# $Id: backdoor-lib,v 1.4 2000/01/15 11:46:24 fyodor Exp $ 
# backdoors (Back Orifice, etc) go here 

# port 1524 (ingreslock) is pretty popular for setting up backdoor rootshells
# Fires on each SYN from outside $HOME_NET to tcp/1524 (flags: S), i.e. once
# per connection attempt.  No payload is inspected, so a port scan or a
# legitimate Ingres lock service listening here trips it as well -- read it as
# a connection-attempt indicator, not as proof that a rootshell is present.
alert tcp !$HOME_NET any -> $HOME_NET 1524 (msg: "default Backdoor access!"; flags: S;)


# submitted by Nick Rogness and Jim Forster
# Backdoor Default Ports (not useful on networks with outgoing traffic)
#
# Nearly every rule in this section matches on destination port alone
# ("any any -> $HOME_NET <port>", no content or flags option).  Tuning notes:
#   - any packet to the port fires, including replies to a host's own
#     outgoing connections whose ephemeral source port happens to equal one
#     of these numbers (that is what "not useful on networks with outgoing
#     traffic" means);
#   - the source is "any", so traffic that originates inside $HOME_NET
#     fires too;
#   - for the udp rules the source address is unauthenticated, so a single
#     alert is weak evidence of compromise.  The stronger signal is a reply
#     *from* $HOME_NET on the backdoor port (the "$HOME_NET <port> -> any any"
#     rules with a content match), which shows something is actually
#     answering as the server.
alert udp any any -> $HOME_NET 31 (msg:"Hackers Paradise";)
alert udp any any -> $HOME_NET 456 (msg:"Hackers Paradise";)
alert udp any any -> $HOME_NET 555 (msg:"iNi Killer/Phase Zero/Stealth Spy"; )
# Reply direction: a host in $HOME_NET answering on tcp/555 with "phAse" in a
# PUSH/ACK segment -- a much stronger indicator than the port-only udp/555
# rule above.
alert tcp $HOME_NET 555 -> any any (msg:"Phase Zero Server Active on Network"; content: "phAse"; flags: PA;)
alert udp any any -> $HOME_NET 666 (msg:"Satanz Backdoor";)
alert udp any any -> $HOME_NET 1001 (msg:"Silencer, WebEX";)
alert udp any any -> $HOME_NET 1170 (msg:"Psyber Stream";)
alert udp any any -> $HOME_NET 1234 (msg:"Ultors Trojan";)
alert udp any any -> $HOME_NET 1245 (msg:"VooDoo Doll";)
alert udp any any -> $HOME_NET 1492 (msg:"FTP99cmp";)
alert udp any any -> $HOME_NET 1600 (msg:"Shivka-Burka";)
alert udp any any -> $HOME_NET 1807 (msg:"Spy Sender";)
alert udp any any -> $HOME_NET 1981 (msg:"ShockRave";)
alert udp any any -> $HOME_NET 1999 (msg:"Back Door";)
alert udp any any -> $HOME_NET 2001 (msg:"Trojan Cow";)
alert udp any any -> $HOME_NET 2023 (msg:"Ripper Pro";)
alert udp any any -> $HOME_NET 2115 (msg:"Bugs";)
# NOTE(review): content:"00" is the two ASCII characters '0','0'; a NUL byte
# would be written as |00|.  Assumed to be the intended ASCII ping -- verify
# against the Deep Throat client's request format before relying on it.
alert udp any any -> $HOME_NET 2140 (msg:"Deep Throat/Invasor"; content:"00";)
alert udp any any -> $HOME_NET 2565 (msg:"Striker";)
alert udp any any -> $HOME_NET 2801 (msg:"Phineas Phucker";)
alert udp any any -> $HOME_NET 2989 (msg:"Rat backdoor";)
alert udp any any -> $HOME_NET 3024 (msg:"WinCrash";)
alert udp any any -> $HOME_NET 3150 (msg:"Deep Throat/Invasor";)
alert udp any any -> $HOME_NET 3700 (msg:"Portal Of Doom";)
alert udp any any -> $HOME_NET 4092 (msg:"WinCrash";)
alert udp any any -> $HOME_NET 4950 (msg:"ICQ Trojan";)
alert udp any any -> $HOME_NET 5000 (msg:"Sockets De Troie";)
alert udp any any -> $HOME_NET 5001 (msg:"Sockets De Troie";)
alert udp any any -> $HOME_NET 5321 (msg:"FireHotcker";)
alert udp any any -> $HOME_NET 5400 (msg:"Blade Runner";)
alert udp any any -> $HOME_NET 5401 (msg:"Blade Runner";)
alert udp any any -> $HOME_NET 5402 (msg:"Blade Runner";)
alert udp any any -> $HOME_NET 5569 (msg:"Robo-Hack";)
alert udp any any -> $HOME_NET 5742 (msg:"WinCrash";)
alert udp any any -> $HOME_NET 6670 (msg:"Deep Throat";)
alert udp any any -> $HOME_NET 6711 (msg:"Deep Throat/SubSeven";)
alert udp any any -> $HOME_NET 7000 (msg:"Remote Grab";)
alert udp any any -> $HOME_NET 7300 (msg:"Net Monitor";)
alert udp any any -> $HOME_NET 7301 (msg:"Net Monitor";)
alert udp any any -> $HOME_NET 7302 (msg:"Net Monitor";)
alert udp any any -> $HOME_NET 7303 (msg:"Net Monitor";)
alert udp any any -> $HOME_NET 7304 (msg:"Net Monitor";)
alert udp any any -> $HOME_NET 7305 (msg:"Net Monitor";)
alert udp any any -> $HOME_NET 7306 (msg:"Net Monitor";)
alert udp any any -> $HOME_NET 7307 (msg:"Net Monitor";)
alert udp any any -> $HOME_NET 7308 (msg:"Net Monitor";)
alert udp any any -> $HOME_NET 7789 (msg:"ICKiller";)
alert udp any any -> $HOME_NET 9872 (msg:"Portal Of Doom";)
alert udp any any -> $HOME_NET 10067 (msg:"Portal Of Doom"; content: "pod";)
# tcp rule with no flags option: every segment to tcp/10752 fires, not just
# the SYN (compare the Netbus rules below, which use flags: S).  Consider
# adding flags: S if one alert per connection attempt is what is wanted.
alert tcp any any -> $HOME_NET 10752 (msg:"Linux mountd backdoor";)
alert udp any any -> $HOME_NET 11223 (msg:"Progenic Trojan";)
alert udp any any -> $HOME_NET 12223 (msg:"Hack99-Keylogger";)
# flags: S -> one alert per connection attempt; a port scan of these ports
# fires them as readily as a real client would.
alert tcp any any -> $HOME_NET 12345 (msg:"Netbus/GabanBus"; flags: S;)
alert tcp any any -> $HOME_NET 12346 (msg:"Netbus/GabanBus"; flags: S;)
alert tcp any any -> $HOME_NET 12361 (msg:"Whack-a-mole"; flags: S;)
alert tcp any any -> $HOME_NET 12362 (msg:"Whack-a-mole"; flags: S;)
alert udp any any -> $HOME_NET 16969 (msg:"Portal Of Doom/Priority";)
alert udp any any -> $HOME_NET 20000 (msg:"Millenium";)
alert udp any any -> $HOME_NET 20001 (msg:"Millenium";)
alert udp any any -> $HOME_NET 20034 (msg:"NetBus PRO";)
alert udp any any -> $HOME_NET 21544 (msg:"Girlfriend";)
alert udp any any -> $HOME_NET 22222 (msg:"Prosiak";)
alert udp any any -> $HOME_NET 26274 (msg:"Delta";)
alert udp any any -> $HOME_NET 31337 (msg:"Back Orifice";)
alert udp any any -> $HOME_NET 31338 (msg:"Deep Back Orifice";)
alert udp any any -> $HOME_NET 31339 (msg:"NetSpy";)
alert udp any any -> $HOME_NET 31666 (msg:"BOWhack";)
alert udp any any -> $HOME_NET 33333 (msg:"Prosiak";)
alert udp any any -> $HOME_NET 34324 (msg:"Big Gluck/TelnetSrv";)
alert udp any any -> $HOME_NET 40412 (msg:"The Spy";)
alert udp any any -> $HOME_NET 40421 (msg:"Masters Paradise";)
alert udp any any -> $HOME_NET 40422 (msg:"Masters Paradise";)
alert udp any any -> $HOME_NET 40423 (msg:"Masters Paradise";)
alert udp any any -> $HOME_NET 40426 (msg:"Masters Paradise";)
alert udp any any -> $HOME_NET 47262 (msg:"Delta";)
alert udp any any -> $HOME_NET 50505 (msg:"Sockets de Troie";)
alert udp any any -> $HOME_NET 50776 (msg:"Fore";)
alert udp any any -> $HOME_NET 53001 (msg:"Remote Win Shutdown";)
alert udp any any -> $HOME_NET 61446 (msg:"TeleCommando";)
alert udp any any -> $HOME_NET 65000 (msg:"Devil";)
# tcp counterpart of the udp/31337 "Back Orifice" rule above; anything
# sweeping for BO on 31337 will trip this one as well, so do not read the
# msg as confirmation that a bind shell is listening.
alert tcp any any -> $HOME_NET 31337 (msg:"BIND Shell"; flags: S;)
# pcAnywhere is a commercial remote-control product rather than a trojan;
# where it is deployed legitimately these three rules fire on normal use.
# The two-byte content matches ("ST", "NQ") add little discrimination on
# their own, so tune or disable on networks that sanction pcAnywhere.
alert udp any any -> $HOME_NET 5632 (msg:"PCAnywhere"; content:"ST";)
alert udp any any -> $HOME_NET 22 (msg:"PCAnywhere"; content:"ST";)
alert udp any any -> $HOME_NET 22 (msg:"PCAnywhere"; content:"NQ";)

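# New backdoors from Martin Markgraf with some updates from Jim Forster
#
# These rules mostly come in pairs: an inbound "Possible ... access" rule
# (destination port plus a SYN flag and/or a short content string) and an
# outbound rule that matches the server's own reply from $HOME_NET.  An
# outbound hit means a host inside is answering as the backdoor -- escalate
# on those.  The inbound rules on their own are also triggered by scans and
# by unsolicited probes, so treat them as leads rather than confirmations.

# Deep Throat: the udp/2140 reply banner coming out of $HOME_NET.
alert udp $HOME_NET 2140 -> any any (content:"hhh My Mouth Is Open"; msg:"Deep Throat access";)
# Portal of Doom: inbound "pod" on either port, outbound "KeepAliveee" is the
# server-side confirmation.
alert udp any any -> $HOME_NET 10067 (msg:"Possible Portal of Doom access"; content: "pod";)
alert udp any any -> $HOME_NET 10167 (msg:"Possible Portal of Doom access"; content: "pod";)
alert udp $HOME_NET 10067 -> any any (content:"KeepAliveee"; msg:"Portal of Doom access";)
alert udp $HOME_NET 10167 -> any any (content:"KeepAliveee"; msg:"Portal of Doom access";)
# Hack a Tack: inbound only, keyed on the "yourdomain.com" string; there is
# no outbound confirmation rule in this set.
alert udp any any -> $HOME_NET 31789 (msg:"Possible Hack a Tack access"; content: "yourdomain.com";)
alert udp any any -> $HOME_NET 31791 (msg:"Possible Hack a Tack access"; content: "yourdomain.com";)
alert tcp any any -> $HOME_NET 31785 (msg:"Possible Hack a Tack access"; content: "yourdomain.com"; flags: PA;)
# NetSphere control (30100) and capture FTP (30102) channels.  The msg text
# on the 30102 pair is spelled "access" (was "acces") so the alerts group
# with the rest of the NetSphere messages.
alert tcp any any -> $HOME_NET 30100 (msg:"Possible NetSphere access"; flags: S;)
alert tcp $HOME_NET 30100 -> any any (content:"<NetSphere"; msg:"NetSphere access"; flags: PA;)
alert tcp any any -> $HOME_NET 30102 (msg:"Possible NetSphere FTP access"; flags: S;)
alert tcp $HOME_NET 30102 -> any any (content:"NetSphere Capture FTP"; msg:"NetSphere FTP access"; flags: PA;)
# GateCrasher: the inbound rule has no flags option, so every segment to
# tcp/6969 fires (not just the SYN); the outbound "GateCrasher" content
# match is the confirming signal.
alert tcp any any -> $HOME_NET 6969 (msg:"Possible GateCrasher access";)
alert tcp $HOME_NET 6969 -> any any (content:"GateCrasher"; msg:"GateCrasher access"; flags: PA;)
# GirlFriend: note the outbound content is only "Girl", so expect some
# false positives on ordinary traffic leaving tcp/21554.
alert tcp any any -> $HOME_NET 21554 (msg:"Possible GirlFriend access"; flags: S;)
alert tcp $HOME_NET 21554 -> any any (content:"Girl"; msg:"GirlFriend access"; flags: PA;)
alert tcp any any -> $HOME_NET 23456 (msg:"Possible EvilFTP access"; flags: S;)
alert tcp $HOME_NET 23456 -> any any (content:"EvilFTP"; msg:"EvilFTP access"; flags: PA;)
# SubSeven: SYN-only on its two default ports and no outbound confirmation
# rule here; the commented-out payload rule at the end of the file is the
# (expensive) content check if higher confidence is needed.
alert tcp any any -> $HOME_NET 1243 (msg:"Possible SubSeven access"; flags: S;)
alert tcp any any -> $HOME_NET 6776 (msg:"Possible SubSeven access"; flags: S;)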

# you can uncomment this rule if you like, but every TCP packet 
# with the PUSH and ACK flags set will have to do a 
# payload pattern match, which is bad for performance!
#alert tcp any any -> any any (content:"phAse Zero server"; msg:"Possible phAse Zero access"; flags: PA;)
#alert tcp any any -> any any (content:"connected. time/date"; msg:"Possible SubSeven access"; flags: PA;)

