12-19-2003 07:22 AM - edited 03-09-2019 05:56 AM
I would like to create a custom signature to identify this backdoor. I am using CISCO k9-4235's and am at the latest on all apps S63............
Beast2.05
from -SANS-
http://isc.sans.org/diary.html?date=2003-12-15
The default listen port is 6666 and the port for its outbound connections is 9999. The 'server' calls itself svchost.exe. It can be remotely controlled either in a listening mode or in a "reverse mode". In the reverse mode, once installed, it connects to a server. Many firewalls allow connections from the inside of the network outbound; in such a network "The Beast" can bypass the firewall by opening the outbound connection to its server.
Any help would be appreciated!
Gary Price
12-19-2003 12:00 PM
You can use the 9xxx and 92xx series signatures as a template for your custom signature. I would write one of each for port 6666 and 9999.
-Tony
12-30-2003 11:55 AM
Interesting traffic. I didn't find any for the beast(TCP6666->TCP9999). But I have seen tons of traffic to and from a CounterStrike server in Germany. Seems it initiates a client session using port 9999......Sig is working great.....
gp
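
Added example, not part of the original thread and not Cisco signature syntax: a Python triage of TCP session records using the two ports from the SANS note, separating the listening-mode pattern (inbound to 6666) from the reverse-mode pattern (inside host opening a session outward involving 9999). The flow tuple layout, the RFC 1918 "inside" ranges, the function names and the sample sessions are assumptions constructed for illustration; because the note does not say which side of the outbound session uses 9999, both source and destination port are checked.

```python
import ipaddress

# Assumption: RFC 1918 ranges stand in for "inside the network".
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LISTEN_PORT = 6666   # default listen port, from the SANS note
REVERSE_PORT = 9999  # port for outbound connections, from the SANS note

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def classify(flow):
    """flow = (initiator_ip, initiator_port, responder_ip, responder_port)."""
    src, sport, dst, dport = flow
    # Listening mode: something connects to an inside host on 6666.
    if is_internal(dst) and dport == LISTEN_PORT:
        return "listening-mode candidate"
    # Reverse mode: an inside host opens the session to an outside host.
    if is_internal(src) and not is_internal(dst) and REVERSE_PORT in (sport, dport):
        return "reverse-mode candidate"
    return None

def triage(flows):
    """Group candidate labels by the inside host that would be infected."""
    hits = {}
    for flow in flows:
        label = classify(flow)
        if label:
            host = flow[2] if label.startswith("listening") else flow[0]
            hits.setdefault(host, set()).add(label)
    return hits

# Constructed sample sessions (external hosts use documentation addresses).
SAMPLE_FLOWS = [
    ("203.0.113.7", 40112, "10.1.2.30", 6666),     # inbound to 6666
    ("10.1.2.30", 1045, "198.51.100.9", 9999),     # same host calls out to 9999
    ("10.1.2.44", 9999, "198.51.100.20", 27015),   # client using source port 9999
    ("10.1.2.50", 51000, "198.51.100.80", 443),    # unrelated web session
    ("10.1.2.60", 33000, "10.1.2.61", 9999),       # inside-to-inside, not reverse mode
]

if __name__ == "__main__":
    for host, labels in sorted(triage(SAMPLE_FLOWS).items()):
        print(host, sorted(labels))
```

A host showing both patterns (10.1.2.30 in the sample) deserves attention first; a lone port 9999 match, like the game-client-style session from 10.1.2.44, is only a candidate until the host itself is checked.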