[Snort-sigs] Sigs for /sumthin and Rst.b backdoor

Joe Stewart jstewart at ...5...
Mon Apr 7 15:02:04 EDT 2003


Some signatures from my analysis of the ATD Mass Exploiter
http://www.lurhq.com/atd.htm

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC 
OpenSSL-Mass scan"; flow:to_server,established; content:"GET /sumthin 
HTTP/1.0"; offset:0; depth:21; classtype:attempted-recon; 
reference:url,www.lurhq.com/atd.htm; sid:1000001; rev:1;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR Linux/Rst.b Scan"; 
dsize: <9; content:"|44 4f 4d 02|"; depth:4; classtype:attempted-recon; 
reference:url,www.lurhq.com/atd.htm; sid:1000002; rev:1;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR Linux/Rst.b Shell 
Command"; content:"|44 4f 4d 01|"; depth:4; classtype:misc-activity; 
reference:url,www.lurhq.com/atd.htm; sid:1000003; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 4369 (msg:"BACKDOOR Linux/Rst.b 
Reply"; content:"DOM"; dsize:3; classtype:misc-activity; 
reference:url,www.lurhq.com/atd.htm; sid:1000004; rev:1;)

-Joe

-- 
Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/





More information about the Snort-sigs mailing list