Monday, December 26, 2016

1:41083 BLACKLIST suspicious .bit dns query

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this DNS query blacklist alert didn't include documentation.

(1:41083) BLACKLIST suspicious .bit dns query

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST suspicious .bit dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bit|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; sid:41083; rev:1; )


If I had to guess, I think it's related to the .bit TLD or something similar. .bit is the Namecoin namespace, resolved through the Namecoin blockchain rather than through ICANN's DNS, so an ordinary resolver cannot answer for it. The Reddit post linked from this entry stated:

The advantage to owning a .bit domain is that no government or third-party can have your DNS interrupted, it is truly a P2P DNS system with no possibility of censorship.

Reading the rule itself: |03|bit|00| is the DNS wire encoding of a final "bit" label (a length byte of 3, the three ASCII characters, then the zero-length root label), so it matches any query name that ends in .bit and nothing that merely has "bit" as an inner label. byte_test:1,!&,0xF8,2 reads one byte at offset 2 of the UDP payload, which is the first flags byte of the DNS header, and requires that none of the bits under mask 0xF8 are set: QR=0 (a query, not a response), Opcode=0 (standard query) and AA=0. The destination is "any 53" rather than $EXTERNAL_NET, so a query sent to an internal resolver fires too, and that is the point: a host on $HOME_NET asking regular DNS for a .bit name is the signal, whatever answer (usually NXDOMAIN) it gets back.
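As an added illustration (not code from the original post or from whoever wrote the rule), the following Python builds DNS queries for a few names and applies the rule's two checks to the raw payload. The packet builder, the sample names and the response flags value are my own constructions for the example.

```python
import struct

# Added example (not from the original post): reproduce the two checks in
# Snort rule 1:41083 against raw DNS payloads built here for illustration.

def build_dns_query(name, qtype=1, txid=0x1234, flags=0x0100):
    """Build a minimal DNS message for `name` (QTYPE 1 = A; 0x0100 sets RD only)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def byte_test_not_and(payload, offset, mask):
    """Snort byte_test:1,!&,<mask>,<offset> -> True when (byte & mask) == 0."""
    return (payload[offset] & mask) == 0

def is_suspicious_bit_query(payload):
    """Mirror rule 41083: a standard query (QR=0, Opcode=0, AA=0) whose QNAME ends in .bit."""
    if len(payload) < 12:
        return False
    # Offset 2 is the first flags byte: QR(1) Opcode(4) AA(1) TC(1) RD(1).
    # Mask 0xF8 covers QR, Opcode and AA, so all three must be zero.
    if not byte_test_not_and(payload, 2, 0xF8):
        return False
    # |03|bit|00| is the wire form of a final "bit" label followed by the root label.
    return b"\x03bit\x00" in payload

def qname_labels(payload):
    """Decode the QNAME labels of the first question, for display."""
    labels, pos = [], 12
    while payload[pos] != 0:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return labels

if __name__ == "__main__":
    for name in ("example.bit", "bit.example.com", "update.example.com"):
        q = build_dns_query(name)
        print(name, qname_labels(q), is_suspicious_bit_query(q))
    # A response carrying the same question (QR=1) is deliberately not matched.
    r = build_dns_query("example.bit", flags=0x8180)
    print("response:", is_suspicious_bit_query(r))
```

Note that "bit.example.com" does not match because the byte after "bit" is the next label's length, not the root terminator; only a name whose last label is "bit" produces the |03|bit|00| sequence.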

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

1:41088 1:41089 MALWARE-CNC Win.Trojan.MrWhite / Win.Trojan.Ostap out bound communication attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created these trojan connection attempt Snort alerts didn't include documentation.

(1:41089) MALWARE-CNC Win.Trojan.Ostap out bound communication attempt

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ostap out bound communication attempt"; flow:to_server,established; content:"/ostap.php"; fast_pattern:only; http_uri; content:"/ostap.php"; depth:20; offset:2; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41089; rev:1; )

(1:41088) MALWARE-CNC Win.Trojan.MrWhite out bound communication attempt

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MrWhite out bound communication attempt"; flow:to_server,established; content:"/GOLD/bender.php"; http_uri; content:"User-Agent: Mr.White|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41088; rev:1; )


If I had to guess, I think it's related to this JScript backdoor or something similar.

Per the article, MrWhite can profile the victim systems for the presence of running POS software before dropping further POS payloads. The article ties it to a financially-motivated threat actor group with access to banking Trojans and other malware, including Dridex, Ursnif, Tinba, and the point-of-sale (POS) malware AbaddonPOS with its loader, TinyLoader.

On the rules themselves: 41088 needs both the URI /GOLD/bender.php and a header line that is exactly "User-Agent: Mr.White" followed by CRLF (no version suffix), with the User-Agent string as the fast pattern, so a build that changes its User-Agent slips past it. 41089 looks for /ostap.php in the normalized URI twice: once anywhere (the fast pattern) and once constrained by offset:2 and depth:20, so the string has to sit within bytes 2 through 21 of the URI, i.e. under a short directory prefix rather than deep in a long path.


1:41035 1:41084 EXPLOIT-KIT Sundown Exploit Kit redirection attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created these exploit kit alerts didn't include documentation.

(1:41035) EXPLOIT-KIT Sundown Exploit Kit redirection attempt

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sundown Exploit Kit redirection attempt"; flow:established,to_server; content:"/noone.php"; depth:10; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41035; rev:1; )

(1:41084) EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected"; flow:to_client,established; file_data; content:"|22|script|22|"; nocase; content:"|22|createE|22|"; within:50; nocase; content:"|22|lement|22|"; within:20; nocase; content:"|22|type|22|"; within:50; nocase; content:"|22|text/j|22|"; within:50; nocase; content:"|22|avascript|22|"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:41084; rev:1; )


If I had to guess, I think it's related to the Sundown Exploit Kit or something similar. Per the article, it is composed of a couple of parts: a landing page and an exploit page with a payload. The landing page probes the user's system to determine if it is potentially vulnerable and then delivers an exploit page with a malicious payload.

On the rules: 41035 is the redirect side, a request whose URI starts with /noone.php (depth:10 on a 10-byte string means it must be at the very beginning of the URI). 41084 is the landing page side and inspects the response body via file_data for a chain of quoted fragments, each required by within: to sit inside a small window after the previous match: "script", then "createE" and "lement", then "type", "text/j" and "avascript". That is the split-string trick ("createE"+"lement", "text/j"+"avascript") used to keep createElement and text/javascript out of a plain keyword scan, and the rule matches the pieces instead. Note that 41084 carries only the max-detect-ips and security-ips drop policies, not balanced-ips, a hint that it is considered noisier than the redirect rule, since minified or packed JavaScript can legitimately contain short quoted fragments.
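The ordered "within" chain from 41084, reimplemented as an added example (not code from the original post or from the exploit kit). The matcher follows Snort's semantics for within: each content must lie entirely inside the N bytes after the previous match, and the first content may match anywhere. The obfuscated and plain HTML fragments are constructed for the example and are not real Sundown landing-page content.

```python
# Added example (not from the original post): an ordered content chain with
# Snort-style `within` windows, applied to constructed landing-page fragments
# that split "createElement" and "text/javascript" the way rule 1:41084 expects.

SUNDOWN_CHAIN = [
    # (pattern, within) -- None for the first content, which may match anywhere.
    (b'"script"', None),
    (b'"createE"', 50),
    (b'"lement"', 20),
    (b'"type"', 50),
    (b'"text/j"', 50),
    (b'"avascript"', 50),
]

def match_chain(data, chain, nocase=True):
    """Return the list of (start, end) offsets if every pattern matches in order.

    `within:N` in Snort means the next content must lie entirely inside the N
    bytes that follow the end of the previous match. The first content is
    unconstrained, so every occurrence of it is tried as a starting point.
    """
    hay = data.lower() if nocase else data
    first = chain[0][0].lower() if nocase else chain[0][0]
    start = hay.find(first)
    while start != -1:
        hits = [(start, start + len(first))]
        ok = True
        for pat, within in chain[1:]:
            pat = pat.lower() if nocase else pat
            prev_end = hits[-1][1]
            window = hay[prev_end:prev_end + within]
            idx = window.find(pat)
            if idx == -1:
                ok = False
                break
            hits.append((prev_end + idx, prev_end + idx + len(pat)))
        if ok:
            return hits
        start = hay.find(first, start + 1)
    return None

# Constructed sample modelled on the pattern the rule describes (not a real Sundown page).
OBFUSCATED = (
    b'<script>var t="script";var e=document["createE"+"lement"](t);'
    b'e["type"]="text/j"+"avascript";e.src="/gate";document.body.appendChild(e);</script>'
)
# The same logic written plainly: the identifiers are whole, so the chain never completes.
PLAIN = (
    b'<script>var e=document.createElement("script");'
    b'e.type="text/javascript";e.src="/app.js";document.body.appendChild(e);</script>'
)

def sundown_landing_page_obfuscation(data):
    """Mirror rule 41084's content chain over a response body."""
    return match_chain(data, SUNDOWN_CHAIN) is not None

if __name__ == "__main__":
    print("obfuscated:", sundown_landing_page_obfuscation(OBFUSCATED), match_chain(OBFUSCATED, SUNDOWN_CHAIN))
    print("plain:", sundown_landing_page_obfuscation(PLAIN))
```

The plain variant contains "script" in quotes, so the first content matches, but no quoted "createE" follows within 50 bytes and the chain fails; the matcher then retries from any later "script" occurrence before giving up, which is the behaviour you want when the first content is a common string.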


1:41034 MALWARE-CNC Win.Trojan.Sality variant outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this trojan connection attempt Snort alert didn't include documentation.

(1:41034) MALWARE-CNC Win.Trojan.Sality variant outbound connection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sality variant outbound connection"; flow:to_server,established; content:"/images/image.gif"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; depth:12; http_header; content:!"proxy"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/22fc19a6d9e0ef40812d05c357beabfed6f7cb9fe72af826947acb458b911213/analysis/; classtype:trojan-activity; sid:41034; rev:1; )


If I had to guess, I think it's related to this Sality gambling campaign or something similar.

It appears the image.gif callouts download the real payload. The article also mentions that Sality has incorporated rootkit functions as part of the malware family's ongoing evolution, that it was found delivering fake-AV malware as the final payload, and that it can infect not only local drives but also USB devices and network folders.
The VirusTotal link in the rule shows many solid hits of Win32/Sality.

On the rule: /images/image.gif on its own would fire on plenty of legitimate traffic, so it is narrowed with two header checks. "User-Agent|3A 20|" (12 bytes) with depth:12 must appear in the first 12 bytes of the http_header buffer, which pins User-Agent as the first header line (the request line is not part of that buffer). content:!"proxy" is a negated match that suppresses the alert whenever any header mentions "proxy" in any case, for example a Proxy-Connection header from a client going through an explicit proxy. The negation is a blunt filter: it cuts false positives from proxied browsers but would equally mask a sample that simply put that word in one of its headers.


1:41033 MALWARE-CNC Win.Trojan.Proteus outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this trojan connection attempt Snort alert didn't include documentation.

(1:41033) MALWARE-CNC Win.Trojan.Proteus outbound connection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Proteus outbound connection"; flow:to_server,established; content:"/api/register"; fast_pattern:only; http_uri; content:"{|22|m|22|:|22 5C 5C|"; depth:8; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d23b4a30f6b1f083ce86ef9d8ff434056865f6973f12cb075647d013906f51a2/analysis/; classtype:trojan-activity; sid:41033; rev:1; )


If I had to guess, I think it's related to the Proteus botnet (linked from the VirusTotal comments) or something similar.

It appears to make callouts to an API on the C&C server and to have keylogging capabilities, among other things.
The VirusTotal link above shows several generic hits like Trojan.KeyLogger, TrojanDropper.Dapato, Win32.Trojan.WisdomEyes, Trojan.Dynamer, etc.

On the rule: besides the /api/register URI, the client body must begin (depth:8) with the eight bytes {"m":"\\ , i.e. a JSON object whose first key is "m" and whose string value starts with an escaped backslash (two backslash bytes on the wire, one backslash once JSON-decoded). That body check is what keeps the rule from firing on every other application that registers through an /api/register endpoint.


1:41031 MALWARE-CNC Win.Trojan.Athena variant outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this trojan connection attempt Snort alert didn't include documentation.

(1:41031) MALWARE-CNC Win.Trojan.Athena variant outbound connection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Athena variant outbound connection"; flow:to_server,established; content:"User-Agent: Go-http-client"; fast_pattern:only; http_header; content:"/cmd/"; depth:5; http_uri; pcre:"/^\x2Fcmd\x2F[\-a-zA-Z0-9_+]{650,}={0,3}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/af385c983832273390bb8e72a9617e89becff2809a24a3c76646544375f21d14/analysis/; classtype:trojan-activity; sid:41031; rev:1; )


If I had to guess, I think it's related to this malware analysis of a file called msguard.exe or something similar.

It appears to make callouts to .onion addresses with cmd parameters that are likely sending or receiving information to a C&C server.
The VirusTotal link above shows several generic hits like Win.Trojan.Athena, W32.Clodece.Trojan, Trojan.Dynamer, Trojan.Razy, etc.

On the rule: "User-Agent: Go-http-client" is the default User-Agent that Go's net/http client sends when a program sets none, so the sample was written in Go and did not bother to impersonate a browser. The URI must start with /cmd/ and, per the PCRE (the /U flag runs it against the normalized URI), be followed by at least 650 characters drawn from a base64-style alphabet (letters, digits, -, _ and +) plus up to three = padding characters. The rule therefore keys on a large encoded blob in the path rather than on any particular command name, and a sample that shortened its beacons below 650 characters would not trip it.


Wednesday, December 14, 2016

1:40912 1:40913 MALWARE-OTHER Win.Trojan.Flokibot variant download attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created these trojan download attempt Snort alerts didn't include documentation.

1 40913 MALWARE-OTHER Win.Trojan.Flokibot variant download attempt
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Flokibot variant download attempt"; flow:to_server,established; file_data; content:"Hash: 0x%x not loaded."; fast_pattern:only; content:"|00|B|00|O|00|T|00|3|00|2|00|"; nocase; content:"|00|K|00|E|00|Y|00|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0aa1f07a2ebcdd42896d3d8fdb5e9a9fef0f4f894d2501b9cbbe4cbad673ec03/analysis/; classtype:trojan-activity; sid:40913; rev:1; )

1 40912 MALWARE-OTHER Win.Trojan.Flokibot variant download attempt
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Flokibot variant download attempt"; flow:to_client,established; file_data; content:"Hash: 0x%x not loaded."; fast_pattern:only; content:"|00|B|00|O|00|T|00|3|00|2|00|"; nocase; content:"|00|K|00|E|00|Y|00|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0aa1f07a2ebcdd42896d3d8fdb5e9a9fef0f4f894d2501b9cbbe4cbad673ec03/analysis/; classtype:trojan-activity; sid:40912; rev:1; )


If I had to guess, I think it's related to the Floki Bot write-up from Talos or something similar, which stated:

Floki Bot is a malware variant that has recently been offered for sale on various darknet markets. It is based on the same codebase that was used by the infamous Zeus trojan. Floki Bot claims to feature several new capabilities making it an attractive tool for criminals. Talos also observed the introduction of new code that allows Floki Bot to make use of the Tor network.
Malwarebytes also has a good writeup on the malware.
The VirusTotal link above shows several generic hits like Win.Trojan.Flokibot, Trojan-Spy.Zbot, Trojan.Win32.DownLoader, etc.

On the rules: both inspect file content (file_data) rather than a C&C exchange; 40913 covers a file arriving by SMTP at $SMTP_SERVERS and 40912 the same file arriving over HTTP, FTP data, IMAP or POP3. The first content, "Hash: 0x%x not loaded.", is a printf-style format string left in the binary and serves as the fast pattern. The other two are UTF-16LE strings: |00|B|00|O|00|T|00|3|00|2|00| is BOT32 and |00|K|00|E|00|Y|00| is KEY, each character written as its ASCII byte followed by a zero high byte, with the leading |00| being the high byte of whatever wide character came before. nocase applies to the letters, so a wide "bot32" also matches, but the narrow ASCII string BOT32 does not, because the interleaved zero bytes are part of the pattern.
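As an added example (not code from the original post or from any Floki Bot analysis), the following Python derives the two wide-string contents from their UTF-16LE source strings, applies all three contents to a constructed byte blob standing in for a downloaded file, and pulls the wide strings back out the way strings -el would. The sample blobs are constructed for the example and are not real Floki Bot samples.

```python
# Added example (not from the original post): derive the wide-string contents
# used by rules 1:40912/1:40913 from their UTF-16LE source strings, apply all
# three contents to constructed file data, and extract wide strings from it.

def wide_bytes(text):
    """UTF-16LE encoding of `text` preceded by the zero high byte of the
    previous wide character, which is how the rule writes |00|B|00|O|00|T|00|3|00|2|00|."""
    return b"\x00" + text.encode("utf-16-le")

def snort_wide_content(text):
    """Render the same pattern in Snort content syntax."""
    return "|00|" + "".join(ch + "|00|" for ch in text)

# (pattern, nocase) in the order the rule lists them: the format string is
# narrow ASCII and case-sensitive, the two wide strings carry nocase.
FLOKIBOT_CONTENTS = [
    (b"Hash: 0x%x not loaded.", False),
    (wide_bytes("BOT32"), True),
    (wide_bytes("KEY"), True),
]

def flokibot_file_data_matches(data):
    """True when every content is present; order does not matter because the
    rule uses no distance/within modifiers between them."""
    for pat, nocase in FLOKIBOT_CONTENTS:
        hay, needle = (data.lower(), pat.lower()) if nocase else (data, pat)
        if needle not in hay:
            return False
    return True

def extract_wide_strings(data, min_len=4):
    """Rough equivalent of `strings -el`: runs of printable ASCII stored as UTF-16LE."""
    found, run, i = [], [], 0
    while i + 1 < len(data):
        lo, hi = data[i], data[i + 1]
        if hi == 0 and 0x20 <= lo < 0x7F:
            run.append(chr(lo))
            i += 2
            continue
        if len(run) >= min_len:
            found.append("".join(run))
        run = []
        i += 1
    if len(run) >= min_len:
        found.append("".join(run))
    return found

# Constructed stand-in for a downloaded file (not a real sample): a narrow
# format string followed by the wide strings in lower case.
SAMPLE_WIDE = (b"MZ" + b"\x00" * 14
               + b"Hash: 0x%x not loaded." + b"\x00" * 4
               + " bot32 key".encode("utf-16-le") + b"\x00" * 4)
# Same strings, but BOT32/KEY stored as narrow ASCII: the wide contents are absent.
SAMPLE_NARROW = b"MZ" + b"\x00" * 14 + b"Hash: 0x%x not loaded.\x00BOT32\x00KEY\x00"

if __name__ == "__main__":
    print(snort_wide_content("BOT32"), snort_wide_content("KEY"))
    print("wide sample:", flokibot_file_data_matches(SAMPLE_WIDE), extract_wide_strings(SAMPLE_WIDE))
    print("narrow sample:", flokibot_file_data_matches(SAMPLE_NARROW), extract_wide_strings(SAMPLE_NARROW))
```

The narrow sample contains the same three words and still fails, which is the check to keep in mind when you are writing your own content strings from a strings dump: pick the encoding the binary actually uses, and if a tool shows you a string only under strings -el, it is wide.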


1:40911 MALWARE-CNC Win.Rootkit.Sednit variant outbound connection attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this Sednit rootkit alert didn't include documentation.

1 40911 MALWARE-CNC Win.Rootkit.Sednit variant outbound connection attempt
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Rootkit.Sednit variant outbound connection attempt"; flow:to_server,established; urilen:11; content:"/search.php"; fast_pattern:only; http_uri; content:"as_ft="; http_client_body; content:"as_q="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/471fbdc52b501dfe6275a32f89a8a6b02a2aa9a0e70937f5de610b4185334668/analysis/1480953133/; classtype:trojan-activity; sid:40911; rev:1; )


If I had to guess, I think it's related to the Sednit hacking group and perhaps a rootkit they developed or something similar. The linked article stated:

the notorious Sednit hacking group which has targeted over 1000 high-profile individuals with phishing attacks and zero-day exploits. The Sednit gang, also known as APT28, Fancy Bear, Pawn Storm and Sofacy, are highly experienced, and have been engaged in criminal activity since at least 2004. They have developed sophisticated attacks that bypass the typical network security at compromised organizations.
Another blog mentioned that the obvious goal of the SEDNIT-related spyware is to steal personal data, record audio, make screenshots, and send them to a remote command-and-control (C&C) server.
The VirusTotal link above shows several generic hits like TROJ_SEDNIT, Rootkit.BlackEnergy, Trojan-Dropper.Win32.Agent, etc.

On the rule: urilen:11 is exactly the length of /search.php, so the request URI must be that path with no query string, and the POST body must carry both as_ft= and as_q=, parameter names that look like a search engine's advanced-search form. The beacon is built to blend in with ordinary web searching, and the combination of the exact path length and both parameter names is what keeps the signature specific; a hit against an unexpected destination is the thing to chase, since a real search form would be posting to a well-known search site.


1:40910 MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this Locky ransomware alert didn't include documentation.

1 40910 MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt"; flow:to_server,established; urilen:16; content:"POST"; http_method; content:"/information.cgi"; depth:16; fast_pattern; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:40910; rev:1; )


If I had to guess, I think it's related to Locky's massive spray-and-pray spam campaign or something similar. The linked article stated:

The encrypting malware then goes on to connect to a number of hard-coded IP addresses whose purpose is to enroll the affected computer into a botnet: http://xxxxxx / information.cgi ....

On the rule: it requires the POST method and urilen:16, which is exactly the length of /information.cgi, so the URI has to be that path alone with no query string or directory prefix; a GET to the same path, or a POST to /foo/information.cgi, does not fire. Because the article describes hard-coded IP addresses, the Host header (or destination IP) on a hit will typically be a bare IP rather than a name, which is a useful secondary check when triaging.


1:40906 MALWARE-CNC Win.Malware.Disttrack variant outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this Disttrack malware Snort alert didn't include documentation.

1 40906 MALWARE-CNC Win.Malware.Disttrack variant outbound connection
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.Disttrack variant outbound connection"; flow:to_server,established; content:"/category/page.php"; http_uri; content:"shinu="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842/analysis/; classtype:trojan-activity; sid:40906; rev:1; )


If I had to guess, I think it's related to the Disttrack malware that spreads across the network destroying data or something similar. The linked article stated:

Disttrack is a multipurpose tool that exhibits worm-like behavior by attempting to spread to other systems on a local network using stolen administrator credentials. More importantly, its claim to fame is the ability to destroy data and to render infected systems unusable. The data in “shinu” parameter is a combination of the system’s tickcount, local IP address, operating system version, keyboard layout and the contents of %WINDOWS%\inf\netimm173.pnf. The C2 server can respond to this HTTP request
The VirusTotal link provided has hits on things such as Trojan/Win32.DistTrack, DistTrack!comm, etc.

On the rule: both contents are matched in the URI, so the beacon is a request to /category/page.php with the host fingerprint carried in the shinu= query parameter (the fast pattern). Given what the article says that parameter holds and that the family's purpose is destruction, a hit should be treated as a wiper already running on the network rather than a generic trojan check-in, and containment should come before analysis.


1:40905 SERVER-WEBAPP Oracle Weblogic default credentials login attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created these default credential alerts didn't include documentation.

1 40905 SERVER-WEBAPP Oracle Weblogic default credentials login attempt
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle Weblogic default credentials login attempt"; flow:to_server,established; content:"/j_security_check"; fast_pattern:only; http_uri; content:"j_username="; http_client_body; content:"j_password=weblogic"; http_client_body; pcre:"/j_username=(root|system)/P"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:40905; rev:1; )

1 40904 SERVER-WEBAPP Oracle Weblogic default credentials login attempt
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle Weblogic default credentials login attempt"; flow:to_server,established; content:"/j_security_check"; fast_pattern:only; http_uri; content:"j_username=weblogic"; http_client_body; content:"j_password"; http_client_body; pcre:"/j_password=(welcome1|weblogic|admin)/P"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:40904; rev:1; )


If I had to guess, I think it's related to Oracle's documentation on default credentials for WebLogic or something similar.

In the tutorial the username is weblogic and the password is Welcome1.

On the rules: both watch form logins posted to /j_security_check on port 7001, WebLogic's default listen port. 40904 fires when j_username=weblogic is sent with a password of welcome1, weblogic or admin; 40905 fires when j_username is root or system with a password of weblogic. Two caveats. The PCREs have no /i flag, so they are case-sensitive: "Welcome1" with a capital W, as in the Oracle tutorial, does not match 40904 as written; only the all-lowercase form does. And a hit only tells you a default credential was tried from $EXTERNAL_NET, not that it worked; whether the login succeeded has to be read from the server's response or from WebLogic's own audit log. Either way, an attempt against an internet-reachable 7001 is a finding in itself, since the console should not be exposed there.


1:40991 MALWARE-CNC Linux.DDoS.D93 outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this DDoS Snort alert didn't include documentation.

(1:40991) MALWARE-CNC Linux.DDoS.D93 outbound connection
alert tcp $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"MALWARE-CNC Linux.DDoS.D93 outbound connection"; flow:to_server; content:"|4E 0F 42 07 27|"; depth:5; dsize:25; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2c017c94d9f40cba9a20e92c7c636e98de15c599bf004fa06508d701ab9e3068/analysis/; classtype:trojan-activity; sid:40991; rev:1; )


If I had to guess, I think it's related to this article on Linux.DDoS.93 or something similar. The article stated:

Crooks are hijacking devices running Linux-based operating systems and use them to launch DDoS attacks at their behest. Dr.Web security researchers say the trojan seems to infect Linux machines via the Shellshock vulnerability, still unpatched in a large number of devices.

The VirusTotal link in the alert above has hits for Linux.DDoS.93, Linux.DDOS.Flood.W, etc.

On the rule: despite the "service http" metadata there is nothing HTTP about it. It keys on an outbound TCP segment to port 31337 whose payload is exactly 25 bytes (dsize:25) and begins with the five bytes 4E 0F 42 07 27, i.e. a fixed-size binary check-in to the controller. That makes it precise but brittle: a change of port or of the 25-byte message layout defeats it, and it says nothing about the Shellshock entry point, which needs its own rule on the inbound side.


1:41018 1:41019 SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created these two new SQL injection Snort alerts for Nagios didn't include documentation.

1 41019 SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt"; flow:to_server,established; content:"nagiosxi/includes/components/nagiosim/nagiosim.php"; fast_pattern:only; http_uri; content:"host="; nocase; http_uri; pcre:"/[?&]host=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:41019; rev:1; )

1 41018 SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt"; flow:to_server,established; content:"nagiosxi/includes/components/nagiosim/nagiosim.php"; fast_pattern:only; http_uri; content:"host="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]host=[^&]*?%26/Ii"; metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:41018; rev:1; )


If I had to guess, I think it's related to this disclosure or something similar, which stated:

The ‘host’ and ‘service’ GET parameters in the ‘nagiosim.php’ page are vulnerable to SQL injection via error-based payloads

Two things stand out when you read the rules against that text. First, although the messages say "SQL command injection", what 41019's PCRE actually looks for inside the host= value is a backtick, a semicolon, a pipe or $( , i.e. shell command separators, and 41018 looks for a URL-encoded ampersand (%26) inside the same value; neither matches typical SQL syntax such as a quote or UNION, so error-based SQL payloads of the kind the disclosure describes can pass both rules. Second, both rules cover only the host parameter; the service parameter the disclosure also names is not inspected at all. The reason 41018 is written against http_raw_uri (and its PCRE uses /I) is that Snort's normalized http_uri buffer is percent-decoded, so %26 would already have become a bare & there and would read as an ordinary parameter separator, hiding the fact that it was smuggled inside the host value.
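The two PCREs translated to Python and run against a few constructed request URIs, as an added example (not code from the original post, from Nagios or from the disclosure). It evaluates each regex against both the raw URI and a percent-decoded copy that stands in for Snort's normalized http_uri buffer, to show why 41019 needs the decoded form and 41018 the raw one. The URIs are my own constructions.

```python
import re
from urllib.parse import unquote

# Added example (not from the original post): the PCREs from rules 1:41018 and
# 1:41019 translated to Python and run against constructed request URIs, both
# raw and percent-decoded, to show which buffer each rule has to inspect.

NAGIOSIM_PATH = "nagiosxi/includes/components/nagiosim/nagiosim.php"

# 41019 uses /Ui: normalized (decoded) URI, case-insensitive. It wants a shell
# metacharacter inside the host= value: backtick, ';', '|' or '$('.
SHELL_META_RE = re.compile(r"[?&]host=[^&]*?([\x60\x3b\x7c]|\x24\x28)", re.I)

# 41018 uses /Ii: raw URI, case-insensitive. It wants an encoded '&' (%26)
# inside the host= value, before any literal '&'.
ENCODED_AMP_RE = re.compile(r"[?&]host=[^&]*?%26", re.I)


def normalize_uri(raw_uri):
    """Approximation of Snort's http_uri buffer: percent-decoding applied."""
    return unquote(raw_uri)


def sid_41019(raw_uri):
    uri = normalize_uri(raw_uri)
    return (NAGIOSIM_PATH in uri and "host=" in uri.lower()
            and SHELL_META_RE.search(uri) is not None)


def sid_41018(raw_uri):
    low = raw_uri.lower()
    return (NAGIOSIM_PATH in normalize_uri(raw_uri) and "host=" in low
            and "%26" in low and ENCODED_AMP_RE.search(raw_uri) is not None)


# Constructed request URIs for illustration; none are taken from the disclosure.
BASE = "/nagiosxi/includes/components/nagiosim/nagiosim.php"
REQUESTS = {
    "benign":         BASE + "?host=web01&service=HTTP",
    "semicolon":      BASE + "?host=web01;id&service=HTTP",
    "encoded_dollar": BASE + "?host=web01%24%28id%29",
    "encoded_amp":    BASE + "?host=web01%26service=x",
}


def evaluate(raw_uri):
    """Which rules fire, plus what each regex would see on the other buffer."""
    return {
        "41019": sid_41019(raw_uri),
        "41018": sid_41018(raw_uri),
        "41019_on_raw": SHELL_META_RE.search(raw_uri) is not None,
        "41018_on_normalized": ENCODED_AMP_RE.search(normalize_uri(raw_uri)) is not None,
    }


if __name__ == "__main__":
    for name, uri in REQUESTS.items():
        print(f"{name:15s} {evaluate(uri)}")
```

The encoded_dollar case only fires once the URI is decoded, because the raw bytes are %24%28 rather than $(, and the encoded_amp case only fires on the raw URI, because decoding turns %26 into the & that the regex uses as the end of the host value. Writing each PCRE against the wrong buffer would silently miss its own case.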


Documentation-less Snort Rules

Has anybody else noticed that what seems like the majority of new Snort rules that come out, which you can use in an IDS (intrusion detection system) like Sourcefire, don't have any documentation? You're stuck with

Summary: This rule does not have documentation


Or, if you're lucky, a link to a VirusTotal page with no other explanation.

Well, I thought it might be interesting to try to collect some brief links or documentation around some documentation-less Snort rules. I did not write the rules, and I have no insight into who did or why. I did not write the documentation either; I simply collected the information and put it in one spot, so that if you're lucky and Googling why a Snort rule fired and what it means, this might be helpful for you. Enjoy.

Sample initial documentation I put together for the documentation-less rules:
- SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt 41018 41019
- MALWARE-CNC Linux.DDoS.D93 outbound connection 40991
- SERVER-WEBAPP Oracle Weblogic default credentials login attempt 40904 40905
- MALWARE-CNC Win.Malware.Disttrack variant outbound connection 40906
- MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt 40910
- MALWARE-CNC Win.Rootkit.Sednit variant outbound connection attempt 40911
- MALWARE-OTHER Win.Trojan.Flokibot variant download attempt 40912 40913

