GEN:SID 1:248
Message DDOS mstream handler to client
Summary This event is generated when an mstream DDoS handler responds to an mstream client.
Impact Severe.  If the list source IP is in your network, it may be an mstream handler.  If the listed destination IP is in your network, it may be an mstream client.
Detailed Information The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, clients communicate with handlers to inform them to launch attacks.  A client may communicate with a handler using a TCP packet to destination port 12754 with a string of ">" in the payload.  A handler responds to this with a TCP source port of 12754 and a string of ">" in the payload.
Affected Systems Any mstream compromised host.
Attack Scenarios An mstream handler may be respond to a communication from an mstream client.
Ease of Attack Simple. mstream code is freely available.
Corrective Action Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.

Rebuild a confirmed compromised host.

Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
Additional References CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
Rule References cve: 2000-0138