@intifada Sorry about that. Might have been a mistake.
We get so many spam accounts, that a good one might have been blocked incorrectly :(
Still trying to find a better way to handle the influx of spam accounts.
Does your log analysis / SIEM tool notify you by default whenever a new user is added?
Those notifications are pretty useful and help you detect issues (or possible compromises) in almost real time.
In this example, a new user was added to Azure / Office365.
Try https://trunc.org if that could be useful for you
#YouTube in a nutshell
2012: Ads before a video
2015: Ads in between videos
2020: Double ads before a video
2022: 5–10 unskippable ads in one break
2023: "Since this video is 5 minutes long, you need to watch the full 5 minutes of the ad before you can watch it"
After a fun week of research, today's post focuses on the engine.. @dcid and his team took on a monster of a malware payload to figure out what it was doing..
We were able to confirm how it was hijacking SERPs, but also that it was designed to spread malware as well.. all while finding details to their C&C that was protected under 81 layers of encoding..
Oops: Password management software firm LastPass has suffered a data breach that led to the theft of source code and proprietary technical information.
@readsteven Same boat.
Maybe start your own thing? And direct your career with the technology and culture you want?
Over 17,000 spam links added to a hacked WordPress site.
1- Brute force your password
2- Install wp-filemanager plugin
3- Install backdoors (FierzaXploit)
4- Inject 17k spam links
If you duplicate the attacker steps on the Cisco hack, you get a few interesting Windows event logs to be monitoring:
-New service installed
-New user created
-User added to admin group
-Event log cleared
Are you looking for those events on your logs?
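Detection logic for the four event types listed in the post, as an added example that is not part of the original post. It walks a list of exported Windows event records and emits one alert per watched event, then correlates them per host so a burst of "service installed, user created, user added to Administrators, log cleared" on one machine stands out. The event IDs (7045, 4720, 4732, 1102) are Microsoft's documented Security/System log IDs; the record field names (`host`, `channel`, `event_id`, `group_sid`, ...) and the sample records are constructed for this example and will differ from what your exporter emits.

```python
"""Flag the Windows events from the post in exported event records (added example).

Event IDs assumed from Microsoft's documented log IDs:
  7045 (System)   - a new service was installed
  4720 (Security) - a user account was created
  4732 (Security) - a member was added to a security-enabled local group
  1102 (Security) - the audit log was cleared
Record field names and sample records below are constructed, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# event_id -> (channel it lives in, short description)
WATCHED = {
    7045: ("System", "new service installed"),
    4720: ("Security", "new user created"),
    4732: ("Security", "user added to Administrators"),
    1102: ("Security", "audit log cleared"),
}

# Well-known SID of the built-in Administrators group; 4732 for other groups is noise here.
ADMIN_GROUP_SIDS = {"S-1-5-32-544"}

SAMPLE_EVENTS = [  # constructed sample records (simplified exporter shape)
    {"ts": "2022-08-12T09:01:10", "host": "WS01", "channel": "System", "event_id": 7045,
     "service": "Updater", "image": r"C:\Users\Public\svc.exe"},
    {"ts": "2022-08-12T09:02:30", "host": "WS01", "channel": "Security", "event_id": 4720,
     "target_user": "support"},
    {"ts": "2022-08-12T09:02:45", "host": "WS01", "channel": "Security", "event_id": 4732,
     "target_user": "support", "group_sid": "S-1-5-32-544"},
    {"ts": "2022-08-12T09:40:00", "host": "WS01", "channel": "Security", "event_id": 1102,
     "subject_user": "support"},
    {"ts": "2022-08-12T10:15:00", "host": "FS02", "channel": "Security", "event_id": 4624,
     "target_user": "alice"},  # ordinary logon, not watched
    {"ts": "2022-08-12T11:00:00", "host": "FS02", "channel": "Security", "event_id": 4732,
     "target_user": "bob", "group_sid": "S-1-5-32-545"},  # added to Users, not Administrators
]


def flag_events(events):
    """Return one alert dict per watched event, in input order."""
    alerts = []
    for ev in events:
        eid = ev["event_id"]
        if eid not in WATCHED:
            continue
        channel, desc = WATCHED[eid]
        # The same numeric ID can mean something else in another channel.
        if ev.get("channel") != channel:
            continue
        # Group membership changes: only the Administrators group matters here.
        if eid == 4732 and ev.get("group_sid") not in ADMIN_GROUP_SIDS:
            continue
        alerts.append({"host": ev["host"], "ts": ev["ts"], "event_id": eid, "what": desc})
    return alerts


def correlate(alerts, window=timedelta(hours=1), min_distinct=3):
    """Per host, report the first time >= min_distinct different watched events fall within window."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    chains = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        for i, first in enumerate(items):
            t0 = datetime.fromisoformat(first["ts"])
            ids = {first["event_id"]}
            for later in items[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 <= window:
                    ids.add(later["event_id"])
            if len(ids) >= min_distinct:
                chains.append({"host": host, "start": first["ts"], "event_ids": sorted(ids)})
                break  # one chain alert per host is enough
    return chains


if __name__ == "__main__":
    for a in flag_events(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['host']} {a['event_id']} {a['what']}")
    for c in correlate(flag_events(SAMPLE_EVENTS)):
        print(f"CHAIN on {c['host']} from {c['start']}: {c['event_ids']}")
```

The per-event alerts are what most SIEM rules already produce; the correlation step is the part worth having, because each of those events is also routine on its own (admins install services and create users), while all four on one host inside an hour rarely is.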
Great details on how Cisco got hacked.
1- Personal Google account of an employee gets compromised - it has password synced enabled.
2- Got all the employee's passwords, including their Cisco VPN credentials.
3- Phishing to accept 2FA
4- They are in
Seeing quite a few scans for /.aws/credential
Trying to get the keys used by the AWS CLI tool. Check your logs and that you do not have them exposed.
You do not want that surprise AWS bill because your account got compromised.
The unfamous user agent: Mozlila/5.0 (notice the typo, not Mozilla)
It is on everyone's web logs as part of many web attack campaigns.
Grep for it and you will confirm:
$ grep Mozlila /var/log/apache2/*log
$ grep Mozlila /var/log/nginx/*log
More details about it here:
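A small web-log scanner covering this post and the earlier one about scans for /.aws/credential, as an added example that is not part of the original posts. It parses Apache/nginx "combined" format lines, flags requests whose user agent contains the misspelled "Mozlila" or whose path probes the AWS CLI credentials file, and ranks source IPs. The log format regex assumes the default combined `LogFormat`; the sample lines are constructed with documentation IP ranges and are not real traffic.

```python
"""Scan combined-format web logs for the Mozlila UA and /.aws/credential probes (added example)."""
import re
from collections import Counter

# Apache/nginx "combined" log format (assumed; adjust if your LogFormat differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SUSPICIOUS_UA = ("Mozlila",)                 # the typo'd user agent from the post
SUSPICIOUS_PATHS = ("/.aws/credential",)     # matches both /.aws/credential and /.aws/credentials

# Constructed sample log lines (documentation IP ranges, made-up user agents).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2022:09:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3121 "-" "Mozlila/5.0 (Linux; Android 7.0) Chrome/65.0 Mobile Safari/537.36"
198.51.100.7 - - [12/Aug/2022:09:01:12 +0000] "GET /.aws/credentials HTTP/1.1" 404 196 "-" "python-requests/2.28.1"
192.0.2.55 - - [12/Aug/2022:09:01:15 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://example.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/103.0"
203.0.113.10 - - [12/Aug/2022:09:01:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozlila/5.0 (Linux; Android 7.0) Chrome/65.0 Mobile Safari/537.36"
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Return a finding per suspicious request: source IP, path and the reasons it matched."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or differently formatted line
        reasons = []
        if any(tag in rec["ua"] for tag in SUSPICIOUS_UA):
            reasons.append("mozlila-ua")
        if any(p in rec["path"] for p in SUSPICIOUS_PATHS):
            reasons.append("aws-credentials-probe")
        if reasons:
            findings.append({"ip": rec["ip"], "path": rec["path"],
                             "status": rec["status"], "reasons": reasons})
    return findings


def top_sources(findings):
    """Source IPs ordered by number of suspicious requests."""
    return Counter(f["ip"] for f in findings).most_common()


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    found = scan(text)
    for f in found:
        print(f"{f['ip']:15} {f['status']} {f['path']} {','.join(f['reasons'])}")
    print("top sources:", top_sources(found))
```

Run it against a real file with `python3 scan.py /var/log/apache2/access.log`; the grep commands in the post find the same lines, and this version adds the per-source count and the credentials-file check so you can see at a glance whether a probe returned 200 rather than 404.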
We love some good ole fashioned research. Here is the start of a cool series @dcid and I are working on to better understand the TTPs being used by bad actors to attack WordPress in 2022..
@dcid interesting that port 53 is hardcoded. I vaguely remember using a rule like:
# iptables -A FORWARD -p udp --dport 53 -m length --length 512: -j DROP
(i.e. block UDP packets > 512 bytes on port 53)
Nice. @dcid builds on his remediation analysis and shows how a WordPress website was being used to DoS other sites https://noc.org/articles/php-backdoor-analysis-how-are-attackers-doing-ddos
Founder of CleanBrowsing, Sucuri and OSSEC. Former VP Engineering, GoDaddy - CTO, Sucuri. Builder and breaker by heart...
Open Source Social Network. Focused on technology, networking, linux, privacy and security, but open to anyone. Civil discourse, polite and open. Managed by the noc.org team.