
Florian Roth Neo23x0

Neo23x0 / send-logon-to-slack.sh
Last active January 9, 2018 14:47
Report user logons to a slack channel
#!/bin/bash
#
# Uses slack web hooks to report logons on SSH servers
# Webhooks: https://yourslack.slack.com/apps/A0F7XDUAZ-incoming-webhooks
# Add this script to /etc/profile or create a ~/.profile for a certain user
# Caveat: profiles run only for interactive login shells, so "ssh host command" and SFTP
# sessions are not reported, and the webhook URL below is readable by every local user
# (it is a write credential for the channel); a pam_exec hook in /etc/pam.d/sshd avoids both.
WEB_HOOK=your_slack_web_hook
hostname=$(hostname)
# SSH_CONNECTION is set by sshd as "client_ip client_port server_ip server_port";
# the first field is the remote client (empty for console logons)
source=$(echo "$SSH_CONNECTION" | cut -d' ' -f 1)
# geoiplookup comes from the geoip-bin package; without it the result is empty
geo=$(geoiplookup "$source" 2>/dev/null)
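A fuller version of the reporter, as an added example that is not the gist's own code: it is written to run from a pam_exec hook in /etc/pam.d/sshd (an assumed deployment, shown in the comments) so it fires for every SSH session rather than only interactive login shells, reads the webhook URL from an assumed root-only file /etc/slack-logon-webhook, and escapes every environment-derived field before placing it in the JSON payload. All function and file names are assumptions; only SSH_CONNECTION, the PAM_* variables exported by pam_exec, curl and geoiplookup are real interfaces.

```shell
#!/bin/sh
# Added example, not the original gist: report SSH logons to a Slack incoming webhook.
# Assumed deployment (not from the gist): hooked from /etc/pam.d/sshd with
#   session optional pam_exec.so /usr/local/sbin/send-logon-to-slack.sh
# so it runs as root for every session, including "ssh host cmd" and SFTP, which never
# read /etc/profile. pam_exec exports PAM_USER, PAM_RHOST and PAM_TYPE; the script also
# falls back to SSH_CONNECTION so it still works when sourced from a profile.
# The webhook URL is read from a root-only file instead of being written into a profile.
WEBHOOK_FILE=${WEBHOOK_FILE:-/etc/slack-logon-webhook}   # assumed path, mode 0600 root:root

# Client address: first field of SSH_CONNECTION ("client_ip client_port server_ip server_port"),
# else PAM_RHOST, else empty (console logon).
logon_source() {
    conn="$1"; rhost="$2"
    if [ -n "$conn" ]; then printf '%s' "${conn%% *}"; else printf '%s' "$rhost"; fi
}

# Escape a value for a JSON string literal; strip line breaks so no field can inject a second line.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' | tr -d '\r\n\t'
}

# Usernames and reverse-DNS names are outside the script's control, so every field
# goes through json_escape before it is placed in the payload.
build_payload() {
    printf '{"text":"SSH logon on %s: user=%s source=%s geo=%s"}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" "$(json_escape "$4")"
}

# Report only remote sessions, and for pam_exec only at session open (PAM_TYPE=open_session).
should_report() {
    src="$1"; pam_type="$2"
    [ -n "$src" ] && { [ -z "$pam_type" ] || [ "$pam_type" = "open_session" ]; }
}

report_logon() {
    src=$(logon_source "${SSH_CONNECTION:-}" "${PAM_RHOST:-}")
    should_report "$src" "${PAM_TYPE:-}" || return 0
    geo=$(geoiplookup "$src" 2>/dev/null || printf 'n/a')      # optional, from geoip-bin
    payload=$(build_payload "$(hostname)" "${PAM_USER:-${USER:-unknown}}" "$src" "$geo")
    [ -r "$WEBHOOK_FILE" ] || return 0
    curl -fsS -m 5 -H 'Content-Type: application/json' --data "$payload" \
        "$(cat "$WEBHOOK_FILE")" >/dev/null 2>&1 || true
}

report_logon
```

Sourcing the file from /etc/profile still works (it falls back to SSH_CONNECTION), but then the webhook file must be readable by the user who is logging in, which is exactly the exposure the pam_exec route avoids.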
Neo23x0 / OSX
Created December 12, 2017 18:25
Start Browsers Without Elliptic Curve Cipher Suites
# Blacklists the ECDHE suites Chrome offered at the time (0xc013/0xc014 AES-CBC, 0xc02b/0xc02c/0xc02f/0xc030 AES-GCM,
# 0xcca8/0xcca9 ChaCha20-Poly1305) plus 0x000a (TLS_RSA_WITH_3DES_EDE_CBC_SHA), so the handshake falls back to
# plain RSA key exchange without forward secrecy. Use it for testing how a server behaves without EC suites,
# not for day-to-day browsing.
open /Applications/Google\ Chrome.app --args --cipher-suite-blacklist=0x000a,0xc013,0xc014,0xc02b,0xc02c,0xc02f,0xc030,0xcca8,0xcca9
Neo23x0 / audit.rules
Last active March 11, 2025 10:24
Linux Auditd Best Practice Configuration
# IMPORTANT!
# This gist has been transformed into a github repo
# You can find the most recent version there:
# https://github.com/Neo23x0/auditd
# ___ ___ __ __
# / | __ ______/ (_) /_____/ /
# / /| |/ / / / __ / / __/ __ /
# / ___ / /_/ / /_/ / / /_/ /_/ /
# /_/ |_\__,_/\__,_/_/\__/\__,_/
Neo23x0 / crime_petya_jun17.yar
Last active July 1, 2017 00:53
YARA Rule for Petya Ransomware - June 2017
I just pushed the rule to "signature-base"
https://github.com/Neo23x0/signature-base/blob/master/yara/crime_nopetya_jun17.yar
Some of the other rules are running in QS right now.
I'll update the 'crime_nopetya_jun17.yar' file frequently.
Neo23x0 / ms_ts_anomaly.yar
Created June 4, 2017 07:43
Microsoft Timestamp / Copyright Anomaly
import "pe"

rule Microsoft_PE_Timestamp_Copyright_Anomaly {
   meta:
      description = "Detects a portable executable with an old copyright statement but a new compilation timestamp"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2017-06-02"
      score = 30
   strings:
      // wide (UTF-16LE) string from the version resource; the "19" anchors a 1990s copyright year
      $a1 = "Copyright (C) Microsoft Corp. 19" wide
   condition:
      // Completion added here so the rule compiles: the gist preview ends after the strings section,
      // and the 2000-01-01 threshold (epoch 946684800) is an assumption, not the author's value
      uint16(0) == 0x5a4d and $a1 and pe.timestamp > 946684800
}
Neo23x0 / nmap-cmdline
Last active March 19, 2020 17:10
Nmap Scan Params for CVE-2017-0143 MS17-010 Scanning
# Scan for CVE-2017-0143 MS17-010
# The vulnerability used by WannaCry Ransomware
#
# 1. Use @calderpwn's script
# http://seclists.org/nmap-dev/2017/q2/79
#
# 2. Save it to Nmap NSE script directory
# Linux - /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
# OSX (MacPorts) - /opt/local/share/nmap/scripts/
# then refresh the script index with: nmap --script-updatedb
#
# Note: since Nmap 7.50 the check ships with Nmap as smb-vuln-ms17-010, so steps 1 and 2 are only needed on older installs.
#
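Added example, not from the gist: the scan invocation for the smb-vuln-ms17-010 NSE script plus an awk filter that lists only the hosts whose script result reports `State: VULNERABLE`, run here over a constructed report in the script's normal-output format. The target-list and report file paths, and the function names, are assumptions; the nmap options are the stock ones.

```shell
#!/bin/sh
# Added example, not part of the gist: run the MS17-010 check and pull the vulnerable
# hosts out of the normal (-oN) output. The script name is the stock smb-vuln-ms17-010
# NSE script; the target list file and report paths are assumptions.
set -u

# Scan TCP/445 only with the MS17-010 script; -oN keeps the text report for parsing.
# (Not executed here: needs nmap and a target list.)
scan_ms17010() {
    targets_file="$1"; report="$2"
    nmap -p445 --script smb-vuln-ms17-010 -iL "$targets_file" -oN "$report"
}

# Parse normal-format output on stdin: remember the host of each "Nmap scan report for"
# block and print it once if the script's block reports "State: VULNERABLE".
# A host that only yields "Could not connect" or has no script result is not printed.
ms17010_vulnerable_hosts() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); in_script = 0; next }
        /smb-vuln-ms17-010/       { in_script = 1; next }
        in_script && /State: VULNERABLE/ && host != "" { print host; host = "" }
    '
}

# Constructed sample output (two hosts, one vulnerable), shaped like the NSE script's report.
SAMPLE_REPORT=$(cat <<'EOF'
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH

Nmap scan report for fileserver.example.test (192.0.2.11)
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms17-010: Could not connect to 'IPC$'
EOF
)

# Prints 192.0.2.10 for the constructed report
printf '%s\n' "$SAMPLE_REPORT" | ms17010_vulnerable_hosts
```

The filter keys on the `State:` line inside the script's own block rather than on the word VULNERABLE alone, so the `VULNERABLE:` section header and hosts that merely errored out do not end up on the list.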
Neo23x0 / wannacry-vaccine.reg
Last active March 15, 2021 19:49
WannaCrypt Ransomware Immunisation
Windows Registry Editor Version 5.00

; Image File Execution Options: when an image with one of these file names is started, Windows
; launches the "Debugger" command instead and appends the image's path to it. Here the "debugger"
; is taskkill, which never starts a debuggee, so the dropped binary does not run whatever taskkill
; makes of the appended path. The trailing space after /IM keeps that path as a separate argument.
; Caveat: this keys purely on file name, so a renamed sample is unaffected; patch for MS17-010
; and remove these entries once hosts are fixed.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskdl.exe]
"Debugger"="taskkill /F /IM "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskse.exe]
"Debugger"="taskkill /F /IM "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wannacry.exe]
"Debugger"="taskkill /F /IM "
Neo23x0 / pulggable.patch
Last active July 11, 2017 11:54
Wordpress CVE-2017-8295 WordPress Core <= 4.7.4 Potential Unauthorized Password Reset (0day) Patch
--- pluggable.php 2017-05-04 09:37:27.000000000 +0200
+++ pluggable_patched.php 2017-05-04 09:40:39.000000000 +0200
@@ -323,10 +323,7 @@
if ( !isset( $from_email ) ) {
// Get the site domain and get rid of www.
- $sitename = strtolower( $_SERVER['SERVER_NAME'] );
- if ( substr( $sitename, 0, 4 ) == 'www.' ) {
- $sitename = substr( $sitename, 4 );
- }
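Review bot: the three removed lines derive `$sitename` from `$_SERVER['SERVER_NAME']`, which on a default catch-all virtual host echoes the client's Host header, so a request with a forged Host controls the sender domain of the password-reset mail that `$from_email` ends up in; the replacement lines of this hunk are not in the excerpt, so check that the new value is taken from the stored site URL (a saved option) and not from any other request-derived header, and that the hunk header `@@ -323,10 +323,7 @@` (net three lines removed) matches what is actually committed. This also edits core's pluggable.php in place, which the next WordPress update overwrites, so it should be treated as a stop-gap until the upstream fix is installed.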
Neo23x0 / annotations.xml
Last active November 12, 2024 01:34
Sources for APT Groups and Operations Search Engine
<?xml version="1.0" encoding="UTF-8"?>
<Annotations start="0" num="171" total="171">
<Annotation about="www.bussink.net/*" timestamp="0x0005d7bc4022b026" href="ChF3d3cuYnVzc2luay5uZXQvKhCm4IqBxPf1Ag">
<Label name="_cse_turlh5vi4xc"/>
<AdditionalData attribute="original_url" value="https://www.bussink.net/"/>
</Annotation>
<Annotation about="*.thedfirreport.com/*" timestamp="0x0005d76dd5f8679d" href="ChUqLnRoZWRmaXJyZXBvcnQuY29tLyoQnc_hr93t9QI">
<Label name="_cse_turlh5vi4xc"/>
<AdditionalData attribute="original_url" value="https://thedfirreport.com/"/>
</Annotation>
Neo23x0 / detect-dirtycow.sh
Last active February 2, 2023 03:26
One-Liner to Detect DirtyCOW Code
#!/bin/bash
# - Matches on source and compiled code
# - Searches in user home directories by default
# - Detects certain strings in files smaller than 300 KB
# - Does not print anything if nothing was found
# - Appends the modification time stamp of the files in question > good indicator to spot false positives
# - Should work on most Linux systems with bash
# Old version
# for f in $(find /home/ -type f -size -300 2> /dev/null); do if [[ $(strings -a "$f" 2> /dev/null | egrep "/proc/(self|%d)/(mem|maps)") != "" ]];then m=$(stat -c %y $f); echo "Contains DirtyCOW string: $f MOD_DATE: $m"; fi; done;
# Fixes against the old version: "-size -300" without a unit counts 512-byte blocks (files under ~150 KB), "-size -300k"
# is the intended 300 KB; "for f in $(find ...)" splits on spaces in paths, so find hands the files to grep itself;
# grep -a scans binaries as text, -l prints only matching file names, -E replaces the deprecated egrep.
find /home/ -type f -size -300k -exec grep -aEl "/proc/(self|%d)/(mem|maps)" {} + 2>/dev/null | while IFS= read -r f; do m=$(stat -c %y "$f"); echo "Contains DirtyCOW string: $f MOD_DATE: $m"; done