• Use Case Reference : SUC028
  • Use Case Title : ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)
  • Use Case Detection : IDS / FTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Metasploit, Nessus, scripts, etc.
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 21/TCP

Possible(s) correlation(s) :

  • Pen-testing tools or home made scripts

Source(s) :

  • ProFTPD Backdoor demo

Emerging Threats SIG 2011994 triggers are :

  • The FTP content should contain “HELP ACIDBITCHEZ“, how is the backdoor command.
  • The source port could be any FROM EXTERNAL_NET in destination of an HOME_NET port 21/TCP.
SIG 2011994 1 year events activity

SIG 2011994 1 year events activity