backdoor.rules

This is the snapshot of Snot Latest Rules

alert tcp $HOME_NET 2589 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR - Dagger_1.4.0"; flow:from_server,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; metadata:policy security-ips drop; reference:arachnids,484; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:105; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; metadata:policy security-ips drop; reference:mcafee,98775; classtype:misc-activity; sid:108; rev:8;)


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR Infector.1.x"; flow:established,from_server; content:"WHATISIT"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:arachnids,315; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity; sid:117; rev:10;)
alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR SatansBackdoor.2.0.Beta"; flow:from_server,established; content:"Remote|3A| "; depth:11; nocase; content:"You are connected to me.|0D 0A|Remote|3A| Ready for commands"; distance:0; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/s/satanzbackdoor/SBD2.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5260; classtype:trojan-activity; sid:118; rev:8;)
alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity; sid:121; rev:10;)

alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR HackAttack 1.20 Connect"; flow:established,from_server; content:"host"; metadata:policy security-ips drop; classtype:misc-activity; sid:141; rev:6;)

alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriendaccess"; flow:to_server,established; content:"Girl"; metadata:policy security-ips drop; reference:arachnids,98; classtype:misc-activity; sid:145; rev:6;)
alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere access"; flow:established,from_server; content:"NetSphere"; metadata:policy security-ips drop; reference:arachnids,76; classtype:trojan-activity; sid:146; rev:8;)
alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR GateCrasher"; flow:established,from_server; content:"GateCrasher"; depth:11; nocase; content:"Server"; distance:0; nocase; content:"On-Line..."; distance:0; nocase; pcre:"/^GateCrasher\s+v\d+\x2E\d+\x2C\s+Server\s+On-Line\x2E\x2E\x2E/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=973; classtype:trojan-activity; sid:147; rev:7;)
alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Connection"; flow:established,from_server; content:"c|3A 5C|"; metadata:policy security-ips drop; classtype:misc-activity; sid:152; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; metadata:policy security-ips drop; classtype:misc-activity; sid:157; rev:6;)
alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:from_server,established; content:"FTP Port open"; metadata:policy security-ips drop; classtype:misc-activity; sid:158; rev:6;)
alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"BACKDOOR Matrix 2.0 Client connect"; flow:to_server; content:"activate"; metadata:policy security-ips drop; reference:arachnids,83; classtype:misc-activity; sid:161; rev:6;)
alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"BACKDOOR Matrix 2.0 Server access"; flow:to_server; content:"logged in"; metadata:policy security-ips drop; reference:arachnids,83; classtype:misc-activity; sid:162; rev:6;)
alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"BACKDOOR WinCrash 1.0 Server Active"; flow:stateless; flags:SA,12; content:"|B4 B4|"; metadata:policy security-ips drop; reference:arachnids,36; classtype:misc-activity; sid:163; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca"; depth:15; nocase; metadata:policy security-ips drop; reference:arachnids,263; classtype:misc-activity; sid:185; rev:6;)


alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"BACKDOOR PhaseZero Server Active on Network"; flow:established,from_server; content:"phAse zero server"; depth:17; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/p/phasezero/PhaseZero1.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4539; classtype:trojan-activity; sid:208; rev:8;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; metadata:policy security-ips drop; reference:arachnids,510; classtype:attempted-admin; sid:209; rev:5;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; metadata:policy security-ips drop; classtype:attempted-admin; sid:210; rev:4;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; metadata:policy security-ips drop; classtype:attempted-admin; sid:211; rev:4;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; metadata:policy security-ips drop; classtype:attempted-admin; sid:212; rev:4;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; metadata:policy security-ips drop; classtype:attempted-admin; sid:213; rev:5;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; metadata:policy security-ips drop; classtype:attempted-admin; sid:214; rev:5;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; metadata:policy security-ips drop; classtype:attempted-admin; sid:215; rev:5;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; metadata:policy security-ips drop; reference:arachnids,516; classtype:attempted-admin; sid:216; rev:7;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; metadata:policy security-ips drop; classtype:attempted-admin; sid:217; rev:4;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; metadata:policy security-ips drop; classtype:attempted-user; sid:218; rev:5;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; metadata:policy security-ips drop; classtype:misc-activity; sid:219; rev:7;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; metadata:policy security-ips drop; classtype:misc-activity; sid:220; rev:7;)
alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"BACKDOOR hack-a-tack attempt"; flow:stateless; flags:A+; content:"A"; depth:1; metadata:policy security-ips drop; reference:arachnids,314; classtype:attempted-recon; sid:614; rev:9;)
alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"BACKDOOR win-trin00 connection attempt"; flow:to_server; content:"png []..Ks l44"; depth:14; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:9;)


# NOTES: this string should be within the first 3 bytes of the connection
alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 (msg:"BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|"; depth:3; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR SubSeven 2.1 Gold server connection response"; flow:from_server,established; content:"connected. time/date|3A| "; depth:22; content:"version|3A| GOLD 2.1"; distance:1; metadata:policy security-ips drop; reference:mcafee,10566; reference:nessus,10409; classtype:trojan-activity; sid:2100; rev:8;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"BACKDOOR Remote PC Access connection attempt"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; metadata:policy security-ips drop; reference:nessus,11673; classtype:trojan-activity; sid:2124; rev:4;)