I hereby claim:
- I am neo23x0 on github.
- I am johngalt (https://keybase.io/johngalt) on keybase.
- I have a public key whose fingerprint is 55CB FD26 19E9 BF9E 78C1 D582 FE04 247D 50D1 ACC8
To claim this, I am signing this object:
| I just pushed the rule to "signature-base" | |
| https://github.com/Neo23x0/signature-base/blob/master/yara/crime_nopetya_jun17.yar | |
| Some of the other rules are running in QS right now. | |
| I'll update the 'crime_nopetya_jun17.yar' file frequently. |
| --- pluggable.php 2017-05-04 09:37:27.000000000 +0200 | |
| +++ pluggable_patched.php 2017-05-04 09:40:39.000000000 +0200 | |
| @@ -323,10 +323,7 @@ | |
| if ( !isset( $from_email ) ) { | |
| // Get the site domain and get rid of www. | |
| - $sitename = strtolower( $_SERVER['SERVER_NAME'] ); | |
| - if ( substr( $sitename, 0, 4 ) == 'www.' ) { | |
| - $sitename = substr( $sitename, 4 ); | |
| - } |
# Launches Chrome on macOS with the listed TLS cipher suites disabled for that session.
# IANA suite IDs passed to --cipher-suite-blacklist:
#   0x000a          TLS_RSA_WITH_3DES_EDE_CBC_SHA
#   0xc013/0xc014   ECDHE-RSA with AES-128/256-CBC-SHA
#   0xc02b/0xc02c   ECDHE-ECDSA with AES-128-GCM-SHA256 / AES-256-GCM-SHA384
#   0xc02f/0xc030   ECDHE-RSA with AES-128-GCM-SHA256 / AES-256-GCM-SHA384
#   0xcca8/0xcca9   ECDHE-RSA / ECDHE-ECDSA with ChaCha20-Poly1305
# NOTE(review): every ECDHE suite is removed, so the browser presumably negotiates only
# RSA-key-exchange suites and loses forward secrecy. Suitable for a throwaway test profile
# (e.g. reproducing a server's cipher negotiation), not for day-to-day browsing.
| open /Applications/Google\ Chrome.app --args --cipher-suite-blacklist=0x000a,0xc013,0xc014,0xc02b,0xc02c,0xc02f,0xc030,0xcca8,0xcca9 |
| #!/bin/bash | |
| # | |
| # Uses slack web hooks to report logons on SSH servers | |
| # Webhooks: https://yourslack.slack.com/apps/A0F7XDUAZ-incoming-webhooks | |
| # Add this script to /etc/profile or create a ~/.profile for a certain user | |
| WEB_HOOK=your_slack_web_hook | |
| hostname=$(hostname) | |
| source=$(echo "$SSH_CONNECTION" | cut -d' ' -f 1) | |
| geo=$(geoiplookup "$source") |
| package main | |
| import ( | |
| "fmt" | |
| "os" | |
| "syscall" | |
| ) | |
| func main() { | |
| if len(os.Args) != 2 { |
| [^\x00-\x7E] |
| #!/bin/python3 | |
| import os | |
| import sys | |
| import argparse | |
| import logging | |
| import re | |
| import platform | |
| MONTHS = { |
| # Product Requirements | |
| PRODUCT_REQUIREMENTS = { | |
| "FireEyeAX": { | |
| "maximum_version": "3.4.0", | |
| "supported_modules": [], # assumption | |
| "with_crypto": True, # assumption | |
| }, | |
| "FireEyeNX": { | |
| "maximum_version": "3.4.0", | |
| "supported_modules": [], # assumption |
# Alerts on HTTP requests whose User-Agent header equals the hard-coded string below
# (per the msg, attributed to VPNFilter). |3B| is the hex escape for ';' inside content:.
# The UA is not one real browsers emit (Mozilla/6.1, Windows NT 5.3), which is what makes an
# exact-match on the User-Agent buffer a low-false-positive indicator.
# NOTE(review): sid:2 falls in the range reserved for distributed rulesets (< 1000000); give it a
# local-range sid before deployment to avoid collisions. Consider adding
# `flow:established,to_server;` to restrict matching to client requests, and a `classtype:`.
| alert http any any -> any any (msg:"VPNFilter malware User-Agent"; content:"Mozilla/6.1 (compatible|3B| MSIE 9.0|3B| Windows NT 5.3|3B| Trident/5.0)"; http_user_agent; sid:2; rev:1;) |