Bind shell backdoor listens on TCP 33270
backdoor-uucico-bindshell (5179)
Description:
A backdoor program that is associated with the Trinity distributed denial of service (DDoS) tool listens on TCP port 33270 (by default), awaiting an attacker's connection. Once connected, the attacker can issue a preconfigured password to open a shell running with root uid privileges. This backdoor has been observed running on many hosts infected with the Trinity DDoS agent.
Consequences:
Gain Access
Remedy:
If this backdoor is found on a system, the computer should be considered completely compromised and should be disconnected from all network and Internet connectivity. The compromised computer may be needed for forensic purposes.
Because the computer may also be infected with the Trinity DDoS agent, it is necessary to completely re-install the operating system.
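One way to check a Linux host for a listener on the default port described above, by parsing the kernel's socket table in /proc/net/tcp. This is an added example, not part of the original advisory; the function names and the sample table are constructed for illustration.

```python
"""Added example: flag LISTEN sockets on the advisory's default port, TCP 33270."""
import os

BACKDOOR_PORT = 33270   # default port named in the advisory (0x81F6)
TCP_LISTEN = "0A"       # LISTEN state code used in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:81F6 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:81F6 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1
"""


def find_listeners(table_text, port=BACKDOOR_PORT):
    """Return one dict per LISTEN socket bound to `port` in a /proc/net/tcp table."""
    hits = []
    for line in table_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state = fields[1], fields[3]
        # The local address is "HEXADDR:HEXPORT"; this also holds for tcp6 rows.
        local_port = int(local.rsplit(":", 1)[1], 16)
        if state == TCP_LISTEN and local_port == port:
            hits.append({"local": local,
                         "uid": int(fields[7]),    # owner of the socket
                         "inode": int(fields[9])}) # maps to /proc/<pid>/fd
    return hits


def scan_host(paths=("/proc/net/tcp", "/proc/net/tcp6")):
    """Run the check against the live socket tables, where they exist."""
    hits = []
    for path in paths:
        if os.path.exists(path):
            with open(path) as fh:
                hits.extend(find_listeners(fh.read()))
    return hits


if __name__ == "__main__":
    for hit in find_listeners(SAMPLE):
        print("constructed sample:", hit)
    for hit in scan_host():
        print("live host:", hit)
```

Because 33270 is only the default port, an empty result does not clear a host. A hit owned by uid 0 matches the root shell described above and means the Remedy applies.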
References:
- CIAC Information Bulletin K-072: New Variants of Trinity and Stacheldraht DDoS.
- Internet Security Systems Security Alert #59: Trinity v3 Distributed Denial of Service tool.
- National Infrastructure Protection Center 00-055: "Trinity v3/ Stacheldraht 1.666" Distributed Denial of Service Tool.
- National Infrastructure Protection Center 00-063: "New Year's DDoS Advisory".
- CVE-1999-0660: A hacker utility, back door, or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc.
Platforms Affected:
- Linux Kernel
Reported:
Aug 28, 2000
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
