@intifada Sorry about that. Might have been a mistake.

We get so many spam accounts, that a good one might have been blocked incorrectly :(

Sorry.

Still trying to find a better way to handle the influx of spam accounts.

Implementing the haproxy v2 protocol and their choice for the identification header is interesting:

\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A

Translates to:

\r\n\r\n 0 \r\n\r\n QUIT\n

Why QUIT at the beginning of the header, who knows.
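An added example (not part of the post above) of why that 12-byte signature matters to a defender: a receiver should reject any connection whose first bytes do not match it exactly, otherwise a client that sends its own PROXY header could forge the source address the backend logs and rate-limits on. This parser for the v2 binary header, with a constructed sample stream, is my own illustration, not haproxy's code.

```python
import socket
import struct

# 12-byte signature quoted in the post: \r\n\r\n\0\r\nQUIT\n
PROXY_V2_SIG = b"\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A"
# address family (high nibble of byte 13) -> (name, struct layout, socket family)
FAMILIES = {0x1: ("TCP4", "!4s4sHH", socket.AF_INET),
            0x2: ("TCP6", "!16s16sHH", socket.AF_INET6)}

def is_proxy_v2(data: bytes) -> bool:
    """Cheap pre-check: does the stream start with the v2 signature?"""
    return data[:12] == PROXY_V2_SIG

def parse_proxy_v2(data: bytes) -> dict:
    """Parse the v2 header at the start of a stream; raise ValueError on anything
    malformed so a caller never trusts a forged client address."""
    if len(data) < 16 or not is_proxy_v2(data):
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 0x2 or ver_cmd & 0x0F not in (0x0, 0x1):
        raise ValueError("bad version/command byte")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    result = {"command": "PROXY" if ver_cmd & 0x0F else "LOCAL",
              "consumed": 16 + length}
    if result["command"] == "LOCAL":
        return result            # health check from the proxy: no addresses
    fam = FAMILIES.get(fam_proto >> 4)
    if fam is None or fam_proto & 0x0F != 0x1:   # only TCP (STREAM) handled
        raise ValueError("unsupported address family/transport")
    name, layout, af = fam
    if length < struct.calcsize(layout):
        raise ValueError("address block shorter than declared family needs")
    src, dst, sport, dport = struct.unpack(layout, data[16:16 + struct.calcsize(layout)])
    result.update(family=name, src=socket.inet_ntop(af, src),
                  dst=socket.inet_ntop(af, dst), sport=sport, dport=dport)
    return result

# Constructed sample: PROXY, TCP over IPv4, 198.51.100.7:40000 -> 203.0.113.9:443,
# followed by the first bytes of the real client request
SAMPLE = (PROXY_V2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", 12)
          + socket.inet_aton("198.51.100.7") + socket.inet_aton("203.0.113.9")
          + struct.pack("!HH", 40000, 443) + b"GET / HTTP/1.1\r\n")

if __name__ == "__main__":
    print(parse_proxy_v2(SAMPLE))
```

The bytes after `consumed` are the client's own request, which is where the backend resumes reading.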

Does your log analysis / SIEM tool notify you by default whenever a new user is added?

Those notifications are pretty useful and help you detect issues (or possible compromises) in almost real time.

In this example, a new user was added to Azure / Office365.

Try trunc.org if that could be useful for you

Daniel Cid boosted

#YouTube in a nutshell

2012: Ads before a video
2015: Ads in between videos
2020: Double ads before a video
2022: 5–10 unskippable ads in one break
2023: "Since this video is 5 minutes long, you need to watch the full 5 minutes of the ad before you can watch it"

Daniel Cid boosted

After a fun week of research, today's post focuses on the engine.. @dcid and his team took on a monster of a malware payload to figure out what it was doing..

We were able to confirm how it was hijacking SERPs, but also that it was designed to spread malware as well.. all while finding details to their C&C that was protected under 81 layers of encoding..

noc.org/articles/navgiting-81-

Daniel Cid boosted

Oops: Password management software firm LastPass has suffered a data breach that led to the theft of source code and proprietary technical information.

securityweek.com/lastpass-says

@readsteven Same boat.

Maybe start your own thing? And direct your career with the technology and culture you want?

Over 17,000 spam links added to a hacked WordPress site.

1- Brute force your password

2- Install wp-filemanager plugin

3- Install backdoors (FierzaXploit)

4- Inject 17k spam links

noc.org/articles/what-hackers-

If you are looking to compress data, use zstd over gzip. Same 5G file:

$ time gzip sql.db
real 1m35.384s

$ time zstd sql.db
real 0m10.655s

Results:
807M Aug 20 14:08 sql.db.gz
713M Aug 20 14:08 sql.db.zst

Better compression and significantly faster than gzip.

If you duplicate the attacker steps on the Cisco hack, you get a few interesting Windows event logs to be monitoring:

-New service installed
-New user created
-User added to admin group
-Event log cleared
-User deleted

Are you looking for those events on your logs?

Details:

trunc.org/learning/cisco-hack-

Great details on how Cisco got hacked.

1- Personal Google account of an employee gets compromised - it has password sync enabled.

2- Got all the employee's passwords, including their Cisco VPN credentials.

3- Phishing to accept 2FA

4- They are in

blog.talosintelligence.com/202

Seeing quite a few scans for /.aws/credential

Trying to get the keys used by the AWS CLI tool. Check your logs and that you do not have them exposed.

You do not want that surprise AWS bill because your account got compromised.

trunc.org/learning/aws-credent

The unfamous user agent: Mozlila/5.0 (notice the typo, not Mozilla)

It is on everyone's web logs as part of many web attack campaigns.

Grep for it and you will confirm:

$ grep Mozlila /var/log/apache2/*log

$ grep Mozlila /var/log/nginx/*log

More details about it here:

trunc.org/learning/the-mozlila

@nico Nope, no specific reason - just forgot. Will add it as well.

@nico @rberlim @SilverWire yep, got it. See if you can get our answer.

We do have IPv6 connectivity

Daniel Cid boosted

We love some good ole fashioned research. Here is the start of a cool series @dcid and I are working on to better understand the TTPs being used by bad actors to attack WordPress in 2022..

Enjoy.. :)

noc.org/articles/how-wordpress

Daniel Cid boosted

@dcid interesting that port 53 is hardcoded. I vaguely remember using a rule like:

# iptables -A FORWARD -p udp --dport 53 -m length --length 512: -j DROP

(i.e. block UDP packets > 512 bytes on port 53)

Daniel Cid boosted

Nice @dcid builds on his remediation analysis and shows how a WordPress website was being used to DOS other sites noc.org/articles/php-backdoor-

A PHP backdoor on a compromised site being used to start attacks:

while(true)
{
$fp=fsockopen($trh2,$trp,$aaa1,$aaa2,1);
fwrite($fp,$spdat);
}

noc.org/articles/php-backdoor-
