THINK UNBLOG (unblog)

@unblog
unblog / chkwebshell.md
Last active March 14, 2021 11:51
README.md

chkwebshell.ps1

PowerShell script to search for forensic artifacts.

Preface

The purpose is to provide a quick way to identify potential webshell injection such as that used by Hafnium: detect malicious code on an Exchange Server that could compromise the system after exploitation via Hafnium webshell injection.

Run on Exchange Server version 2013/2016/2019 to detect whether Hafnium webshells are present:

@unblog
unblog / chkwebshell.ps1
Last active March 14, 2021 09:50
PowerShell script to search for forensic artifacts: detect malicious code on an Exchange Server that could compromise the system after exploitation by Hafnium webshell injection.
# PowerShell script to search for forensic artifacts. Detect malicious code on an Exchange Server that
# could compromise the system after exploitation by Hafnium webshell injection.
# Run on Exchange Server version 2013/2016/2019 to detect whether Hafnium webshells are present.
Write-Host "Determine vulnerable files ..." -fore yellow
# Folders and files the webshells were dropped into; ExchangeInstallPath is set on every Exchange server.
$wroot = "$Env:SystemDrive\inetpub\wwwroot\aspnet_client\"
$Path1 = Join-Path $Env:ExchangeInstallPath "FrontEnd\HttpProxy\ecp\auth\TimeoutLogout.aspx"
$Path2 = Join-Path $Env:ExchangeInstallPath "FrontEnd\HttpProxy\owa\auth\Current\"
$Path3 = Join-Path $Env:ExchangeInstallPath "FrontEnd\HttpProxy\owa\auth\"
Write-Host "Should not contain .aspx files under this folder or its sub folders: $wroot" -fore yellow
# -Include only filters together with -Recurse (or a wildcard path); keep the two switches together.
$Files = @(Get-ChildItem $wroot -Recurse -Include *.aspx)
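The preview above stops after collecting the .aspx files. What a responder wants next is a triage of those files: where they sit, when they were written, a hash for evidence, and whether their content looks like a server-side eval shell. The following is an added example, not the gist's own script, that does this for the same three folders the gist names. The regex list, the 30-day "recent" window and the rule that no .aspx belongs under aspnet_client are this example's assumptions; Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example (not the gist's script): triage Exchange front-end folders for webshell-like .aspx files.
# Assumptions: the pattern list, the 30-day window and "no .aspx belongs in aspnet_client".
function Get-ExchangeWebshellCandidates {
    [CmdletBinding()]
    param(
        # Folders to scan; defaults to the gist's paths when omitted.
        [string[]]$Paths,
        # Files created or modified within this many days are reported even without a content hit.
        [int]$RecentDays = 30,
        # Assumed markers of a one-line server-side eval shell; extend from your own IOC list.
        [string[]]$Patterns = @(
            'eval\s*\(',
            'Request\s*(\.Item)?\s*\[',
            '"unsafe"',
            'System\.Diagnostics\.Process',
            'Process\.Start',
            'cmd\.exe'
        )
    )

    if (-not $Paths) {
        $Paths = @((Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client'))
        if ($env:ExchangeInstallPath) {
            $Paths += Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\owa\auth'
            $Paths += Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\ecp\auth'
        } else {
            Write-Warning 'ExchangeInstallPath is not set; only the aspnet_client folder is checked.'
        }
    }

    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$RecentDays)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Verbose "skipping missing folder $root"
            continue
        }
        # aspnet_client holds static client-side content: any .aspx there is suspect by location alone.
        $unexpectedRoot = $root.TrimEnd('\') -like '*\aspnet_client'

        Get-ChildItem -LiteralPath $root -Recurse -File -Filter *.aspx -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_
                $text = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
                $hits = @()
                if ($text) { $hits = @($Patterns | Where-Object { $text -match $_ }) }
                $recent = ($file.CreationTimeUtc -ge $cutoff) -or ($file.LastWriteTimeUtc -ge $cutoff)

                $reasons = @()
                if ($unexpectedRoot)   { $reasons += 'unexpected location' }
                if ($hits.Count -gt 0) { $reasons += 'content' }
                if ($recent)           { $reasons += 'recent' }
                if ($reasons.Count -eq 0) { return }   # return inside ForEach-Object skips this file

                [PSCustomObject]@{
                    Path        = $file.FullName
                    SizeBytes   = $file.Length
                    CreatedUtc  = $file.CreationTimeUtc
                    ModifiedUtc = $file.LastWriteTimeUtc
                    SHA256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                    PatternHits = ($hits -join ', ')
                    Reason      = ($reasons -join '; ')
                }
            }
    }
}

# Run elevated on the Exchange server; keep the CSV as evidence before touching any file.
Get-ExchangeWebshellCandidates -Verbose |
    Sort-Object ModifiedUtc -Descending |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'webshell-candidates.csv')
```

The owa\auth and ecp\auth folders legitimately contain .aspx files, so a "recent" hit there after a CU install is expected: compare the SHA256 column against a clean server or the matching Exchange build rather than deleting on sight. Under aspnet_client every .aspx is reported regardless of content, which matches the gist's own rule for that folder.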
@unblog
unblog / install-docker-compose.sh
Last active March 31, 2018 16:12 — forked from lmakarov/install-docker-compose.sh
Install docker-compose in boot2docker 18.03.0+
#!/bin/sh
# Install docker-compose into boot2docker's persistent partition so it survives a VM reboot.
set -e
DOCKER_COMPOSE_VERSION=1.20.1
# Download docker-compose to the permanent storage
echo 'Downloading docker-compose to the permanent VM storage...'
sudo mkdir -p /var/lib/boot2docker/bin
# -f makes curl fail on an HTTP error instead of saving the error page as the "binary";
# the release is not checksum- or signature-verified here, so compare against the published sha256 if that matters to you.
sudo curl -fsSL "https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" -o /var/lib/boot2docker/bin/docker-compose
sudo chmod +x /var/lib/boot2docker/bin/docker-compose
sudo ln -sf /var/lib/boot2docker/bin/docker-compose /usr/local/bin/docker-compose
@unblog
unblog / allow_myhost.md
Last active March 11, 2018 07:57
iptables chain for DDNS A record

iptables chain for a dynamic IP address

The purpose is to look up the IPv4 address of a DDNS hostname and append it to an iptables chain. Run the script on CentOS, or with minor changes on any Linux; you may need to change line 2 to the appropriate path for the iptables configuration, e.g. /etc/default on Debian.

The host command is part of the BIND utilities, so you need to install them. To install the BIND utilities, type the following: yum -y install bind-utils

A line containing your DDNS hostname, tagged with #MyDDNS, must be entered into the iptables configuration file:

@unblog
unblog / WinStat.ps1
Last active March 13, 2017 18:47
A PowerShell script that outputs the client's connection status
<#
WinStat.ps1 windows client connection status
Version 1.0.1 (12.03.2017) by DonMatteo
Mail: think@unblog.ch
Blog: think.unblog.ch
#>
$windows = [PSCustomObject]@{
Caption = (Get-WmiObject -Class Win32_OperatingSystem).Caption
Version = [Environment]::OSVersion.Version
User = [Environment]::UserName