q3k

0810 b' from '
0678 b' ssh2'
00d8 b'%.48s:%.48s():%d (pid=%ld)\x00'
0708 b'%s'
0108 b'/usr/sbin/sshd\x00'
0870 b'Accepted password for '
01a0 b'Accepted publickey for '
0c40 b'BN_bin2bn\x00'
06d0 b'BN_bn2bin\x00'
0958 b'BN_dup\x00'

mattreduce

digraph G {
  compound=true;
  splines=false;
  node [shape=diamond, regular=true, fixedsize=true];
  edge [color=red];
  
  subgraph cluster_0 {
    label = "Thread 1\nAdversary 1";
    
    {rank=same; 1 -> 2 [label=A]};

sysopfb

2aaebf0282463c60aa8866e733799eee97f41af1e3ac8ae7855279595217aa2f

SnapITool.zip 

```
https://vzhqu.snapitool.com/SnapITool.zip 

```

```

esell

At this point, it is probably easier to just use something like this: https://github.com/reznok/Spring4Shell-POC


- clone https://spring.io/guides/gs/handling-form-submission/
- you can skip right to gs-handling-form-submission/complete, no need to follow the tutorial
- modify it so that you can build a war file (https://www.baeldung.com/spring-boot-war-tomcat-deploy)
- install tomcat9 + java 11 (i did it on ubuntu 20.04)
- deploy the war file
- update the PoC (https://share.vx-underground.org/) to write the tomcatwar.jsp file to webapps/handling-form-submission instead of webapps/ROOT

SwitHak

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say ?

• If you want to add a link, comment or send it to me
• Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

• Royce Williams list sorted by vendors responses Royce List
• Very detailed list NCSC-NL
• The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List

superducktoes

ldap://e2216d7a9a31.bingsearchlib.com:39356/a
ldap://612877d3a59b.bingsearchlib.com:39356/a
ldap://205.185.115.217:47324/a
ldap://ab3419ba1f45.bingsearchlib.com:39356/a
ldap://193.3.19.159:53/c
ldap://ea62856c5fc3.bingsearchlib.com:39356/a
ldap://43065f484327.bingsearchlib.com:39356/a
ldap://5486b6edd688.bingsearchlib.com:39356/a
ldap://92d27039ede4.bingsearchlib.com:39356/a
ldap://45cecd2f38ca.bingsearchlib.com:39356/a

Neo23x0

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log

byt3bl33d3r

# !! Remember to replace LIGHTHOUSE_IP with your actual Nebula lighthouse external IP Address
# See the example config file to know what all of these options do https://github.com/slackhq/nebula/blob/master/examples/config.yml

pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/host.crt
  key: /etc/nebula/host.key

static_host_map:
  "192.168.100.1": ["<LIGHTHOUSE_IP>:4242"]

byt3bl33d3r

{
        # This instructs Caddy to hit the LetsEncrypt staging endpoint, in production you should remove this.
        acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

(proxy_upstream) {
        # Enable access logging to STDOUT
        log
        
        # This is our list of naughty client User Agents that we don't want accessing our C2

yunginnanet

#!/usr/bin/env bash
trap "exit 1" TERM
export TOP_PID=$$
#-------------------\
# - - - | 0 | - - -\
#  - -  | r |  - -  OO
#   .   | l |   .   ||--------------->   0rly?   <------------.
#   ?   | y |   ?   ||         * git.tcp.direct/kayos *      ``
#   .------------.  ||        * github.com/yunginnanet *     ``
#  /     0rly?    \ ||----------------------------------------.``