zlacker

Thread: Detecting the use of "curl | bash" server-side
1. michae+93 2018-07-29 02:46:39
>>rubyn0+(OP)
On the evading detection side, one other simple way to avoid this is to add sponge[0] between curl and bash in the pipeline, i.e. curl ... | sponge | bash. sponge consumes all input until EOF before outputting anything, stopping bash from executing a partially downloaded script.

[0] https://linux.die.net/man/1/sponge

2. andrew+Mb 2018-07-29 06:08:05
>>michae+93
Just curl it to tee or redirect to a file and you know it won't change before you execute the script file.

There's nothing stopping somebody from even more trivially just sending each IP a benign script once (per curl user agent) and a malicious script the second time. Putting it in a file and executing the file brings it entirely into your domain of control.
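The "download to a file, then execute the file" approach from the comment above, written out as an added example (this is not code from either commenter): the script is fetched completely before anything runs, its SHA-256 is compared with a value obtained out of band, and only then is it executed. The function names, the `--max-time` choice and the use of `sha256sum`/`shasum` are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Fetch an install script to a file,
# verify it against a checksum published out of band, then run the verified copy.
# Assumes curl and either sha256sum (GNU coreutils) or shasum (macOS/BSD).

# Print the SHA-256 of a file using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Download URL into DEST as a complete file. No interpreter reads the stream,
# so a server that watches pipe timing sees only an ordinary download, and a
# partial transfer (curl exits non-zero) leaves nothing to execute.
fetch_script() {
  url=$1; dest=$2
  curl -fsSL --max-time 60 -o "$dest" "$url"
}

# Run SCRIPT only if its SHA-256 equals EXPECTED. On mismatch nothing runs and
# the function returns 1, which also catches a server that served a benign
# script once and a different one on the next request.
verify_and_run() {
  script=$1; expected=$2
  actual=$(sha256_of "$script")
  if [ "$actual" != "$expected" ]; then
    printf 'checksum mismatch for %s\n  expected %s\n  got      %s\n' \
      "$script" "$expected" "$actual" >&2
    return 1
  fi
  sh "$script"
}

# Typical use (URL and hash are placeholders, not real values):
#   fetch_script "https://example.invalid/install.sh" /tmp/install.sh
#   verify_and_run /tmp/install.sh "<sha256 published on the project's site>"
```

If a checksum is not available, the same buffering effect as `sponge` can be had with command substitution, e.g. `bash -c "$(curl -fsSL URL)"`, because the shell reads the whole response before executing any of it; the file-based variant above additionally leaves a copy you can read before running.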