[Snort-sigs] INETD backdoor signature (sh -i)

Meder Baike meder at ...643...
Fri Jun 21 18:21:03 EDT 2002

hi, i didn't see this one in rules, so decided to write one:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INETD backdoor (interactive shell\: sh -i)"; \
                                         flags: A+; content:"stream tcp nowait root /bin/sh sh -i"; nocase; \
                                          classtype:attempted-admin; sid:1000001; rev:1;)

More information about the Snort-sigs mailing list