$ ./zenbot.sh trade gdax.eth-USD --trend_ema 20 -period 7m --max_slippage_pct 0.48 --poll_trades 6000 --order_poll_time 6000 --order_adjust_time 6000 --oversold_rsi_periods=1000 --oversold_rsi=1000 --rsi_periods=1100 --neutral_rate=0.1 --max_sell_loss_pct=0.85 --max_buy_loss_pct=5 --buy_pct=100 --sell_pct=100 --selector gdax.eth-usd --markup_sell_pct 0.25 --markdown_buy_pct 0.00 --reset-profit
# | |
yum upgrade | |
reboot | |
dnf install epel-release | |
dnf install rpmconf | |
dnf install yum-utils | |
rpmconf -a # answer "n" to both things | |
package-cleanup --leaves | |
package-cleanup --orphans | |
dnf install https://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/centos-stream-release-9.0-12.el9.noarch.rpm https://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/centos-stream-repos-9.0-12.el9.noarch.rpm https://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/centos-gpg-keys-9.0-12.el9.noarch.rpm |
title: Suspicious msdt.exe execution - Office Exploit | |
id: 97a80ed7-1f3f-4d05-9ef4-65760e634f6b | |
status: experimental | |
description: This rule will monitor suspicious arguments passed to the msdt.exe process. These arguments are an indicator of recent Office/Msdt exploitation. | |
references: | |
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e | |
- https://twitter.com/MalwareJake/status/1531019243411623939 | |
author: 'Matthew Brennan' | |
tags: | |
- attack.execution |
Let's say somebody temporarily got root access to your system, whether because you "temporarily" gave them sudo rights, they guessed your password, or any other way. Even if you can disable their original method of accessing root, there's an infinite number of dirty tricks they can use to easily get it back in the future.
While the obvious tricks are easy to spot, like adding an entry to /root/.ssh/authorized_keys, or creating a new user, potentially via running malware, or via a cron job. I recently came across a rather subtle one that doesn't require changing any code, but instead exploits a standard feature of Linux user permissions system called setuid to subtly allow them to execute a root shell from any user account from the system (including www-data
, which you might not even know if compromised).
If the "setuid bit" (or flag, or permission mode) is set for executable, the operating system will run not as the cur
Getting started:
Related tutorials: