# (C) Copyright 2001, Martin Roesch, Brian Caswell, et al. All rights reserved. # $Id: backdoor.rules,v 1.15 2001/10/30 05:39:23 cazz Exp $ #--------------- # BACKDOOR RULES #--------------- # alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; sid:103; classtype:misc-activity; rev:3;) alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 2589 (msg:"BACKDOOR - Dagger_1.4.0_client_connect"; flags: A+; content: "|0b 00 00 00 07 00 00 00|Connect"; depth: 16; reference:arachnids,483; sid:104; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 2589 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR - Dagger_1.4.0"; flags: A+; content: "|3200000006000000|Drives|2400|"; depth: 16; reference:arachnids,484; sid:105; classtype:misc-activity; rev:3;) alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"BACKDOOR ACKcmdC trojan scan"; seq: 101058054; ack: 101058054; flags: A;reference:arachnids,445; sid:106; classtype:misc-activity; rev:3;) alert tcp $EXTERNAL_NET 16959 -> $HOME_NET any (msg:"BACKDOOR subseven DEFCON8 2.1 access"; content: "PWD"; content:"acidphreak"; nocase; flags: A+; sid:107; classtype:misc-activity; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"BACKDOOR QAZ Worm Client Login access"; flags: A+; content:"|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:108; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 12345 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags: A+; content: "NetBus"; reference:arachnids,401; sid:109; classtype:misc-activity; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 (msg:"BACKDOOR netbus getinfo"; flags: A+; content: "GetInfo|0d|"; reference:arachnids,403; sid:110; classtype:misc-activity; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"BACKDOOR netbus getinfo"; flags: A+; content: "GetInfo|0d|"; reference:arachnids,403; sid:111; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR BackOrifice access"; flags: A+; content: "server|3a| BO|2f|"; reference:arachnids,400; sid:112; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content: "--Ahhhhhhhhhh"; reference:arachnids,405; sid:113; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags: A+; content: "NetBus"; reference:arachnids,401; sid:114; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags: A+; content: "NetBus"; reference:arachnids,401; sid:115; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice access"; content: "|ce63 d1d2 16e7 13cf 39a5 a586|"; reference:arachnids,399; sid:116; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR Infector.1.x"; content: "WHATISIT"; flags: A+; reference:arachnids,315; sid:117; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 666 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR SatansBackdoor.2.0.Beta"; content: "Remote|3A| You are connected to me."; flags:A+; reference:arachnids,316; sid:118; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 2.0 access"; content: "|57 74 7a 75 70 20 55 73 65|"; flags: A+; depth: 32; reference:arachnids,312; sid:119; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1000:1300 (msg:"BACKDOOR Infector 1.6 Server to Client"; content:"|57 48 41 54 49 53 49 54|"; flags:A+; sid:120; classtype:misc-activity; rev:3;) alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"BACKDOOR Infector 1.6 Client to Server Connection Request"; content:"|46 43 20|"; flags:A+; sid:121; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 System Info Client Request"; content:"13"; reference:arachnids,106; sid:122; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Status Client Request"; content:"09"; reference:arachnids,106; sid:124; classtype:misc-activity; rev:3;) alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving"; reference:arachnids,106; sid:125; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info Client Request"; content:"12"; reference:arachnids,106; sid:126; classtype:misc-activity; rev:3;) alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Status From Server"; content:"Host"; reference:arachnids,106; sid:127; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Status Client Request"; content:"10"; reference:arachnids,106; sid:128; classtype:misc-activity; rev:3;) alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Drive Info From Server"; content:"C - "; reference:arachnids,106; sid:129; classtype:misc-activity; rev:3;) alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 System Info From Server"; content:"Comp Name"; reference:arachnids,106; sid:130; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Drive Info Client Request"; content:"130"; reference:arachnids,106; sid:131; classtype:misc-activity; rev:3;) alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to"; reference:arachnids,106; sid:132; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Cached Passwords Client Request"; content:"16"; reference:arachnids,106; sid:133; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 RAS Passwords Client Request"; content:"17"; reference:arachnids,106; sid:134; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Change Client Request"; content:"91"; reference:arachnids,106; sid:135; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Remove Client Request"; content:"92"; reference:arachnids,106; sid:136; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Rehash Client Request"; content:"911"; reference:arachnids,106; sid:137; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR"; reference:arachnids,106; sid:138; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88"; reference:arachnids,106; sid:140; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR HackAttack 1.20 Connect"; flags: A+; content:"host"; sid:141; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request"; content: "40"; reference:arachnids,106; sid:142; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request"; content:"20"; reference:arachnids,106; sid:143; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 21 <- $EXTERNAL_NET any (msg:"BACKDOOR ADMw0rm ftp retrieval";flags: A+; content:"USERw0rm|0D0A|"; reference:arachnids,01; sid:144; classtype:misc-activity; rev:3;) alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriendaccess"; flags: A+; content:"Girl"; reference:arachnids,98; sid:145; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 30100 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere access"; flags: A+; content:"NetSphere"; reference:arachnids,76; sid:146; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR GateCrasher"; flags: A+; content:"GateCrasher";reference:arachnids,99; sid:147; classtype:misc-activity; rev:3;) alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; sid:148; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|"; reference:arachnids,106; sid:149; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 3150 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; content:"|00 23|"; reference:arachnids,106; sid:150; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; reference:arachnids,106; sid:151; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Connection"; flags: A+; content:"c|3A|\\"; sid:152; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"BACKDOOR DonaldDick 1.53 Traffic"; flags: A+; content:"pINg"; sid:153; classtype:misc-activity; rev:3;) alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Wrong Password"; content:"Wrong Password"; reference:arachnids,106; sid:154; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere 1.31.337 access"; flags: A+; content:"NetSphere"; reference:arachnids,76; sid:155; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Visible Window List Client Request"; content:"37"; reference:arachnids,106; sid:156; classtype:misc-activity; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flags: A+; content:"FTPON"; sid:157; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flags: A+; content:"FTP