Gergely Nagy gnanet

@gnanet
gnanet / README.md
Created June 19, 2026 08:00
Initial eggdrop analysis after getting exploited by CVE-2026-10795

Having faced a mystery where WordPress/WooCommerce shops went nuts, I found out I was hit by CVE-2026-10795.

IOCs were:

  • Found an "undeletable" mu-plugin: mu-plugins/turbo-watcher-x.php
  • 2 plugins got lost: w3-total-cache and woocommerce-german-market
  • Found a new user admin_{HASH}, or adm_{HASH}
  • Any administrator who logged in automatically got the same session_tokens in addition to their own login

A secondary IOC was inside the options table

@gnanet
gnanet / workaround.md
Created June 14, 2026 00:43
strange prompt ssh ubuntu 26.04 systemd osc

Fresh install of Ubuntu 26.04 server

the terminal on my desktop system

gnome-terminal 3.28.2-1ubuntu1~18.04.1

the ssh client:

openssh-client 1:7.6p1-4ubuntu0.7+esm4

@gnanet
gnanet / git-sign-agent.md
Last active May 30, 2026 19:53
git sign with ssh public key from an ssh-agent - git version specifics

Sign git commits using ssh public keys from ssh-agent

Specify the key used by setting user.signingkey not to a file, but to the public key content.

It has been supported by git since 2.34.0, but the format requirement changed over time.

git version 2.34.1

user.signingkey = "ssh-rsa AAAAB...== comment"
@gnanet
gnanet / mirror-php-sury-ppa.sh
Last active May 3, 2026 02:53
Mirror php sury ppa to local, to be safe in case ondrej pulls the floor out of your server
#!/bin/bash
#
# source: https://www.reddit.com/r/PHP/comments/njwqpg/comment/gzc18jp/
# author: https://www.reddit.com/user/sleemanj/
#
# For a simple "first steps" with aptly read following sources:
# https://ahelpme.com/software/aptly/install-aptly-under-ubuntu-18-lts-with-nginx-serving-the-packages-and-the-first-steps/
# https://ahelpme.com/linux/ubuntu/mirror-a-ppa-repositories-using-aptly-php-ppaondrej-php/
#
@gnanet
gnanet / CVE-2025-60204_quickfix.patch
Created November 16, 2025 01:34
Un-official quickfix for WooCommerce Store Toolkit v 2.4.3 to CVE-2025-60204
--- includes/admin.php 2025-10-02 02:43:04.849905709 +0200
+++ includes/admin.php 2025-11-16 02:10:11.067950299 +0100
@@ -625,6 +625,8 @@
$tab = 'overview';
}
+ $tabs = array( 'overview', 'nuke', 'post_types', 'quick-enhancements', 'settings', 'growth-tools', 'tools' );
+
switch ( $tab ) {
case 'overview':
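Review bot: the `$tabs` allowlist added just before `switch ( $tab )` is never consulted in the visible lines, so `$tab` still reaches the switch unchecked. Unless the enforcement sits further down in the part of the patch that is cut off here, add a strict membership check directly after the array, for example `if ( ! in_array( $tab, $tabs, true ) ) { $tab = 'overview'; }`, so that an unexpected value falls back to the default tab. A one-line comment above the array stating why the list exists would also help, since it has to be kept in step with the `case` labels whenever a tab is added.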
@gnanet
gnanet / shell-lint.sh
Created August 8, 2025 22:43
shellcheck - bashlint; with install on-demand
#!/bin/bash
#
# touch /usr/local/bin/shell-lint && chmod +x /usr/local/bin/shell-lint && nano /usr/local/bin/shell-lint
#
# ln -s /usr/local/bin/shell-lint /usr/local/bin/bashlint
#
if [ ! -x /usr/local/bin/shellcheck ]; then
wget https://github.com/koalaman/shellcheck/releases/download/v0.11.0/shellcheck-v0.11.0.linux.x86_64.tar.xz -O /usr/local/src/shellcheck-v0.11.0.linux.x86_64.tar.xz
if [ -f /usr/local/src/shellcheck-v0.11.0.linux.x86_64.tar.xz ]; then
@gnanet
gnanet / usr.share.netfilter-persistent.plugins.d.15-nft.sh
Created July 2, 2025 01:59
NFT Ruleset plugin for Netfilter-Persistent
#!/bin/sh
# usr.share.netfilter-persistent.plugins.d.15-nft.sh
# NFT Ruleset plugin for Netfilter-Persistent
# This file is part of netfilter-persistent
# Copyright (C) 2025, Gergely Nagy <gna@r-us.hu>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@gnanet
gnanet / fail2ban-sqlite3-to-vac-or-not2vac.md
Last active March 28, 2025 17:33
2vac or not2vac - fail2ban status persistence vs exploding disk usage of fail2ban.sqlite3

Recently faced a storage shortage on a server again, so I did my homework; it's a Debian GNU/Linux 7.11 (wheezy)

An sqlite3 dump into a gzipped text file shows an amazing size difference; that means that without regular maintenance of the fail2ban database, the system may run low on free disk space.

# du -hs fail2ban.sqlite3
2.5G    fail2ban.sqlite3
@gnanet
gnanet / hcloud_api.sh
Created February 23, 2025 23:21
acme.sh deploy-hook-script to deploy certificate to Hetzner Cloud API using hcloud command
#!/usr/bin/bash
# Here is a script to deploy cert to Hetzner Cloud API using hcloud command
#
# it requires the hcloud binary from
# https://github.com/hetznercloud/cli
#
# it requires following environment variables:
#
# HCLOUD_API_TOKEN - this contains the token to the hcloud API
@gnanet
gnanet / octopusrbl_monster.cf.sample
Created November 13, 2024 00:17
Spamassassin sample rules to use Octopus RBL Monster https://octopusrbl.monster/ - bl.octopusdns.com
# Spamassassin sample rules to use Octopus RBL Monster https://octopusrbl.monster/
# gist by Gergely Nagy (https://gist.github.com/gnanet) 2024-11-13
#
#
# IMPORTANT NOTE
#
# Citing Octopus RBL (https://octopusrbl.monster/blocklist-use.html):
# Small dns servers can use our blacklist for free.
# High Volume servers (more than 100 requests per second) need monthly subscription.
#