alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ftpchk3.php possible upload success"; flow:to_client,established; content:"|0d 0a|150 "; content:"ftpchk3.php|0d 0a|226 "; distance:0; nocase; reference:url,digitalpbk.blogspot.com/2009/10/ftpchk3-virus-php-pl-hacked-website.html; reference:url,labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf; classtype:attempted-admin; sid:2018417; rev:3; metadata:created_at 2014_04_24, signature_severity Major, updated_at 2019_07_26;)