Daniel Cid @dcid@noc.social

@intifada Sorry about that. Might have been a mistake.

We get so many spam accounts, that a good one might have been blocked incorrectly :(

Sorry.

Still trying to find a better way to handle the influx of spam accounts.

Implementing the haproxy v2 protocol and their choice for the identification header is interesting:

\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A

Translates to:

\r\n\r\n 0 \r\n\r\n QUIT\n

Why QUIT at the beginning of the header, who knows.

Does your log analysis / siem tool notifies you by default whenever a new user is added?

Those notifications are pretty useful and help you detect issues (or possible compromises) in almost real time.

In this example, a new user was added to Azure / Office365.

Try https://trunc.org if that could be useful for you

@readsteven Same boat.

Maybe start your own thing? And direct your career with the technology and culture you want?

Over 17,000 spam links added to a hacked WordPress site.

1- Brute force your password

2- Install wp-filemanager plugin

3- Install backdoors (FierzaXploit)

4- Inject 17k spam links

https://noc.org/articles/what-hackers-do-with-wordpress-in-2022-post-hack-analysis?cache1

If you are looking to compress data, use zstd over gzip. Same 5G file:

$ time gzip sql.db
real 1m35.384s

$ time zstd sql.db
real 0m10.655s

Results:
807M Aug 20 14:08 sql.db.gz
713M Aug 20 14:08 sql.db.zst

Better compression and significantly faster over gzip.

If you duplicate the attacker steps on the Cisco hack, you get a few interesting Windows event logs to be monitoring:

-New service installed
-New user created
-User added to admin group
-Event log cleared
-User deleted

Are you looking for those events on your logs?

Details:

https://trunc.org/learning/cisco-hack-tracks-left-in-the-logs

Great details on how Cisco got hacked.

1- Personal Google account of an employee gets compromised - it has password synced enabled.

2- Got all the employee's passwords, including their Cisco VPN credentials.

3- Phishing to accept 2FA

4- They are in

https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html

Seeing quite a few scans for /.aws/credential

Trying to get the keys used by the AWS CLI tool. Check your logs and that you do not have them exposed.

You do not want that surprise AWS bill because your account got compromised.

https://trunc.org/learning/aws-credentials-scan

The unfamous user agent: Mozlila/5.0 (notice the typo, not Mozilla)

It is on everyone's web logs as part of many web attack campaigns.

Grep for it and you will confirm:

$ grep Mozlila /var/log/apache2/*log

$ grep Mozlila /var/log/nginx/*log

More details about it here:

https://trunc.org/learning/the-mozlila-user-agent-bot

@nico Nope, no specific reason - just forgot. Will add it as well.

@nico @rberlim @SilverWire yep, got it. See if you can get our answer.

We do have IPv6 connectivity

@vmmell0 interesting, good idea on that.

A PHP backdoor on a compromised #WordPress site being used to start #DDoS attacks:

while(true)
{
$fp=fsockopen($trh2,$trp,$aaa1,$aaa2,1);
fwrite($fp,$spdat);
}

https://noc.org/articles/php-backdoor-analysis-how-are-attackers-doing-ddos