GEN:SID 1:1791
Message BACKDOOR fragroute trojan connection attempt
Summary This event indicates that a backdoor may be installed on a machine.
Impact One of the systems may have been compromised.
Detailed Information www.monkey.org, the system that hosts fragroute, was compromised and the fragroute
source code was modified to contain a backdoor. The code was corrupted on
May 17, 2002. Versions after May 31, 2002 and before May 17, 2002 do not contain the backdoor.
Affected Systems Systems running
    dsniff 2.3
    fragroute 1.2
    fragrouter 1.6
Attack Scenarios The backdoor contacts the IP address 216.80.99.202.  A person connecting from that
address can use the backdoor to acquire full control over the compromised machine.  
Ease of Attack Simple.
Corrective Action Upgrade to a new version of fragroute and sanitize the trojaned machine.  
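To find which machines need the corrective action above, gateway logs can be searched for traffic to or from the address named under Attack Scenarios. The following is an added example, not part of the original rule documentation: the iptables-style log format, the host addresses, the ports and the function name `hosts_talking_to_peer` are all assumptions made for illustration.

```python
import re
from ipaddress import ip_address

# Address the backdoor contacts, as given in this rule's documentation.
BACKDOOR_PEER = ip_address("216.80.99.202")

# Constructed sample in iptables LOG style (assumed format, not real traffic).
# The page names no port, so the ports here are arbitrary and are not matched.
SAMPLE_LOG = """\
Jun 12 03:14:07 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=216.80.99.202 PROTO=TCP SPT=32801 DPT=4000
Jun 12 03:14:09 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.4.22 DST=198.51.100.8 PROTO=TCP SPT=40112 DPT=80
Jun 12 03:15:41 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=216.80.99.20 PROTO=TCP SPT=32805 DPT=80
Jun 12 03:20:00 gw kernel: IN=eth0 OUT=eth1 SRC=216.80.99.202 DST=10.0.4.17 PROTO=TCP SPT=4000 DPT=32801
Jun 12 04:02:13 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.4.31 DST=216.80.99.202 PROTO=TCP SPT=51544 DPT=4000
Jun 12 04:02:14 gw kernel: device eth0 entered promiscuous mode
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+)"
)

def hosts_talking_to_peer(log_text, peer=BACKDOOR_PEER):
    """Map each local host to its traffic counts and first/last timestamps."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a packet log line
        try:
            src, dst = ip_address(m["src"]), ip_address(m["dst"])
        except ValueError:
            continue  # malformed address field
        # Compare parsed addresses so 216.80.99.20 does not match by prefix.
        if dst == peer:
            host, direction = str(src), "outbound"
        elif src == peer:
            host, direction = str(dst), "inbound"
        else:
            continue
        rec = hits.setdefault(
            host, {"outbound": 0, "inbound": 0, "first": m["ts"], "last": m["ts"]})
        rec[direction] += 1
        rec["last"] = m["ts"]  # log is assumed to be in time order
    return hits

if __name__ == "__main__":
    for host, rec in hosts_talking_to_peer(SAMPLE_LOG).items():
        print(host, rec)
```

Each host in the result has exchanged traffic with the address and is a candidate for the sanitizing step; an inbound count shows that the remote side also sent packets to that host.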
Additional References Bugtraq:
http://www.securityfocus.com/bid/4898
http://www.securityfocus.com/archive/1/274927
Rule References bugtraq: 4898