14 lines
512 B
Plaintext
14 lines
512 B
Plaintext
|
|
rule Backdoor_Linux_Gafgyt_Q_MTB{
|
|
meta:
|
|
description = "Backdoor:Linux/Gafgyt.Q!MTB,SIGNATURE_TYPE_ELFHSTR_EXT,03 00 03 00 04 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {10 40 2d e9 21 01 90 01 01 ef 01 0a 70 e3 00 40 a0 e1 03 00 90 01 04 ff eb 00 30 64 e2 00 30 80 e5 00 40 e0 e3 04 00 a0 e1 10 80 bd e8 90 00 } //01 00
|
|
$a_01_1 = {4b 49 4c 4c 41 54 54 4b } //01 00 KILLATTK
|
|
$a_01_2 = {62 69 67 62 6f 74 73 } //01 00 bigbots
|
|
$a_01_3 = {55 44 50 52 41 57 } //00 00 UDPRAW
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |