Skip to content

Instantly share code, notes, and snippets.

🐈
There's a storm coming, Mr. Wayne

Miroslav Stampar stamparm

🐈
There's a storm coming, Mr. Wayne
View GitHub Profile
View mac-vendor.txt
000000 Xerox
000001 Xerox
000002 Xerox
000003 Xerox
000004 Xerox
000005 Xerox
000006 Xerox
000007 Xerox
000008 Xerox
000009 Xerox
@stamparm
stamparm / drupalgeddon2.rules
Last active Oct 16, 2018
Snort rule for "Drupalgeddon2 (CVE-2018-7600)"
View drupalgeddon2.rules
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Drupalgeddon2 (CVE-2018-7600)"; flow: to_server,established; content:"POST"; http_method; content:"markup"; fast_pattern; content: "/user/register"; http_uri; pcre:"/(access_callback|pre_render|lazy_builder|post_render)/i"; classtype:web-application-attack; sid:9000110; rev:1;)
View sha256sum.txt
b5bea41b6c623f7c09f1bf24dcae58ebab3c0cdd90ad966bc43a45b44867e12b ./installed.ete
0439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887 ./bins/coli-0.dll
52e88433f2106cc9a3a961cd8c3d0a8939d8de28f2ef3ee8ea648534a8b036a4 ./bins/tibe-1.dll
d3db1e56360b25e7f36abb822e03c18d23a19a9b5f198e16c16e06785fc8c5fa ./bins/cnli-0.dll
13ce3731db5b926f980855e923e1c754c4a15a5cdad47b7ef27e6dd54cf5293d ./bins/Eternalsynergy-1.0.1.0.xml
96edea8d08ab10eee86776cfb9e32b4701096d21c39dbffeb49bd638f09d726a ./bins/trfo.dll
8a5cce25f1bf60e716709c724b96630b95e55cc0e488d74d60ea50ffba7d6946 ./bins/etebCore-2.x64.dll
5f30aa2fe338191b972705412b8043b0a134cdb287d754771fc225f2309e82ee ./bins/libeay32.dll
47e16f7db53d9adf24d193ff4d523b1bc7ae59ff8520cfa012365bdb947c96f9 ./bins/posh.dll
36107f74be98f15a45ff716e37dad70f1ff9515bc72a0a1ec583b803c220aa92 ./bins/tucl.dll
@stamparm
stamparm / 2017-5638.rules
Last active Jan 30, 2018
Snort rule for Apache Struts Remote Code Execution (2017-5638)
View 2017-5638.rules
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"WEB_SERVER Apache Struts Remote Code Execution (2017-5638)"; flow:established,to_server; content:"opensymphony"; fast_pattern:only; content:"Content-Type|3a 20|"; http_header; pcre:"/Content-Type: [ ]*[%$]{[^\r\n]*#\w+/Hi"; reference:cve,2017-5638; classtype:web-application-attack; sid:9000101; rev:2;)
@stamparm
stamparm / sinkhole_emails.txt
Last active Jun 30, 2020
Email addresses used in WHOIS registrations of sinkholed malicious/malware domains
View sinkhole_emails.txt
botsmustdie@gmail.com
jgou.veia@gmail.com
malicious-domains@shadowserver.org
the.malware.cabal@gmail.com
bdomaincontrol@gmail.com
malsinkhole@gmail.com
cyd-dns@ic.fbi.gov
s1nkh0l3@yahoo.com
info@fitsec.com
ctu-sinkhole@secureworks.com
@stamparm
stamparm / disable_wsh.reg
Last active Mar 27, 2020
Disable Windows Script Host (for prevention of recent ransomware phishing attacks)
View disable_wsh.reg
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script Host\Settings]
"Enabled"="0"
View keybase.md

Keybase proof

I hereby claim:

  • I am stamparm on github.
  • I am stamparm (https://keybase.io/stamparm) on keybase.
  • I have a public key whose fingerprint is 93D8 F2DD 0948 7028 EAB1 D51E DF02 F6DE B539 7B1B

To claim this, I am signing this object:

@stamparm
stamparm / creds.txt
Last active Mar 25, 2017
Honeypot collected telnet brute-force credentials
View creds.txt
666666:666666
888888:888888
admin:1111
admin:1111111
admin:1234
admin:12345
admin:123456
admin1:password
admin:4321
admin:7ujMko0admin
View gist:e4cf68f422d5c4f612db
sons.console.cf
advisory.terranovaroofingandsiding.com
alberta.croftonliving.com
corn.liziarossi.com
dave.ddhowdoyoulikemenow.com
do.liziarossi.com
doug.liziarossi.com
electronics.reelhighmedia.com
embassy.ddhowdoyoulikemenow.com
emphasis.croftonliving.com
@stamparm
stamparm / gist:df9a0dcdd18f36662363
Created May 5, 2015
OpenX/Revive malicious/compromised oxCacheFile.delivery.php
View gist:df9a0dcdd18f36662363
<?php
/*
+---------------------------------------------------------------------------+
| OpenX v${RELEASE_MAJOR_MINOR} |
| =======${RELEASE_MAJOR_MINOR_DOUBLE_UNDERLINE} |
| |
| Copyright (c) 2003-2009 OpenX Limited |
| For contact details, see: http://www.openx.org/ |
| |
You can’t perform that action at this time.