| Field | Value |
| --- | --- |
| VID | 24005 |
| Severity | 40 |
| Port | |
| Protocol | ICMP |
| Class | BackDoor |
| Detailed Description | The host appears to be running TFN (Tribe Flood Network), a distributed denial-of-service (DDoS) tool installed as a trojan: it lets a remote attacker control this system and use it to attack other networks. Denial of service means denying access to a resource by overloading it, for example by flooding a network with packets. TFN is currently being developed and tested on a large number of compromised Unix systems on the Internet, alongside another distributed denial-of-service tool named "trinoo". TFN consists of client and daemon programs. The daemons, installed on compromised hosts, can wage ICMP flood, SYN flood, UDP flood and Smurf-style attacks on command, and also provide an "on demand" root shell bound to a TCP port. The client controls the daemons using ICMP_ECHOREPLY packets only; there is no TCP- or UDP-based communication between client and daemons at all, so the control channel does not appear in port-based firewall rules or TCP/UDP session logs. Because the daemon runs with root privileges on a host the attacker has already broken into, it is very likely that this host has been compromised. |
| References | http://www.iss.net/security_center/static/3506.php http://staff.washington.edu/dittrich/misc/tfn.analysis |
| Recommendation | Treat the host as fully compromised: take it offline, preserve the evidence, rebuild it from trusted media and restore data only from backups taken before the compromise, and contact CERT and your local authorities. |
| Related URL | CVE-2000-0138 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |
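The description notes that the TFN client drives its daemons with ICMP echo reply packets and nothing else. A practical network-side check that follows from this is to look for echo replies that do not answer any echo request, since a normal reply is always preceded by a request in the opposite direction with the same identifier and sequence number. The following is an added example, not code from the scanner vendor or from the TFN analysis it cites; it parses raw ICMP headers from a list of constructed packets (RFC 5737 documentation addresses, arbitrary identifiers, no real captures) and flags unsolicited replies. It does not decode TFN's command encoding, which this page does not describe.

```python
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    code: int
    ident: int
    seq: int
    payload: bytes


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build a raw ICMP message: type, code 0, checksum, identifier, sequence, payload.
    The checksum is left at zero because these are constructed test packets only."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload


def parse_icmp(src: str, dst: str, raw: bytes) -> IcmpPacket:
    """Parse the 8-byte ICMP header (network byte order); the rest is payload."""
    if len(raw) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return IcmpPacket(src, dst, icmp_type, code, ident, seq, raw[8:])


def find_unsolicited_echo_replies(packets: List[IcmpPacket]) -> List[IcmpPacket]:
    """Return echo replies that do not answer an echo request seen earlier.

    A reply (src -> dst, id, seq) is expected only after a request
    (dst -> src, id, seq). Anything else is unsolicited, which is what a
    control channel built purely on echo replies looks like on the wire."""
    outstanding: Set[Tuple[str, str, int, int]] = set()
    alerts: List[IcmpPacket] = []
    for p in packets:
        if p.icmp_type == ICMP_ECHO_REQUEST:
            outstanding.add((p.src, p.dst, p.ident, p.seq))
        elif p.icmp_type == ICMP_ECHO_REPLY:
            key = (p.dst, p.src, p.ident, p.seq)  # the request travelled the other way
            if key in outstanding:
                outstanding.discard(key)
            else:
                alerts.append(p)
    return alerts


# Constructed sample traffic (documentation addresses, arbitrary identifiers):
#  1. a normal ping exchange between the monitored host and a peer,
#  2. an echo reply to the monitored host that nobody requested, carrying data.
MONITORED_HOST = "192.0.2.10"
PING_PEER = "198.51.100.7"
SUSPECT_CONTROLLER = "203.0.113.5"

SAMPLE_TRAFFIC = [
    parse_icmp(MONITORED_HOST, PING_PEER,
               build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh")),
    parse_icmp(PING_PEER, MONITORED_HOST,
               build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, b"abcdefgh")),
    parse_icmp(SUSPECT_CONTROLLER, MONITORED_HOST,
               build_icmp(ICMP_ECHO_REPLY, 0x4242, 0, b"control data")),
]


def scan_sample() -> List[IcmpPacket]:
    """Run the detector over the constructed sample and return the alerts."""
    return find_unsolicited_echo_replies(SAMPLE_TRAFFIC)


if __name__ == "__main__":
    for alert in scan_sample():
        print(f"unsolicited ICMP echo reply {alert.src} -> {alert.dst} "
              f"id={alert.ident} seq={alert.seq} payload={alert.payload!r}")
```

Unsolicited echo replies also occur legitimately (a capture that starts mid-exchange, a reply arriving after the sender gave up, asymmetric routing past the sensor), so this is a triage signal to correlate with the scanner finding and with the TCP-bound root shell the description mentions, not proof of compromise on its own. Note that ordinary port-based ACLs do nothing against this channel; blocking or rate-limiting inbound echo replies at the border is the corresponding network control.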