
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast) SANS Stormcast Monday, March 23rd, 2026: GSocket Backdoor in Bash; Oracle Security Alert; Rockwell Attacks
Mar 23, 2026
A breakdown of a bash-delivered GSocket backdoor and how attackers hide and persist access. Discussion of timestamp manipulation and a cron/pkill-zero persistence trick. Coverage of a critical Oracle security alert about Identity Manager and Web Services Manager. Warning about industrial control system risks and advice to disconnect and harden PLCs against rising attacks.
GSocket Backdoor Bash Script Analysis
- Xavier analyzed a bash script that abused the GSocket toolkit to create a backdoor on NATed hosts. GSocket tunnels outbound through a relay network, so the backdoor stays reachable without any inbound port being opened or forwarded.
- The script used time stomping and a cron-style persistence trick built on a 'kill -0' check: `kill -0 PID` sends no signal and only tests whether the process still exists, so the job respawns the backdoor only after it has died instead of restarting it (and touching files) on every run.
Time Stomping Hides Bash Backdoor Activity
- Time stomping in a simple bash backdoor hides file modification evidence by restoring the original access and modification timestamps (atime/mtime) after the file has been changed. The inode change time (ctime) cannot be set from user space this way, so a ctime that is newer than the mtime is one thing the trick does not hide.
- Attackers combined this with SSH authorized_keys overwrites and a non-killing 'kill -0' liveness check to avoid obvious restarts.
Look For Legit Tool Abuse And Subtle Persistence
- Check for abuse of legitimate remote-access tools like GSocket, and inspect unexpected long-lived outbound connections from NATed hosts, since an outbound relay tunnel is how such a backdoor reaches its operator.
- Look for subtle persistence indicators like modified authorized_keys files with unchanged timestamps (compare mtime against ctime with stat) and cron entries that use 'kill -0' checks to respawn a process.
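The timestamp caveat and the two indicators above, as an added shell example that is not the script Xavier analyzed and not code from the podcast. It assumes Linux with GNU coreutils (stat -c, touch -d); the key strings, the crontab lines and the /tmp/.x paths are constructed for the demo. It simulates the authorized_keys overwrite plus time stomp on a throwaway file, then shows that the stomped file is flagged by a ctime-versus-mtime check while a normally written file is not, and greps a crontab for the kill -0 respawn pattern.

```bash
#!/bin/bash
# Added example, not the episode's script. Assumes Linux with GNU coreutils
# (stat -c, touch -d). All files, keys and cron lines below are constructed.

# Simulate the attacker: append a key, then copy the pre-modification atime/mtime
# back onto the file. Only atime and mtime are restored; the kernel still bumps ctime.
stomp_like_attacker() {
    keyfile=$1
    ref=$(mktemp)
    touch -r "$keyfile" "$ref"                                           # save original timestamps
    printf 'ssh-ed25519 AAAAexampleAttackerKey attacker\n' >> "$keyfile" # constructed key
    touch -r "$ref" "$keyfile"                                           # put atime/mtime back
    rm -f "$ref"
}

# Check 1: print 1 if ctime is newer than mtime (touch cannot undo this), else 0.
# A hit is an indicator, not proof: chmod, chown and renames also bump ctime alone.
ctime_after_mtime() {
    mtime=$(stat -c %Y "$1")   # last content modification, settable with touch
    ctime=$(stat -c %Z "$1")   # last inode change, set only by the kernel
    if [ "$ctime" -gt "$mtime" ]; then echo 1; else echo 0; fi
}

# Check 2: count crontab lines that probe a process with 'kill -0' / 'pkill -0'
# before (re)launching something. Reads crontab text on stdin.
count_kill0_cron() {
    grep -cE '(^|[^[:alnum:]_])p?kill[[:space:]]+-0([[:space:]]|$)' || true
}

# Constructed scenario: an authorized_keys file that looks a year old, then stomped.
demo_stomped_file() {
    d=$(mktemp -d)
    f="$d/authorized_keys"
    printf 'ssh-ed25519 AAAAexampleAdminKey admin@host\n' > "$f"
    touch -d '2024-01-01 00:00:00' "$f"    # pretend it has been untouched for ages
    stomp_like_attacker "$f"
    ctime_after_mtime "$f"                 # mtime still says 2024, ctime says now
    rm -rf "$d"
}

# Control: a file written normally gets ctime == mtime, so the check stays quiet.
demo_benign_file() {
    d=$(mktemp -d)
    f="$d/authorized_keys"
    printf 'ssh-ed25519 AAAAexampleAdminKey admin@host\n' > "$f"
    ctime_after_mtime "$f"
    rm -rf "$d"
}

# Constructed crontab: one benign job, one kill -0 respawner, and one job that
# uses pkill with a real signal and must not match.
SAMPLE_CRON='0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * kill -0 $(cat /tmp/.x/pid) 2>/dev/null || /tmp/.x/run >/dev/null 2>&1
*/10 * * * * pkill -HUP -f rsyslogd'

echo "stomped authorized_keys flagged:   $(demo_stomped_file)"
echo "untouched authorized_keys flagged: $(demo_benign_file)"
echo "kill -0 cron entries:              $(printf '%s\n' "$SAMPLE_CRON" | count_kill0_cron)"
```

On a live host the same two checks apply to real files: run ctime_after_mtime over every authorized_keys found under /home and /root, and feed `crontab -l` for each user plus the files under /etc/cron* into count_kill0_cron. Treat a ctime/mtime mismatch as a triage lead rather than a verdict, because ownership and permission changes produce the same signature.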
