Backdoor.Hale/rpcwhore tcpdump filter

Steve Bernard sbernard at
Wed Aug 20 17:20:02 GMT 2003

A couple of days old, but here's a filter for boxes which are attempting to
join the IRC channel #rpcwhore. I've only seen two destination hosts, but
this filter is host agnostic. It looks for TCP packets with the PUSH and ACK
flags set, and the string "rpcwhore" as part of the data. The exact IRC
string is "JOIN.#rpcwhore.weeeee" but this only looks for the "rpcwhore"
portion as I don't care about everyone who is trying to join an IRC channel.
Since this uses byte offsets, if the tool changes, the packets will change.
I hope this helps.

This should be one long string when used:

tcp[13]==24 && tcp[26]==114 && tcp[27]==112 && tcp[28]==99 && tcp[29]==119 && tcp[30]==104 && tcp[31]==111 && tcp[32]==114 && tcp[33]==101


Steve Bernard
Sr. Systems Engineer, NET
George Mason University
Fairfax, Virginia
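
Added example, not part of the original post: the filter's byte-offset test reimplemented in Python next to a variant that finds the payload through the TCP data-offset field, run over constructed segments to show that the fixed offsets only line up when the TCP header is exactly 20 bytes. The ports, option bytes and function names are assumptions made for the illustration; the payload is the string quoted in the post.

```python
import struct

NEEDLE = b"rpcwhore"
PSH_ACK = 0x18  # 24 decimal, the value the posted filter tests at tcp[13]


def build_segment(payload, options=b""):
    """Build a constructed TCP segment (header + options + payload).

    Ports, sequence numbers and window are made-up values; checksum is 0.
    """
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = (20 + len(options)) // 4  # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", 1025, 6667, 1, 1,
                         data_offset << 4, PSH_ACK, 8192, 0, 0)
    return header + options + payload


def fixed_offset_match(seg):
    """Same test as the posted filter: tcp[13]==24 and tcp[26..33]=='rpcwhore'."""
    return len(seg) >= 34 and seg[13] == PSH_ACK and seg[26:34] == NEEDLE


def header_aware_match(seg):
    """Read the header length from tcp[12], then search only the payload."""
    if len(seg) < 20:
        return False
    hdr_len = (seg[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(seg):
        return False  # malformed data-offset field
    return seg[13] == PSH_ACK and NEEDLE in seg[hdr_len:]


# Constructed samples. The first payload is the string quoted in the post.
JOIN = b"JOIN.#rpcwhore.weeeee"
TS_OPTION = b"\x01\x01\x08\x0a" + b"\x00" * 8  # NOP, NOP, 10-byte timestamp

plain = build_segment(JOIN)                    # 20-byte header
with_options = build_segment(JOIN, TS_OPTION)  # 32-byte header
other_channel = build_segment(b"JOIN.#linux.hello-world")

if __name__ == "__main__":
    for name, seg in [("plain", plain), ("with_options", with_options),
                      ("other_channel", other_channel)]:
        print(name, fixed_offset_match(seg), header_aware_match(seg))
```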
