Deobfuscating PHP malware
So while I am not full time on web server investigations anymore I still like to try and keep current and also maintain my scanner and signature projects. Just a few days ago a kind soul uploaded a malicious php file using
Originally published at Eforensics magazine: Today when you look at the market of malware you will find an overwhelming domination of malicious windows software. So looking for security products you can find many that exist for Windows, and write up after write
Today saw some new exploit attempts from out of Chile, targeting what appears to be a preexisting backdoor called payload.php. From there it then tries to check the Linux system version and download a file called biru.gif. After downloading the file it
So this past month I have set up the Wazuh fork of Ossec across my infrastructure and have begun to play with its capabilities. Part of my infrastructure includes web servers, and I was happy to see while reviewing the alert feed
Or how your server gets used in a reflective DDoS, an anecdote… So many platitudes in the infosec community go: As a defender you need to be right 100% of the time, the attack only needs to get it right
So after investigating hundreds of compromised websites, you begin to get a feel for what malware is pretty garden variety, like if I see another WSO shell, color me extremely unsurprised. But every once in a while something novel shows up. This
Well with hacker summer camp now over the research presented can now start to sink in and be digested. Two things stood out to me with my background in supporting websites and content management systems (CMS), those were vulnerabilities that affect the
Update time, I added a few additional features to blazescan. One requested feature was the ability to email a report produced by blazescan, this has been added to the -m flag. The mail address is set in the blazescand.conf file: Additionally a
So for the past few years I have worked front line as a Sysadmin, and specialized in web server security investigations. This culminated in the blazescan, minerchk, lw-yara, and other tools. These significantly increased our capabilities within my organization to investigate incidents.
So I am speaking again, this time I am presenting on my workflow for incident response using free and open source tools. I’ll update this after the talk but for those attending here is the link to the slides: https://laskowski-tech.com/downloads/FOSSv1.pdf
Update: Much deeper dive and new features. So as of late, I’ve felt a little let down by my traditional malware scanners for my compromised web server investigations. I’ve used clamAV, Maldet, and an internal tool. But as with any AV product
So this past week I attended the information security conference called Converge in Detroit. Based on information that I learned while there as well as projects I had already started down, I will be working to build a malware signature data set
So if you have perused here much, you know that I investigate many cases of malicious crypto mining on servers. Well after speaking at a local meetup I was invited to give the talk at the conference Converge in Detroit. It was
So late last week Troy Mursch (@bad_packets) revealed a crypto-jacking campaign targeting out of date Drupal sites. He quite helpfully laid out the extent of the campaign and created a Google doc with around 350 (now looks close to 400) sites confirmed to
Hello there interwebs. If you don’t know, or perhaps if you do, I’ve been working on a project to assist Incident Responders and Systems Administrators detect and remediate malicious cryptomining. Development has come quite a way since the first beta release. So since
So I’ve worked on around 10-15 eitest incident response and cleanups so far and we have been able to do that thus far by using the bash script my associate Mark Cunnungham wrote up to watch for the connections the malware was
So if you haven’t heard the news, the Drupal Core Team released a critical patch back in March to close a Remote Code Execution vulnerability. In the beginning of April scanning started and PoC exploits became available. At this time if you
So recently Abuse.ch, BrillantIT, and Proofpoint partnered up to take down the botnet known as EITest. https://www.bleepingcomputer.com/news/security/researchers-take-down-network-of-52-000-infected-servers-distributing-malware/ The group behind the botnet has been in operation since around 2011 according to the researchers. After the takedown Spamhaus was given control of the
So here I ran into a rather interesting case of an infected server spamming recently. Generally if we come across an infected server sending spam we see 2 primary vectors: password compromise of a user on the server, PHP mailer scripts uploaded
So I investigate a lot of compromised WordPress sites. Pretty much all of these investigations end in one of two places for a cause. Out of date software and/or plugin, or a password compromise. Unless you have been under a rock, you
So if you haven’t been here before, I’ve been looking into instances of malware using crypto-mining as a means of monetizing hacked servers on the network I work on. In that research, we found that compromised servers had been mining over
Here’s part 2 of the Holiday minerware write-ups, you can check out part 1 here. So let’s dig into Case 2. Alert method: Load on the server. This case was first reported as a load investigation on a web
Hello, and happy holidays! I have a few binaries to unwrap for you today. These are 2 separate incidents from the prior week of some more miners in the wild. First up we have Case 1. Alert method: Hacked site and
Update: See a more complete demo using a malware tool set I’ve created called Blazescan So I’ve been examining my techniques that I apply to investigating hacked websites, a common task in my day to day work. And this ended up becoming