Felipe Molina felmoltor

## checkbinaries.sh
#!/bin/bash

# Author: Felipe Molina (@felmoltor)
# Date: January 2015
# Purpose: This scripts checks for new binaries captured by kippo and send an email when an attacker drops a new one

#############################

LASTLS='lastls.txt'
CURRENTLS='currentls.txt'

## estadisticas.sh
#!/bin/bash

TOPIP=15
TOPUP=30
TOPU=30
TOPP=30
TOPLU=15
TOPLP=15
GEOLITEDB="/home/<username>/maxmind/GeoIPCountryWhois.db" # Use the sqlite3 db created with http://pastebin.com/9WxCy5ks

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                felmoltor
                / keybase.md
            
            
              Last active
              August 29, 2015 14:13
            
              
                keybase.md
              
          
    Keybase proof

I hereby claim:

I am felmoltor on github.
I am felmoltor (https://keybase.io/felmoltor) on keybase.
I have a public key whose fingerprint is 1485 9C64 36C5 CA4F 236B  C04A 990A 3B4D BB7C FB45

To claim this, I am signing this object:

  
## CGI scripts being scanned
/admin.cgi
/administrator.cgi
/agora.cgi
/aktivate/cgi-bin/catgy.cgi
/analyse.cgi
/apps/web/vs_diag.cgi
/axis-cgi/buffer/command.cgi
/bandwidth/index.cgi
/bigconf.cgi
/cartcart.cgi

## Gmail 5M accounts dumped analysis (2)
--------------
- 1º Million -
--------------

________________ __________         ____    _______
\_   _____/  _  \\______   \ ___  _/_   |   \   _  \
 |    __)/  /_\  \|     ___/ \  \/ /|   |   /  /_\  \
 |    | /    |    \    |      \   / |   |   \  \_/   \
 \__  | \____|__  /____|       \_/  |___| /\ \_____  /
    \/          \/                        \/       \/

## Gmail 5M accounts dumped analysis
--------------------
---- 1º Million ----
--------------------

Analyzing a file with user, passwords and separator ':'
Loading the whole dump file. Be patient...
Spliting the dump information...
Analycing the password frecuency...
Analycing the domains frecuency...
Analycing passwords complexity...

## gist:092b76182cc58a331b1f
Top domains leaked in 5M password dump of Gmail accounts. Mainly gmail.com and yandex.ru, another similar domains that seems like bug in the phishing or keylogger program:

4800946 gmail.com
 123213 yandex.ru
    608 gmail.com777
    338 gmail.com.vn
    256 gmail.com.br
    238 gmail.com.au
    188 gmail.com7777
    174 gmail.com.com

## gist:a9f9445413c210b1b6c4
####################################################
# List all the files recursively under a directory #
####################################################

def ls_r_files(path)
  path.gsub!(/\/+$/,"")
  if path[-2,2] != "/." and path[-2,3] != "/.."
    if File.directory?(path)
      fentries = []
      entries = Dir.entries(path)

## gist:01e732dd1375f96114ed
# With this two lines of bash you will donwload the last malware samples extracted from the public lists of www.malwaredomainlist.com
# and you'll submit automatically the alive samples (check if the response was an executable or not) to totalhash.com (contribute to
# the community) and obtain the detection rate of the sample # from Virus Total (virustotal.com).
# As a result you'll get a bunch of executable files and their detection rate in the log "output.virustotal.txt"

# Download all the samples detected and listed in the public CSV of mdl.com
$ curl -s http://www.malwaredomainlist.com/mdlcsv.php | awk 'BEGIN {FS="\",\""} {print $2}' | strings -n 3 | grep -E "\.exe$|\.so$|\.bin$|\.src$|\.pdf$|\.docx$|\.vb$|\.sh$" | xargs -I% bash -c 'echo "Downloading: %" && curl -s -O %' | tee $(date +%Y%m%d_%H%M)_malware_download.log

# Upload the downloaded samples to totalhash.com and query virustotal.com with it MD5 checksum to obtain the detection ratio
$ ls *_malware_download.log -ltr | tail -n1 | cat $(awk '{pr

