felmoltor

#!/bin/bash

if [[ ! -f $1 || $# -ne 2 ]];then
    echo "Usage: $0 <file> <resultfile>"
else
    resultfile=$2
    echo -n "" > $resultfile
    for line in `cat $1`; do
        line=$(echo $line | tr -d ' ')
        if [[ $(echo $line | grep "-"| wc -l) > 0 ]];then

felmoltor

# With this two lines of bash you will donwload the last malware samples extracted from the public lists of www.malwaredomainlist.com
# and you'll submit automatically the alive samples (check if the response was an executable or not) to totalhash.com (contribute to
# the community) and obtain the detection rate of the sample # from Virus Total (virustotal.com).
# As a result you'll get a bunch of executable files and their detection rate in the log "output.virustotal.txt"
 
# Download all the samples detected and listed in the public CSV of mdl.com
$ curl -s http://www.malwaredomainlist.com/mdlcsv.php | awk 'BEGIN {FS="\",\""} {print $2}' | strings -n 3 | grep -E "\.exe$|\.so$|\.bin$|\.src$|\.pdf$|\.docx$|\.vb$|\.sh$" | xargs -I% bash -c 'echo "Downloading: %" && curl -s -O %' | tee $(date +%Y%m%d_%H%M)_malware_download.log
 
# Upload the downloaded samples to totalhash.com and query virustotal.com with it MD5 checksum to obtain the detection ratio
$ ls *_malware_download.log -ltr | tail -n1 | cat $(awk '{pr

felmoltor

####################################################
# List all the files recursively under a directory #
####################################################
 
def ls_r_files(path)
  path.gsub!(/\/+$/,"")
  if path[-2,2] != "/." and path[-2,3] != "/.."
    if File.directory?(path)
      fentries = []
      entries = Dir.entries(path)

felmoltor

Top domains leaked in 5M password dump of Gmail accounts. Mainly gmail.com and yandex.ru, another similar domains that seems like bug in the phishing or keylogger program:

4800946 gmail.com
 123213 yandex.ru
    608 gmail.com777
    338 gmail.com.vn
    256 gmail.com.br
    238 gmail.com.au
    188 gmail.com7777
    174 gmail.com.com

felmoltor

--------------------
---- 1º Million ----
--------------------

Analyzing a file with user, passwords and separator ':'
Loading the whole dump file. Be patient...
Spliting the dump information...
Analycing the password frecuency...
Analycing the domains frecuency...
Analycing passwords complexity...

felmoltor

--------------
- 1º Million -
--------------

________________ __________         ____    _______   
\_   _____/  _  \\______   \ ___  _/_   |   \   _  \  
 |    __)/  /_\  \|     ___/ \  \/ /|   |   /  /_\  \ 
 |    | /    |    \    |      \   / |   |   \  \_/   \
 \__  | \____|__  /____|       \_/  |___| /\ \_____  /
    \/          \/                        \/       \/ 

felmoltor

/admin.cgi
/administrator.cgi
/agora.cgi
/aktivate/cgi-bin/catgy.cgi
/analyse.cgi
/apps/web/vs_diag.cgi
/axis-cgi/buffer/command.cgi
/bandwidth/index.cgi
/bigconf.cgi
/cartcart.cgi

felmoltor

Keybase proof

I hereby claim:

• I am felmoltor on github.
• I am felmoltor (https://keybase.io/felmoltor) on keybase.
• I have a public key whose fingerprint is 1485 9C64 36C5 CA4F 236B C04A 990A 3B4D BB7C FB45

To claim this, I am signing this object:

felmoltor

#!/bin/bash

TOPIP=15
TOPUP=30
TOPU=30
TOPP=30
TOPLU=15
TOPLP=15
GEOLITEDB="/home/<username>/maxmind/GeoIPCountryWhois.db" # Use the sqlite3 db created with http://pastebin.com/9WxCy5ks

felmoltor

#!/bin/bash

# Author: Felipe Molina (@felmoltor)
# Date: January 2015
# Purpose: This scripts checks for new binaries captured by kippo and send an email when an attacker drops a new one

#############################

LASTLS='lastls.txt'
CURRENTLS='currentls.txt'