nathanqthai

Samples

Enclosed are some sanitized samples of data GreyNoise has identified and collected related to the Log4J vulnerability exploitation in the wild. GreyNoise infrastructure IPs have been removed while preserving the data to the best of our ability. Please note that GreyNoise HAS NOT verified if any of these are effective. These examples are not a comprehensive coverage of all the payloads GreyNoise have observed.

These samples are intended to provide individuals with a clearer idea of some of the variation in the wild.

Examples

The follow section includes Log4Shell samples seen in the wild

URL Encoding and Failed argv Input (????)

What appears to be a failed attempt:

Overbryd

Cloudflare fragment rendering/caching

This worker script will evaluate your origin response, and replace html comments marked as fragment:key with a respective prefetch defined in a X-Fragments response header.

Usage

Your origin must include the X-Fragments header, specifying the a comma separated list of prefetch requests to make for that response.

< HTTP/1.1 200 OK

whitequark

1. install postgres
2. run makedb.rb >tiles.csv
3. run tiles.sql
4. run archive.rb
5. enjoy

Jc2k

This is a quick demo of using twisted enpoints with cowrie to be able to use systemd socket activation. This has been tested on a fresh install of Ubuntu 16.04.2:

Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Last login: Tue May 2 23:47:09 2017

darencard

Please see the most up-to-date version of this protocol on my blog at https://darencard.net/blog/.

Automatically push an updated file whenever it is changed

Linux

1. Make sure inotify-tools is installed (https://github.com/rvoicilas/inotify-tools)
2. Configure git as usual
3. Clone the git repository of interest from github and, if necessary, add file you want to monitor
4. Allow username/password to be cached so you aren't asked everytime

mubix

• How to Build a Successful Information Security Career (Daniel Miessler)
  • https://danielmiessler.com/blog/build-successful-infosec-career/#gs.DtVCbbw
• The First Steps to a Career in Information Security (Errata Security - Marisa Fagan)
  • http://blog.erratasec.com/2010/04/first-steps-to-career-in-information.html#.WFrbofkrIuU
• Hiring your first Security Professional (Peerlyst - Dawid Balut)
  • https://www.peerlyst.com/posts/hiring-your-first-security-professional-dawid-balut
• How to Start a Career in Cyber security
  • https://www.concise-courses.com/security/how-to-start-your-career/
• How to Get Into Information Security (ISC^2)
• https://www.isc2.org/how-to-get-into-information-security.aspx

sniper7kills

#/bin/bash
#Ask some info
echo -n "Enter ELK Server IP or FQDN: "
read eip
echo -n "Enter Admin Web Password: "
read adpwd

#Update System
sudo apt-get update
sudo apt-get upgrade -y

eob

from scapy.all import *
import requests
import time
MAGIC_FORM_URL = 'http://put-your-url-here'

def record_poop():
  data = {
    "Timestamp": time.strftime("%Y-%m-%d %H:%M"), 
    "Measurement": 'Poopy Diaper'
  }

ludoo0d0a

Sometimes after a hard reboot (power cut), if your synology cannot be logged in with DSM and it shows "System is getting ready. Please log in later" , please do these steps :

#Admin login via ssh
> synobootseq --set-boot-done
> synobootseq --is-ready
#optional
> /usr/syno/etc/rc.d/S97apache-sys.sh start
> /usr/syno/etc/rc.d/S95sshd.sh start

tehpeh

Update June 2019

The patch described below may no longer be necessary. CloudFlare instructions here. Perl module JSON::Any may still be required, however, see comments.

Description

Dyn's free dynamic DNS service will be ending on Wednesday, May 7th, 2014.

CloudFlare, however, has a little known feature that will allow you to update your DNS records via API or a command line script called ddclient. This will