## gist:617feed1e12e5c53aa5d
#!/bin/bash

if [[ ! -f $1 || $# -ne 2 ]];then
    echo "Usage: $0 <file> <resultfile>"
else
    resultfile=$2
    echo -n "" > $resultfile
    for line in `cat $1`; do
        line=$(echo $line | tr -d ' ')
        if [[ $(echo $line | grep "-"| wc -l) > 0 ]];then
	#!/bin/bash

	# Author: Felipe Molina (@felmoltor)
	# Date: January 2015
	# Purpose: This scripts checks for new binaries captured by kippo and send an email when an attacker drops a new one

	#############################

	LASTLS='lastls.txt'
	CURRENTLS='currentls.txt'
	#!/bin/bash

	TOPIP=15
	TOPUP=30
	TOPU=30
	TOPP=30
	TOPLU=15
	TOPLP=15
	GEOLITEDB="/home/<username>/maxmind/GeoIPCountryWhois.db" # Use the sqlite3 db created with http://pastebin.com/9WxCy5ks
	/admin.cgi
	/administrator.cgi
	/agora.cgi
	/aktivate/cgi-bin/catgy.cgi
	/analyse.cgi
	/apps/web/vs_diag.cgi
	/axis-cgi/buffer/command.cgi
	/bandwidth/index.cgi
	/bigconf.cgi
	/cartcart.cgi
	--------------
	- 1º Million -
	--------------

	________________ __________ ____ _______
	\_ _____/ _ \\______ \ ___ _/_ \| \ _ \
	\| __)/ /_\ \\| ___/ \ \/ /\| \| / /_\ \
	\| \| / \| \ \| \ / \| \| \ \_/ \
	\__ \| \____\|__ /____\| \_/ \|___\| /\ \_____ /
	\/ \/ \/ \/
	--------------------
	---- 1º Million ----
	--------------------

	Analyzing a file with user, passwords and separator ':'
	Loading the whole dump file. Be patient...
	Spliting the dump information...
	Analycing the password frecuency...
	Analycing the domains frecuency...
	Analycing passwords complexity...
	Top domains leaked in 5M password dump of Gmail accounts. Mainly gmail.com and yandex.ru, another similar domains that seems like bug in the phishing or keylogger program:

	4800946 gmail.com
	123213 yandex.ru
	608 gmail.com777
	338 gmail.com.vn
	256 gmail.com.br
	238 gmail.com.au
	188 gmail.com7777
	174 gmail.com.com
	####################################################
	# List all the files recursively under a directory #
	####################################################

	def ls_r_files(path)
	path.gsub!(/\/+$/,"")
	if path[-2,2] != "/." and path[-2,3] != "/.."
	if File.directory?(path)
	fentries = []
	entries = Dir.entries(path)
	# With this two lines of bash you will donwload the last malware samples extracted from the public lists of www.malwaredomainlist.com
	# and you'll submit automatically the alive samples (check if the response was an executable or not) to totalhash.com (contribute to
	# the community) and obtain the detection rate of the sample # from Virus Total (virustotal.com).
	# As a result you'll get a bunch of executable files and their detection rate in the log "output.virustotal.txt"

	# Download all the samples detected and listed in the public CSV of mdl.com
	$ curl -s http://www.malwaredomainlist.com/mdlcsv.php \| awk 'BEGIN {FS="\",\""} {print $2}' \| strings -n 3 \| grep -E "\.exe$\|\.so$\|\.bin$\|\.src$\|\.pdf$\|\.docx$\|\.vb$\|\.sh$" \| xargs -I% bash -c 'echo "Downloading: %" && curl -s -O %' \| tee $(date +%Y%m%d_%H%M)_malware_download.log

	# Upload the downloaded samples to totalhash.com and query virustotal.com with it MD5 checksum to obtain the detection ratio
	$ ls *_malware_download.log -ltr \| tail -n1 \| cat $(awk '{pr
	#!/bin/bash

	if [[ ! -f $1 \|\| $# -ne 2 ]];then
	echo "Usage: $0 <file> <resultfile>"
	else
	resultfile=$2
	echo -n "" > $resultfile
	for line in `cat $1`; do
	line=$(echo $line \| tr -d ' ')
	if [[ $(echo $line \| grep "-"\| wc -l) > 0 ]];then