[Snort-sigs] Signature to detect shells bound to a port
jtjuslin at ...1151...
Tue Jul 29 23:35:06 EDT 2003
For example the famous sshd remote root exploit:
...Binds a shell to a high number port. Is there any signature to
detect these shells giving backdoor access to a computer?
I tried to find from the current rule base.
It is hard of course to do this, but what about starting like
looking for strings "root root" and -rw------ and similar
in the streams for ports, which are not ftp and http? The user
probably types ls -al at some point.
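
The heuristic proposed in this post, sketched in Python as an added example (not part of the original message and not a Snort rule): it counts lines shaped like `ls -al` output in a reassembled server-to-client payload on ports other than FTP and HTTP. The port numbers, the function name, the two-line threshold and the sample payloads are assumptions constructed for illustration.

```python
import re

# Ports the post excludes because listings are normal there (FTP, HTTP).
# Port 20 (FTP data) is an added assumption.
EXCLUDED_PORTS = {20, 21, 80}

SP = rb"[ \t]+"
# One line of `ls -l` output: file type + 9 permission chars, link count,
# owner, group, size. Anchored at line start so that a casual mention of
# "-rw-------" in the middle of a sentence does not count.
LS_LINE = re.compile(
    rb"^[-dlcbps][-rwxsStT]{9}[.+@]?" + SP + rb"\d+" + SP
    + rb"(\S+)" + SP + rb"(\S+)" + SP + rb"\d+" + SP,
    re.MULTILINE,
)


def score_stream(src_port, dst_port, payload, min_lines=2):
    """Return a summary dict if the payload looks like a directory listing
    sent over a port outside EXCLUDED_PORTS, otherwise None."""
    if src_port in EXCLUDED_PORTS or dst_port in EXCLUDED_PORTS:
        return None
    matches = LS_LINE.findall(payload)
    # Require several listing lines: one match alone is weak evidence.
    if len(matches) < min_lines:
        return None
    root_owned = sum(1 for owner, group in matches
                     if owner == b"root" and group == b"root")
    return {"port": src_port, "ls_lines": len(matches),
            "root_owned": root_owned}


# Constructed sample payloads (not captured traffic).
LISTING = (
    b"total 12\n"
    b"drwxr-xr-x  3 root root 4096 Jul 29 23:10 .\n"
    b"drwxr-xr-x 21 root root 4096 Jul 29 22:01 ..\n"
    b"-rw-------  1 root root  512 Jul 29 23:11 .bash_history\n"
)
CHAT = b"chmod 600 gives you -rw------- root root on that file\n"

if __name__ == "__main__":
    print(score_stream(40000, 51515, LISTING))  # listing on a high port
    print(score_stream(21, 51515, LISTING))     # same listing over FTP
    print(score_stream(6667, 51515, CHAT))      # text that only mentions it
```

The same line-anchored pattern only sees cleartext, so it says nothing about a shell carried over an encrypted channel.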