Port open"; sid:158; classtype:misc-activity; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 5032 (msg:"BACKDOOR NetMetro File List"; flags: A+; content:"|2D 2D|"; reference:arachnids,79; sid:159; classtype:misc-activity; rev:3;) #alert tcp $EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming Traffic"; flags: A+; reference:arachnids,79; sid:160; rev:1;) alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"BACKDOOR Matrix 2.0 Client connect"; content:"activate"; reference:arachnids,83; sid:161; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"BACKDOOR Matrix 2.0 Server access"; content:"logged in"; reference:arachnids,83; sid:162; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"BACKDOOR WinCrash 1.0 Server Active" ; flags:SA; content:"|B4 B4|"; reference:arachnids,36; sid:163; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 2140 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; reference:arachnids,106; sid:164; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; sid:165; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Picture Client Request"; content:"22"; reference:arachnids,106; sid:166; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32"; reference:arachnids,106; sid:167; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33"; reference:arachnids,106; sid:168; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34"; reference:arachnids,106; sid:169; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110"; reference:arachnids,106; sid:170; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request"; content:"35"; reference:arachnids,106; sid:171; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request"; content:"70"; reference:arachnids,106; sid:172; classtype:misc-activity; rev:4;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71"; reference:arachnids,106; sid:173; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31"; reference:arachnids,106; sid:174; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Resolution Change Client Request"; content:"125"; reference:arachnids,106; sid:175; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04"; reference:arachnids,106; sid:176; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down"; reference:arachnids,106; sid:177; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Server Port Client Request"; content:"21"; reference:arachnids,106; sid:179; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Process List Client request"; content:"64"; reference:arachnids,106; sid:180; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Close Port Scan Client Request"; content:"121"; reference:arachnids,106; sid:181; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Registry Add Client Request"; content:"89"; reference:arachnids,106; sid:182; classtype:misc-activity; rev:3;) alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR SIGNATURE - Q ICMP"; itype: 0; dsize: >1; reference:arachnids,202; sid:183; classtype:misc-activity; rev:3;) alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR Q access"; flags:A+; dsize: >1; reference:arachnids,203; sid:184; classtype:misc-activity; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"BACKDOOR CDK"; content: "ypi0ca"; nocase; flags: A+; depth: 15; reference:arachnids,263; sid:185; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Monitor on/off Client Request"; content:"07"; reference:arachnids,106; sid:186; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Delete File Client Request"; content:"41"; reference:arachnids,106; sid:187; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Kill Window Client Request"; content:"38"; reference:arachnids,106; sid:188; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Disable Window Client Request"; content:"23"; reference:arachnids,106; sid:189; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable Window Client Request"; content:"24"; reference:arachnids,106; sid:190; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Window Title Client Request"; content:"60"; reference:arachnids,106; sid:191; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide Window Client Request"; content:"26"; reference:arachnids,106; sid:192; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Window Client Request"; content:"25"; reference:arachnids,106; sid:193; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Send Text to Window Client Request"; content:"63"; reference:arachnids,106; sid:194; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; sid:195; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30"; reference:arachnids,106; sid:196; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Create Directory Client Request"; content:"39"; reference:arachnids,106; sid:197; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 All Window List Client Request"; content:"370"; reference:arachnids,106; sid:198; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Play Sound Client Request"; content:"36"; reference:arachnids,106; sid:199; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Normal Client Request"; content:"14"; reference:arachnids,106; sid:200; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request"; content:"15"; reference:arachnids,106; sid:201; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Get NET File Client Request"; content:"100"; reference:arachnids,106; sid:202; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"117"; reference:arachnids,106; sid:203; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"118"; reference:arachnids,106; sid:204; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 HUP Modem Client Request"; content:"199"; reference:arachnids,106; sid:205; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Open Client Request"; content:"02"; reference:arachnids,106; sid:206; classtype:misc-activity; rev:3;) alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Close Client Request"; content:"03"; reference:arachnids,106; sid:207; classtype:misc-activity; rev:3;) alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"BACKDOOR PhaseZero Server Active on Network"; flags: A+; content:"phAse"; sid:208; classtype:misc-activity; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR w00w00 attempt";flags: A+; content:"w00w00"; classtype:attempted-admin; sid:209; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR attempt"; flags: A+; content:"backdoor"; nocase; classtype:attempted-admin; sid:210; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC r00t attempt";flags: A+; content:"r00t"; classtype:attempted-admin; sid:211; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC rewt attempt";flags: A+; content:"rewt"; classtype:attempted-admin; sid:212; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC linux rootkit attempt";flags: A+; content:"wh00t!"; classtype:attempted-admin; sid:213; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC linux rootkit attempt lrkr0x";flags: A+; content:"lrkr0x"; classtype:attempted-admin; sid:214; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC linux rootkit attempt";flags: A+; content:"d13hh["; nocase; classtype:attempted-admin; sid:215; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC linux rootkit attempt";flags: A+; content:"satori"; classtype:attempted-admin; sid:216; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC sm4ck attempt";flags: A+; content:"hax0r"; classtype:attempted-admin; sid:217; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC solaris 2.5 attempt";flags: A+; content:"friday"; classtype:attempted-user; sid:218; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR HidePak backdoor attempt";flags: A+; content:"StoogR"; sid:219; classtype:misc-activity; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR HideSource backdoor attempt";flags: A+; content:"wank"; sid:220; classtype:misc-activity; rev:3;)