Backdoor.IRC.Zapchast.zwrc

alert tcp $HOME_NET any -> $EXTERNAL_NET 6664:6669 (msg:”Backdoor.IRC.Zapchast.zwrc”; flow:to_server,established; content:”ISON”; nocase; content:”adrian”; nocase; distance:0; content:”ctrldel”; nocase; distance:0; pcre:”/^\x20+disk\x20+hack\x20+hacker\x20+jail\x20+mirc\x20+mircea\x20+sex/Rmi”; threshold:type limit, track by_src, count 1, seconds 600; )

Advertisements

About this entry