GEN:SID 1:228
Message DDOS TFN client command BE
Summary This event is generated when a Tribe Flood Network (TFN) Distributed Denial of Service (DDoS) client communicates with the TFN handler daemon to spawn a shell.
Impact Attempted DDoS.  If the listed source IP is in your network, it may be a TFN client.  If the listed destination IP is in your network, it may be a TFN handler daemon.
Detailed Information The TFN DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Clients communicate with daemons to direct them to launch attacks. A client will communicate with a daemon to spawn a shell via an ICMP echo reply with an ICMP identification number of 456 and an ICMP sequence number of 0.  
Affected Systems Any TFN compromised host.
Attack Scenarios After a host becomes a TFN client, it will attempt to communicate with other TFN handler daemons.
Ease of Attack Simple. TFN code is freely available.
Corrective Action Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.

Rebuild a confirmed compromised host.

Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
Additional References CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138

Arachnids:
http://www.whitehats.com/info/IDS184
Rule References arachnids: 184