This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.
On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that
| #! /bin/bash | |
| mkdir -p /var/cache/kerneltest | |
| #Make a file system image for the VM, and mount it. | |
| if [[ -e /var/cache/kerneltest/fs.img ]] | |
| then | |
| rm /var/cache/kerneltest/fs.img | |
| fi | |
| truncate -s 2G /var/cache/kerneltest/fs.img | |
| mkfs.ext4 /var/cache/kerneltest/fs.img |
| I used this handy one-liner to search ip ranges while looking up its PTR record. | |
| The PTR record will have the string "stretchoid". This process took about an hour. | |
| for N in {128..255}; do echo "Testing 192.241.$N.0 - 192.241.$N.255" >> stretchoid_ips.txt; for L in {0..255}; do host -t PTR "192.241.$N.$L" | grep -qF 'stretchoid.com.' && echo "192.241.$N.$L `host -t PTR \"192.241.$N.$L\"`" >> stretchoid_ips.txt; done; done | |
| Credit goes to sissy for the idea: | |
| https://forum.netgate.com/topic/169024/stretchoid-com-ip-list-for-use-in-blocking-their-port-scans?_=1671484145965&lang=en-US | |
| I then opened up the text file in notepad++ and did a regular expressions Search/Replace (CTRL+H) |
| def pma_import_resubmit(br, sqlfile, target_dbname): | |
| """ To be used in phpmyadmin dump.sql file imports using python-mechanize | |
| as described in <https://github.com/phpmyadmin/phpmyadmin/issues/17423#issuecomment-1268271930> | |
| Only call this function when you have already found a 'timeout_passed=' string in browser response | |
| (so you are sure the page contains a resubmit link) | |
| """ | |
| # https://stackoverflow.com/questions/3569622/python-mechanize-following-link-by-url-and-what-is-the-nr-parameter/3569707#3569707 | |
| #link = br.find_link(url = resumeurl) | |
| link = br.find_link(text = "resubmit the same file") | |
| link.absolute_url = link.absolute_url.replace("&","&").replace("?", "?db="+target_dbname+"&") |
| <?php | |
| use Rector\Doctrine\Set\DoctrineSetList; | |
| use Rector\Symfony\Set\SymfonySetList; | |
| use Rector\Symfony\Set\SensiolabsSetList; | |
| use Rector\Nette\Set\NetteSetList; | |
| use Rector\Config\RectorConfig; | |
| use Rector\Php80\Rector\Class_\AnnotationToAttributeRector; | |
| use Rector\Php80\ValueObject\AnnotationToAttribute; |
| # log4j jndi exploit CVE-2021-44228 filter | |
| # Save this file as /etc/fail2ban/filter.d/log4j-jndi.conf | |
| # then copy and uncomment the [log4j-jndi] section | |
| # to /etc/fail2ban/jail.local | |
| # | |
| # jay@gooby.org | |
| # https://jay.gooby.org/2021/12/13/a-fail2ban-filter-for-the-log4j-cve-2021-44228 | |
| # https://gist.github.com/jaygooby/3502143639e09bb694e9c0f3c6203949 | |
| # Thanks to https://gist.github.com/kocour for a better regex | |
| # |
Excerpts from the Proxmox VE Administration Guide]
LVM normally allocates blocks when you create a volume. LVM thin pools instead allocates blocks when they are written. This behaviour is called thin-provisioning, because volumes can be much larger than physically available space.
8.10.2. Trim/Discard It is good practice to run fstrim (discard) regularly on VMs and containers. This releases data blocks that the filesystem isn’t using anymore. It reduces data usage and resource load. Most modern operating systems issue such discard commands to their disks regularly. You only need to ensure that the Virtual Machines enable the disk discard option.
| # TODO: Setup https://github.com/silvermine/serverless-plugin-cloudfront-lambda-edge | |
| sentryOriginReq: | |
| handler: handlers/handler.default | |
| lambdaAtEdge: | |
| distribution: AppDistribution | |
| eventType: origin-request | |
| includeBody: true | |
| pathPattern: /_tunnel # TODO: Choose tunnel path. |
Creating a self-signed certificate for example.com (if you already have a certificate you can skip this step):
openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
-keyout cert.key -out cert.crt -extensions ext -config \
<(echo "[req]";
echo distinguished_name=req;
echo "[ext]";
echo "keyUsage=critical,digitalSignature,keyEncipherment";
Courant septembre, j'ai testé un développement qui cherche des patterns parmi (les certificats TLS venant d'être délivrés publiquement)[http://certstream.calidog.io/]. La limite de cette recherche, c'est qu'elle s'applique sur des noms de domaines et pas des URL complètes ! Il suffit de filtrer ces certificats avec le mot-clé « paypal » pour obtenir des dizaines de noms de domaines malveillants par jour, avec parfois... juste un .zip à la racine. Comme j'en ai attrapé quelques-uns (ici 16shop), c'est l'occasion de les décortiquer ;)
Essayons de comprendre comment les attaquants travaillent !