the listed source IP is in your network, it may be a trinoo attacker. If the listed destination IP is in your network, it may be a trinoo master.
Detailed Information The trinoo DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, attackers communicate with masters to direct them to launch attacks.  An attacker may communicate with a master via TCP destination port 27665 with a string of "killme" in the payload.  This string is a default mdie password.
Affected Systems Any trinoo compromised host.
Attack Scenarios A trinoo attacker will communicate with masters to direct them to launch attacks.
Ease of Attack Simple. trinoo code is freely available.
Corrective Action Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.

Rebuild a confirmed compromised host.

Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.

Additional References CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
SecurityFocus:
http://www.securityfocus.com/archive/1/37706

CERT:
http://www.cert.org/incident_notes/IN-99-07.html#trinoo