- Use Case Reference : SUC028
- Use Case Title : ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)
- Use Case Detection : IDS / FTP logs
- Attacker Class : Opportunists
- Attack Sophistication : Unsophisticated
- Identified tool(s) : Metasploit, Nessus, scripts, etc.
- Source IP(s) : Random
- Source Countries : Random
- Source Port(s) : Random
- Destination Port(s) : 21/TCP
Possible correlation(s) :
- Pen-testing tools or homemade scripts
Source(s) :
- ProFTPD Backdoor demo
Emerging Threats SIG 2011994 triggers are :
- The FTP content should contain “HELP ACIDBITCHEZ”, which is the backdoor command.
- The source port can be any port; the traffic goes from EXTERNAL_NET to a HOME_NET host on port 21/TCP.
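
The two trigger conditions above, applied to FTP control-channel log lines, as an added example that is not part of the original use case or of the Emerging Threats rule. The log layout, the HOME_NET range, the sample lines, treating EXTERNAL_NET as "anything outside HOME_NET" and the case-insensitive match are all assumptions made for this example.

```python
import ipaddress
import re

# Assumptions for this example: the HOME_NET range and the log layout below are
# constructed for illustration, not taken from the rule or from ProFTPD.
HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<payload>.*)$"
)
BACKDOOR = "HELP ACIDBITCHEZ"  # content string named by this use case


def in_home_net(addr):
    """True when addr belongs to one of the HOME_NET ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def detect(lines):
    """Return one alert dict per inbound FTP line carrying the backdoor command."""
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed layout
        # Direction check: source outside HOME_NET, destination inside it.
        inbound = not in_home_net(m["src"]) and in_home_net(m["dst"])
        # Case-insensitive match is this example's choice (FTP verbs are not case-sensitive).
        if inbound and int(m["dport"]) == 21 and BACKDOOR in m["payload"].upper():
            alerts.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                           "sport": int(m["sport"])})
    return alerts


# Constructed sample lines: "<timestamp> <src>:<sport> -> <dst>:<dport> <FTP command>"
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 198.51.100.7:40112 -> 192.0.2.10:21 USER anonymous",
    "2024-01-01T10:00:01Z 198.51.100.7:40112 -> 192.0.2.10:21 HELP ACIDBITCHEZ",
    "2024-01-01T10:00:05Z 203.0.113.9:51515 -> 192.0.2.10:21 help acidbitchez",
    "2024-01-01T10:00:09Z 203.0.113.9:51600 -> 192.0.2.10:21 HELP",
    "2024-01-01T10:01:00Z 192.0.2.50:33000 -> 192.0.2.10:21 HELP ACIDBITCHEZ",
    "2024-01-01T10:02:00Z 198.51.100.7:40200 -> 192.0.2.10:2121 HELP ACIDBITCHEZ",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("SUC028 match:", alert)
```

The line whose source is inside HOME_NET and the line sent to port 2121 are not reported, because they fall outside the direction and port conditions listed above.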