├── .gitignore ├── .travis.yml ├── .whitesource ├── LICENSE ├── README.md ├── application.config ├── build.fsx ├── c2_pulse.fs ├── hmm_honeypot.fs ├── indicator.exemptions ├── log.fs ├── otx_pulse.fs ├── owa_pulse.fs ├── paket.dependencies ├── requirements.txt ├── threat_crowd.fs ├── wwwids_rules.json ├── wwwids_rules.schema └── yara.fs /.gitignore: -------------------------------------------------------------------------------- 1 | .fake 2 | application.config 3 | c2_pulse.exe 4 | hmm_honeypot.exe 5 | owa_pulse.exe 6 | otx_pulse.exe 7 | packages 8 | paket-files 9 | Paket.* 10 | paket.lock 11 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: python 2 | python: 3 | - "3.7" 4 | install: 5 | - pip install -r requirements.txt 6 | script: 7 | - python -m json.tool wwwids_rules.json > /dev/null 8 | - python -m jsonschema -i wwwids_rules.json wwwids_rules.schema 9 | -------------------------------------------------------------------------------- /.whitesource: -------------------------------------------------------------------------------- 1 | { 2 | "checkRunSettings": { 3 | "vulnerableCheckRunConclusionLevel": "failure" 4 | }, 5 | "issueSettings": { 6 | "minSeverityLevel": "LOW" 7 | } 8 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 
14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # BurningDogs 2 | 3 | Tool to create OTX Pulse entries from honeypot logs 4 | 5 | ## Supported honeypots 6 | 7 | BurningDogs reads honeypot logs and determines attacking client IPs, malicious URLs, and hashes of downloaded files, and then uploads that to [AlienVault OTX](https://otx.alienvault.com/browse/pulses/). 8 | 9 | ### SSH honeypots 10 | 11 | BurningDogs supports Kippo and Cowrie logfiles to detect malicious client IPs, downloaded files, and malicious URLs. 12 | 13 | ### Apache 14 | 15 | BurningDogs uses the "wwwids" logfile analyzer to detect signs of web application abuse attempts. This is based in part on the principles in the SANS paper [Detecting Attacks on Web Applications from Log Files](https://www.sans.org/reading-room/whitepapers/logging/detecting-attacks-web-applications-log-files-2074). 
16 | 17 | ### phpMySqlAdmin 18 | 19 | BurningDogs uses a custom PHP script (see the [ShoppingLeague repository](https://github.com/paralax/ShoppingLeague)) to detect abuse attempts of phpMySqlAdmin. Client IPs, URLs, and files are characterized. 20 | 21 | ### Wordpot 22 | 23 | BurningDogs uses a custom set of PHP scripts (see the [ShoppingLeague repository](https://github.com/paralax/ShoppingLeague)) to detect abuse attempts of Wordpress installations, including brute force intrusions and DDoS attempts via `xmlrpc.php` script abuse. 24 | 25 | ### Redispot 26 | 27 | BurningDogs uses the Redis honeypot from [NoSQLpot](https://github.com/torque59/nosqlpot) to detect brute force authentication abuse attempts. Client IPs and URLs are characterized. 28 | 29 | ### VncLowPot 30 | 31 | BurningDogs uses the VNC honeypot from [vnclowpot](https://github.com/magisterquis/vnclowpot) to detect brute force authentication attempts. 32 | 33 | ### Pghoney 34 | 35 | BurningDogs uses the PostgreSQL honeypot from [pghoney](https://github.com/betheroot/pghoney) to detect brute force authentication attempts. 36 | 37 | # Dependencies 38 | 39 | You'll need to [sign up at OTX](https://otx.alienvault.com/api/) to get an API key to upload pulses. The key goes in the `apikey` entry of `application.config`, which `.gitignore` keeps out of the repository. 40 | 41 | BurningDogs depends on FAKE to build and Newtonsoft.Json for serialization. Use Paket to manage those via the `paket.dependencies` file. 42 | 43 | # Building 44 | 45 | BurningDogs uses FAKE to manage the build; simply run `fake` once dependencies are downloaded. 46 | 47 | # Running 48 | 49 | I run BurningDogs via `cron` every night near midnight. 50 | 51 | # Modifying 52 | 53 | Use the `application.config` file to manage paths, and you may have to edit code to address some of my local specifics (e.g. log file format). 
54 | -------------------------------------------------------------------------------- /application.config: -------------------------------------------------------------------------------- 1 | apikey: APIKEY 2 | accesslog: /var/log/apache2/access_log 3 | httperrorrate: 3 4 | wwwids_rules: /Users/jose/code/fsharp/indicators/wwwids_rules.json 5 | wordpotlog: /Library/WebServer/Documents/wp/wordpot.log 6 | xmlrpc_ddoslog: /Library/WebServer/Documents/wp/ddos.log 7 | phpmyadminlog: /Library/WebServer/Documents/phpMyAdmin/scripts/phpmysqladmin_log.json 8 | kippodir: /Users/jose/honeynet/src/third-party/kippo-0.5 9 | kippodldir: /Users/jose/honeynet/src/third-party/cowrie/dl 10 | kippolog: /Users/jose/honeynet/src/third-party/cowrie/log/cowrie.log 11 | malwaredir: /Users/jose/vxcage/malware 12 | exemptions: /Users/jose/code/fsharp/indicators/indicator.exemptions 13 | redispotlog: /Users/jose/honeynet/src/third-party/nosqlpot-master/redis.log 14 | vncpotlog: /Users/jose/honeynet/src/third-party/magisterquis/vnclowpot/vnclowpot.log 15 | pghoneylog: /Users/jose/honeynet/src/third-party/betheroot/pghoney/pghoney.log 16 | rdppotlog: /Users/jose/honeynet/src/connlogger/connlog 17 | backdoorlog: /Library/WebServer/Documents/backdoor_log.json 18 | -------------------------------------------------------------------------------- /build.fsx: -------------------------------------------------------------------------------- 1 | // include Fake lib 2 | #r @"/Users/jose/dotnet/FAKE.3.5.4/tools/FakeLib.dll" 3 | open Fake 4 | open Fake.FscHelper 5 | 6 | Target "otx_pulse.exe" (fun _ -> 7 | ["log.fs"; "otx_pulse.fs"] 8 | |> Fsc (fun p -> 9 | {p with References = 10 | ["packages/Newtonsoft.Json/lib/net40/Newtonsoft.Json.dll" 11 | ]} 12 | ) 13 | ) 14 | 15 | Target "otx_pulse2.exe" (fun _ -> 16 | ["log.fs"; "otx_pulse2.fs"] 17 | |> Fsc (fun p -> 18 | {p with References = 19 | ["packages/Newtonsoft.Json/lib/net40/Newtonsoft.Json.dll" 20 | ]} 21 | ) 22 | ) 23 | 24 | Target "backdoor_test.exe" 
(fun _ -> 25 | ["log.fs"; "backdoor_test.fs"] 26 | |> Fsc (fun p -> 27 | {p with References = 28 | ["packages/Newtonsoft.Json/lib/net40/Newtonsoft.Json.dll" 29 | ]} 30 | ) 31 | ) 32 | 33 | Target "hmm_honeypot.exe" (fun _ -> 34 | ["log.fs"; "hmm_honeypot.fs"] 35 | |> Fsc (fun p -> 36 | {p with References = 37 | ["packages/Accord/lib/net40/Accord.dll"; 38 | "packages/Accord.Statistics/lib/net40/Accord.Statistics.dll"; 39 | "packages/Accord.Math/lib/net40/Accord.Math.dll" 40 | ]} 41 | ) 42 | ) 43 | 44 | 45 | Target "canary_pulse.exe" (fun _ -> 46 | ["canary_pulse.fs"; ] 47 | |> Fsc (fun p -> 48 | {p with References = 49 | ["packages/Newtonsoft.Json/lib/net40/Newtonsoft.Json.dll" 50 | ]} 51 | ) 52 | ) 53 | 54 | Target "owa_pulse.exe" (fun _ -> 55 | ["log.fs"; "owa_pulse.fs"; ] 56 | |> Fsc (fun p -> 57 | {p with References = 58 | ["packages/Newtonsoft.Json/lib/net40/Newtonsoft.Json.dll" 59 | ]} 60 | ) 61 | ) 62 | 63 | Target "c2_pulse.exe" (fun _ -> 64 | ["log.fs"; "c2_pulse.fs"; ] 65 | |> Fsc (fun p -> 66 | {p with References = 67 | ["packages/Newtonsoft.Json/lib/net40/Newtonsoft.Json.dll" 68 | ]} 69 | ) 70 | ) 71 | 72 | RunTargetOrDefault "otx_pulse.exe" -------------------------------------------------------------------------------- /c2_pulse.fs: -------------------------------------------------------------------------------- 1 | open System 2 | open System.IO 3 | open System.Net 4 | open System.Text 5 | open System.Web 6 | 7 | open Newtonsoft.Json 8 | 9 | type OtxIndicator = { 10 | Type : string; 11 | indicator : string; 12 | description : string; 13 | role : string 14 | } 15 | 16 | type OtxPulse = { 17 | name : string; 18 | description : string; 19 | Public : bool; 20 | TLP : string; 21 | indicators : OtxIndicator list; 22 | tags : string list; 23 | references : string list; 24 | attack_ids : string list 25 | } 26 | 27 | 28 | p.StartInfo.UseShellExecute <- false 29 | p.Start() |> ignore 30 | p.StandardOutput.ReadToEnd() |> ignore 31 | () 32 | 33 | let store 
(date:DateTime) (doSymlink: bool) (otx: OtxPulse) = 34 | let json = JsonConvert.SerializeObject(otx).Replace("Type", "type").Replace("Public", "public") 35 | let today = date.ToString("yyyyMMdd") 36 | let dir = createDir("/Library/WebServer/Documents/data/" + otx.name.Split(' ').[0]) 37 | let filename = dir.FullName + "/" + today + ".txt" 38 | File.WriteAllText(filename, json) 39 | match doSymlink with 40 | | true -> symlink (FileInfo(filename).Name) (dir.FullName + "/" + "latest.txt") 41 | | _ -> () 42 | 43 | [] 44 | let main args = 45 | let today = DateTime.Today 46 | let pulse = apachelogs today 47 | match List.isEmpty pulse.indicators with 48 | | true -> () 49 | | false -> store today true pulse 50 | 0 -------------------------------------------------------------------------------- /hmm_honeypot.fs: -------------------------------------------------------------------------------- 1 | // http://accord-framework.net/docs/html/T_Accord_Statistics_Models_Markov_Learning_BaumWelchLearning.htm 2 | 3 | open System 4 | open System.IO 5 | 6 | open Accord.Math 7 | open Accord.Statistics.Models.Markov.Learning 8 | open Accord.Statistics.Models.Markov 9 | 10 | open Log 11 | 12 | (* 13 | idea 14 | - train on a batch of honeypot log files, look for the sequence of commands 15 | - first build a set of commands 16 | - then turn it into an array 17 | - for each log file, turn it into a sequence like "[|3;5;10;2;3;2|]" indexed by commands for each session id 18 | - train an hmm like above on that data set 19 | - examine new log files 20 | - for each session id, build a sequence of commands like "[|10;4;1;16;3;2;3|]" 21 | - hmm.LogLikelihood() that sequence and look for improbable ones 22 | *) 23 | 24 | let parse_one(logfile: string) : (string [] * Map) = 25 | let getcmd(line: string) : string = 26 | // 2017-01-10T21:35:31-0500 [CowrieTelnetTransport,68691,::ffff:39.167.7.160] CMD: sh 27 | line.Split(' ').[3] 28 | let getsessionid(line: string) : string = 29 | line.Split(' 
').[1].Split(',').[1] 30 | let addcmd(sessionid: string) (cmd: string) (sessions: Map) : Map = 31 | match Map.containsKey sessionid sessions with 32 | | true -> Map.add sessionid (sessions.[sessionid] @ [cmd]) sessions 33 | | false -> Map.add sessionid [cmd] sessions 34 | let rec parselines (cmds: Set) (sessions: Map) (lines: string list) = 35 | match lines with 36 | | h::t -> parselines (Set.add (getcmd h) cmds) (addcmd (getsessionid h) (getcmd h) sessions) t 37 | | [] -> (cmds |> Set.toArray, sessions) 38 | File.ReadAllLines logfile 39 | |> Array.toList 40 | |> List.filter (fun x -> x.Contains("[CowrieTelnetTransport") && x.Contains("CMD: ")) 41 | |> parselines Set.empty Map.empty 42 | 43 | let parse(logfiles: string list): (string [] * int [] []) = 44 | // from http://stackoverflow.com/questions/3974758/in-f-how-do-you-merge-2-collections-map-instances 45 | let join (p:Map<'a,'b>) (q:Map<'a,'b>) = 46 | Map(Seq.concat [ (Map.toSeq p) ; (Map.toSeq q) ]) 47 | let results = List.map parse_one logfiles 48 | let cmds = results 49 | |> List.map fst 50 | |> Array.concat 51 | |> Set.ofArray 52 | |> Set.toArray 53 | let sessions = results 54 | |> List.map snd 55 | |> List.fold join Map.empty 56 | let sequences = Map.toArray sessions 57 | |> Array.map (fun (_, x) -> List.toArray x 58 | |> Array.map (fun x -> Array.findIndex (fun y -> x = y) cmds )) 59 | (cmds, sequences) 60 | 61 | (* build the HMM model based on previous data 62 | *) 63 | let train(logfiles: string list) : (string [] * HiddenMarkovModel) = 64 | let cmds, sequences = parse logfiles 65 | let states = Array.map (fun x -> Array.length x) sequences 66 | |> Array.max 67 | let symbols = 1 + (Array.concat sequences |> Array.max) 68 | let hmm = new HiddenMarkovModel(states, symbols) 69 | let teacher = new BaumWelchLearning(hmm) 70 | teacher.Tolerance <- 0.0001 71 | teacher.Iterations <- 0 72 | teacher.Learn(sequences) |> ignore 73 | (cmds, hmm) 74 | 75 | (* now take a logfile and find the interesting sequences 76 | 
yields a map of interesting sessions keyed by session ID -> sequence of commands 77 | *) 78 | let unusual (hmm: HiddenMarkovModel) (cmds: string []) (threshold: float) (logfile: string) : Map = 79 | let tryFindCmd (cmds : string []) (cmd : string) : int = 80 | let res = Array.tryFindIndex (fun x -> x = cmd) cmds 81 | match res with 82 | | Some i -> i 83 | | None -> -1 84 | let session_to_sequence (cmds: string []) (session: string list) : int [] = 85 | List.map (fun x -> tryFindCmd cmds x) session |> Array.ofList 86 | let probability (sequence : int []) : float = 87 | Math.Exp(hmm.LogLikelihood(sequence)) 88 | parse_one logfile 89 | |> snd 90 | |> Map.map (fun _ v -> (v, probability (session_to_sequence cmds v))) 91 | |> Map.filter (fun _ (_,p) -> p < threshold) 92 | |> Map.map (fun _ (v,_) -> v) 93 | 94 | type CommandLineOptions = { 95 | threshold: float // -t F 96 | } 97 | let defaultOptions = { 98 | threshold= 0.001 99 | } 100 | 101 | let usage args = 102 | printfn "hmm_honeypot.exe ARGS" 103 | printfn "arguments and options:" 104 | printfn " -t F set the threshold for reporting to F (default:%f)" defaultOptions.threshold 105 | printfn " -h this text" 106 | 107 | // inspired via https://fsharpforfunandprofit.com/posts/pattern-matching-command-line/ 108 | let rec parseCommandLine args soFar : CommandLineOptions = 109 | match args with 110 | | [] -> soFar 111 | | "-t"::xs -> 112 | let t = float (List.head xs) 113 | let rem = List.tail xs 114 | parseCommandLine rem { soFar with threshold=t} 115 | | "-h"::xs -> 116 | usage args 117 | exit 0 118 | | x::xs -> 119 | printfn "WARNING option %s is not understood" x 120 | parseCommandLine xs soFar 121 | 122 | [] 123 | let main args = 124 | let options = parseCommandLine (List.ofArray args) defaultOptions 125 | let cmds, hmm = Directory.GetFiles("/Users/jose/honeynet/src/third-party/cowrie/log", "*.log.??") 126 | |> List.ofArray 127 | |> train 128 | Directory.GetFiles("/Users/jose/honeynet/src/third-party/cowrie/log", 
"*.log.?") 129 | |> Array.map (fun x -> unusual hmm cmds options.threshold x) 130 | |> Array.iter (fun x -> printfn "%A" x) 131 | 0 -------------------------------------------------------------------------------- /indicator.exemptions: -------------------------------------------------------------------------------- 1 | 8.8.8.8 2 | 1.1.1.1 3 | 9.9.9.9 4 | www.w3.org 5 | w3.org 6 | www.w3c.org 7 | w3c.org 8 | download.microsoft.com 9 | d41d8cd98f00b204e9800998ecf8427e 10 | 68b329da9893e34099c7d8ad5cb9c940 11 | 93b885adfe0da089cdf634904fd59f71 12 | da39a3ee5e6b4b0d3255bfef95601890afd80709 13 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 14 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b 15 | 127.0.0.1 16 | www.google.com 17 | tinyurl.com 18 | google.com 19 | 204.79.197.200 20 | bing.com 21 | www.bing.com 22 | www.yahoo.com 23 | yahoo.com 24 | help.yahoo.com 25 | www.baidu.com 26 | baidu.com 27 | 104.193.88.123 28 | 104.193.88.77 29 | 104.197.149.9 30 | 54.243.185.88 31 | 184.105.139.67 32 | 184.105.139.68 33 | 184.105.139.69 34 | 184.105.139.70 35 | 216.218.206.66 36 | 216.218.206.67 37 | 216.218.206.68 38 | 216.218.206.69 39 | 74.82.47.2 40 | 74.82.47.3 41 | 74.82.47.4 42 | 74.82.47.5 43 | 184.105.247.194 44 | 184.105.247.195 45 | 184.105.247.196 46 | 184.105.247.197 47 | 198.20.69.74 48 | 198.20.69.98 49 | 198.20.70.114 50 | 198.20.99.130 51 | 216.117.2.180 52 | 66.240.192.138 53 | 66.240.236.119 54 | 71.6.135.131 55 | 71.6.165.200 56 | 71.6.167.142 57 | 82.221.105.6 58 | 82.221.105.7 59 | 93.120.27.62 60 | d41d8cd98f00b204e9800998ecf8427e 61 | da39a3ee5e6b4b0d3255bfef95601890afd80709 62 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 63 | 68b329da9893e34099c7d8ad5cb9c940 64 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc 65 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b 66 | 81051bcc2cf1bedf378224b0a93e2877 67 | ba8ab5a0280b953aa97435ff8946cbcbb2755a27 68 | 
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6 69 | 93b885adfe0da089cdf634904fd59f71 70 | 5ba93c9db0cff93f52b521d7420e43f6eda2784f 71 | 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d 72 | 0f343b0931126a20f133d67c2b018a3b 73 | 60cacbf3d72e1e7834203da608037b1bf83b40e8 74 | 5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef 75 | c99a74c555371a433d121f551d6c6398 76 | 605db3fdbaff4ba13729371ad0c4fbab3889378e 77 | e5a00aa9991ac8a5ee3109844d84a55583bd20572ad3ffcd42792f3c36b183ad 78 | fa8715078d45101200a6e2bf7321aa04 79 | d991c16949bd5e85e768385440e18d493ce3aa46 80 | 4b298058e1d5fd3f2fa20ead21773912a5dc38da3c0da0bbc7de1adfb6011f1c 81 | 620f0b67a91f7f74151bc5be745b7110 82 | 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d 83 | ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7 84 | c5e389341a0b19b6f045823abffc9814 85 | c82cee5f957ad01068f487eecd430a1389e0d922 86 | 995c770caeb45f7f0c1bc3affc60f11d8c40e16027df2cf711f95824f3534b6f 87 | 325472601571f31e1bf00674c368d335 88 | 2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a 89 | b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b 90 | e617348b8947f28e2a280dd93c75a6ad 91 | 125da188e26bd119ce8cad7eeb1fc2dfa147ad47 92 | 06f7826c2862d184a49e3672c0aa6097b11e7771a4bf613ec37941236c1a8e20 93 | 200ceb26807d6bf99fd6f4f0d1ca54d4 94 | b3aca92c793ee0e9b1a9b0a5f5fc044e05140df3 95 | 4194d1706ed1f408d5e02d672777019f4d5385c766a8c6ca8acba3167d36a7b9 96 | d3b07384d113edec49eaa6238ad5ff00 97 | fb360f9c09ac8c5edb2f18be5de4e80ea4c430d0 98 | b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c 99 | d3b07384d113edec49eaa6238ad5ff00 100 | f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 101 | 8a798890fe93817163b10b5f7bd2ca4d25d84c52739a645a889c173eee7d9d3d 102 | 10400c6faf166902b52fb97042f1e0eb 103 | d583c3aa489ed954df3be71e71deae3a9895857e 104 | df4e26a04a444901b95afef44e4a96cfae34690fff2ad2c66389c70079cdff2b 105 | 4b6c7f3146f86136507497232d2f04a0 106 | 
deabe082bc0f0f503292e537b2675c7c93dca40f 107 | 4a15a6777284035dfd8df4ecf496b4f0557a9cc4ffaaf5887659031e843865e1 108 | a11a2f0cfe6d0b4c50945989db6360cd 109 | e2516fcd1573e70334c8f50bee5241cdfdf48a00 110 | fc4623b113a1f603c0d9ad5f83130bd6de1c62b973be9892305132389c8588de 111 | 16e8e953c65d610c3bfc595240f3f5b7 112 | 231a802e6ff1fae42f2b12561fff2767d473210b 113 | 048846ed8ed185a26394adeb3f63274d1029bbd59cffa8e73a4ef8b19456de1d 114 | e24133dd836d99182a6227dcf6613d08 115 | 72c2dbbb1fe642073002b30987fcd68921a6b140 116 | 4dde54cfc600dbd9a610645d197a632e064115ffaa3a1b595c3a23036e501678 117 | 41f958d2d3e9ed4504b6a8863fd72b49 118 | f6d380b256b0e66ef347adc78195fd0f228b3e33 119 | c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8 120 | d378bffb70923139d6a4f546864aa61c 121 | f00aa51c2ed8b2f656318fdc01ee1cf5441011a4 122 | c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102 123 | 86f1895ae8c5e8b17d99ece768a70732 124 | d5502a1d00787d68f548ddeebbde1eca5e2b38ca 125 | 8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe 126 | b6f9aa44c5f0565b5deb761b1926e9b6 127 | 183d0929423da2aa83441ee625de92b213f33948 128 | 07c4c7ae2c4c7cb3ccd2ba9cd70a94382395ca8e2b0312c1631d09d790b6db33 129 | 94.102.49.193 130 | 104.128.144.131 131 | 98.143.148.107 132 | 155.94.254.133 133 | 155.94.254.143 134 | 155.94.222.12 135 | 98.143.148.135 136 | 71.6.158.166 137 | 93.174.95.106 138 | cdn.d-trust-cloudcrl.net 139 | cdp.elektronicznypodpis.pl 140 | cdp1.disig.sk 141 | cdp2.disig.sk 142 | crl-ssl.certificat2.com 143 | crl.affirmtrust.com 144 | crl.buypass.no 145 | crl.camerfirma.com 146 | crl.certsign.ro 147 | crl.cfca.com.cn 148 | crl.comodoca.com 149 | crl.d-trust.net 150 | crl.e-tugra.com 151 | crl.entrust.net 152 | crl.firmaprofesional.com 153 | crl.gdca.com.cn 154 | crl.globalsign.com 155 | crl.godaddy.com 156 | crl.igc-g3.certinomis.com 157 | crl.infocert.it 158 | crl.izenpe.com 159 | crl.luxtrust.lu 160 | crl.managedpki.com 161 | crl.netsolssl.com 162 | crl.pki.goog 
163 | crl.quovadisglobal.com 164 | crl.sbca.telesec.de 165 | crl.serverpass.telesec.de 166 | crl.starfieldtech.com 167 | crl.swisssign.net 168 | crl.trust-provider.com 169 | crl.trustcor.ca 170 | crl.trustwave.com 171 | crl.usertrust.com 172 | crl09.actalis.it 173 | crl1.camerfirma.com 174 | crl1.e-tugra.com 175 | crl1.hongkongpost.gov.hk 176 | crl1.netlock.hu 177 | crl2.firmaprofesional.com 178 | crl2.netlock.hu 179 | crl3.digicert.com 180 | crl3.netlock.hu 181 | crl4.digicert.com 182 | crls.ssl.com 183 | crlv1.harica.gr 184 | depo.kamusm.gov.tr 185 | epscd.catcert.net 186 | evcrl1.managedpki.com 187 | fe.symcb.com 188 | fi.symcb.com 189 | fj.symcb.com 190 | gca.nat.gov.tw 191 | gk.symcb.com 192 | gm.symcb.com 193 | gn.symcb.com 194 | pki-crl.atos.net 195 | public.wisekey.com 196 | repo1.secomtrust.net 197 | repository.ev.hinet.net 198 | rtcrl.managedpki.ne.jp 199 | sh.symcb.com 200 | sn.symcb.com 201 | sr.symcb.com 202 | ss.symcb.com 203 | sslca2014-crl1.e-szigno.hu 204 | sslca2014-crl2.e-szigno.hu 205 | sslca2014-crl3.e-szigno.hu 206 | sslserver.twca.com.tw 207 | sureseries-crl.cybertrust.ne.jp 208 | tf.symcb.com 209 | ti.symcb.com 210 | tq.symcb.com 211 | validation.identrust.com 212 | www.accv.es 213 | www.cert.fnmt.es 214 | www.certinomis.com 215 | www.certsign.ro 216 | www.trustis.com 217 | aces.ocsp.identrust.com 218 | commercial.ocsp.identrust.com 219 | ev.ocsp.quovadisglobal.com 220 | ev2.ocsp.secomtrust.net 221 | evocsp1.managedpki.com 222 | evsslocsp.twca.com.tw 223 | fe.symcd.com 224 | fi.symcd.com 225 | fj.symcd.com 226 | g2ocsp.managedpki.com 227 | g3ocsp.managedpki.com 228 | gca.nat.gov.tw 229 | gk.symcd.com 230 | gm.symcd.com 231 | gn.symcd.com 232 | gold-ev-g2.ocsp.swisssign.net 233 | igc-g3.certinomis.com 234 | jcsitlssignpublicca-ocsp.managedpki.ne.jp 235 | ocsp-ssl.certificat2.com 236 | ocsp.accv.es 237 | ocsp.affirmtrust.com 238 | ocsp.buypass.com 239 | ocsp.buypass.no 240 | ocsp.camerfirma.com 241 | ocsp.catcert.cat 242 | ocsp.certsign.ro 243 
| ocsp.cfca.com.cn 244 | ocsp.comodoca.com 245 | ocsp.digicert.com 246 | ocsp.e-tugra.com 247 | ocsp.entrust.net 248 | ocsp.epki.external.trustcor.ca 249 | ocsp.ev.hinet.net 250 | ocsp.firmaprofesional.com 251 | ocsp.godaddy.com 252 | ocsp.harica.gr 253 | ocsp.int-x3.letsencrypt.org 254 | ocsp.izenpe.com 255 | ocsp.netsolssl.com 256 | ocsp.ovcf.ca3.infocert.it 257 | ocsp.pki.goog 258 | ocsp.quovadisglobal.com 259 | ocsp.sca0a.amazontrust.com 260 | ocsp.sca1a.amazontrust.com 261 | ocsp.sca2a.amazontrust.com 262 | ocsp.sca3a.amazontrust.com 263 | ocsp.sca4a.amazontrust.com 264 | ocsp.serverpass.telesec.de 265 | ocsp.starfieldtech.com 266 | ocsp.trust-provider.com 267 | ocsp.trustcor.ca 268 | ocsp.trustwave.com 269 | ocsp.usertrust.com 270 | ocsp.wisekey.com 271 | ocsp03.sbca.telesec.de 272 | ocsp09.actalis.it 273 | ocsp1.hongkongpost.gov.hk 274 | ocsp1.netlock.hu 275 | ocsp1.trustisfps.com 276 | ocsp2.globalsign.com 277 | ocsp2.netlock.hu 278 | ocsp2.wisekey.com 279 | ocsp3.gdca.com.cn 280 | ocsp3.netlock.hu 281 | ocspap.cert.fnmt.es 282 | ocsps.ssl.com 283 | ocspssls1.kamusm.gov.tr 284 | pki-ocsp.atos.net 285 | sh.symcd.com 286 | silver-server-g2.ocsp.swisssign.net 287 | sn.symcd.com 288 | sr.symcd.com 289 | ss.symcd.com 290 | ssl-c3-ca1-2009.ocsp.d-trust.net 291 | ssl-c3-ca1-ev-2009.ocsp.d-trust.net 292 | ssl.ocsp.luxtrust.lu 293 | sslca2014-ocsp1.e-szigno.hu 294 | sslca2014-ocsp2.e-szigno.hu 295 | sslca2014-ocsp3.e-szigno.hu 296 | subcar2i2-ocsp.disig.sk 297 | sureseries-ocsp.cybertrust.ne.jp 298 | tf.symcd.com 299 | ti.symcd.com 300 | tq.symcd.com 301 | 104.16.89.188 302 | 104.16.90.188 303 | 104.16.91.188 304 | 104.16.92.188 305 | 104.16.93.188 306 | 104.17.102.175 307 | 104.17.103.175 308 | 104.17.104.175 309 | 104.17.105.175 310 | 104.17.106.175 311 | 109.70.240.114 312 | 116.92.128.34 313 | 119.145.171.215 314 | 121.50.63.210 315 | 121.50.63.211 316 | 13.33.164.223 317 | 13.33.164.236 318 | 13.33.164.7 319 | 13.33.164.93 320 | 133.242.48.24 321 | 
133.242.50.38 322 | 151.101.46.133 323 | 153.149.98.42 324 | 155.207.94.23 325 | 172.217.1.46 326 | 172.217.4.243 327 | 184.73.226.63 328 | 185.102.40.23 329 | 185.33.53.5 330 | 185.62.162.145 331 | 185.69.225.3 332 | 192.35.177.153 333 | 193.104.0.210 334 | 193.140.71.35 335 | 193.27.6.240 336 | 193.42.222.125 337 | 194.140.59.23 338 | 194.145.83.79 339 | 195.77.23.49 340 | 195.80.175.39 341 | 195.80.175.7 342 | 195.95.167.129 343 | 195.95.167.162 344 | 202.32.255.81 345 | 202.32.255.82 346 | 210.151.42.156 347 | 210.241.69.194 348 | 210.71.154.56 349 | 210.74.41.181 350 | 212.142.249.49 351 | 212.175.187.27 352 | 212.175.187.59 353 | 212.31.61.106 354 | 213.162.193.245 355 | 213.229.84.216 356 | 217.150.144.194 357 | 217.150.144.200 358 | 219.87.64.186 359 | 23.215.104.113 360 | 23.215.104.27 361 | 23.215.104.35 362 | 23.215.105.96 363 | 50.63.243.228 364 | 50.63.243.229 365 | 52.219.73.78 366 | 52.222.217.106 367 | 52.222.217.144 368 | 52.222.217.59 369 | 52.222.217.88 370 | 52.239.142.228 371 | 60.250.3.156 372 | 61.114.186.157 373 | 61.203.134.55 374 | 62.96.224.138 375 | 66.225.197.197 376 | 72.21.91.29 377 | 80.79.96.210 378 | 82.223.54.157 379 | 86.109.121.18 380 | 88.87.212.233 381 | 91.120.239.74 382 | 91.121.147.17 383 | 91.198.11.52 384 | 91.83.236.157 385 | 93.92.105.23 386 | 2001:4420:aa01:ff01:210:241:69:194 387 | 2001:4542:2064:7::1010 388 | 2001:b031:1306:ff00::1010 389 | 2600:9000:2044:4800:3:6aa6:6180:21 390 | 2600:9000:2044:a200:3:6aa6:6180:21 391 | 2600:9000:2044:ae00:3:6aa6:6180:21 392 | 2600:9000:2044:bc00:3:6aa6:6180:21 393 | 2600:9000:2044:e200:3:6aa6:6180:21 394 | 2600:9000:2044:ec00:3:6aa6:6180:21 395 | 2600:9000:2044:f800:3:6aa6:6180:21 396 | 2600:9000:2044:fc00:3:6aa6:6180:21 397 | 2606:4700::6810:59bc 398 | 2606:4700::6810:5abc 399 | 2606:4700::6810:5bbc 400 | 2606:4700::6810:5cbc 401 | 2606:4700::6810:5dbc 402 | 2606:4700::6811:66af 403 | 2606:4700::6811:67af 404 | 2606:4700::6811:68af 405 | 2606:4700::6811:69af 406 | 
2606:4700::6811:6aaf 407 | 2607:f8b0:4009:80d::200e 408 | 2607:f8b0:4009:815::2013 409 | 2a04:4e42:b::645 410 | 104.215.29.84 411 | 104.215.54.174 412 | 104.41.179.244 413 | 104.91.166.106 414 | 104.91.166.112 415 | 104.91.166.82 416 | 104.91.166.89 417 | 104.91.166.96 418 | 104.91.166.98 419 | 109.70.240.114 420 | 113.52.156.18 421 | 116.92.128.12 422 | 119.145.171.206 423 | 13.114.126.114 424 | 13.33.164.100 425 | 13.33.164.105 426 | 13.33.164.164 427 | 13.33.164.37 428 | 13.78.114.232 429 | 133.242.68.56 430 | 151.101.46.133 431 | 153.120.128.154 432 | 153.127.215.13 433 | 153.127.216.172 434 | 153.149.154.120 435 | 153.149.17.219 436 | 153.149.96.48 437 | 155.207.94.25 438 | 178.255.83.1 439 | 18.194.140.191 440 | 184.73.226.63 441 | 185.102.40.212 442 | 185.33.53.5 443 | 185.62.162.144 444 | 185.69.225.4 445 | 192.35.177.117 446 | 192.35.177.155 447 | 193.104.0.178 448 | 193.140.71.141 449 | 193.42.222.125 450 | 194.140.12.241 451 | 194.145.83.75 452 | 194.30.48.30 453 | 195.77.23.39 454 | 195.80.175.18 455 | 195.95.167.163 456 | 210.241.69.194 457 | 210.71.154.56 458 | 210.74.41.123 459 | 212.175.187.26 460 | 212.31.61.102 461 | 213.162.193.244 462 | 213.61.227.196 463 | 216.58.216.78 464 | 217.150.144.202 465 | 217.170.186.113 466 | 217.170.186.115 467 | 219.127.237.69 468 | 219.87.64.165 469 | 23.215.104.10 470 | 23.215.104.16 471 | 23.215.104.19 472 | 23.215.104.49 473 | 23.215.104.65 474 | 23.34.78.114 475 | 23.4.43.27 476 | 23.5.251.27 477 | 23.54.187.27 478 | 23.62.227.64 479 | 23.62.227.72 480 | 23.62.227.9 481 | 35.163.43.72 482 | 46.137.168.218 483 | 46.137.183.10 484 | 46.29.101.81 485 | 46.29.101.82 486 | 46.29.101.83 487 | 46.29.101.84 488 | 50.63.243.230 489 | 52.207.77.222 490 | 54.199.233.192 491 | 59.106.216.193 492 | 60.250.3.135 493 | 72.21.91.29 494 | 80.79.96.44 495 | 88.87.212.243 496 | 91.120.239.74 497 | 91.194.146.110 498 | 91.198.11.79 499 | 91.198.11.87 500 | 91.83.236.157 501 | 93.92.105.115 502 | 2001:4420:aa01:ff01:210:241:69:194 
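2001:4542:2064:7::1013
2001:559:19:5400::173e:e30b
2001:559:19:5400::173e:e319
2001:559:19:5400::173e:e361
2001:559:19:5400::173e:e36a
2001:559:19:5400::173e:e378
2001:559:19:5400::173e:e380
2001:559:19:5c96::201a
2001:559:19:5c98::201a
2001:559:19:6483::201a
2001:559:19:648f::201a
2001:559:19:e000::b854:f46a
2001:b031:1306:ff00::1013
2600:1407:21:2a1::1b01
2600:1407:21:2b3::1b01
2607:f8b0:4009:816::200e
2620:108:700f::22d4:f675
2620:108:700f::22d6:45ab
2620:108:700f::3426:765e
2a00:17f0:1300:3285::2
2a00:17f0:1300:3285::3
2a02:1788:2fd::b2ff:5301
2a04:4e42:2c::645
-------------------------------------------------------------------------------- /log.fs: --------------------------------------------------------------------------------
namespace Log

open System

/// Minimal console logger, adapted from http://www.fssnip.net/8j.
/// NOTE(review): the attribute text was lost in the rendered listing; [<AutoOpen>] is
/// inferred from `open Log` followed by bare `log 3 ...` calls in otx_pulse.fs — confirm.
[<AutoOpen>]
module Logger =

    /// Log levels; a lower number is more severe.
    let Error = 0
    let Warning = 1
    let Information = 2
    let Debug = 3

    /// Human-readable name of a numeric level; anything outside 0..3 is "Unknown".
    let LevelToString level =
        match level with
        | 0 -> "Error"
        | 1 -> "Warning"
        | 2 -> "Information"
        | 3 -> "Debug"
        | _ -> "Unknown"

    /// The current log level: messages whose level is above it are dropped.
    let mutable current_log_level = Debug

    /// The interface loggers need to implement.
    type ILogger = abstract Log : int -> Printf.StringFormat<'a,unit> -> 'a

    /// Writes to console as "[Level][timestamp] message".
    /// The threshold in current_log_level is now honoured; the previous version formatted
    /// and printed every message regardless of it, so the mutable had no effect.
    let ConsoleLogger = {
        new ILogger with
            member __.Log level format =
                Printf.kprintf (fun msg ->
                    if level <= current_log_level then
                        printfn "[%s][%A] %s" (LevelToString level) DateTime.Now msg) format
    }

    /// Defines which logger to use.
    let mutable DefaultLogger = ConsoleLogger

    /// Logs a message with the specified logger.
    let logUsing (logger: ILogger) = logger.Log

    /// Logs a message using the default logger.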
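// (log.fs, continued)
    let log level message = logUsing DefaultLogger level message
-------------------------------------------------------------------------------- /otx_pulse.fs: --------------------------------------------------------------------------------
open System
open System.IO
open System.Net
open System.Security.Cryptography
open System.Text
open System.Web

open Newtonsoft.Json
open Newtonsoft.Json.Linq

open Log

/// One OTX indicator: `Type` is the OTX indicator type name ("IPv4", "URL", "FileHash-MD5", ...).
type OtxIndicator = {
    Type : string;
    indicator : string;
    description : string
}

/// One OTX pulse as submitted; every pulse built here is Public and TLP green.
type OtxPulse = {
    name : string;
    description : string;
    Public : bool;
    TLP : string;
    indicators : OtxIndicator list;
    tags : string list;
    references : string list;
}

/// One line of the cowrie JSON log. `system` and `src_ip` are mutable because they are
/// rewritten after deserialisation (see getKippoRecords).
type CowrieRecord = {
    dst_ip : string;
    dst_port : int;
    eventid : string;
    isError : int;
    message : string;
    outfile : string;
    sensor : string;
    session : string;
    shasum : string;
    mutable src_ip : string;
    src_port : int;
    mutable system : string;
    timestamp : string;
    url : string;
}

/// A web-IDS rule from wwwids_rules.json: `pat` is a plain substring to look for in a
/// request line, `checkurl` the field index to harvest URLs from (-1 = none).
type WwwidsRule = {
    ref : string;
    cve : string;
    pat : string;
    checkurl: int;
    name : string;
}

/// One line of the pghoney JSON log.
type PghoneyRecord = {
    level : string;
    msg : string;
    source_ip : string;
    source_port : int;
    time : string;
    username: string;
}

/// Payload record of the backdoor honeypot (unused in this file).
/// NOTE(review): the Map type arguments were lost in the rendered listing; string->string
/// is assumed — confirm against the producer of these records.
type BackdoorRecordPayload = {
    timestamp : string;
    client_ip : string;
    user_agent : string;
    headers : Map<string, string>;
    payload : Map<string, string>;
}

/// key: value pairs from application.config, one per line. The value is everything after the
/// first ':' (so paths and URLs containing colons are kept whole; the old split on every ':'
/// truncated them). Blank lines and lines without a ':' are skipped instead of crashing.
let config =
    File.ReadAllLines("application.config")
    |> Array.filter (fun line -> not (String.IsNullOrWhiteSpace line))
    |> Array.map (fun line -> line.Split([|':'|], 2) |> Array.map (fun part -> part.Trim()))
    |> Array.filter (fun parts -> parts.Length = 2)
    |> Array.map (fun parts -> (parts.[0], parts.[1]))
    |> Map.ofArray

/// Hosts and addresses that must never be published as indicators (the indicator.exemptions
/// file: CA CRL/OCSP endpoints and similar). Consulted before a URL's host is resolved and
/// again when each pulse is assembled. Entries are trimmed so trailing whitespace in the
/// file cannot silently disable an exemption.
let exemptions =
    File.ReadAllLines(config.["exemptions"])
    |> Array.map (fun line -> line.Trim())
    |> Array.filter (fun line -> line <> "")
    |> Set.ofArray

/// Lower-case hex digest of `data` under `algorithm`; the algorithm is disposed after use.
let hexDigest (algorithm : HashAlgorithm) (data : byte array) : string =
    use algo = algorithm
    algo.ComputeHash(data)
    |> Array.fold (fun (sb : StringBuilder) (b : byte) -> sb.Append(b.ToString("x2"))) (StringBuilder())
    |> string

let md5 (data : byte array) : string = hexDigest (MD5.Create()) data

let sha1 (data : byte array) : string = hexDigest (SHA1.Create()) data

let sha256 (data : byte array) : string = hexDigest (SHA256.Create()) data

/// Matches ftp:// and http:// URLs as they appear in shell command lines (terminated by
/// space, quote, ';', '$', '>', ')' or '&').
let urlpat = RegularExpressions.Regex("(ftp://[^ ;\"]*[ \"]|http://[^ ;\"]*)[ \";$>)&]?")

/// Strips the shell punctuation the regex may have captured around a URL.
let matchToUrl (urlMatch : RegularExpressions.Match) =
    urlMatch.Value.Trim().Replace("\"", "").Replace(";", "").Replace(")", "").Replace(">", "")

/// All URLs in `row` (URL-decoded first, since attackers often percent-encode them).
let getUrl (row : string) : seq<string> =
    let matches = urlpat.Matches(HttpUtility.UrlDecode(row))
    Seq.map matchToUrl (Seq.cast<RegularExpressions.Match> matches)

/// Dotted-quad candidates; octet ranges are not validated here, IPAddress.Parse does that later.
let ippat = RegularExpressions.Regex("[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")

let getMatches (ipMatch : RegularExpressions.Match) = ipMatch.Value.Trim()

/// All IPv4-looking strings in `code`.
let getIp (code : string) : seq<string> =
    let matches = ippat.Matches(code)
    Seq.map getMatches (Seq.cast<RegularExpressions.Match> matches)

/// "ip:port" candidates inside a binary blob (read as ASCII).
let ipportpat = RegularExpressions.Regex("([0-9]{1,3}\.){3}[0-9]{1,3}:\d+")

let getIpPort (code : byte []) : seq<string> =
    let matches = ipportpat.Matches(Encoding.ASCII.GetString(code))
    Seq.map getMatches (Seq.cast<RegularExpressions.Match> matches)

/// Builds an IPv4/IPv6 indicator for `ipstr`, or None when it does not parse.
/// Other address families (the old string match threw MatchFailureException on them) yield None.
let ipToIndicator (ipstr : string) (description : string) : OtxIndicator option =
    try
        let ip = Net.IPAddress.Parse(ipstr)
        match ip.AddressFamily with
        | Sockets.AddressFamily.InterNetworkV6 -> Some { Type = "IPv6"; indicator = ipstr; description = description }
        | Sockets.AddressFamily.InterNetwork -> Some { Type = "IPv4"; indicator = ipstr; description = description }
        | _ -> None
    with
    | :? FormatException -> None
    | :? ArgumentNullException -> None

/// Crude IRC-bot heuristic: the payload carries both the NICK and JOIN commands.
let isIrcBot (code : string) : bool =
    code.Contains("NICK") && code.Contains("JOIN")

/// IPv4 strings found within five tokens of the word "server" in a bot's source/binary.
let botToServer (code : string) : seq<string> =
    code.Split(' ')                                                     // tokenize
    |> Seq.windowed 5
    |> Seq.filter (fun window -> (String.concat " " window).Contains("server")) // look near the server specification
    |> Seq.concat
    |> Set.ofSeq
    |> Seq.collect getIp

/// Indicators for the probable C2 servers of an IRC bot; [] when `code` does not look like one.
let botToIndicator (code : byte array) : OtxIndicator list =
    let text = Encoding.ASCII.GetString code
    if not (isIrcBot text) then []
    else
        text
        |> botToServer
        |> Seq.choose (fun ip -> ipToIndicator ip ("Possible IRC server for " + (md5 code)))
        |> List.ofSeq

/// MD5, SHA1 and SHA256 file-hash indicators for one blob.
let fileToIndicator (data : byte array) (description : string) : OtxIndicator list =
    [ (md5, "FileHash-MD5"); (sha1, "FileHash-SHA1"); (sha256, "FileHash-SHA256") ]
    |> List.map (fun (fn, fntype) -> { Type = fntype; indicator = fn data; description = description })

(*
let tryDownload(url : string) : byte [] option =
    try
        let client = new Net.WebClient()
        Some(client.DownloadData(url))
    with
    | :? Net.WebException as ex -> None
*)

(*
// try this instead http://furuya02.hatenablog.com/entry/20111121/1321834314
let myCallback (reader:IO.BinaryReader) url =
    let rec loop (sofar: byte []) : byte [] =
        let data = reader.ReadBytes(1024)
        match data.Length with
        | 0 -> data
        | _ -> loop (Array.append sofar data)
    loop (reader.ReadBytes(1024))
*)

/// Upper bound on the body pulled from an attacker-supplied URL. Honeypot droppers are
/// small; anything larger is truncated rather than buffered in memory. (Chosen limit.)
let maxDownloadBytes = 32 * 1024 * 1024

/// Fetches `url` and returns its body, or None on any network/URI error.
/// Every URL reaching this function was extracted from a honeypot log and is therefore
/// attacker-controlled, so: only http/https/ftp are fetched (a crafted file:// URL cannot
/// make the collector read and "store" local files), the read is capped at maxDownloadBytes,
/// and both connect and read have timeouts. The body is read to end-of-stream instead of
/// trusting Content-Length, so chunked responses (which the old ReadBytes(ContentLength)
/// turned into ArgumentOutOfRangeException and a silent None) now work.
/// NOTE(review): nothing rejects hosts that resolve to loopback/private ranges; if this runs
/// next to reachable internal services, resolve and check the address before fetching.
let tryDownload (url : string) : byte [] option =
    log 3 ">>>> tryDownload %s" url
    let readCapped (stream : Stream) : byte [] =
        use buffer = new MemoryStream()
        let chunk = Array.zeroCreate<byte> 8192
        let rec loop () =
            if buffer.Length < int64 maxDownloadBytes then
                let n = stream.Read(chunk, 0, chunk.Length)
                if n > 0 then
                    let room = maxDownloadBytes - int buffer.Length
                    buffer.Write(chunk, 0, min n room)
                    loop ()
        loop ()
        buffer.ToArray()
    try
        let uri = Uri(url)
        match uri.Scheme with
        | "http" | "https" | "ftp" ->
            let req = WebRequest.Create(uri)
            req.Timeout <- 5000
            match req with
            | :? HttpWebRequest as http -> http.ReadWriteTimeout <- 5000
            | _ -> ()
            use resp = req.GetResponse()
            use stream = resp.GetResponseStream()
            Some (readCapped stream)
        | _ -> None
    with
    | :? WebException -> None
    | :? UriFormatException -> None
    | :? ArgumentNullException -> None
    | :? ArgumentOutOfRangeException -> None
    | :? IOException -> None

/// Creates `dirname` and any missing parents (the `mkdir -p` semantics of the old version),
/// in-process instead of spawning /bin/mkdir with a formatted argument string.
let createDir (dirname : string) : DirectoryInfo =
    Directory.CreateDirectory(dirname)

/// Writes `data` to config.["malwaredir"]/<h0>/<h1>/<h2>/<h3>/<sha256> and returns that path.
/// All path components come from the hex digest, so attacker content cannot steer the
/// location; identical content lands on the same file and is simply overwritten.
let storeMalware (data : byte []) : string =
    let h = sha256 data
    let dir = createDir (Path.Combine(config.["malwaredir"], string h.[0], string h.[1], string h.[2], string h.[3]))
    let filename = Path.Combine(dir.FullName, h)
    File.WriteAllBytes(filename, data)
    filename

/// Turns an attacker-supplied URL into a URL indicator plus hostname/IP indicators for its
/// host. A DNS host is resolved live (the lookup is visible to whoever runs its name servers;
/// acceptable for a public feed, but worth knowing). Returns [] for malformed URLs and for
/// hosts on the exemptions list. Only the first line of `urlstr` is parsed.
let urlToIndicators (urlstr : string) (description : string) : OtxIndicator list =
    log 3 ">>>> urlToIndicators - %s" urlstr
    let hostIndicator (uri : Uri) =
        { Type = "hostname"; indicator = uri.Host; description = ("Hostname associated with " + description) }
    let domainToIndicator (uri : Uri) : OtxIndicator list =
        let resolved =
            try
                Net.Dns.GetHostAddresses(uri.Host)
                |> Array.choose (fun addr -> ipToIndicator (addr.ToString()) ("IP address associated with " + description))
                |> List.ofArray
            with
            | :? Net.Sockets.SocketException -> []   // unresolvable: keep the hostname only
        hostIndicator uri :: resolved
    let netlocToIndicator (uri : Uri) : OtxIndicator list =
        match uri.HostNameType with
        | UriHostNameType.Dns -> domainToIndicator uri
        | _ -> List.choose id [ ipToIndicator uri.Host ("IP addresses associated with " + description) ]
    if isNull urlstr then []
    else
        try
            let url = Uri(urlstr.Split('\n').[0])
            if Set.contains url.Host exemptions then []
            else { Type = "URL"; indicator = urlstr; description = description } :: netlocToIndicator url
        with
        | :? UriFormatException -> []
        | :? ArgumentNullException -> []

/// Reads the cowrie JSON log and returns the records of sessions on the given `system`
/// ("Telnet" or "SSH") together with file_download events, which carry no `system` field.
let getKippoRecords (system : string) : CowrieRecord list =
    let convertLine (line : string) : CowrieRecord = JsonConvert.DeserializeObject<CowrieRecord>(line)
    (* records that show downloads don't have the system field, so it deserialises to null *)
    let rewriteNullSystem (r : CowrieRecord) : CowrieRecord =
        match r.system with
        | null -> { r with system = "" }
        | _ -> r
    // IPv4 peers are logged as IPv4-mapped IPv6 ("::ffff:1.2.3.4"); keep the plain IPv4 form.
    let rewriteSrcIp (r : CowrieRecord) : CowrieRecord =
        match r.src_ip with
        | null -> r
        | ip -> { r with src_ip = ip.Replace("::ffff:", "") }
    let records =
        File.ReadAllLines(config.["kippojson"])
        |> Array.filter (fun line -> not (String.IsNullOrWhiteSpace line))
        |> Array.map convertLine
        |> List.ofArray
        |> List.map rewriteNullSystem
        |> List.map rewriteSrcIp
        |> List.filter (fun x ->
            x.system.Contains(system)
            || (not (isNull x.eventid) && x.eventid.Contains("cowrie.session.file_download")))
    // Session ids seen above; records without a session id are dropped by the final filter.
    let sessions =
        records
        |> List.map (fun x -> x.session)
        |> Set.ofList
        |> Set.filter (fun x -> x <> null)
    records
    |> List.filter (fun x -> Set.contains x.session sessions)

(* we do it this way to make sure we don't block on fetching
   content from websites that causes a delay, and logs roll over.
*)
let telnets = getKippoRecords "Telnet"
let sshs = getKippoRecords "SSH"

/// De-duplicates a list (the result is sorted; callers only need set semantics).
let distinctList (xs : 'a list) : 'a list = xs |> Set.ofList |> Set.toList

/// Fetches every URL indicator's target, dropping the ones that fail.
let downloadAll (urls : OtxIndicator list) : byte [] list =
    urls |> List.choose (fun x -> tryDownload x.indicator)

/// MD5/SHA1/SHA256 indicators for every blob, de-duplicated.
let hashAll (description : string) (blobs : byte [] list) : OtxIndicator list =
    blobs |> List.collect (fun blob -> fileToIndicator blob description) |> distinctList

/// Field `i` of a space-separated log line, or None when the line is too short
/// (a truncated line used to raise IndexOutOfRangeException and abort the whole run).
let field (i : int) (line : string) : string option =
    let parts = line.Split(' ')
    if parts.Length > i then Some parts.[i] else None

/// Assembles a Public, TLP:green pulse, dropping every indicator whose value is exempted.
let mkPulse (name : string) (tags : string list) (description : string) (indicators : OtxIndicator list) : OtxPulse =
    { name = name
      Public = true
      tags = tags
      references = []
      TLP = "green"
      description = description
      indicators = indicators |> List.filter (fun x -> not (Set.contains x.indicator exemptions)) }

/// Telnet honeypot pulse: attacker IPs, injected URLs (plus the URLs found inside what they
/// serve), hashes of everything fetched, and ip:port strings found inside the payloads
/// (suspected C2). Both download stages are now stored and hashed; the previous version kept
/// only the second stage and discarded the droppers themselves.
let telnetlogs (date : DateTime) : OtxPulse =
    log 3 ">>> telnetlogs"
    let today = date.ToString("yyyy-MM-dd")
    let records = telnets
    let ips =
        records
        |> List.map (fun x -> x.src_ip)
        |> distinctList
        |> List.choose (fun x -> ipToIndicator x "Telnet bruteforce client IP")
    log 3 ">>> read IPs"
    let urls =
        records
        |> List.map (fun x -> x.url)
        |> List.filter (fun x -> x <> null && x <> "redir")
        |> distinctList
        |> List.collect (fun x -> urlToIndicators x "URL injected into Telnet honeypot")
        |> distinctList
    log 3 ">>> read urls"
    let firstStage = downloadAll urls
    log 3 ">>> read first contents"
    // Droppers usually reference a second stage; harvest and fetch those too.
    let extraurls =
        firstStage
        |> List.map (fun x -> Encoding.ASCII.GetString x)
        |> Seq.collect getUrl
        |> Set.ofSeq
        |> Set.toList
        |> List.collect (fun x -> urlToIndicators x "URL injected into Telnet honeypot")
    log 3 ">>> read extraurls"
    let secondStage = downloadAll extraurls
    log 3 ">>> read second contents"
    let contents = firstStage @ secondStage
    contents |> List.iter (storeMalware >> ignore)
    log 3 ">>> stored contents"
    let filehashes = hashAll "Telnet honeypot downloaded file" contents
    log 3 ">>> hashed files"
    let c2indicators =
        contents
        |> Seq.collect getIpPort
        |> Seq.distinct
        |> Seq.choose (fun (ipport : string) ->
            match ipport.Split(':') with
            | [| ip; port |] -> ipToIndicator ip ("Suspected malware C2 on port " + port)
            | _ -> None)
        |> Seq.toList
    log 3 ">>> got c2 indicators"
    let allurls = distinctList (urls @ extraurls)
    GC.Collect()
    mkPulse ("Telnet honeypot logs for " + today)
            ["Telnet"; "bruteforce"; "honeypot"]
            "Telnet honeypot logs for brute force attackers from a US /32"
            (ips @ allurls @ filehashes @ c2indicators)

/// SSH honeypot pulse: attacker IPs, injected URLs and their hashes, hashes of the files
/// cowrie captured today, and IRC C2 candidates found in those captures.
let kippologs (date : DateTime) : OtxPulse =
    log 3 ">>> kippologs"
    let today = date.ToString("yyyy-MM-dd")
    // 2016-11-03T09:21:29-0400 [cowrie.ssh.factory.CowrieSSHFactory] New connection: 42.114.236.213:63526 (::ffff:192.168.1.50:2222) [session: a4f8ed71]
    let records = sshs
    let ips =
        records
        |> List.map (fun x -> x.src_ip)
        |> distinctList
        |> List.choose (fun x -> ipToIndicator x "SSH bruteforce client IP")
    log 3 ">>> read IPs"
    let urls =
        records
        |> List.map (fun x -> x.url)
        |> List.filter (fun x -> x <> null && x <> "redir")
        |> distinctList
        |> List.collect (fun x -> urlToIndicators x "URL injected into SSH honeypot")
        |> distinctList
    let contents = downloadAll urls
    log 3 ">>>> now calling fileToIndicator on downloaded content"
    let dlfilehashes = hashAll "SSH honeypot downloaded file" contents
    let dir = DirectoryInfo(config.["kippodldir"])
    let todaystr = date.ToString("yyyyMMdd*")
    log 3 ">>>> gathering today's files for analysis"
    // Today's captures by filename prefix; "-redir__var" entries (presumably shell
    // redirection artefacts) and empty files are skipped.
    let files =
        dir.EnumerateFiles(todaystr)
        |> Seq.filter (fun x -> not (x.FullName.Contains("-redir__var")) && x.Length > 0L)
        |> Seq.map (fun x -> File.ReadAllBytes(x.FullName))
        |> Seq.toList
    log 3 ">>>> now hashing today's files"
    let filehashes = hashAll "SSH honeypot downloaded file" files
    log 3 ">>>> now looking for today's IRC servers"
    let ircservers = files |> List.collect botToIndicator |> distinctList
    GC.Collect()
    mkPulse ("SSH honeypot logs for " + today)
            ["SSH"; "bruteforce"; "honeypot"]
            "SSH honeypot logs for brute force attackers from a US /32"
            (ips @ filehashes @ dlfilehashes @ urls @ ircservers)

/// phpMyAdmin honeypot pulse: attacker IPs, injected URLs, hashes of what they serve and
/// IRC C2 candidates inside it.
let pmalogs (date : DateTime) : OtxPulse =
    log 3 ">>> pmalogs"
    let today = date.ToString("yyyy-MM-dd")
    let lines =
        File.ReadAllLines(config.["phpmyadminlog"])
        |> Array.filter (fun x -> x.StartsWith(today))
        |> Array.filter (fun x -> x.Length > 100)        // short lines are noise, not injection attempts
        |> Array.map (fun x -> x.Replace("\\", ""))      // undo the log's backslash escaping
    let ips =
        lines
        |> Array.choose (field 1)
        |> Array.toList
        |> distinctList
        |> List.choose (fun x -> ipToIndicator x "phpMyAdmin attacker client IP")
    let urls =
        lines
        |> Seq.collect getUrl
        |> Seq.distinct
        |> Seq.collect (fun x -> urlToIndicators x "URL injected into phpMyAdmin page")
        |> Seq.toList
    let contents = downloadAll urls
    contents |> List.iter (storeMalware >> ignore)
    let filehashes = hashAll "phpMyAdmin injected malware hash" contents
    let ircservers = contents |> List.collect botToIndicator |> distinctList
    GC.Collect()
    mkPulse ("phpMyAdmin honeypot logs for " + today)
            ["phpMyAdmin"; "honeypot"]
            "phpMyAdmin honeypot logs from a US /32"
            (ips @ urls @ filehashes @ ircservers)

/// WordPress honeypot pulse: login brute-forcers, xmlrpc.php DDoS clients and the victim URLs
/// they asked us to hit (field 4 of the xmlrpc log).
let wordpotlogs (date : DateTime) : OtxPulse =
    log 3 ">>> wordpotlogs"
    let today = date.ToString("yyyy-MM-dd")
    let todaysLines (path : string) =
        File.ReadAllLines(path) |> Array.filter (fun x -> x.StartsWith(today))
    let clientIps (description : string) (lines : string []) =
        lines
        |> Array.choose (field 1)
        |> Array.toList
        |> distinctList
        |> List.choose (fun x -> ipToIndicator x description)
    let ips = todaysLines config.["wordpotlog"] |> clientIps "WordPress bruteforce login client IP"
    let ddoslines = todaysLines config.["xmlrpc_ddoslog"]
    let ddosips = ddoslines |> clientIps "WordPress xmlrpc.php DDoS client IP"
    let ddosvictims =
        ddoslines
        |> Array.choose (field 4)
        |> Array.toList
        |> List.collect (fun x -> urlToIndicators x "Wordpress xmlrpc.php DDoS victim")
        |> distinctList
    GC.Collect()
    mkPulse ("WordPress honeypot logs for " + today)
            ["wordpress"; "honeypot"; "bruteforce"]
            "WordPress honeypot logs for DDoS tracking and authentcation brute force from a US /32"
            (ips @ ddosips @ ddosvictims)

/// Apache honeypot pulse: clients matching the web-IDS rules, URLs they injected (and what
/// those serve), IRC C2 candidates, and clients with an excessive non-2xx error rate.
/// Rows are the access log split into at most 12 space-separated fields; the indices used
/// (0 = client, 6 = request path, 8 = status, 11 = trailing field) assume Apache's combined
/// log format — confirm if the vhost uses a custom LogFormat.
let apachelogs (date : DateTime) : OtxPulse =
    log 3 ">>> apachelogs"
    let today = date.ToString("dd/MMM/yyyy")
    // Today's entries may be split across the live log and its first rotation.
    let readToday (path : string) =
        if File.Exists path then
            File.ReadAllLines(path) |> Array.filter (fun x -> x.Contains("[" + today))
        else [||]
    let lines = Array.append (readToday config.["accesslog"]) (readToday (config.["accesslog"] + ".0"))
    let rules_json = File.ReadAllText(config.["wwwids_rules"])
    let rules = JsonConvert.DeserializeObject<WwwidsRule list>(rules_json)
    let splitRow (line : string) = line.Split([|' '|], 12)
    // Plain substring match of rule.pat against the URL-decoded path and trailing field.
    let checkOneRule (rule : WwwidsRule) (row : string []) : (WwwidsRule * string []) option =
        if (Web.HttpUtility.UrlDecode(row.[6])).Contains(rule.pat)
           || (Web.HttpUtility.UrlDecode(row.[11])).Contains(rule.pat)
        then Some (rule, row)
        else None
    let checkRules (rules : WwwidsRule list) (row : string []) : (WwwidsRule * string []) list =
        rules |> List.choose (fun rule -> checkOneRule rule row)
    // Parsed first so the indicator carries the canonical form of the address; an unparsable
    // client field yields None instead of an uncaught FormatException (the old catch clause
    // named StackOverflowException, which cannot be caught at all).
    let checkedRowToIndicator (rule : WwwidsRule, row : string []) : OtxIndicator option =
        match Net.IPAddress.TryParse(row.[0]) with
        | true, ip -> ipToIndicator (ip.ToString()) (rule.name + " attempt client IP")
        | _ -> None
    let rulehits =
        lines
        |> Array.map splitRow
        |> Array.filter (fun row -> row.Length = 12 && row.[8].StartsWith("40"))   // 4xx only
        |> Array.toList
        |> List.collect (checkRules rules)
    let indicators = rulehits |> List.choose checkedRowToIndicator |> distinctList
    // Rules with checkurl >= 0 name the field to harvest injected URLs from.
    let urls =
        rulehits
        |> List.filter (fun (rule, row) -> rule.checkurl > -1 && rule.checkurl < row.Length)
        |> List.collect (fun (rule, row) ->
            getUrl (Uri.UnescapeDataString(row.[rule.checkurl]))
            |> Seq.map (fun u -> (rule, u))
            |> Seq.toList)
        |> distinctList
        |> List.collect (fun (rule, x) -> urlToIndicators x ("Injected URL - " + rule.name))
        |> distinctList
    let contents = downloadAll urls
    contents |> List.iter (storeMalware >> ignore)
    let fileindicators = hashAll "Injected URL file hash" contents
    let ircservers = contents |> List.collect botToIndicator
    // Clients with more than config.["httperrorrate"] non-2xx responses today look like scanners.
    let errorThreshold = int config.["httperrorrate"]
    let errorclients =
        lines
        |> Array.map splitRow
        |> Array.filter (fun row -> row.Length > 8 && not (row.[8].StartsWith("20")))
        |> Array.map (fun row -> row.[0])
        |> Seq.countBy id
        |> Seq.filter (fun (_, n) -> n > errorThreshold)
        |> Seq.toList
        |> List.choose (fun (ip, _) -> ipToIndicator ip "Excessive errors - possible probe activity")
    GC.Collect()
    mkPulse ("Apache honeypot logs for " + today)
            ["apache"; "honeypot"; "exploits"]
            "Apache honeypot logs for common exploit attempts from a US /32"
            (indicators @ fileindicators @ ircservers @ urls @ errorclients)

/// Redis honeypot pulse: connecting clients, injected URLs, and the hosts named in
/// SLAVEOF commands (attacker infrastructure the honeypot was told to replicate from).
let redislogs (date : DateTime) : OtxPulse =
    log 3 ">>> redislogs"
    let today = date.ToString("yyyy-MM-dd")
    let lines =
        File.ReadAllLines(config.["redispotlog"])
        |> Array.filter (fun x -> x.StartsWith(today))
    // The client address is the last whitespace-separated token of the "New connection" line.
    let clients =
        lines
        |> Array.filter (fun x -> x.Contains("[redispot.redisdeploy.RedisServerFactory] New connection"))
        |> Array.map (fun x -> let parts = x.Split() in parts.[parts.Length - 1])
        |> Array.toList
        |> distinctList
        |> List.choose (fun x -> ipToIndicator x "Redis brute force authentication activity")
    let urls =
        lines
        |> Array.filter (fun x -> x.Contains("[RedisServer"))
        |> Seq.collect getUrl
        |> Seq.distinct
        |> Seq.collect (fun x -> urlToIndicators x "URL injected into Redis honeypot")
        |> Seq.toList
        |> distinctList
    let upstreams =
        lines
        |> Array.filter (fun x -> x.ToLower().Contains("slaveof"))
        |> Array.choose (fun x ->
            match x.Split(']') with
            | parts when parts.Length > 1 -> Some parts.[1]   // text after the logger tag
            | _ -> None)
        |> Seq.collect getIp
        |> Seq.distinct
        |> Seq.toList
        |> List.choose (fun x -> ipToIndicator x "IP injected into Redis honeypot with 'slaveof' command")
    mkPulse ("Redis honeypot logs for " + today)
            ["redis"; "honeypot"]
            "Redis honeypot authentication attempts from a US /32"
            (clients @ urls @ upstreams)

/// VNC honeypot pulse: clients that sent an auth response or a bad protocol version.
let vnclogs (date : DateTime) : OtxPulse =
    log 3 ">>> vnclogs"
    let today = date.ToString("yyyy/MM/dd")
    let lines =
        File.ReadAllLines(config.["vncpotlog"])
        |> Array.filter (fun x -> x.StartsWith(today))
    // Third whitespace token is client ip:port; keep the address part.
    let clients =
        lines
        |> Array.filter (fun x -> x.Contains("uth response:") || x.Contains("bad version"))
        |> Array.choose (fun x ->
            let parts = x.Split()
            if parts.Length > 2 then Some (parts.[2].Split(':').[0]) else None)
        |> Array.toList
        |> distinctList
        |> List.choose (fun x -> ipToIndicator x "VNC brute force authentication activity")
    mkPulse ("VNC honeypot logs for " + today)
            ["vnc"; "honeypot"]
            "VNC honeypot authentication attempts from a US /32"
            clients

/// PostgreSQL honeypot pulse: source addresses of today's "info" level pghoney records.
let psqllogs (date : DateTime) : OtxPulse =
    log 3 ">>> psqllogs"
    let today = date.ToString("yyyy-MM-dd")
    let convertLine (line : string) : PghoneyRecord = JsonConvert.DeserializeObject<PghoneyRecord>(line)
    let lines =
        File.ReadAllLines(config.["pghoneylog"])
        |> Array.filter (fun x -> not (String.IsNullOrWhiteSpace x))
        |> Array.map convertLine
        |> Array.filter (fun x -> not (isNull x.time) && x.time.StartsWith(today))
    let clients =
        lines
        |> Array.filter (fun x -> x.level = "info")
        |> Array.map (fun x -> x.source_ip)
        |> Array.toList
        |> distinctList
        |> List.choose (fun x -> ipToIndicator x "PostgresQL brute force authentication activity")
    mkPulse ("PostgresQL honeypot logs for " + today)
            ["postgres"; "honeypot"]
            "PostgresQL honeypot authentication attempts from a US /32"
            clients

let rdplogs (date:DateTime): OtxPulse =
    log 3 ">>> rdplogs"
    let today = date.ToString("yyyy/MM/dd")
    let clients = File.ReadAllLines(config.["rdppotlog"])
                    |> Array.filter(fun x -> x.StartsWith(today))
                    |> Array.filter(fun x -> x.Contains("Connection received from"))
                    |> Array.map (fun x ->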
x.Split().[6].Split(':').[0]) 629 | |> Set.ofArray 630 | |> Set.map (fun x -> ipToIndicator x "RDP brute force authentication activity") 631 | |> Set.toList 632 | |> List.choose id 633 | {name = "RDP honeypot logs for " + today; 634 | Public = true; 635 | tags = ["RDP"; "honeypot"]; 636 | references = []; 637 | TLP = "green"; 638 | description = "RDP honeypot authentication attempts from a US /32"; 639 | indicators = List.filter(fun x -> Set.contains x.indicator exemptions <> true) clients} 640 | 641 | let webshellbackdoorlogs (date:DateTime): OtxPulse = 642 | log 3 ">>> webshellbackdoorlogs" 643 | let today = date.ToString("yyyy/MM/dd") 644 | 645 | let convertLine (line: string) : BackdoorRecordPayload = 646 | try 647 | JsonConvert.DeserializeObject(line) 648 | with 649 | | :? Newtonsoft.Json.JsonSerializationException -> JsonConvert.DeserializeObject(line.Replace(":[]}", ":{}}")) 650 | | :? System.InvalidOperationException -> JsonConvert.DeserializeObject("{}") 651 | 652 | let lines = File.ReadAllLines(config.["backdoorlog"]) 653 | 654 | let clients = lines 655 | |> Array.map (fun x -> x.Replace(":[]}", ":{}}")) 656 | |> Array.map convertLine 657 | |> Array.map (fun x -> x.client_ip) 658 | |> Set.ofArray 659 | |> Set.map (fun x -> ipToIndicator x "Webshell backdoor injection activity client") 660 | |> Set.toList 661 | |> List.choose id 662 | 663 | {name = "Webshell backdoor honeypot logs for " + today; 664 | Public = true; 665 | tags = ["webshell"; "backdoor"; "honeypot"]; 666 | references = []; 667 | TLP = "green"; 668 | description = "Webshell backdoor injection attempts from a US /32"; 669 | indicators = List.filter(fun x -> Set.contains x.indicator exemptions <> true) clients} 670 | 671 | let upload (otx: OtxPulse) = 672 | log 2 "uploading ..." 
673 | let json = JsonConvert.SerializeObject(otx).Replace("Type", "type").Replace("Public", "public") 674 | log 3 "%s" json 675 | use wc = new Net.WebClient() 676 | wc.Headers.Add("X-OTX-API-KEY", config.["apikey"]) 677 | wc.Headers.Set("User-Agent", "OTX .Net SDK") 678 | wc.Headers.Set("Content-Type", "application/json") 679 | try 680 | let reply = wc.UploadString("https://otx.alienvault.com:443/api/v1/pulses/create", json) 681 | log 3 "%A" reply 682 | with 683 | | :? Net.WebException as ex -> log 0 "%A" ex 684 | otx 685 | 686 | let symlink (source:string) (dest:string) = 687 | log 2 "symlinking ..." 688 | let p = new Diagnostics.Process() 689 | p.StartInfo.FileName <- "/bin/ln" 690 | p.StartInfo.Arguments <- String.Format("-fs {0} {1}", source, dest) 691 | p.StartInfo.RedirectStandardOutput <- true 692 | p.StartInfo.UseShellExecute <- false 693 | p.Start() |> ignore 694 | p.StandardOutput.ReadToEnd() |> ignore 695 | () 696 | 697 | let store (date:DateTime) (doSymlink: bool) (otx: OtxPulse) = 698 | log 2 "storing ..." 
699 | let json = JsonConvert.SerializeObject(otx).Replace("Type", "type").Replace("Public", "public") 700 | let today = date.ToString("yyyyMMdd") 701 | let dir = createDir("/Library/WebServer/Documents/data/" + otx.name.Split(' ').[0]) 702 | let filename = dir.FullName + "/" + today + ".txt" 703 | File.WriteAllText(filename, json) 704 | match doSymlink with 705 | | true -> symlink (FileInfo(filename).Name) (dir.FullName + "/" + "latest.txt") 706 | | _ -> () 707 | 708 | [] 709 | let main args = 710 | let today = DateTime.Today 711 | let results = [pmalogs; wordpotlogs; apachelogs; redislogs; vnclogs; psqllogs; rdplogs; webshellbackdoorlogs; kippologs; telnetlogs; ] 712 | |> List.map (fun fn -> fn today) 713 | |> List.filter (fun x -> not (List.isEmpty (x.indicators))) 714 | match Array.tryFind (fun x -> x = "-d") args with 715 | | None -> List.map (fun x -> upload x) results 716 | |> List.iter (fun x -> store today true x) 717 | |> ignore 718 | | Some(_) -> List.iter (fun x -> log 3 "%A" x) results |> ignore 719 | results 720 | |> List.iter (fun x -> store today false x) 721 | |> ignore 722 | 0 723 | -------------------------------------------------------------------------------- /owa_pulse.fs: -------------------------------------------------------------------------------- 1 | open System 2 | open System.IO 3 | open System.Text 4 | 5 | open Newtonsoft.Json 6 | 7 | open Log 8 | 9 | type OtxIndicator = { 10 | Type : string; 11 | indicator : string; 12 | description : string; 13 | role : string 14 | } 15 | 16 | type OtxPulse = { 17 | name : string; 18 | description : string; 19 | Public : bool; 20 | TLP : string; 21 | indicators : OtxIndicator list; 22 | tags : string list; 23 | references : string list; 24 | attack_ids : string list 25 | } 26 | 27 | (* 28 | { 29 | "timestamp": "2022-04-14T03:50:56+00:00", 30 | "action": "authenticate", 31 | "REMOTE_ADDR": "46.246.122.77", 32 | "username": "destinee46", 33 | "password": "Idell2013!", 34 | "passwordText": "", 35 | 
"HTTP_USER_AGENT": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/99.0.4844.59 Mobile/15E148 Safari/604.1" 36 | } 37 | *) 38 | 39 | type OwapotEvent = { 40 | timestamp : string; 41 | action : string; 42 | REMOTE_ADDR : string; 43 | username : string; 44 | password : string; 45 | p.Start() |> ignore 46 | p.StandardOutput.ReadToEnd() |> ignore 47 | () 48 | 49 | let store (date:DateTime) (doSymlink: bool) (otx: OtxPulse) = 50 | let json = JsonConvert.SerializeObject(otx).Replace("Type", "type").Replace("Public", "public") 51 | let today = date.ToString("yyyyMMdd") 52 | let dir = createDir("/Library/WebServer/Documents/data/" + otx.name.Split(' ').[0]) 53 | let filename = dir.FullName + "/" + today + ".txt" 54 | File.WriteAllText(filename, json) 55 | match doSymlink with 56 | | true -> symlink (FileInfo(filename).Name) (dir.FullName + "/" + "latest.txt") 57 | | _ -> () 58 | 59 | [] 60 | let main args = 61 | let today = DateTime.Today 62 | [ owalogs; ] 63 | |> List.map (fun fn -> fn today) 64 | |> List.filter (fun x -> not (List.isEmpty (x.indicators))) 65 | |> List.map (fun x -> store today true x) 66 | |> ignore 67 | 0 -------------------------------------------------------------------------------- /paket.dependencies: -------------------------------------------------------------------------------- 1 | source http://nuget.org/api/v2 2 | 3 | nuget Accord = 3.4.0 4 | nuget Accord.Extensions.Math = 3.0.1 5 | nuget Newtonsoft.Json = 8.0.3 6 | nuget FAKE ~> 3.4 7 | 8 | // figure out how to integrate 9 | http http://www.fssnip.net/8j log.fs 10 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | jsonschema==2.6.0 2 | -------------------------------------------------------------------------------- /threat_crowd.fs: 
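--------------------------------------------------------------------------------
open System
open System.IO
open System.Text

open Newtonsoft.Json
open Newtonsoft.Json.Linq


// from http://www.fssnip.net/8j
/// Log levels. Lower numbers are more severe.
let Error = 0
let Warning = 1
let Information = 2
let Debug = 3

/// Human-readable name of a log level; anything outside 0..3 is "Unknown".
let LevelToString level =
    match level with
    | 0 -> "Error"
    | 1 -> "Warning"
    | 2 -> "Information"
    | 3 -> "Debug"
    | _ -> "Unknown"

/// The current log level. ConsoleLogger drops messages whose level is above it.
/// Defaults to Debug, i.e. everything is printed until a caller lowers it.
let mutable current_log_level = Debug

/// The interface loggers need to implement.
type ILogger = abstract Log : int -> Printf.StringFormat<'a,unit> -> 'a

/// Writes to console, prefixing each line with the level name and a timestamp.
/// The level check happens after formatting so the format arguments are always
/// consumed, regardless of current_log_level.
let ConsoleLogger = {
    new ILogger with
        member __.Log level format =
            let emit (message: string) =
                if level <= current_log_level then
                    printfn "[%s][%A] %s" (LevelToString level) System.DateTime.Now message
            Printf.kprintf emit format
}

/// Defines which logger to use.
let mutable DefaultLogger = ConsoleLogger

/// Logs a message with the specified logger.
let logUsing (logger: ILogger) = logger.Log

/// Logs a message using the default logger.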
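let log level message = logUsing DefaultLogger level message

// https://github.com/threatcrowd/ApiV2
// Response shapes of the ThreatCrowd v2 search API. Field names must match the
// JSON keys exactly: they are populated by JsonConvert.DeserializeObject below.

type ThreatCrowdHashReport = {
    response_code: string
    md5: string
    sha1: string
    scans: string list
    ips: string list
    domains: string list
    references: string list
    permalink: string }

type ThreatCrowdIpResolution = {
    last_resolved: string
    domain: string }

type ThreatCrowdIpReport = {
    response_code: string
    resolutions: ThreatCrowdIpResolution list
    hashes : string list
    references: string list
    votes: int
    permalink: string }

type ThreatCrowdEmailReport = {
    response_code: string
    domains: string list
    references: string list
    permalink: string }

type ThreatCrowdDomainResolution = {
    last_resolved: string
    ip_address: string }

type ThreatCrowdDomainReport = {
    response_code: string
    resolutions: ThreatCrowdDomainResolution list
    hashes: string list
    emails: string list
    subdomains: string list
    references: string list
    votes: int
    permalink: string }

type ThreatCrowdAVReport = {
    response_code: string
    hashes: string list
    references: string list
    permalink: string }

/// Fetches `url` with /usr/bin/curl and returns the response body as a string.
/// Security notes:
///  - the URL is parsed as an absolute https URI and handed to curl as a single
///    double-quoted argument, so an indicator value containing spaces or quotes
///    cannot smuggle extra curl options (e.g. "-o <path>") into the argument string;
///  - certificate verification stays enabled (the previous version passed -k,
///    which would let anyone on the path feed the collector forged threat data);
///  - --max-time bounds how long the collector can hang on an unresponsive feed.
/// Raises ArgumentException for a malformed or non-https URL. A curl failure
/// typically yields an empty body, which callers pass straight to the JSON
/// deserializer.
let downloadJson (url : string ) : string =
    let uri =
        match Uri.TryCreate(url, UriKind.Absolute) with
        | true, u when u.Scheme = Uri.UriSchemeHttps -> u
        | _ -> invalidArg "url" ("downloadJson expects an absolute https URL, got: " + url)
    // AbsoluteUri is percent-encoded, but guard explicitly before quoting it.
    let target = uri.AbsoluteUri
    if target.IndexOfAny([| '"'; ' '; '\t'; '\r'; '\n' |]) >= 0 then
        invalidArg "url" "downloadJson: URL contains characters that cannot be passed to curl safely"
    use p = new Diagnostics.Process()
    p.StartInfo.FileName <- "/usr/bin/curl"
    p.StartInfo.Arguments <- String.Format("-s --max-time 60 \"{0}\"", target)
    p.StartInfo.RedirectStandardOutput <- true
    p.StartInfo.UseShellExecute <- false
    p.Start() |> ignore
    let body = p.StandardOutput.ReadToEnd()
    // Reap the child so a long run of lookups does not accumulate zombies.
    p.WaitForExit()
    body

/// Looks up a file hash in ThreatCrowd's file report endpoint.
let dataByHash(hash: string): ThreatCrowdHashReport =
    // Percent-encode the indicator: '&', '#' or whitespace in a caller-supplied
    // value must not add query parameters or break the curl argument string.
    let url = String.Format("https://www.threatcrowd.org/searchApi/v2/file/report/?resource={0}", Uri.EscapeDataString(hash))
    log 3 "%s" url
    let res = downloadJson url
    JsonConvert.DeserializeObject(res)

let dataByEmail(email: string)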
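: ThreatCrowdEmailReport =
    // Percent-encode the indicator: '&', '#' or whitespace in a caller-supplied
    // value must not add query parameters or break the curl argument string.
    let url = String.Format("https://www.threatcrowd.org/searchApi/v2/email/report/?email={0}", Uri.EscapeDataString(email))
    log 3 "%s" url
    let res = downloadJson url
    // NOTE(review): an empty or non-JSON body (e.g. a failed curl) is not handled
    // here; DeserializeObject is expected to yield null for "" — callers should check.
    JsonConvert.DeserializeObject(res)

/// Looks up a domain in ThreatCrowd's domain report endpoint
/// (resolutions, hashes, emails, subdomains, references, votes).
let dataByDomain(domain: string) : ThreatCrowdDomainReport =
    let url = String.Format("https://www.threatcrowd.org/searchApi/v2/domain/report/?domain={0}", Uri.EscapeDataString(domain))
    log 3 "%s" url
    let res = downloadJson url
    JsonConvert.DeserializeObject(res)

/// Looks up an IP address in ThreatCrowd's IP report endpoint.
let dataByIp(ip: string) : ThreatCrowdIpReport =
    let url = String.Format("https://www.threatcrowd.org/searchApi/v2/ip/report/?ip={0}", Uri.EscapeDataString(ip))
    log 3 "%s" url
    let res = downloadJson url
    JsonConvert.DeserializeObject(res)

/// Looks up an antivirus detection name in ThreatCrowd's antivirus report endpoint.
let dataByAntivirus(avname: string) : ThreatCrowdAVReport =
    let url = String.Format("https://www.threatcrowd.org/searchApi/v2/antivirus/report/?antivirus={0}", Uri.EscapeDataString(avname))
    log 3 "%s" url
    let res = downloadJson url
    JsonConvert.DeserializeObject(res)
--------------------------------------------------------------------------------
/wwwids_rules.json:
--------------------------------------------------------------------------------
[
  {
    "ref": "http://www.frsirt.com/english/advisories/2005/2473",
    "cve": "CVE-2005-3738",
    "pat": "index.php?option=com_sef&Itemid=&mosConfig_absolute_path=",
    "checkurl": 6,
    "name": "Mambo \"mosConfig_absolute_path\" Remote File Inclusion Vulnerability"
  },
  {
    "ref": "https://vulners.com/seebug/SSV:97118",
    "cve": "CVE-NOMATCH",
    "pat": "../../mnt/custom/ProductDefinition",
    "checkurl": -1,
    "name": "HiSilicon directory traversal"
  },
  {
    "ref": "",
    "cve": "CVE-NOMATCH",
    "pat": "/cowedit/class.cowedit.php?ToDo=InsertFunction&DEP=",
    "checkurl": -1,
    "name": "CowEdit file include"
  },
  {
    "ref":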
"http://eromang.zataz.com/2011/08/14/suc027-muieblackcat-setup-php-web-scanner-robot/", 25 | "cve": "CVE-NOMATCH", 26 | "pat": "/muieblackcat", 27 | "checkurl": -1, 28 | "name": "muieblackcat script scan" 29 | }, 30 | { 31 | "ref": "http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php", 32 | "cve": "CVE-2009-1151", 33 | "pat": "/scripts/setup.php", 34 | "checkurl": -1, 35 | "name": "phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE" 36 | }, 37 | { 38 | "ref": "http://www.nessus.org/plugins/index.php?view=single&id=21189", 39 | "cve": "CVE-2004-2740", 40 | "pat": "/phprojekt/lib/config.inc.php?path_pre=", 41 | "checkurl": 6, 42 | "name": "PHProjekt path_pre Parameter Remote File Include Vulnerability" 43 | }, 44 | { 45 | "ref": "http://www.exploit-db.com/exploits/33803/", 46 | "cve": "CVE-2014-4019", 47 | "pat": "/rom-0", 48 | "checkurl": -1, 49 | "name": "ZyNOS ROM-0 Exploit Scan" 50 | }, 51 | { 52 | "ref": "http://www.iss.net/security_center/reference/vuln/HTTP_testcgi.htm", 53 | "cve": "CVE-1999-0070", 54 | "pat": "/cgi-bin/test", 55 | "checkurl": -1, 56 | "name": "Test-cgi sample CGI script allows remote retrieval of file listings" 57 | }, 58 | { 59 | "ref": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823", 60 | "cve": "CVE-2012-1823", 61 | "pat": "/hndUnblock.cgi", 62 | "checkurl": -1, 63 | "name": "theMoon malware" 64 | }, 65 | { 66 | "cve": "CVE-2014-6271", 67 | "pat": "() { :;};", 68 | "name": "shellshock exploit", 69 | "checkurl": 11, 70 | "ref": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271" 71 | }, 72 | { 73 | "ref": "http://osvdb.org/show/osvdb/44453", 74 | "cve": "CVE-2008-1893", 75 | "pat": "index.php?ilang=", 76 | "checkurl": -1, 77 | "name": "W2B Online Banking index.php ilang Variable Remote File Inclusion" 78 | }, 79 | { 80 | "ref": "http://digital-era.net/plaintext-supermicro-ipmi-credentials-exposed/", 81 | "cve": "CVE-NOMATCH", 82 | "pat": "/PSBlock", 83 | "checkurl": -1, 84 | "name": "Supermicro 
IPMI PSBlock Scan" 85 | }, 86 | { 87 | "ref": "http://downloads.securityfocus.com/vulnerabilities/exploits/woltlab_sql_poc.pl", 88 | "cve": "CVE-NOMATCH", 89 | "pat": "from+bb1_users", 90 | "checkurl": -1, 91 | "name": "Woltlab Burning Board SQL Injection Vulnerability" 92 | }, 93 | { 94 | "ref": "", 95 | "cve": "CVE-NOMATCH", 96 | "pat": "/index.php?error=", 97 | "checkurl": 6, 98 | "name": "index.php error Parameter Remote File Include Vulnerability" 99 | }, 100 | { 101 | "ref": "http://www.securityfocus.com/bid/32051/info", 102 | "cve": "CVE-NOMATCH", 103 | "pat": "from+netrisk_users+where", 104 | "checkurl": -1, 105 | "name": "NetRisk SQL Injection Vulnerability" 106 | }, 107 | { 108 | "ref": "http://www.tripwire.com/state-of-security/latest-security-news/supermicro-motherboards-broadcast-admin-passwords/", 109 | "cve": "CVE-NOMATCH", 110 | "pat": "/IPMIdevices.xml", 111 | "checkurl": -1, 112 | "name": "Supermicro Onboard IPMI Admin Password" 113 | }, 114 | { 115 | "ref": "http://blog.imperva.com/2014/03/threat-advisory-php-cgi-at-your-command.html", 116 | "cve": "CVE-2012-1823", 117 | "pat": "/cgi-bin/php", 118 | "checkurl": -1, 119 | "name": "PHP CGI command injection" 120 | }, 121 | { 122 | "ref": "http://forum.joomla.org/viewtopic.php?f=267&t=552124", 123 | "cve": "CVE-NOMATCH", 124 | "pat": "/administrator/index.php", 125 | "checkurl": -1, 126 | "name": "Joomla brute force scan" 127 | }, 128 | { 129 | "ref": "https://www.acunetix.com/vulnerabilities/web/jboss-httpadaptor-jmxinvokerservlet", 130 | "cve": "CVE-2007-1036", 131 | "pat": "/invoker/JMXInvokerServlet", 132 | "checkurl": -1, 133 | "name": "JBoss HttpAdaptor JMXInvokerServlet WAR deployment exploit" 134 | }, 135 | { 136 | "ref": "http://www.securityfocus.com/bid/18327", 137 | "cve": "CVE-2006-2644", 138 | "pat": "/awstats.pl?logfile=", 139 | "checkurl": -1, 140 | "name": "AWStats LFI exploit" 141 | }, 142 | { 143 | "ref": "http://www.securityfocus.com/bid/12298", 144 | "cve": "CVE-2005-0116", 145 | 
"pat": "/awstats.pl?configdir=|", 146 | "checkurl": -1, 147 | "name": "AWStats command injection exploit" 148 | }, 149 | { 150 | "ref": "https://www.exploit-db.com/exploits/6368/", 151 | "cve": "CVE-2008-3922", 152 | "pat": "/awstatstotals.php?sort=%7b%24%7bpassthru", 153 | "checkurl": -1, 154 | "name": "AWStats Totals (awstatstotals.php sort) Remote Code Execution Exploit" 155 | }, 156 | { 157 | "ref": "http://stackoverflow.com/questions/12367317/tomcat-7-security-attempt-to-login", 158 | "cve": "CVE-NOMATCH", 159 | "pat": "/manager/html", 160 | "checkurl": -1, 161 | "name": "Tomcat '/manager/html' bruteforce login" 162 | }, 163 | { 164 | "ref": "https://www.saotn.org/joomla-websites-abused-open-proxy-denial-service-attacks/", 165 | "cve": "", 166 | "pat": "/plugin_googlemap2/plugin_googlemap2_proxy.php?url=", 167 | "checkurl": 6, 168 | "name": "Joomla! Googlemaps plugin proxy abuse" 169 | }, 170 | { 171 | "ref": "https://www.exploit-db.com/exploits/27048/", 172 | "cve": "CVE-2006-0125", 173 | "pat": "/appserv/main.php?appserv_root=", 174 | "checkurl": 6, 175 | "name": "AppServ Open Project Remote File Include exploit" 176 | }, 177 | { 178 | "ref": "https://cwe.mitre.org/data/definitions/23.html", 179 | "cve": "CVE-NOMATCH", 180 | "pat": "/../", 181 | "checkurl": -1, 182 | "name": "Generic directory traversal attack" 183 | }, 184 | { 185 | "ref": "https://ensourced.wordpress.com/2011/02/25/zmeu-attacks-some-basic-forensic/", 186 | "cve": "CVE-NOMATCH", 187 | "pat": "/w00tw00t.at.blackhats.romanian.anti-sec:)", 188 | "checkurl": -1, 189 | "name": "Generic /w00tw00t.at.blackhats.romanian.anti-sec:) ZmEu probe" 190 | }, 191 | { 192 | "ref": "http://www.securityfocus.com/bid/36002/info", 193 | "cve": "CVE-NOMATCH", 194 | "pat": "/sqlite/main.php", 195 | "checkurl": -1, 196 | "name": "SQLiteManager 'main.php' Cross Site Scripting Vulnerability" 197 | }, 198 | { 199 | "ref": 
"https://jenkins.io/blog/2015/11/06/mitigating-unauthenticated-remote-code-execution-0-day-in-jenkins-cli/", 200 | "cve": "CVE-NOMATCH", 201 | "pat": "/hudson/script", 202 | "checkurl": -1, 203 | "name": "Jenkins CLI RCE probe" 204 | }, 205 | { 206 | "ref": "https://www.exploit-db.com/exploits/18775/", 207 | "cve": "CVE-2012-1495", 208 | "pat": "/webcalendar/install/index.php", 209 | "checkurl": -1, 210 | "name": "WebCalendar <= 1.2.4 - (install/index.php) Remote Code Execution" 211 | }, 212 | { 213 | "ref": "", 214 | "cve": "CVE-NOMATCH", 215 | "pat": "login.cgi?uri=/", 216 | "checkurl": -1, 217 | "name": "AirOS login bypass" 218 | }, 219 | { 220 | "ref": "", 221 | "cve": "CVE-NOMATCH", 222 | "pat": "/nagiosxi/login.php?redirect=/nagiosxi/index.php0.000000&noauth=1", 223 | "checkurl": -1, 224 | "name": "Nagios XI login bypass" 225 | }, 226 | { 227 | "ref": "http://plugins.openvas.org/nasl.php?oid=803720", 228 | "cve": "CVE-NOMATCH", 229 | "pat": "/stssys.htm", 230 | "checkurl": -1, 231 | "name": "TRENDnet IP camera probe" 232 | }, 233 | { 234 | "ref": "https://www.exploit-db.com/exploits/27755/", 235 | "cve": "CVE-2013-0632", 236 | "pat": "/CFIDE/administrator/", 237 | "checkurl": -1, 238 | "name": "Adobe ColdFusion 9 - Administrative Login Bypass" 239 | }, 240 | { 241 | "ref": "https://www.exploit-db.com/exploits/31173/", 242 | "cve": "CVE-NOMATCH", 243 | "pat": "pChart2/examples/index.php?Action=View&Script=", 244 | "checkurl": -1, 245 | "name": "pChart 2.1.3 Directory Traversal" 246 | }, 247 | { 248 | "ref": "http://www.idiot-attacker.com/2015/09/wordpress-themes-purevision-file-upload.html", 249 | "cve": "CVE-NOMATCH", 250 | "pat": "/wp-content/themes/purevision", 251 | "checkurl": -1, 252 | "name": "Wordpress Themes Purevision File Upload Vulnerability" 253 | }, 254 | { 255 | "ref": "https://www.pluginvulnerabilities.com/2016/07/14/local-file-inclusion-lfi-vulnerability-in-mailpress/", 256 | "cve": "CVE-NOMATCH", 257 | "pat": 
"/wp-content/plugins/mailpress/mp-includes/action.php", 258 | "checkurl": -1, 259 | "name": "Local File Inclusion (LFI) Vulnerability in MailPress" 260 | }, 261 | { 262 | "ref": "https://www.exploit-db.com/exploits/39501/", 263 | "cve": "CVE-NOMATCH", 264 | "pat": "/centreon/index.php", 265 | "checkurl": -1, 266 | "name": "Unauthenticated Remote Command Execution in Centreon Web Interface" 267 | }, 268 | { 269 | "ref":"http://code.freepbx.org/changelog/FreePBX_SVN/freepbx/branches/2.4/amp_conf/htdocs/admin/i18n/readme.txt", 270 | "cve": "CVE-NOMATCH", 271 | "pat": "/admin/i18n/readme.txt", 272 | "checkurl": -1, 273 | "name": "FreePBX install marker" 274 | }, 275 | { 276 | "ref": "https://www.cvedetails.com/vulnerability-list/vendor_id-5667/Zabbix.html", 277 | "cve": "CVE-NOMATCH", 278 | "pat": "/zabbix/", 279 | "checkurl": -1, 280 | "name": "Zabbix probe" 281 | }, 282 | { 283 | "ref": "http://www.cvedetails.com/vulnerability-list/vendor_id-9865/Dedecms.html", 284 | "cve": "CVE-NOMATCH", 285 | "pat": "/templets/default/style/dedecms.css", 286 | "checkurl": -1, 287 | "name": "Dedecms fingerprint probe" 288 | }, 289 | { 290 | "ref": "https://www.exploit-db.com/exploits/11218/", 291 | "cve": "CVE-NOMATCH", 292 | "pat": "/uploadify.css", 293 | "checkurl": -1, 294 | "name": "Uploadify fingerprint probe" 295 | }, 296 | { 297 | "ref": "http://www.securityfocus.com/bid/13793/info", 298 | "cve": "CVE-NOMATCH", 299 | "pat": "/console/login/LoginForm.jsp", 300 | "checkurl": -1, 301 | "name": "BEA WebLogic Administration Console LoginForm.jsp Cross-Site Scripting Vulnerability probe" 302 | }, 303 | { 304 | "ref": "https://www.exploit-db.com/exploits/10448/", 305 | "cve": "CVE-NOMATCH", 306 | "pat": "/OA_HTML/OA.jsp", 307 | "checkurl": -1, 308 | "name": "Oracle E-Business Suite authentication bypass probe" 309 | }, 310 | { 311 | "ref": "https://www.cvedetails.com/vulnerability-list/vendor_id-2724/Fckeditor.html", 312 | "cve": "CVE-NOMATCH", 313 | "pat": 
"/fckeditor/fckeditor.js", 314 | "checkurl": -1, 315 | "name": "FCKEditor fingerprint probe" 316 | }, 317 | { 318 | "ref": "", 319 | "cve": "CVE-NOMATCH", 320 | "pat": "/cgi_bin/user_network_connection.asp", 321 | "checkurl": -1, 322 | "name": "Router fingerprint probe" 323 | }, 324 | { 325 | "ref": "https://perishablepress.com/scanning-for-backup-files/", 326 | "cve": "CVE-NOMATCH", 327 | "pat": "/.git", 328 | "checkurl": -1, 329 | "name": "Backup file discovery probe" 330 | }, 331 | { 332 | "ref": "http://www.securiteam.com/unixfocus/6Z00L1F00K.html", 333 | "cve": "CVE-NOMATCH", 334 | "pat": "/phpinfo.php", 335 | "checkurl": -1, 336 | "name": "phpinfo probe" 337 | }, 338 | { 339 | "ref": "", 340 | "cve": "CVE-NOMATCH", 341 | "pat": "/shell", 342 | "checkurl": 6, 343 | "name": "/shell probe" 344 | }, 345 | { 346 | "ref": "http://www.securityfocus.com/archive/1/539567", 347 | "cve": "CVE-NOMATCH", 348 | "pat": "/Config.cgi?.cab&action=get&category=Account.*", 349 | "checkurl": -1, 350 | "name": "AVTech Authentication bypass attempt" 351 | }, 352 | { 353 | "ref": "http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php", 354 | "cve": "CVE-2009-1151", 355 | "pat": "/phpmyadmin/", 356 | "checkurl": -1, 357 | "name": "phpMyAdmin PHP Code Injection RCE" 358 | }, 359 | { 360 | "ref": "http://www.exploit-id.com/web-applications/joomla-component-com_ccboard-multiple-vulnerabilities", 361 | "cve": "CVE-NOMATCH", 362 | "pat": "/index.php?option=com_user&task=register", 363 | "checkurl": -1, 364 | "name": "Joomla File/Shell Upload Check" 365 | }, 366 | { 367 | "ref": "http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html", 368 | "cve": "CVE-NOMATCH", 369 | "pat": "/language/Swedish${IFS}&&echo${IFS}", 370 | "checkurl": -1, 371 | "name": "Remote Code Execution in CCTV-DVR" 372 | }, 373 | { 374 | "ref": "https://www.exploit-db.com/exploits/34507/", 375 | "cve": "CVE-NOMATCH", 376 | "pat": "/nagiosxi/login.php", 377 | "checkurl": -1, 378 | "name": 
"Nagios XI vulnerability probe" 379 | }, 380 | { 381 | "ref": "", 382 | "cve": "CVE-NOMATCH", 383 | "pat": "/Http/DataLayCfg.xml", 384 | "checkurl": -1, 385 | "name": "/Http/DataLayCfg.xml probe" 386 | }, 387 | { 388 | "ref": "https://wpvulndb.com/vulnerabilities/8198", 389 | "cve": "CVE-NOMATCH", 390 | "pat": "/wp-cache.php", 391 | "checkurl": -1, 392 | "name": "WP Cache PHP object injection attempt" 393 | }, 394 | { 395 | "ref": "", 396 | "cve": "CVE-NOMATCH", 397 | "pat": "/wp-login.php", 398 | "checkurl": -1, 399 | "name": "WordPress login probe" 400 | }, 401 | { 402 | "ref": "https://www.exploit-db.com/exploits/36575/", 403 | "cve": "CVE-NOMATCH", 404 | "pat": "/jmx-console/HtmlAdaptor?action=inspectMBean", 405 | "checkurl": -1, 406 | "name": "JBoss AS 3/4/5/6 - Remote Command Execution attempt" 407 | }, 408 | { 409 | "ref": "https://blog.fox-it.com/2016/11/28/recent-vulnerability-in-eir-d1000-router-used-to-spread-updated-version-of-mirai-ddos-bot/", 410 | "cve": "CVE-2014-2840", 411 | "pat": "/UD/act?1", 412 | "checkurl": -1, 413 | "name": "Exploit - TR-069 SOAP RCE NewNTPServer exploit attempt" 414 | }, 415 | { 416 | "checkurl": -1, 417 | "cve": "CVE-2015-7991", 418 | "name": "SAP HANA password retrieval probe", 419 | "pat": "/sap/hana/xs/wdisp/admin/", 420 | "ref": "https://www.troopers.de/media/filer_public/b2/22/b222b93e-49d3-4e89-8926-c78c0a47ecd2/troopers_2016_-_onapsis_presentation_final.pdf" 421 | }, 422 | { 423 | "checkurl": -1, 424 | "cve": "CVE-2014-8356", 425 | "name": "ZHONE Insecure Direct Object Reference probe", 426 | "pat": "/menuBcm.js", 427 | "ref": "https://www.exploit-db.com/exploits/38453/" 428 | }, 429 | { 430 | "checkurl": -1, 431 | "cve": "CVE-2014-8357", 432 | "name": "ZHONE Admin Password Disclosure probe", 433 | "pat": "/backupsettings.html", 434 | "ref": "https://www.exploit-db.com/exploits/38453/" 435 | }, 436 | { 437 | "checkurl": -1, 438 | "cve": "CVE-NOMATCH", 439 | "name": "Phpcms authkey leak vulnerability probe", 440 | 
"pat": "/api.php?op=get_menu&act=ajax_getlist&callback=aaaaa&parentid=0&key=authkey&cachefile=..\\..\\..\\phpsso_server\\caches\\caches_admin\\caches_data\\applist&path=admin", 441 | "ref": "http://longscan.com/#!/n/1197" 442 | }, 443 | { 444 | "checkurl": -1, 445 | "cve": "CVE-2009-1151", 446 | "name": "PHP phpMyAdmin PHP code injection probe", 447 | "pat": "?session_to_unset=123&token=&_SESSION", 448 | "ref": "https://www.exploit-db.com/exploits/8921/" 449 | }, 450 | { 451 | "checkurl": -1, 452 | "cve": "CVE-2012-4870", 453 | "name": "FreePBX 2.9 cross site scripting probe", 454 | "pat": "/recordings/index.php", 455 | "ref": "https://vuldb.com/?id.4906" 456 | }, 457 | { 458 | "ref": "https://github.com/arall/JoomlaVulnScanner/blob/master/joomlaVulnScanner.php", 459 | "cve": "CVE-NOMATCH", 460 | "pat": "/language/en-GB/en-GB.xml", 461 | "checkurl": -1, 462 | "name": "Joomla! version probe" 463 | }, 464 | { 465 | "ref": "https://github.com/bikashdash/Axis_Vuln_Webcam/blob/master/Axis_vuln_webcam.nse", 466 | "cve": "CVE-NOMATCH", 467 | "pat": "/axis-cgi/", 468 | "checkurl": -1, 469 | "name": "Axis IP Camera probe" 470 | }, 471 | { 472 | "ref": "https://wiki.apache.org/httpd/ProxyAbuse", 473 | "cve": "CVE-NOMATCH", 474 | "pat": "/check_proxy", 475 | "checkurl": -1, 476 | "name": "Open proxy probe" 477 | }, 478 | { 479 | "ref": "https://translate.google.com/translate?hl=en&sl=zh-CN&u=https://www.meipian.cn/c7xz4ci&prev=search", 480 | "cve": "CVE-NOMATCH", 481 | "pat": "/MJKCustomer/CLogin.aspx", 482 | "checkurl": -1, 483 | "name": "MagicLife login probe" 484 | }, 485 | { 486 | "ref": "", 487 | "cve": "CVE-NOMATCH", 488 | "pat": "/mainAction.action", 489 | "checkurl": -1, 490 | "name": "Apache Struts exploit probe" 491 | }, 492 | { 493 | "ref": "http://www.voidcn.com/blog/nixawk/article/p-6515010.html", 494 | "cve": "CVE-NOMATCH", 495 | "pat": "/current_config/", 496 | "checkurl": -1, 497 | "name": "Dahua camera backdoor probe" 498 | }, 499 | { 500 | "checkurl": -1, 
501 | "cve": "CVE-NOMATCH", 502 | "name": "D-Link Onvif service camera stack overflow probe", 503 | "pat": "/onvif/device_service", 504 | "ref": "https://github.com/ud2/advisories/tree/master/embedded/dlink/nocve-2015-0002" 505 | }, 506 | { 507 | "checkurl": -1, 508 | "cve": "CVE-NOMATCH", 509 | "name": "FreePBX directory probe", 510 | "pat": "/recordings/theme/", 511 | "ref": "https://community.freepbx.org/t/whats-going-on-with-this-alleged-security-exploit-in-fpbx/13637" 512 | }, 513 | { 514 | "ref": "https://gist.github.com/gerry/d977490319a474b9d777538452018b54", 515 | "cve": "CVE-2013-2618", 516 | "pat": "/plugins/weathermap/editor.php", 517 | "checkurl": -1, 518 | "name": "Weathermap Editor (cacti plugin) Arbitrary Code Execution probe" 519 | }, 520 | { 521 | "checkurl": -1, 522 | "cve": "CVE-2015-2825", 523 | "name": "Wordpress plugin Simple Ads Manager - Arbitrary File Upload", 524 | "pat": "/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php", 525 | "ref": "https://www.exploit-db.com/exploits/36614/" 526 | }, 527 | { 528 | "ref": "https://jira.atlassian.com/browse/BAM-14516?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel", 529 | "cve": "CVE-NOMATCH", 530 | "pat": "/userlogin!default.action", 531 | "checkurl": -1, 532 | "name": "Bamboo redirect probe" 533 | }, 534 | { 535 | "ref": "https://cxsecurity.com/issue/WLB-2011100126", 536 | "cve": "CVE-2010-4859", 537 | "pat": "/wbsadmin/html/scripts/", 538 | "checkurl": -1, 539 | "name": "webAsyst installation probe" 540 | }, 541 | { 542 | "checkurl": -1, 543 | "cve": "CVE-NOMATCH", 544 | "name": "Proxy CONNECT probe", 545 | "pat": "CONNECT", 546 | "ref": "https://www.kb.cert.org/vuls/id/150227" 547 | }, 548 | { 549 | "checkurl": -1, 550 | "cve": "CVE-NOMATCH", 551 | "name": "Netgear router probe", 552 | "pat": "/currentsetting.htm", 553 | "ref": "https://superuser.com/questions/939644/strange-http-requests-from-computer-running-netgear-genie" 554 | }, 555 | { 556 | "checkurl": -1, 
557 | "cve": "CVE-2012-5469", 558 | "name": "WordPress Portable phpMyAdmin Plugin 'wp-pma-mod' Security Bypass Vulnerability", 559 | "pat": "/wp-content/plugins/portable-phpmyadmin/wp-pma-mod", 560 | "ref": "https://www.acunetix.com/vulnerabilities/network/vulnerability/wordpress-portable-phpmyadmin-plugin-wp-pma-mod-security-bypass-vulnerability/" 561 | }, 562 | { 563 | "checkurl": -1, 564 | "cve": "CVE-NOMATCH", 565 | "name": "WordPress Plugin Viper's Video Quicktags Unspecified Vulnerability probe", 566 | "pat": "/wp-includes/js/quicktags.js", 567 | "ref": "https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-viper-s-video-quicktags-unspecified-vulnerability-6-4-4" 568 | }, 569 | { 570 | "ref": "https://bitsonline.com/jaxx-vulnerability-bitcoin-risk/", 571 | "cve": "CVE-NOMATCH", 572 | "pat": "/wallet.dat", 573 | "checkurl": -1, 574 | "name": "Cryptocurrency wallet.dat probe" 575 | }, 576 | { 577 | "ref": "", 578 | "cve": "CVE-NOMATCH", 579 | "pat": "/SnapshotJPEG", 580 | "checkurl": -1, 581 | "name": "SmartThings SmartApps probe" 582 | }, 583 | { 584 | "checkurl": -1, 585 | "cve": "CVE-NOMATCH", 586 | "name": "Old Nmap service detection probe", 587 | "pat": "/nice%20ports%2C/Tri%6Eity.txt%2ebak", 588 | "ref": "http://seclists.org/nmap-dev/2006/q2/207" 589 | }, 590 | { 591 | "ref": "https://www.exploit-db.com/exploits/26256/", 592 | "cve": "CVE-2005-2953", 593 | "pat": "/m5/merchant.mvc", 594 | "checkurl": -1, 595 | "name": "MIVA Merchant 5 - Merchant.MVC Cross-Site Scripting probe" 596 | }, 597 | { 598 | "checkurl": -1, 599 | "cve": "CVE-NOMATCH", 600 | "name": "Jenkins Hudson probe", 601 | "pat": "/hudson/script", 602 | "ref": "http://www.cvedetails.com/cve/CVE-2014-2067/" 603 | }, 604 | { 605 | "checkurl": -1, 606 | "cve": "CVE-NOMATCH", 607 | "name": "JBoss login and status probe", 608 | "pat": "/servlet?p=login&q=loginForm&jumpto=status", 609 | "ref": "https://www.rapid7.com/db/modules/auxiliary/scanner/http/jboss_status" 610 | }, 611 | { 612 | 
"checkurl": -1, 613 | "cve": "CVE-NOMATCH", 614 | "name": "Joomla backup extraction attack", 615 | "pat": "/com_joomlaupdate/restore.php?task=stepRestore&factory", 616 | "ref": "https://www.akeebabackup.com/news/1605-security-update-sep-2014.html" 617 | }, 618 | { 619 | "checkurl": -1, 620 | "cve": "CVE-2017-9717", 621 | "name": "Apache Struts 2 Showcase Remote Code Execution probe", 622 | "pat": "/struts2-showcase/index.action", 623 | "ref": "https://devcentral.f5.com/articles/apache-struts-2-showcase-remote-code-execution-cve-2017-9791-27368" 624 | }, 625 | { 626 | "checkurl": -1, 627 | "cve": "CVE-NOMATCH", 628 | "name": "Axis05 root setuid .CGI scripts and binaries present", 629 | "pat": "/axis-cgi/admin/param.cgi", 630 | "ref": "http://seclists.org/fulldisclosure/2017/Mar/41" 631 | }, 632 | { 633 | "checkurl": -1, 634 | "cve": "CVE-NOMATCH", 635 | "name": "JBoss Information Leakage", 636 | "pat": "/status?full=true", 637 | "ref": "http://seclists.org/fulldisclosure/2011/Sep/139" 638 | }, 639 | { 640 | "checkurl": -1, 641 | "cve": "CVE-2017-9841", 642 | "name": "PHP Unit arbitrary RCE via stdin", 643 | "pat": "/Util/PHP/eval-stdin.php", 644 | "ref": "http://www.cvedetails.com/cve/CVE-2017-9841/" 645 | }, 646 | { 647 | "ref": "https://vuldb.com/?id.7843", 648 | "cve": "CVE-NOMATCH", 649 | "pat": "/getcfg.php", 650 | "checkurl": -1, 651 | "name": "D-Link DIR-645 getcfg.php Direct Request Cleartext Admin Password Disclosure" 652 | }, 653 | { 654 | "ref": "https://www.tkreiner.com/intelligence-404-errors/", 655 | "cve": "CVE-NOMATCH", 656 | "pat": "/js/mage/", 657 | "checkurl": -1, 658 | "name": "Magento probe" 659 | }, 660 | { 661 | "ref": "https://gist.github.com/avelardi/1338d9d7be0344ab7f4280618930cd0d", 662 | "cve": "CVE-NOMATCH", 663 | "pat": "/current_config/passwd", 664 | "checkurl": -1, 665 | "name": "Dahua backdoor probe" 666 | }, 667 | { 668 | "ref": "http://www.expku.com/web/5655.html", 669 | "cve": "CVE-NOMATCH", 670 | "pat": 
"/modules/attributewizardpro/file_upload.php", 671 | "checkurl": -1, 672 | "name": "Prestashop attributewizardpro module Arbitrary File Upload exploit probe" 673 | }, 674 | { 675 | "ref": "https://www.exploit-db.com/exploits/40500/", 676 | "cve": "CVE-NOMATCH", 677 | "pat": "/cgi-bin/user/Config.cgi?.cab&action=get&category=Account.*", 678 | "checkurl": -1, 679 | "name": "Avtech Device Authentication bypass probe" 680 | }, 681 | { 682 | "ref": "https://tomrobertshaw.net/2012/11/magento-security-check-your-appetclocal-xml-file/", 683 | "cve": "CVE-NOMATCH", 684 | "pat": "/app/etc/local.xml", 685 | "checkurl": -1, 686 | "name": "Magento fingerprint probe" 687 | }, 688 | { 689 | "ref": "http://www.newrocktech.com/down/667.html", 690 | "cve": "CVE-NOMATCH", 691 | "pat": "/hx4e/N0000P1.cfg", 692 | "checkurl": -1, 693 | "name": "New Rock IP PBX probe" 694 | }, 695 | { 696 | "ref": "https://community.polycom.com/t5/VoIP-SIP-Phones/Using-the-00000000-cfg-file/td-p/91454", 697 | "cve": "CVE-NOMATCH", 698 | "pat": "/000000000000", 699 | "checkurl": -1, 700 | "name": "Polycom configuration file probe" 701 | }, 702 | { 703 | "ref": "https://digwp.com/2009/06/xmlrpc-php-security/", 704 | "cve": "CVE-NOMATCH", 705 | "pat": "/wlwmanifest.xml", 706 | "checkurl": -1, 707 | "name": "Wordpress WLWManifest XML file probe" 708 | }, 709 | { 710 | "ref": "https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/csbpvga/spa100-200/provisioning/guide/SPA100-200_Provisioning.pdf", 711 | "cve": "CVE-NOMATCH", 712 | "pat": "/spa112.cfg", 713 | "checkurl": -1, 714 | "name": "Cisco Spa112 Configuration file probe" 715 | }, 716 | { 717 | "ref": "https://www.alertlogic.com/blog/beware-the-weblogic-wls-wsat-component-deserialization-rce-exploit/", 718 | "cve": "CVE-2017-10271", 719 | "pat": "/wls-wsat/CoordinatorPortType", 720 | "checkurl": -1, 721 | "name": "WebLogic WLS-WSAT Component Deserialization RCE probe" 722 | }, 723 | { 724 | "ref": 
"https://www.alertlogic.com/blog/beware-the-weblogic-wls-wsat-component-deserialization-rce-exploit/", 725 | "cve": "CVE-NOMATCH", 726 | "pat": "/webfig/roteros.info", 727 | "checkurl": -1, 728 | "name": "MikroTik RouterOS probe" 729 | }, 730 | { 731 | "ref": "https://github.com/nixawk/labs/issues/19", 732 | "cve": "CVE-2018-7600", 733 | "pat": "user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax", 734 | "checkurl": -1, 735 | "name": "Drupal unsanitized requests RCE probe" 736 | }, 737 | { 738 | "ref": "https://www.exploit-db.com/exploits/44576/", 739 | "cve": "CVE-2018-10561", 740 | "pat": "/GponForm/diag_Form?images/", 741 | "checkurl": -1, 742 | "name": "GPON Routers - Authentication Bypass / Command Injection probe" 743 | }, 744 | { 745 | "ref": "https://www.exploit-db.com/exploits/16318/", 746 | "cve": "CVE-2007-1036", 747 | "pat": "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Aservice%3DMainDeployer", 748 | "checkurl": -1, 749 | "name": "JBoss JMX - Console Deployer Upload and Execute probe" 750 | }, 751 | { 752 | "ref": "https://www.wordfence.com/blog/2017/07/wpsetup-attack/", 753 | "cve": "CVE-NOMATCH", 754 | "pat": "/wp-admin/setup-config?step=1", 755 | "checkurl": -1, 756 | "name": "Wordpress setup-config probe" 757 | }, 758 | { 759 | "ref": "https://secure.dshield.org/forums/diary/Scanning+for+Apache+Struts+Vulnerability+CVE20175638/23479/", 760 | "cve": "CVE-2017-5638", 761 | "pat": "/verifylogin.do", 762 | "checkurl": -1, 763 | "name": "Apache Struts verifylogin probe" 764 | }, 765 | { 766 | "ref": "https://github.com/CherryFramework/cherry-plugin/issues/6", 767 | "cve": "CVE-NOMATCH", 768 | "pat": "/wp-content/plugins/cherry-plugin", 769 | "checkurl": -1, 770 | "name": "Wordpress Cherry Plugin Arbitrary File Upload probe" 771 | }, 772 | { 773 | "ref": "https://vulners.com/packetstorm/PACKETSTORM:145644", 774 | "cve": "CVE-NOMATCH", 775 | "pat": "/ubus", 776 | "checkurl": -1, 777 | "name": "Iopsys 
Router /ubus probe" 778 | }, 779 | { 780 | "ref": "https://github.com/provisioner/Provisioner/blob/master/endpoint/aastra/aap9xxx6xxx/aastra.cfg", 781 | "cve": "CVE-NOMATCH", 782 | "pat": "/aastra.cfg", 783 | "checkurl": -1, 784 | "name": "Provisioner PBX Aastra config probe" 785 | }, 786 | { 787 | "ref": "https://github.com/WordPress/WordPress/blob/master/wp-admin/ms-upgrade-network.php", 788 | "cve": "CVE-NOMATCH", 789 | "pat": "/upgrade-network.php", 790 | "checkurl": -1, 791 | "name": "WordPress upgrade config probe" 792 | }, 793 | { 794 | "ref": "https://github.com/orthes/marvin", 795 | "cve": "CVE-NOMATCH", 796 | "pat": "/Marvins.php", 797 | "checkurl": -1, 798 | "name": "Marvins.php probe" 799 | }, 800 | { 801 | "ref": "https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wp-super-cache-php-code-injection-1-2", 802 | "cve": "CVE-2013-2009", 803 | "pat": "/Marvins.php", 804 | "checkurl": -1, 805 | "name": "WordPress cache probe" 806 | }, 807 | { 808 | "ref": "https://blog.netlab.360.com/botnets-never-die-satori-refuses-to-fade-away-en/", 809 | "cve": "CVE-2018-10561", 810 | "pat": "/login.cgi?cli=", 811 | "checkurl": 6, 812 | "name": "Satori /login.cgi RCE probe" 813 | }, 814 | { 815 | "ref": "https://github.com/kkirsche/CVE-2017-10271", 816 | "cve": "CVE-2017-10271", 817 | "pat": "/wls-wsat/RegistrationRequesterPortType", 818 | "checkurl": -1, 819 | "name": "Oracle WebLogic < 10.3.6 - 'wls-wsat' Component Deserialisation RCE probe" 820 | }, 821 | { 822 | "ref": "https://devcentral.f5.com/articles/apache-struts-2-showcase-remote-code-execution-cve-2017-9791-27368", 823 | "cve": "CVE-2017-9717", 824 | "pat": "/struts2-rest-showcase", 825 | "checkurl": -1, 826 | "name": "Apache Struts 2 Showcase Remote Code Execution probe" 827 | }, 828 | { 829 | "ref": "https://secure.surf/2017/10/10/word-press-hacked-pages/", 830 | "cve": "CVE-NOMATCH", 831 | "pat": "/ytt.php", 832 | "checkurl": -1, 833 | "name": "Wordpress Hacked Page Backdoor probe" 834 | }, 835 | 
{ 836 | "ref": "https://access.redhat.com/security/cve/cve-2017-12149", 837 | "cve": "CVE-2017-12149", 838 | "pat": "/invoker/readonly", 839 | "checkurl": -1, 840 | "name": "JBoss ReadOnlyAccessFilter deserialization vulnerability" 841 | }, 842 | { 843 | "ref": "https://www.acunetix.com/vulnerabilities/network/vulnerability/freepbx-admin-config-php-remote-code-execution-vulnerability/", 844 | "cve": "CVE-2014-1903", 845 | "pat": "/admin/config.php", 846 | "checkurl": -1, 847 | "name": "FreePBX 'admin/config.php' Remote Code Execution Vulnerability" 848 | }, 849 | { 850 | "ref": "https://www.exploit-db.com/exploits/41782/", 851 | "cve": "CVE-2017-6884", 852 | "pat": "/cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup", 853 | "checkurl": 6, 854 | "name": "Zyxel, EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection Vulnerability" 855 | }, 856 | { 857 | "ref": "https://secureyes.net/nw/assets/File-Upload-Vulnerability-in-FCKEditor.pdf", 858 | "cve": "CVE-2009-2265", 859 | "pat": "/fckeditor/editor/filemanager/connectors/php/upload.php?Type=", 860 | "checkurl": -1, 861 | "name": "FCKEditor Arbitrary File Upload Vulnerability" 862 | }, 863 | { 864 | "ref": "https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/csbpvga/spa100-200/provisioning/guide/SPA100-200_Provisioning.pdf", 865 | "cve": "CVE-NOMATCH", 866 | "pat": "/spa.cfg", 867 | "checkurl": -1, 868 | "name": "Cisco SPA Configuration file probe" 869 | }, 870 | { 871 | "ref": "https://isc.sans.edu/diary/Well%2C+Hello+Again+Peppa%21/23860", 872 | "cve": "CVE-NOMATCH", 873 | "pat": "/images.php", 874 | "checkurl": -1, 875 | "name": "Hello Peppa probe" 876 | }, 877 | { 878 | "ref": "https://vulners.com/search?query=yealink", 879 | "cve": "CVE-NOMATCH", 880 | "pat": "/yealink/y00000", 881 | "checkurl": -1, 882 | "name": "Yealink VoIP Phone config fingerprint probe" 883 | }, 884 | { 885 | "ref": "https://stackoverflow.com/questions/9348577/server-side-function-is-called-only-once-in-jqgrid", 886 | "cve": 
"CVE-NOMATCH", 887 | "pat": "/publicHandler.ashx", 888 | "checkurl": -1, 889 | "name": "Jqgrid handler probe" 890 | }, 891 | { 892 | "ref": "https://httpd.apache.org/docs/2.4/mod/mod_status.html", 893 | "cve": "CVE-NOMATCH", 894 | "pat": "/status?full", 895 | "checkurl": -1, 896 | "name": "Apache mod-status fullstatus probe" 897 | }, 898 | { 899 | "ref": "", 900 | "cve": "CVE-NOMATCH", 901 | "pat": "/modules/mod_feed/tmpl/mod_feed.php?ms-load=", 902 | "checkurl": -1, 903 | "name": "Joomla mod_feed ms-load probe" 904 | }, 905 | { 906 | "ref": "https://github.com/cldrn/nmap-nse-scripts/blob/master/nselib/http.lua", 907 | "cve": "CVE-NOMATCH", 908 | "pat": "/nmaplowercheck", 909 | "checkurl": -1, 910 | "name": "Nmap HTTP probe" 911 | }, 912 | { 913 | "checkurl": -1, 914 | "cve": "CVE-NOMATCH", 915 | "name": "Internal WebLogic applications exposed to the public Internet probe", 916 | "pat": "/bea_wls_deployment_internal", 917 | "ref": "http://www.security-explorations.com/materials/SE-2013-01-ORACLE.pdf" 918 | }, 919 | { 920 | "checkurl": -1, 921 | "cve": "CVE-2017-17106", 922 | "name": "Zivif PR115-204-P-RS V2.3.4.2103 credential disclosure", 923 | "pat": "/cgi-bin/hi3510/param.cgi?cmd=", 924 | "ref": "https://nvd.nist.gov/vuln/detail/CVE-2017-17106" 925 | }, 926 | { 927 | "checkurl": -1, 928 | "cve": "CVE-NOMATCH", 929 | "name": "WordPress Twenty Fifteen theme probe", 930 | "pat": "/wp-content/themes/twentyfifteen/", 931 | "ref": "https://wpvulndb.com/vulnerabilities/7979" 932 | }, 933 | { 934 | "ref": "https://wpvulndb.com/themes/sketch", 935 | "cve": "CVE-NOMATCH", 936 | "pat": "/wp-content/themes/sketch", 937 | "checkurl": -1, 938 | "name": "WordPress Sketch theme probe" 939 | }, 940 | { 941 | "ref": "http://seclist.us/loubia-python-script-to-exploit-java-unserialize-on-t3-weblogic.html", 942 | "cve": "CVE-2018-2628", 943 | "pat": "/console/css/dashboard-min.css", 944 | "checkurl": -1, 945 | "name": "dashboard-min.css exploit script java unserialize on t3 
(Weblogic)" 946 | }, 947 | { 948 | "ref": "https://www.exploit-db.com/exploits/40500/", 949 | "cve": "CVE-NOMATCH", 950 | "pat": "/cgi-bin/nobody/Search.cgi", 951 | "checkurl": -1, 952 | "name": "AVTECH Unauthenticated command injection in DVR devices" 953 | }, 954 | { 955 | "ref": "https://www.exploit-db.com/exploits/45025", 956 | "cve": "CVE-NOMATCH", 957 | "pat": "/ws/v1/cluster/apps/new-application", 958 | "checkurl": -1, 959 | "name": "Hadoop YARN ResourceManager - Command Execution" 960 | }, 961 | { 962 | "checkurl": 6, 963 | "cve": "CVE-NOMATCH", 964 | "name": "ThinkPHP5.x version remote code execution", 965 | "pat": "think\\\\app", 966 | "ref": "https://www.cesafe.com/8433.html" 967 | }, 968 | { 969 | "ref": "https://hydrasky.com/network-security/php-functions-that-can-lead-to-vulnerabilities/", 970 | "cve": "CVE-NOMATCH", 971 | "pat": "call_user_func_array", 972 | "checkurl": -1, 973 | "name": "PHP shell command injection" 974 | }, 975 | { 976 | "ref": "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf", 977 | "cve": "CVE-NOMATCH", 978 | "pat": "new-object", 979 | "checkurl": -1, 980 | "name": "PowerShell New-Object script injection" 981 | }, 982 | { 983 | "ref": "https://www.alibabacloud.com/blog/threat-alert-multiple-cryptocurrency-miner-botnets-start-to-exploit-the-new-thinkphp-vulnerability_594369", 984 | "cve": "CVE-NOMATCH", 985 | "pat": "FxCodeShell.jsp", 986 | "checkurl": -1, 987 | "name": "FxCodeShell backdoor probe" 988 | }, 989 | { 990 | "ref": "", 991 | "cve": "CVE-NOMATCH", 992 | "pat": "/wp/wp-login.php;", 993 | "checkurl": -1, 994 | "name": "Malformed wp-login probe, semicolon" 995 | }, 996 | { 997 | "ref": "https://www.wordfence.com/blog/2019/03/hackers-abusing-recently-patched-vulnerability-in-easy-wp-smtp-plugin/", 998 | "cve": "CVE-NOMATCH", 999 | "pat": "/wp-ajax-hook.php", 1000 | "checkurl": -1, 1001 | "name": "WordPress ajax-hook attempt" 1002 | }, 1003 | { 
1004 | "ref": "https://blogs.oracle.com/security/security-alert-cve-2019-2725-released", 1005 | "cve": "CVE-2019-2725", 1006 | "pat": "/_async/AsyncResponseService", 1007 | "checkurl": -1, 1008 | "name": "WebLogic AsyncResponseService attack attempt" 1009 | }, 1010 | { 1011 | "ref": "http://misteralfa-hack.blogspot.com/2018/04/tbk-vision-dvr-login-bypass.html", 1012 | "cve": "CVE-2018-9995", 1013 | "pat": "/device.rsp?opt=user&cmd=list", 1014 | "checkurl": -1, 1015 | "name": "[TBK Vision] DVR Login Bypass" 1016 | }, 1017 | { 1018 | "ref": "https://www.exploit-db.com/exploits/36653", 1019 | "cve": "CVE-2010-1871", 1020 | "pat": "/admin-console/login.seam", 1021 | "checkurl": -1, 1022 | "name": "JBoss Seam 2 File Upload and Execute" 1023 | }, 1024 | { 1025 | "ref": "https://www.exploit-db.com/exploits/42788", 1026 | "cve": "CVE-NOMATCH", 1027 | "pat": "/page/maintenance/lanSettings/dns", 1028 | "checkurl": -1, 1029 | "name": "FLIR Systems FLIR Thermal Camera FC-S/PT Authenticated OS Command Injection" 1030 | }, 1031 | { 1032 | "ref": "https://www.exploit-db.com/exploits/40856", 1033 | "cve": "CVE-NOMATCH", 1034 | "pat": "/actionHandler/ajax_network_diagnostic_tools.php", 1035 | "checkurl": -1, 1036 | "name": "Xfinity Gateway: Remote Code Execution" 1037 | }, 1038 | { 1039 | "ref": "https://snyk.io/vuln/composer:phpunit%2Fphpunit", 1040 | "cve": "CVE-NOMATCH", 1041 | "pat": "/vendor/phpunit/phpunit/composer.json", 1042 | "checkurl": -1, 1043 | "name": "PHP Unit Probe" 1044 | }, 1045 | { 1046 | "ref": "https://www.exploit-db.com/exploits/42293", 1047 | "cve": "CVE-NOMATCH", 1048 | "pat": "/webadmin/script?command=", 1049 | "checkurl": -1, 1050 | "name": "OpenDreamBox 2.0.0 - Plugin WebAdmin RCE" 1051 | }, 1052 | { 1053 | "ref": "https://www.exploit-db.com/exploits/37298", 1054 | "cve": "CVE-NOMATCH", 1055 | "pat": "cgi-bin/get_status.cgi", 1056 | "checkurl": -1, 1057 | "name": "Apexis IP CAM - Information Disclosure" 1058 | }, 1059 | { 1060 | "ref": 
"https://www.exploit-db.com/exploits/33136", 1061 | "cve": "CVE-2014-9727", 1062 | "pat": "/cgi-bin/webcm?getpage=", 1063 | "checkurl": -1, 1064 | "name": "Fritz!Box - Remote Command Execution" 1065 | }, 1066 | { 1067 | "ref": "https://medium.com/@ruvlol/rce-in-jira-cve-2019-11581-901b845f0f", 1068 | "cve": "CVE-2019-11581", 1069 | "pat": "/secure/ContactAdministrators!default.jspa", 1070 | "checkurl": -1, 1071 | "name": "Jira contact Admin RCE" 1072 | }, 1073 | { 1074 | "ref": "https://perchsecurity.com/perch-news/threat-report-friday-february-22nd-2019/", 1075 | "cve": "CVE-NOMATCH", 1076 | "pat": "/elrekt.php", 1077 | "checkurl": -1, 1078 | "name": "Rekt botnet probe" 1079 | }, 1080 | { 1081 | "ref": "https://www.cvedetails.com/vulnerability-list/vendor_id-874/opxss-1/Juniper.html", 1082 | "cve": "CVE-NOMATCH", 1083 | "pat": "/dana-na/", 1084 | "checkurl": -1, 1085 | "name": "Juniper Networks Secure Access 2000 probe" 1086 | }, 1087 | { 1088 | "ref": "https://pastebin.com/xCB4GCYz", 1089 | "cve": "CVE-NOMATCH", 1090 | "pat": "/imgs/ms_check_license", 1091 | "checkurl": -1, 1092 | "name": "/imgs/ms_check_license probe, unknown purpose" 1093 | }, 1094 | { 1095 | "ref": "https://dl.packetstormsecurity.net/1505-exploits/hikvisionds7108-xmlinject.txt", 1096 | "cve": "CVE-NOMATCH", 1097 | "pat": "/doc/page/login.asp", 1098 | "checkurl": -1, 1099 | "name": "Hikvision Backdoor probe" 1100 | }, 1101 | { 1102 | "ref": "https://www.exploit-db.com/exploits/43055", 1103 | "cve": "CVE-NOMATCH", 1104 | "pat": "/setup.cgi?next_file=netgear.cfg", 1105 | "checkurl": -1, 1106 | "name": "Netgear DGN1000 Setup.cgi Unauthenticated RCE" 1107 | }, 1108 | { 1109 | "ref": "https://ssd-disclosure.com/archives/3590/ssd-advisory-hack2win-cisco-rv132w-multiple-vulnerabilities", 1110 | "cve": "CVE-2018-0125", 1111 | "pat": "/dumpmdm.cmd", 1112 | "checkurl": -1, 1113 | "name": "Cisco RV132W dumpmdm info disclosure" 1114 | }, 1115 | { 1116 | "ref": 
"http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Supported_Manager_Commands", 1117 | "cve": "CVE-NOMATCH", 1118 | "pat": "/manager/text/list", 1119 | "checkurl": -1, 1120 | "name": "Apache Tomcat 7.0 Manager Commands Probe" 1121 | }, 1122 | { 1123 | "ref": "https://www.exploit-db.com/exploits/46792", 1124 | "cve": "CVE-NOMATCH", 1125 | "pat": "/cgi-bin/webctrl.cgi", 1126 | "checkurl": -1, 1127 | "name": "Blue Angel Software Suite RCE Probe" 1128 | }, 1129 | { 1130 | "ref": "https://www.exploit-db.com/exploits/46073", 1131 | "cve": "CVE-NOMATCH", 1132 | "pat": "/v1/agent/self", 1133 | "checkurl": -1, 1134 | "name": "Hashicorp Consul probe" 1135 | }, 1136 | { 1137 | "ref": "https://www.ncsc.gov.sa/wps/portal/ncsc/home/Alerts/!ut/p/z1/lVLRboJAEPwaH8kud-cBj2elYKkxYgpyLwYR67VyaEts-_c9apM2aYS6T3PJ3O7szIKEJUidn9Rj3qha53vzziRf2fbYDUmA9zMnGqMYzRe3QxpQMUVIQIIsdHNodpDp4rXYq_UAWzDAXV2VZ7xq4arULflQqA1khBPGiyGxkOWOxYiXW57tEWvLGS9dToi33kD6NR0njIU2I9EsRkRBkzCk7o2NAQX5W5w7cgTOEZOJmER0HvHv_x0E2b1cz3zyv_l4oQReqf-vQNndfmEcvzuTLntoIlZPx6MUJsdaN-V7A8v-INM2yh5z-uRlZj3nZ70g8bjpEDt-Evt0ljBIT6p8gwddv1TmFhdXXk-IcKgql34oU1aQWs_bqU_ZJ0-OxIA!/dz/d5/L2dBISEvZ0FBIS9nQSEh/", 1138 | "cve": "CVE-2019-0604", 1139 | "pat": "/Temporary_Listen_Addresses/SMSSERVICE", 1140 | "checkurl": -1, 1141 | "name": "Sharepoint SMSSERVICE RCE" 1142 | }, 1143 | { 1144 | "ref": "https://www.tenable.com/security/research/tra-2017-33", 1145 | "cve": "CVE-NOMATCH", 1146 | "pat": "/cgi-bin/hi3510/getidentify.cgi", 1147 | "checkurl": -1, 1148 | "name": "Master IP CAM 01" 1149 | }, 1150 | { 1151 | "ref": "https://seclists.org/fulldisclosure/2017/Jan/40", 1152 | "cve": "CVE-NOMATCH", 1153 | "pat": "/ViewLog.asp", 1154 | "checkurl": -1, 1155 | "name": "Zyxel P660HN Remote Command Execution probe" 1156 | }, 1157 | { 1158 | "ref": "https://www.exploit-db.com/exploits/45448", 1159 | "cve": "CVE-2018-17173", 1160 | "pat": "/qsrserver/device/getThumbnail?", 1161 | "checkurl": -1, 1162 | "name": "LG Supersign TVs Remote 
Command Execution probe" 1163 | }, 1164 | { 1165 | "ref": "https://www.exploit-db.com/exploits/41935", 1166 | "cve": "CVE-NOMATCH", 1167 | "pat": "/cgi-bin/rdfs.cgi", 1168 | "checkurl": -1, 1169 | "name": "WePresent WiPG-1000 Command Injection probe" 1170 | }, 1171 | { 1172 | "ref": "https://www.exploit-db.com/exploits/39437", 1173 | "cve": "CVE-2018-17173", 1174 | "pat": "/setSystemCommand", 1175 | "checkurl": -1, 1176 | "name": "DLink DCS-930L Remote Command Execution probe" 1177 | }, 1178 | { 1179 | "ref": "https://www.exploit-db.com/exploits/24956", 1180 | "cve": "CVE-NOMATCH", 1181 | "pat": "/diagnostic.php", 1182 | "checkurl": -1, 1183 | "name": "DLink diagnostic.php Remote Command Execution probe" 1184 | }, 1185 | { 1186 | "ref": "https://www.exploit-db.com/exploits/45909", 1187 | "cve": "CVE-2016-1555", 1188 | "pat": "/boardDataNA.php?writeData=true", 1189 | "checkurl": -1, 1190 | "name": "Netgear /boardDataNA Remote Command Execution probe" 1191 | }, 1192 | { 1193 | "ref": "https://www.exploit-db.com/exploits/41394", 1194 | "cve": "CVE-2017-6077", 1195 | "pat": "/ping.cgi", 1196 | "checkurl": -1, 1197 | "name": "/ping.cgi Remote Command Execution probe" 1198 | }, 1199 | { 1200 | "ref": "https://github.com/threat9/routersploit/blob/master/routersploit/modules/exploits/routers/netgear/prosafe_rce.py", 1201 | "cve": "CVE-NOMATCH", 1202 | "pat": "/login_handler.php", 1203 | "checkurl": -1, 1204 | "name": "Netgear Prosafe Remote Command Execution probe" 1205 | }, 1206 | { 1207 | "ref": "https://seclists.org/fulldisclosure/2019/Sep/31", 1208 | "cve": "CVE-2019-16759", 1209 | "pat": "/index.php?routestring=ajax/render/widget_php", 1210 | "checkurl": -1, 1211 | "name": "vBulletin 5.x 0day pre-auth RCE exploit" 1212 | }, 1213 | { 1214 | "ref": "https://github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt", 1215 | "cve": "CVE-NOMATCH", 1216 | "pat": "/editBlackAndWhiteList", 1217 | "checkurl": -1, 1218 | "name": 
"Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC} API RCE" 1219 | }, 1220 | { 1221 | "ref": "https://vulners.com/openvas/OPENVAS:1361412562310105500", 1222 | "cve": "CVE-2016-10106", 1223 | "pat": "/scgi-bin/platform.cgi", 1224 | "checkurl": -1, 1225 | "name": "Multiple Devices '/scgi-bin/platform.cgi' Unauthenticated File Disclosure" 1226 | }, 1227 | { 1228 | "ref": "https://www.fireeye.com/blog/threat-research/2019/10/certutil-qualms-they-came-to-drop-fombs.html", 1229 | "cve": "CVE-NOMATCH", 1230 | "pat": "/weaver/bsh.servlet.BshServlet", 1231 | "checkurl": -1, 1232 | "name": "Weaver Beanshell code injection 0day" 1233 | }, 1234 | { 1235 | "ref": "https://www.sudokaikan.com/2019/11/cve-2019-16662-cve-2019-16663.html", 1236 | "cve": "CVE-2019-16663", 1237 | "pat": "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname", 1238 | "checkurl": -1, 1239 | "name": "Unauthenticated remote code execution vulnerabilities in rConfig" 1240 | }, 1241 | { 1242 | "ref": "https://nvd.nist.gov/vuln/detail/CVE-2019-1923?cpeVersion=2.2", 1243 | "cve": "CVE-2019-1923", 1244 | "pat": "/dms/cisco", 1245 | "checkurl": -1, 1246 | "name": "Cisco SPA 508/509 IP phone Command Injection" 1247 | }, 1248 | { 1249 | "ref": "https://www.exploit-db.com/exploits/47555", 1250 | "cve": "CVE-2019-16662", 1251 | "pat": "/ajaxserversettingschk.php?rootuname=", 1252 | "checkurl": -1, 1253 | "name": "rConfig 3.9.2 - Remote Code Execution" 1254 | }, 1255 | { 1256 | "ref": "https://www.exploit-db.com/exploits/37999", 1257 | "cve": "CVE-NOMATCH", 1258 | "pat": "/hudson/script", 1259 | "checkurl": -1, 1260 | "name": "Jenkins CSRF/Code Injection" 1261 | }, 1262 | { 1263 | "ref": "https://www.exploit-db.com/exploits/46073", 1264 | "cve": "CVE-NOMATCH", 1265 | "pat": "/v1/agent/self", 1266 | "checkurl": -1, 1267 | "name": "Hashicorp Consul - RCE via Rexec" 1268 | }, 1269 | { 1270 | "ref": "https://packetstormsecurity.com/files/128552/Advanced-Information-Security-Shellshock-Scanner.html", 
1271 | "cve": "CVE-2014-6271", 1272 | "pat": "/cgi-sys/realsignup.cgi", 1273 | "checkurl": -1, 1274 | "name": "Shellshock.c probe" 1275 | }, 1276 | { 1277 | "ref": "https://www.paladion.net/blogs/weak-crossdomain-xml-and-its-exploitation-poc", 1278 | "cve": "CVE-NOMATCH", 1279 | "pat": "/clientaccesspolicy.xml", 1280 | "checkurl": -1, 1281 | "name": "ClientAccessPolicy XML file probe" 1282 | }, 1283 | { 1284 | "ref": "https://www.getastra.com/blog/911/wordpress-files-hacked-wp-config-php-hack/", 1285 | "cve": "CVE-NOMATCH", 1286 | "pat": "/wp-config.php", 1287 | "checkurl": -1, 1288 | "name": "WordPress wp-config LFI probe" 1289 | }, 1290 | { 1291 | "ref": "https://www.rcesecurity.com/2019/04/dell-kace-k1000-remote-code-execution-the-story-of-bug-k1-18652/", 1292 | "cve": "CVE-NOMATCH", 1293 | "pat": "/service/krashrpt.php", 1294 | "checkurl": -1, 1295 | "name": "Dell KACE K1000 Remote Code Execution" 1296 | }, 1297 | { 1298 | "ref": "", 1299 | "cve": "CVE-NOMATCH", 1300 | "pat": "/upgrade.aspx?a1=", 1301 | "checkurl": -1, 1302 | "name": "Unknown upgrade.aspx probe" 1303 | }, 1304 | { 1305 | "ref": "https://packetstormsecurity.com/files/141142/Geutebruck-testaction.cgi-Remote-Command-Execution.html", 1306 | "cve": "CVE-2017-5173", 1307 | "pat": "/uapi-cgi/viewer/admin/testaction.cgi", 1308 | "checkurl": 6, 1309 | "name": "Geutebruck testaction.cgi Remote Command Execution" 1310 | }, 1311 | { 1312 | "ref": "https://www.exploit-db.com/exploits/43055", 1313 | "cve": "CVE-NOMATCH", 1314 | "pat": "/setup.cgi?next_file=netgear.cfg", 1315 | "checkurl": 6, 1316 | "name": "Netgear DGN1000 1.1.00.48 - 'Setup.cgi' RCE" 1317 | }, 1318 | { 1319 | "ref": "https://securitynews.sonicwall.com/xmlpost/microsoft-sharepoint-server-flaw-cve-2019-0604-is-actively-being-exploited/", 1320 | "cve": "CVE-2019-0604", 1321 | "pat": "/Temporary_Listen_Addresses/", 1322 | "checkurl": -1, 1323 | "name": "Microsoft SharePoint Remote Code Execution Vulnerability" 1324 | }, 1325 | { 1326 | "ref": 
"https://pentestlab.blog/2018/05/15/lateral-movement-winrm/", 1327 | "cve": "CVE-NOMATCH", 1328 | "pat": "/WSMAN", 1329 | "checkurl": -1, 1330 | "name": "Microsoft Windows Remote Shell (WinRS) probe" 1331 | }, 1332 | { 1333 | "ref": "https://securiteam.com/exploits/5cp391f95w/", 1334 | "cve": "CVE-NOMATCH", 1335 | "pat": "/external.php", 1336 | "checkurl": 6, 1337 | "name": "Moodle or ArrowChat /external.php probe" 1338 | }, 1339 | { 1340 | "ref": "https://www.exploit-db.com/exploits/46085", 1341 | "cve": "CVE-NOMATCH", 1342 | "pat": "/fileman", 1343 | "checkurl": 6, 1344 | "name": "Roxy Fileman probe" 1345 | }, 1346 | { 1347 | "ref": "https://www.tenable.com/plugins/nessus/102174", 1348 | "cve": "CVE-2017-8225", 1349 | "pat": "/system.ini", 1350 | "checkurl": 6, 1351 | "name": "GoAhead System.ini Leak" 1352 | }, 1353 | { 1354 | "ref": "https://www.blackhatworld.com/seo/great-little-backlink-exploit-for-you-all.816182/", 1355 | "cve": "CVE-NOMATCH", 1356 | "pat": "/js/netsoltrademark.php", 1357 | "checkurl": -1, 1358 | "name": "netsoltrademark URL redirector scraping" 1359 | }, 1360 | { 1361 | "ref": "https://www.exploit-db.com/exploits/38728", 1362 | "cve": "CVE-NOMATCH", 1363 | "pat": "/download", 1364 | "checkurl": 6, 1365 | "name": "Allegrocart /download LFI/RFI" 1366 | }, 1367 | { 1368 | "ref": "https://www.exploit-db.com/exploits/43874", 1369 | "cve": "CVE-2017-11357", 1370 | "pat": "/Telerik.Web.UI.WebResource.axd", 1371 | "checkurl": 6, 1372 | "name": "Telerik UI for ASP.NET AJAX RadAsyncUpload uploader" 1373 | }, 1374 | { 1375 | "ref": "https://isc.sans.edu/diary/A+Quick+Update+on+Scanning+for+CVE-2019-19781+%28Citrix+ADC++Gateway+Vulnerability%29/25686", 1376 | "cve": "CVE-2019-19781", 1377 | "pat": "/vpn/../vpns/", 1378 | "checkurl": -1, 1379 | "name": "Citrix ADC / Gateway Vulnerability" 1380 | }, 1381 | { 1382 | "ref": "", 1383 | "cve": "CVE-NOMATCH", 1384 | "pat": "/Admind5b49149/Login.php", 1385 | "checkurl": -1, 1386 | "name": "Unknown AdminHEX 
probe" 1387 | }, 1388 | { 1389 | "ref": "", 1390 | "cve": "CVE-NOMATCH", 1391 | "pat": "/VSServices", 1392 | "checkurl": -1, 1393 | "name": "Unknown /VSServices probe" 1394 | }, 1395 | { 1396 | "ref": "https://www.exploit-db.com/exploits/44956", 1397 | "cve": "CVE-2018-0296", 1398 | "pat": "/+CSCOE+/logon.html", 1399 | "checkurl": -1, 1400 | "name": "Cisco Adaptive Security Appliance - Path Traversal" 1401 | }, 1402 | { 1403 | "ref": "https://www.exploit-db.com/exploits/47572", 1404 | "cve": "CVE-2019-17558", 1405 | "pat": "/solr/admin/cores", 1406 | "checkurl": -1, 1407 | "name": "Solr 8.2.0 RCE nodes probe" 1408 | }, 1409 | { 1410 | "ref": "https://www.zdnet.com/article/exploit-code-published-for-two-dangerous-apache-solr-remote-code-execution-flaws/", 1411 | "cve": "CVE-2017-12629", 1412 | "pat": "/solr", 1413 | "checkurl": -1, 1414 | "name": "Solr probe" 1415 | }, 1416 | { 1417 | "ref": "", 1418 | "cve": "CVE-NOMATCH", 1419 | "pat": "/.env", 1420 | "checkurl": -1, 1421 | "name": ".env probe" 1422 | }, 1423 | { 1424 | "ref": "https://nvd.nist.gov/vuln/detail/CVE-2013-5936", 1425 | "cve": "CVE-2013-5936", 1426 | "pat": "/hazelcast/rest/cluster", 1427 | "checkurl": -1, 1428 | "name": "Hazelcast cluster API probe" 1429 | }, 1430 | { 1431 | "ref": "https://nvd.nist.gov/vuln/detail/CVE-2013-5936", 1432 | "cve": "CVE-2013-5936", 1433 | "pat": "< NTP/1.", 1434 | "checkurl": -1, 1435 | "name": "Hazelcast cluster API probe" 1436 | }, 1437 | { 1438 | "ref": "https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/", 1439 | "cve": "CVE-2020-0618", 1440 | "pat": "/ReportServer", 1441 | "checkurl": -1, 1442 | "name": "RCE in MS-SQL Server Reporting Services (SSRS)" 1443 | }, 1444 | { 1445 | "ref": "https://hackaday.io/project/22162-arduino-fritzbox-login", 1446 | "cve": "CVE-NOMATCH", 1447 | "pat": "/login_sid.lua", 1448 | "checkurl": -1, 1449 | "name": "Fritzbox Login session ID leak" 1450 | }, 1451 | { 1452 | "ref": 
"https://nvd.nist.gov/vuln/detail/CVE-2018-16793", 1453 | "cve": "CVE-2018-16793", 1454 | "pat": "/owa/auth/logon.aspx", 1455 | "checkurl": -1, 1456 | "name": "MSFT OWA SSRF on login page" 1457 | }, 1458 | { 1459 | "ref": "", 1460 | "cve": "CVE-NOMATCH", 1461 | "pat": "/hudson", 1462 | "checkurl": -1, 1463 | "name": "Hudson probe" 1464 | }, 1465 | { 1466 | "ref": "", 1467 | "cve": "CVE-NOMATCH", 1468 | "pat": "/portal/redlion", 1469 | "checkurl": -1, 1470 | "name": "/portal/redlion probe" 1471 | }, 1472 | { 1473 | "ref": "https://blog.darwinapps.com/my-site-was-hacked-9640e3986e9e", 1474 | "cve": "CVE-NOMATCH", 1475 | "pat": "/wp-admin/plugin-install.php?tab=upload", 1476 | "checkurl": -1, 1477 | "name": "Checking for WordPress plugin installations" 1478 | }, 1479 | { 1480 | "ref": "https://www.cybersecurity-help.cz/vdb/SB2017032102", 1481 | "cve": "CVE-NOMATCH", 1482 | "pat": "/bitrix/admin", 1483 | "checkurl": -1, 1484 | "name": "Checking for Bitrix CMS installations" 1485 | }, 1486 | { 1487 | "ref": "https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html", 1488 | "cve": "CVE-2020-7961", 1489 | "pat": "/api/jsonws/invoke", 1490 | "checkurl": -1, 1491 | "name": "Liferay Portal JSON Web Service RCE Vulnerabilities" 1492 | }, 1493 | { 1494 | "ref": "https://www.exploit-db.com/exploits/48225", 1495 | "cve": "CVE-NOMATCH", 1496 | "pat": "/boaform/admin/formPing", 1497 | "checkurl": -1, 1498 | "name": "Netlink GPON Router 1.0.11 - Remote Code Execution" 1499 | }, 1500 | { 1501 | "ref": "https://www.exploit-db.com/exploits/43683", 1502 | "cve": "CVE-2018-5715", 1503 | "pat": "crm//index.php?action=Login&module=Users", 1504 | "checkurl": -1, 1505 | "name": "SugarCRM 3.5.1 - Cross-Site Scripting" 1506 | }, 1507 | { 1508 | "ref": "https://www.exploit-db.com/exploits/48268", 1509 | "cve": "CVE-2020-8515", 1510 | "pat": "/cgi-bin/mainfunction.cgi", 1511 | "checkurl": -1, 1512 | "name": "Multiple DrayTek Products - Pre-authentication Remote Root Code 
Execution" 1513 | }, 1514 | { 1515 | "ref": "https://www.exploit-db.com/exploits/43414", 1516 | "cve": "CVE-2017-17215", 1517 | "pat": "/ctrlt/DeviceUpgrade_1", 1518 | "checkurl": -1, 1519 | "name": "Huawei Router HG532 - Arbitrary Command Execution" 1520 | }, 1521 | { 1522 | "ref": "https://www.exploit-db.com/exploits/43984", 1523 | "cve": "CVE-NOMATCH", 1524 | "pat": "/incl/image_test.shtml?camnbr", 1525 | "checkurl": -1, 1526 | "name": "Axis SSI - Remote Command Execution / Read Files" 1527 | }, 1528 | { 1529 | "ref": "", 1530 | "cve": "CVE-NOMATCH", 1531 | "pat": "/is-sending", 1532 | "checkurl": -1, 1533 | "name": "Unknown /is-sending LFI" 1534 | }, 1535 | { 1536 | "ref": "https://github.com/elastic/elasticsearch/issues/27046", 1537 | "cve": "CVE-NOMATCH", 1538 | "pat": "/_cat/indices", 1539 | "checkurl": -1, 1540 | "name": "elasticsearch probe" 1541 | }, 1542 | { 1543 | "ref": "https://www.tenable.com/blog/duplicator-wordpress-plugin-vulnerability-exploited-in-the-wild", 1544 | "cve": "CVE-NOMATCH", 1545 | "pat": "action=duplicator_download", 1546 | "checkurl": -1, 1547 | "name": "Wordpress Duplicator LFI" 1548 | }, 1549 | { 1550 | "ref": "https://github.com/bediger4000/php-malware-analysis/tree/master/apikey.php", 1551 | "cve": "CVE-NOMATCH", 1552 | "pat": "/wp-content/plugins/apikey/apikey.php", 1553 | "checkurl": -1, 1554 | "name": "BabaYaga apikey.php probe" 1555 | }, 1556 | { 1557 | "ref": "https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml", 1558 | "cve": "CVE-2020-9054", 1559 | "pat": "/adv,/cgi-bin/weblogin.cgi?username=admin", 1560 | "checkurl": 6, 1561 | "name": "Zyxel NAS RCE Attempt" 1562 | }, 1563 | { 1564 | "ref": "https://www.exploit-db.com/exploits/41782", 1565 | "cve": "CVE-2017-6884", 1566 | "pat": "/cgi-bin/luci", 1567 | "checkurl": -1, 1568 | "name": "Zyxel, EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection" 1569 | }, 1570 | { 1571 | "ref": "https://routersecurity.org/bugs.php", 1572 | "cve": 
"CVE-NOMATCH", 1573 | "pat": "/htmlV/welcomeMain.htm", 1574 | "checkurl": -1, 1575 | "name": "GoAhead router default password probe" 1576 | }, 1577 | { 1578 | "ref": "https://www.cybersecurity-help.cz/vdb/SB2020042711", 1579 | "cve": "CVE-NOMATCH", 1580 | "pat": "/plugins/simple-file-list/ee-upload-engine.php", 1581 | "checkurl": -1, 1582 | "name": "WordPress Simple File List File Upload PHP RCE probe" 1583 | }, 1584 | { 1585 | "ref": "https://topic.alibabacloud.com/a/axis2-using-gadgets-cataar_8_8_31338697.html", 1586 | "cve": "CVE-NOMATCH", 1587 | "pat": "/axis2/services/Cat/exec?cmd=", 1588 | "checkurl": 6, 1589 | "name": "Apache Axis2 CMD injection" 1590 | }, 1591 | { 1592 | "ref": "https://labs.detectify.com/2012/11/16/local-file-inclusions-in-perlcgi/", 1593 | "cve": "CVE-NOMATCH", 1594 | "pat": "/cgi-bin/", 1595 | "checkurl": 6, 1596 | "name": "cgi-bin RFI attempt" 1597 | }, 1598 | { 1599 | "ref": "https://www.ispyconnect.com/man.aspx?n=china", 1600 | "cve": "CVE-NOMATCH", 1601 | "pat": "/snapshot.cgi?user=&pwd=", 1602 | "checkurl": 6, 1603 | "name": "Lorex IP camera password probe" 1604 | }, 1605 | { 1606 | "ref": "http://pierrekim.github.io/blog/2015-07-01-poc-with-RCE-against-127-iptime-router-models.html", 1607 | "cve": "CVE-NOMATCH", 1608 | "pat": "/sess-bin/login_session.cgi", 1609 | "checkurl": 6, 1610 | "name": "ipTIME firmware exploit" 1611 | }, 1612 | { 1613 | "ref": "https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day-en/", 1614 | "cve": "CVE-NOMATCH", 1615 | "pat": "/dvr/cmd", 1616 | "checkurl": -1, 1617 | "name": "LILIN DVR 0-day /dvr/cmd" 1618 | }, 1619 | { 1620 | "ref": "https://www.exploit-db.com/exploits/39683", 1621 | "cve": "CVE-NOMATCH", 1622 | "pat": "/operator/basic.shtml", 1623 | "checkurl": -1, 1624 | "name": "AXIS 206 Network Camera basic.shtml" 1625 | }, 1626 | { 1627 | "ref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/axis_login.rb", 1628 | "cve": 
"CVE-2010-0219", 1629 | "pat": "/axis2/axis2-admin/login", 1630 | "checkurl": -1, 1631 | "name": "AXIS2 default user and password exploit" 1632 | }, 1633 | { 1634 | "ref": "https://www.exploit-db.com/exploits/21220", 1635 | "cve": "CVE-NOMATCH", 1636 | "pat": "/vicidial/admin.php?ADD=", 1637 | "checkurl": -1, 1638 | "name": "Vicidialer SQLi" 1639 | }, 1640 | { 1641 | "ref": "https://www.exploit-db.com/exploits/47626", 1642 | "cve": "CVE-NOMATCH", 1643 | "pat": "/card_scan_decoder.php", 1644 | "checkurl": 6, 1645 | "name": "eMerge E3 Access Controller 4.6.07 - Remote Code Execution" 1646 | }, 1647 | { 1648 | "ref": "https://github.com/kubeflow/kubeflow/commit/f5250b017f126c63cca4c38114860f63b71c66d1", 1649 | "cve": "CVE-NOMATCH", 1650 | "pat": "/api/workgroup/exists", 1651 | "checkurl": -1, 1652 | "name": "K8s Kubeflow workflow probe" 1653 | }, 1654 | { 1655 | "ref": "https://www.f5.com/labs/articles/threat-intelligence/application-protection-report-2019-episode-5-api-breaches-and-the-visibility-problem", 1656 | "cve": "CVE-NOMATCH", 1657 | "pat": "/stalker_portal", 1658 | "checkurl": -1, 1659 | "name": "Infomir Stalker probe" 1660 | }, 1661 | { 1662 | "ref": "https://codegym.cc/groups/posts/51-creating-the-simplest-web-project-in-intellij-idea-enterprise-step-by-step-with-pictures", 1663 | "cve": "CVE-NOMATCH", 1664 | "pat": "/.idea/WebServers.xml", 1665 | "checkurl": -1, 1666 | "name": "IntelliJ IDEA IDE WebServers config file probe" 1667 | }, 1668 | { 1669 | "ref": "https://stackoverflow.com/questions/3671685/how-to-run-a-specific-phpunit-xml-testsuite", 1670 | "cve": "CVE-NOMATCH", 1671 | "pat": "/phpunit.xml", 1672 | "checkurl": -1, 1673 | "name": "PHP Unit config file probe" 1674 | }, 1675 | { 1676 | "ref": "https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/", 1677 | "cve": "CVE-NOMATCH", 1678 | "pat": "/trx_addons/v2/get/sc_layout", 1679 | "checkurl": -1, 1680 | "name": "ThemeREX RCE in sc_layout" 1681 | }, 1682 | { 
1683 | "ref": "https://twitter.com/vijithvellora/status/1279632391850455041", 1684 | "cve": "CVE-2020-5902", 1685 | "pat": "/tmui/login.jsp/..;/tmui/", 1686 | "checkurl": 6, 1687 | "name": "F5 TMUI RCE" 1688 | }, 1689 | { 1690 | "ref": "", 1691 | "cve": "CVE-NOMATCH", 1692 | "pat": "/admin/login.", 1693 | "checkurl": 6, 1694 | "name": "Looking for admin login pages" 1695 | }, 1696 | { 1697 | "ref": "https://www.techrepublic.com/article/access-cisco-command-output-from-your-web-browser/", 1698 | "cve": "CVE-NOMATCH", 1699 | "pat": "/level/15/exec/-/sh/run", 1700 | "checkurl": 6, 1701 | "name": "Cisco web /sh/run RCE" 1702 | }, 1703 | { 1704 | "ref": "https://www.techrepublic.com/article/access-cisco-command-output-from-your-web-browser/", 1705 | "cve": "CVE-NOMATCH", 1706 | "pat": "/goform/webLogin", 1707 | "checkurl": 6, 1708 | "name": "goform webLogin brute force attempt" 1709 | }, 1710 | { 1711 | "ref": "https://wpvulndb.com/vulnerabilities/10293", 1712 | "cve": "CVE-NOMATCH", 1713 | "pat": "/wp-content/plugins/angwp", 1714 | "checkurl": -1, 1715 | "name": "Adning Advertising < 1.5.6 - Unauthenticated Arbitrary File Upload/Deletion" 1716 | }, 1717 | { 1718 | "ref": "https://github.com/bediger4000/php-malware-analysis/tree/master/apikey.php/t_file_wp", 1719 | "cve": "CVE-NOMATCH", 1720 | "pat": "/t_file_wp.php?test=hello", 1721 | "checkurl": -1, 1722 | "name": "PHP backdoor probe" 1723 | }, 1724 | { 1725 | "ref": "https://www.securityfocus.com/bid/66443/exploit", 1726 | "cve": "CVE-NOMATCH", 1727 | "pat": "/kcfinder//browse.php", 1728 | "checkurl": -1, 1729 | "name": "KCFinder 'browse.php' Arbitrary File Upload Vulnerability" 1730 | }, 1731 | { 1732 | "ref": "https://www.securityfocus.com/bid/33702/exploit", 1733 | "cve": "CVE-2009-0545", 1734 | "pat": "/cgi-bin/kerbynet?", 1735 | "checkurl": 6, 1736 | "name": "ZeroShell 'cgi-bin/kerbynet' RCE" 1737 | }, 1738 | { 1739 | "ref": "https://qiita.com/hidenorly/items/b251cfb5d3985d7a794b", 1740 | "cve": "CVE-NOMATCH", 
1741 | "pat": "/tmpfs/auto.jpg", 1742 | "checkurl": -1, 1743 | "name": "SV3C IP Camera picture grab" 1744 | }, 1745 | { 1746 | "ref": "https://twitter.com/aboul3la/status/1286012324722155525", 1747 | "cve": "CVE-2020-3452", 1748 | "pat": "/+CSCOT+/", 1749 | "checkurl": -1, 1750 | "name": "Unauthenticated file read in Cisco ASA & Cisco Firepower" 1751 | }, 1752 | { 1753 | "ref": "https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html", 1754 | "cve": "CVE-2020-1147", 1755 | "pat": "/quicklinks", 1756 | "checkurl": -1, 1757 | "name": "Sharepoint CVE-2020-1147 deserialization RCE" 1758 | }, 1759 | { 1760 | "ref": "https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html", 1761 | "cve": "CVE-2019-0604", 1762 | "pat": "/_layouts/15/Picker.aspx", 1763 | "checkurl": -1, 1764 | "name": "Sharepoint CVE-2019-0604 deserialization RCE" 1765 | }, 1766 | { 1767 | "ref": "https://s3tools.org/kb/item14.htm", 1768 | "cve": "CVE-NOMATCH", 1769 | "pat": "/.s3cfg", 1770 | "checkurl": -1, 1771 | "name": "Amazon s3cmd .s3cfg file access attempt" 1772 | }, 1773 | { 1774 | "ref": "https://nvd.nist.gov/vuln/detail/CVE-2020-13640", 1775 | "cve": "CVE-2020-13640", 1776 | "pat": "/wp-content/plugins/wpdiscuz", 1777 | "checkurl": -1, 1778 | "name": "wpDiscuz plugin for WordPress fingerprinting" 1779 | }, 1780 | { 1781 | "ref": "https://wordpress.org/support/topic/rest-api-exposed-user-data-for-all-users/", 1782 | "cve": "CVE-2017-5487", 1783 | "pat": "/wp-json/wp/v2/users", 1784 | "checkurl": -1, 1785 | "name": "WordPress expose users through the API" 1786 | }, 1787 | { 1788 | "ref": "https://www.tenable.com/blog/do-you-know-where-your-upnp-is", 1789 | "cve": "CVE-NOMATCH", 1790 | "pat": "/UPnP/IGD.xml", 1791 | "checkurl": -1, 1792 | "name": "Home router UPnP IGD config probe" 1793 | }, 1794 | { 1795 | "ref": 
"https://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2y/12_2yt11/feature/guide/ft_its21.html", 1796 | "cve": "CVE-NOMATCH", 1797 | "pat": "/telephony-service.html", 1798 | "checkurl": -1, 1799 | "name": "Cisco IOS Telephony Service probe" 1800 | }, 1801 | { 1802 | "ref": "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/", 1803 | "cve": "CVE-NOMATCH", 1804 | "pat": "/wp-file-manager/lib/php/connector.minimal.php", 1805 | "checkurl": -1, 1806 | "name": "WordPress WP File Manager RCE in connector.minimal" 1807 | }, 1808 | { 1809 | "ref": "https://securityaffairs.co/wordpress/107826/hacking/file-manager-wordpress-plugin-flaw.html", 1810 | "cve": "CVE-NOMATCH", 1811 | "pat": "/wp-file-manager/lib/files/x.php", 1812 | "checkurl": 6, 1813 | "name": "WordPress WP File Manager RCE in x.php" 1814 | }, 1815 | { 1816 | "ref": "https://www.wordfence.com/blog/2017/07/wpsetup-attack/", 1817 | "cve": "CVE-NOMATCH", 1818 | "pat": "/wp-admin/setup-config.php?step=1", 1819 | "checkurl": -1, 1820 | "name": "WordPress setup-config probe" 1821 | }, 1822 | { 1823 | "ref": "https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html", 1824 | "cve": "CVE-2017-18377", 1825 | "pat": "/set_ftp.cgi?loginuse=&loginpas=&next_url=ftp.htm&port=", 1826 | "checkurl": 6, 1827 | "name": "Wireless IP Camera (P2P) WIFICAM RCE in /set_ftp.cgi" 1828 | }, 1829 | { 1830 | "ref": "https://twitter.com/obsecurus/status/1309490069930217474", 1831 | "cve": "CVE-NOMATCH", 1832 | "pat": "/link?url=", 1833 | "checkurl": 6, 1834 | "name": "Goblin Panda C2 Crawler" 1835 | }, 1836 | { 1837 | "ref": "https://twitter.com/chybeta/status/1316416189527068672", 1838 | "cve": "CVE-2020-15227", 1839 | "pat": "/nette.micro?callback=shell_exec", 1840 | "checkurl": 6, 1841 | "name": "PHP framework nette callback RCE" 1842 | }, 1843 | { 1844 | "ref": "https://codecanyon.net/item/super-interactive-maps-for-wordpress/15712620", 1845 | "cve": "CVE-NOMATCH", 1846 | "pat": 
"/wp-content/plugins/super-interactive-maps", 1847 | "checkurl": -1, 1848 | "name": "Probe for Super Interactive Maps for WordPress" 1849 | }, 1850 | { 1851 | "ref": "https://twitter.com/sans_isc/status/1322131189612843010", 1852 | "cve": "CVE-2020-14882", 1853 | "pat": "/console/images/%252E%252E%252Fconsole.portal", 1854 | "checkurl": 6, 1855 | "name": "Oracle WebLogic RCE" 1856 | }, 1857 | { 1858 | "ref": "https://wpscan.com/vulnerability/10471", 1859 | "cve": "CVE-NOMATCH", 1860 | "pat": "/wp-content/plugins/ait-csv-import-export/admin/upload-handler.php", 1861 | "checkurl": -1, 1862 | "name": "AIT CSV Import / Export <= 3.0.3 - Unauthenticated Arbitrary File Upload" 1863 | }, 1864 | { 1865 | "ref": "", 1866 | "cve": "CVE-NOMATCH", 1867 | "pat": "/stalker_portal/c/", 1868 | "checkurl": -1, 1869 | "name": "Ministra IPTV Stalker Portal abuse attempt" 1870 | }, 1871 | { 1872 | "ref": "https://blog.quttera.com/post/exploitation-new-bug-wordpress-duplicator-plugin/", 1873 | "cve": "CVE-NOMATCH", 1874 | "pat": "/wp-admin/admin-ajax.php?action=duplicator_download&file=", 1875 | "checkurl": 6, 1876 | "name": "Wordpress Duplicator plugin arbitrary file read vuln" 1877 | }, 1878 | { 1879 | "ref": "https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html", 1880 | "cve": "CVE-NOMATCH", 1881 | "pat": "/wp-admin/admin-ajax.php?action=revslider_show_image&img=", 1882 | "checkurl": 6, 1883 | "name": "Wordpress Slider Revolution plugin arbitrary file read vuln" 1884 | }, 1885 | { 1886 | "ref": "", 1887 | "cve": "CVE-NOMATCH", 1888 | "pat": "/composer.", 1889 | "checkurl": -1, 1890 | "name": "Fingerprinting PHP software installed via a call to /composer.*" 1891 | }, 1892 | { 1893 | "ref": "http://h.foofus.net/?p=793", 1894 | "cve": "CVE-NOMATCH", 1895 | "pat": "/Autodiscover/Autodiscover.xml", 1896 | "checkurl": -1, 1897 | "name": "Microsoft Exchange Client Access Server (CAS) Autodiscover Enumeration Vulnerability probe" 1898 | }, 
1899 | { 1900 | "ref": "https://cxsecurity.com/issue/WLB-2019030198", 1901 | "cve": "CVE-NOMATCH", 1902 | "pat": "/wp-content/plugins/easy-wp-smtp-master/", 1903 | "checkurl": -1, 1904 | "name": "Easy WP SMTP plugin RCE" 1905 | }, 1906 | { 1907 | "ref": "https://swarm.ptsecurity.com/vulnerabilities-in-mcafee-epolicy-orchestrator/", 1908 | "cve": "CVE-2020-7318", 1909 | "pat": "/PolicyMgmt/policyDetailsCard.do?poID=19", 1910 | "checkurl": -1, 1911 | "name": "McAfee ePolicy Orchestrator reflected XSS" 1912 | }, 1913 | { 1914 | "ref": "https://vulners.com/myhack58/MYHACK58:62201994757", 1915 | "cve": "CVE-NOMATCH", 1916 | "pat": "/seeyon/htmlofficeservlet", 1917 | "checkurl": -1, 1918 | "name": "Zhiyuan OA A8 Getshell remote arbitrary file upload vulnerability" 1919 | }, 1920 | { 1921 | "ref": "https://vuldb.com/?id.94801", 1922 | "cve": "CVE-NOMATCH", 1923 | "pat": "/cgi-bin/ViewLog.asp", 1924 | "checkurl": -1, 1925 | "name": "ZyXEL ViewLog.asp command injection vulnerability" 1926 | }, 1927 | { 1928 | "ref": "https://www.webhostinghub.com/help/learn/wordpress/wordpress-emergency-password-reset-script", 1929 | "cve": "CVE-NOMATCH", 1930 | "pat": "/emergency.php", 1931 | "checkurl": -1, 1932 | "name": "Probe for emergency.php WP password reset trick" 1933 | }, 1934 | { 1935 | "ref": "", 1936 | "cve": "CVE-NOMATCH", 1937 | "pat": "/boaform/admin/formLogin?username", 1938 | "checkurl": -1, 1939 | "name": "Netlink GPON password guessing" 1940 | }, 1941 | { 1942 | "ref": "", 1943 | "cve": "CVE-NOMATCH", 1944 | "pat": "/typo3conf/ext/systemfile/Classes/Controller/data.php", 1945 | "checkurl": -1, 1946 | "name": "Unknown Typo3 systemfile probe" 1947 | }, 1948 | { 1949 | "ref": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26496", 1950 | "cve": "CVE-NOMATCH", 1951 | "pat": "/tools.cgi", 1952 | "checkurl": -1, 1953 | "name": "IP camera /tools.cgi probe" 1954 | }, 1955 | { 1956 | "ref": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26496", 1957 | "cve": 
"CVE-NOMATCH", 1958 | "pat": "/upload_json.ashx", 1959 | "checkurl": -1, 1960 | "name": "kindeditor arbitrary file upload vulnerability" 1961 | }, 1962 | { 1963 | "ref": "https://www.exploit-db.com/exploits/43984", 1964 | "cve": "CVE-NOMATCH", 1965 | "pat": "/incl/image_test.shtml?camnbr", 1966 | "checkurl": 6, 1967 | "name": "Axis SSI - Remote Command Execution / Read Files probe" 1968 | }, 1969 | { 1970 | "ref": "https://www.exploit-db.com/exploits/47407", 1971 | "cve": "CVE-2019-16679", 1972 | "pat": "/gila/?c=admin", 1973 | "checkurl": -1, 1974 | "name": "Gila CMS < 1.11.1 - Local File Inclusion" 1975 | }, 1976 | { 1977 | "ref": "https://www.exploit-db.com/exploits/49390", 1978 | "cve": "CVE-NOMATCH", 1979 | "pat": "/auth/requestreset", 1980 | "checkurl": -1, 1981 | "name": "Cockpit CMS 0.6.1 - password reset probe" 1982 | }, 1983 | { 1984 | "ref": "https://www.exploit-db.com/exploits/47280", 1985 | "cve": "CVE-NOMATCH", 1986 | "pat": "/module/tool_all/select_tool.php", 1987 | "checkurl": -1, 1988 | "name": "EyesOfNetwork 5.1 - Authenticated Remote Command Execution probe" 1989 | }, 1990 | { 1991 | "ref": "https://pagely.com/blog/unauthenticated-remote-code-execution-in-e-signature-plugin/", 1992 | "cve": "CVE-NOMATCH", 1993 | "pat": "/wp-admin/admin-ajax.php?action=sif_upload_file", 1994 | "checkurl": -1, 1995 | "name": "WordPress Unauthenticated Remote Code Execution in e-signature plugin probe" 1996 | }, 1997 | { 1998 | "ref": "https://blog.csdn.net/csdn_Pade/article/details/112974809", 1999 | "cve": "CVE-NOMATCH", 2000 | "pat": "/_ignition/execute-solution", 2001 | "checkurl": -1, 2002 | "name": "laravel <= 8.4.2 Debug RCE" 2003 | }, 2004 | { 2005 | "ref": "", 2006 | "cve": "CVE-NOMATCH", 2007 | "pat": "/terminals/main", 2008 | "checkurl": -1, 2009 | "name": "Unknown /terminals/main probe" 2010 | }, 2011 | { 2012 | "ref": "https://www.exploit-db.com/exploits/48149", 2013 | "cve": "CVE-2019-19356", 2014 | "pat": "/cgi-bin-igd/netcore_set.cgi", 2015 | 
"checkurl": -1, 2016 | "name": "Netis WF2419 2.2.36123 - Remote Code Execution" 2017 | }, 2018 | { 2019 | "ref": "https://twitter.com/elhackernet/status/1351868875714015234", 2020 | "cve": "CVE-2021-2109", 2021 | "pat": "/console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle", 2022 | "checkurl": 6, 2023 | "name": "Oracle WebLogic Server RCE via JNDI" 2024 | }, 2025 | { 2026 | "ref": "https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/", 2027 | "cve": "CVE-NOMATCH", 2028 | "pat": "/cgi-bin/jarrewrite.sh", 2029 | "checkurl": 6, 2030 | "name": "VisualDoor: SonicWall SSL-VPN Exploit" 2031 | }, 2032 | { 2033 | "ref": "https://vulners.com/openvas/OPENVAS:1361412562310114041", 2034 | "cve": "CVE-NOMATCH", 2035 | "pat": "/ISAPI/Security/userCheck", 2036 | "checkurl": -1, 2037 | "name": "Hikvision IP Camera Default Credentials" 2038 | }, 2039 | { 2040 | "ref": "https://www.programmersought.com/article/1033574325/", 2041 | "cve": "CVE-2017-7504", 2042 | "pat": "/jbossmq-httpil/HTTPServerILServlet", 2043 | "checkurl": -1, 2044 | "name": "JBOSS deserialization vulnerability recurrence" 2045 | }, 2046 | { 2047 | "ref": "https://twitter.com/sec715/status/1357985479862329344", 2048 | "cve": "CVE-NOMATCH", 2049 | "pat": "/v1/submissions/create", 2050 | "checkurl": -1, 2051 | "name": "Apache Spark RCE" 2052 | }, 2053 | { 2054 | "ref": "https://gist.github.com/FanqXu/36c5e0070fd8e0b6646993b4e386a6b1", 2055 | "cve": "CVE-2021-25646", 2056 | "pat": "/druid/indexer/v1/sampler", 2057 | "checkurl": -1, 2058 | "name": "Apache Druid RCE" 2059 | }, 2060 | { 2061 | "ref": "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc", 2062 | "cve": "CVE-NOMATCH", 2063 | "pat": "/systembc/password.php", 2064 | "checkurl": -1, 2065 | "name": "SystemBC password probe" 2066 | }, 2067 | { 2068 | "ref": "https://github.com/HoangKien1020/CVE-2021-23132", 2069 | "cve": "CVE-2021-23132", 2070 | 
"pat": "/error.php?cmd=", 2071 | "checkurl": 6, 2072 | "name": "Joomla RCE in com_media Joomla core <=3.9.24" 2073 | }, 2074 | { 2075 | "ref": "https://streaming-servers.com/knowledgebase/33/XtreamUI-TROUBLESHOOTING.html", 2076 | "cve": "CVE-NOMATCH", 2077 | "pat": "/system_api.php", 2078 | "checkurl": -1, 2079 | "name": "XStreamUI unknown issue in system-api.php probe" 2080 | }, 2081 | { 2082 | "ref": "https://news.knowledia.com/US/en/articles/unknown-zero-day-used-by-moobot-ddos-malware-b082eab74f8127269683ee331d5b14f36bd674dd", 2083 | "cve": "CVE-NOMATCH", 2084 | "pat": "/op_type=ping&destination", 2085 | "checkurl": 6, 2086 | "name": "Unknown Moobot /op_type CMD injection" 2087 | }, 2088 | { 2089 | "ref": "https://www.mageni.net/vulnerability/laravel-telescope-information-disclosure-vulnerability-112808", 2090 | "cve": "CVE-NOMATCH", 2091 | "pat": "/telescope/requests", 2092 | "checkurl": -1, 2093 | "name": "Laravel Telescope Information Disclosure Vulnerability" 2094 | }, 2095 | { 2096 | "ref": "https://www.sitelock.com/blog/passwords-publicly-exposed-by-malware/", 2097 | "cve": "CVE-NOMATCH", 2098 | "pat": "/idx_config/", 2099 | "checkurl": -1, 2100 | "name": "IndoXploit Shell probe" 2101 | }, 2102 | { 2103 | "ref": "https://vulners.com/nessus/ILO_DETECT.NASL", 2104 | "cve": "CVE-NOMATCH", 2105 | "pat": "/upnp/BasicDevice.xml", 2106 | "checkurl": -1, 2107 | "name": "iLO4 <= 2.73 reveals HW serial and model unauthenticated request" 2108 | }, 2109 | { 2110 | "ref": "https://blogs.akamai.com/sitr/2020/06/stealthworker-golang-based-brute-force-malware-still-an-active-threat.html", 2111 | "cve": "CVE-NOMATCH", 2112 | "pat": "/wp-content/themes/alternate-lite/inc/customizer.php", 2113 | "checkurl": -1, 2114 | "name": "Stealthworker backdoor scan" 2115 | }, 2116 | { 2117 | "ref": "", 2118 | "cve": "CVE-NOMATCH", 2119 | "pat": "/wp-content/plugins/instagram-feed/inc/admin/PluginSilentPicker.php", 2120 | "checkurl": -1, 2121 | "name": "Unknown probe for WP Instagram 
Feed plugin in PluginSilentPicker.php" 2122 | }, 2123 | { 2124 | "ref": "https://www.iptvsat-forum.com/threads/xtream-ui-r22f-full-download-update.168/", 2125 | "cve": "CVE-NOMATCH", 2126 | "pat": "/system_api.php", 2127 | "checkurl": -1, 2128 | "name": "Unknown probe for Xtream" 2129 | }, 2130 | { 2131 | "ref": "https://github.com/PAGalaxyLab/VulInfo/blob/master/D-Link/DIR-816/remote_cmd_exec_0/README.md", 2132 | "cve": "CVE-2019-10040", 2133 | "pat": "/goform/SystemCommand", 2134 | "checkurl": -1, 2135 | "name": "D-Link DIR-816 A2 Remote Command Execute" 2136 | }, 2137 | { 2138 | "ref": "https://vulners.com/zdt/1337DAY-ID-14323", 2139 | "cve": "CVE-NOMATCH", 2140 | "pat": "/ckfinder/ckfinder.html", 2141 | "checkurl": -1, 2142 | "name": "Ckfinder remote file Upload Vulnerability" 2143 | }, 2144 | { 2145 | "ref": "https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC", 2146 | "cve": "CVE-2021-21315", 2147 | "pat": "/api/getServices?name", 2148 | "checkurl": -1, 2149 | "name": "Node.JS System Information Library RCE" 2150 | }, 2151 | { 2152 | "ref": "https://www.exploit-db.com/ghdb/4589", 2153 | "cve": "CVE-NOMATCH", 2154 | "pat": "/.ftpconfig", 2155 | "checkurl": -1, 2156 | "name": "Probe for /.ftpconfig, left behind by Atom text editor" 2157 | }, 2158 | { 2159 | "ref": "https://www.exploit-db.com/exploits/25138", 2160 | "cve": "CVE-2013-1599", 2161 | "pat": "/cgi-bin/rtpd.cgi", 2162 | "checkurl": 6, 2163 | "name": "D-Link IP Cameras command injection" 2164 | }, 2165 | { 2166 | "ref": "https://attackerkb.com/topics/iAOGl5JHyI/cve-2020-25078", 2167 | "cve": "CVE-2020-25078", 2168 | "pat": "/config/getuser?index=0", 2169 | "checkurl": -1, 2170 | "name": "D-Link DCS-2530L password disclosure" 2171 | }, 2172 | { 2173 | "ref": "https://sypex.net/en/", 2174 | "cve": "CVE-NOMATCH", 2175 | "pat": "/sxd.js", 2176 | "checkurl": -1, 2177 | "name": "Sypex Dumper /sxd.js probe" 2178 | }, 2179 | { 2180 | "ref": 
"https://blog.sucuri.net/2012/11/psa-sftpftp-password-exposure-via-sftp-config-json.html", 2181 | "cve": "CVE-NOMATCH", 2182 | "pat": "/sftp-config.json", 2183 | "checkurl": -1, 2184 | "name": "SFTP config probe" 2185 | }, 2186 | { 2187 | "ref": "https://www.packer.io/guides/automatic-operating-system-installs/preseed_ubuntu", 2188 | "cve": "CVE-NOMATCH", 2189 | "pat": "/preseed.cfg", 2190 | "checkurl": -1, 2191 | "name": "Debian fingerprint probe via preseed.cfg" 2192 | }, 2193 | { 2194 | "ref": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0921", 2195 | "cve": "CVE-2006-0921", 2196 | "pat": "/connector.php?Command=GetFoldersAndFiles", 2197 | "checkurl": 6, 2198 | "name": "FCKeditor 2.0 FC directory traversal in GetFoldersAndFiles command" 2199 | }, 2200 | { 2201 | "ref": "https://vulners.com/dsquare/E-714", 2202 | "cve": "CVE-NOMATCH", 2203 | "pat": "/bscpgraph.jsp", 2204 | "checkurl": -1, 2205 | "name": "File disclosure vulnerability in Oracle E-Business bscpgraph.jsp" 2206 | }, 2207 | { 2208 | "ref": "", 2209 | "cve": "CVE-NOMATCH", 2210 | "pat": "/wifidog/logincheck/?authtype=web&user=asdf;`", 2211 | "checkurl": 6, 2212 | "name": "Wifidog user param command injection in logincheck" 2213 | }, 2214 | { 2215 | "ref": "", 2216 | "cve": "CVE-NOMATCH", 2217 | "pat": "/restapps/applications.php", 2218 | "checkurl": 6, 2219 | "name": "FreePBX command injection in user param" 2220 | }, 2221 | { 2222 | "ref": "https://packetstormsecurity.com/files/127522/Trixbox-XSS-LFI-SQL-Injection-Code-Execution.html", 2223 | "cve": "CVE-2014-5112", 2224 | "pat": "/maint/modules/home/index.php", 2225 | "checkurl": 6, 2226 | "name": "Trixbox XSS / LFI / SQL Injection / Code Execution" 2227 | }, 2228 | { 2229 | "ref": "https://www.exploit-db.com/raw/49927", 2230 | "cve": "CVE-2020-11978", 2231 | "pat": "/api/experimental/dags/example_trigger_target_dag/paused/false", 2232 | "checkurl": -1, 2233 | "name": "Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution" 2234 | 
}, 2235 | { 2236 | "ref": "https://www.joesandbox.com/analysis/369903/0/lighthtml", 2237 | "cve": "CVE-NOMATCH", 2238 | "pat": "/fb16/fre.php", 2239 | "checkurl": -1, 2240 | "name": "Lokibot C2 check" 2241 | }, 2242 | { 2243 | "ref": "https://www.exploit-db.com/exploits/49321", 2244 | "cve": "CVE-NOMATCH", 2245 | "pat": "/include/makecvs.php", 2246 | "checkurl": 6, 2247 | "name": "TerraMaster TOS 4.2.06 - RCE" 2248 | }, 2249 | { 2250 | "ref": "", 2251 | "cve": "CVE-NOMATCH", 2252 | "pat": "/images/Nxrs4tAtO", 2253 | "checkurl": -1, 2254 | "name": "Ursnif C2 probe" 2255 | }, 2256 | { 2257 | "ref": "", 2258 | "cve": "CVE-NOMATCH", 2259 | "pat": "/tot43/", 2260 | "checkurl": -1, 2261 | "name": "Trickbot C2 probe" 2262 | }, 2263 | { 2264 | "ref": "https://swarm.ptsecurity.com/unauth-rce-vmware/", 2265 | "cve": "CVE-2021-21972", 2266 | "pat": "/ui/vropspluginui/rest/services/uploadova", 2267 | "checkurl": -1, 2268 | "name": "VMware vCenter RCE" 2269 | }, 2270 | { 2271 | "ref": "https://vuldb.com/?id.169016", 2272 | "cve": "CVE-2020-25506", 2273 | "pat": "/cgi-bin/system_mgr.cgi", 2274 | "checkurl": -1, 2275 | "name": "D-Link DNS-320 2.06b01 Revision Ax /cgi-bin/system_mgr.cgi command injection" 2276 | }, 2277 | { 2278 | "ref": "https://www.exploit-db.com/exploits/45909", 2279 | "cve": "CVE-2016-1555", 2280 | "pat": "/boardDataWW.php", 2281 | "checkurl": -1, 2282 | "name": "Netgear WN604 before 3.3.3 RCE in /boardDataWW.php" 2283 | }, 2284 | { 2285 | "ref": "https://www.tenable.com/blog/cve-2017-7391-vulnerability-in-magento-mass-import-magmi-plugin-exploited-in-the-wild", 2286 | "cve": "CVE-2017-7391", 2287 | "pat": "/conf/magmi.ini", 2288 | "checkurl": -1, 2289 | "name": "Magento Mass Import (MAGMI) Plugin Fingerprinting" 2290 | }, 2291 | { 2292 | "ref": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/zero-day-in-magmi-database-client-for-popular-e-commerce-platform-magento-targeted-in-the-wild/", 2293 | "cve": "CVE-NOMATCH", 2294 | "pat": 
"/magmi/web/download_file.php?file=", 2295 | "checkurl": -1, 2296 | "name": "Magento Mass Import (MAGMI) Plugin LFI Exploit Attempt" 2297 | }, 2298 | { 2299 | "ref": "https://cocojam.jp/wordpress/332", 2300 | "cve": "CVE-NOMATCH", 2301 | "pat": "/dup-installer/main.installer.php", 2302 | "checkurl": -1, 2303 | "name": "Wordpress Duplicator installer probe" 2304 | }, 2305 | { 2306 | "ref": "", 2307 | "cve": "CVE-NOMATCH", 2308 | "pat": "/3index.php?f=", 2309 | "checkurl": 6, 2310 | "name": "3index.php LFI" 2311 | }, 2312 | { 2313 | "ref": "https://twitter.com/GossiTheDog/status/1424673929382268932", 2314 | "cve": "CVE-2021-34473", 2315 | "pat": "autodiscover/autodiscover.json", 2316 | "checkurl": 6, 2317 | "name": "ProxyShell scanner (OWA vuln)" 2318 | }, 2319 | { 2320 | "ref": "https://wordpress.org/support/topic/how-to-stop-lock360-php/", 2321 | "cve": "CVE-NOMATCH", 2322 | "pat": "/lock360.php", 2323 | "checkurl": -1, 2324 | "name": "/lock360.php backdoor probe" 2325 | }, 2326 | { 2327 | "ref": "https://nvd.nist.gov/vuln/detail/CVE-2018-20057", 2328 | "cve": "CVE-2018-20057", 2329 | "pat": "/goform/formSysCmd", 2330 | "checkurl": -1, 2331 | "name": "DLink formSysCmd RCE" 2332 | }, 2333 | { 2334 | "ref": "https://github.com/liferay/liferay-portal/tree/master/modules/apps/headless/headless-delivery", 2335 | "cve": "CVE-NOMATCH", 2336 | "pat": "/headless-delivery", 2337 | "checkurl": -1, 2338 | "name": "Liferay Portal /headless-delivery fingerprinting" 2339 | }, 2340 | { 2341 | "ref": "https://nvd.nist.gov/vuln/detail/CVE-2018-18441", 2342 | "cve": "CVE-2018-18441", 2343 | "pat": "/common/info.cgi", 2344 | "checkurl": -1, 2345 | "name": "D-Link Devices 'info.cgi' information exposure" 2346 | }, 2347 | { 2348 | "ref": "https://community.cloudflare.com/t/community-tip-tools-and-resources/44869", 2349 | "cve": "CVE-NOMATCH", 2350 | "pat": "1.1.1.1/cdn-cgi/trace", 2351 | "checkurl": -1, 2352 | "name": "Using CFlare DNS /trace endpoint to test proxying IP" 2353 | }, 2354 
| { 2355 | "ref": "https://wordpress.org/support/topic/can-the-plugin-be-hacked/", 2356 | "cve": "CVE-NOMATCH", 2357 | "pat": "/xindex.php?idb=", 2358 | "checkurl": 6, 2359 | "name": "Unknown xindex.php RFI in idb param" 2360 | }, 2361 | { 2362 | "ref": "https://s3tools.org/kb/item14.htm", 2363 | "cve": "CVE-NOMATCH", 2364 | "pat": "s3cmd.ini", 2365 | "checkurl": -1, 2366 | "name": "s3cmd.ini AWS S3 config fetch" 2367 | }, 2368 | { 2369 | "ref": "", 2370 | "cve": "CVE-NOMATCH", 2371 | "pat": "/musicplayer/checkgp", 2372 | "checkurl": -1, 2373 | "name": "Unknown /musicplayer/checkgp probe" 2374 | }, 2375 | { 2376 | "ref": "", 2377 | "cve": "CVE-NOMATCH", 2378 | "pat": "/plugins/wp-file-manager/readme.txt", 2379 | "checkurl": -1, 2380 | "name": "Fingerprinting WP file manager plugin" 2381 | }, 2382 | { 2383 | "ref": "", 2384 | "cve": "CVE-NOMATCH", 2385 | "pat": "/servlet?m=mod_listener", 2386 | "checkurl": -1, 2387 | "name": "Tomcat mod_listener servlet info disclosure" 2388 | }, 2389 | { 2390 | "ref": "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md", 2391 | "cve": "CVE-2021-26084", 2392 | "pat": "/pages/doenterpagevariables.action", 2393 | "checkurl": -1, 2394 | "name": "Remote Code Execution on Confluence Servers" 2395 | }, 2396 | { 2397 | "ref": "https://github.com/h3v0x/CVE-2021-26084_Confluence", 2398 | "cve": "CVE-2021-26084", 2399 | "pat": "/pages/createpage-entervariables.action?SpaceKey=", 2400 | "checkurl": -1, 2401 | "name": "Confluence Server Webwork OGNL injection" 2402 | }, 2403 | { 2404 | "ref": "", 2405 | "cve": "CVE-NOMATCH", 2406 | "pat": "/api/v/index/queryOfficePage?officeCode=customHomeLink", 2407 | "checkurl": -1, 2408 | "name": "Unknown queryOfficePage probe" 2409 | }, 2410 | { 2411 | "ref": "https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/", 2412 | "cve": "CVE-2021-35395", 2413 | "pat": "/goform/formWsc", 2414 | "checkurl": -1, 2415 | "name": "Realtek SDK - multiple home routers - 
formWsc command injection" 2416 | }, 2417 | { 2418 | "ref": "https://twitter.com/arkbird_solg/status/1153966583963951104?lang=en", 2419 | "cve": "CVE-NOMATCH", 2420 | "pat": "/recv4.php", 2421 | "checkurl": -1, 2422 | "name": "WebMonitor RAT C2 probe" 2423 | }, 2424 | { 2425 | "ref": "https://stackoverflow.com/questions/62651830/grok-filter-for-confluence-logs", 2426 | "cve": "CVE-NOMATCH", 2427 | "pat": "/login.action?os_destination=%2Findex.action", 2428 | "checkurl": -1, 2429 | "name": "Confluence login check" 2430 | }, 2431 | { 2432 | "ref": "https://gist.github.com/code-machina/bae5555a771062f2a8225fd4731ae3f7", 2433 | "cve": "CVE-2018-13379", 2434 | "pat": "/remote/fgt_lang?lang=", 2435 | "checkurl": 6, 2436 | "name": "path traversal vulnerability in the FortiOS SSL VPN web portal" 2437 | }, 2438 | { 2439 | "ref": "https://www.exploit-db.com/exploits/48483", 2440 | "cve": "CVE-2020-7209", 2441 | "pat": "/linuxki/experimental/vis/kivis.php?type=kitrace", 2442 | "checkurl": 6, 2443 | "name": "HP LinuxKI 6.01 - Remote Command Injection" 2444 | }, 2445 | { 2446 | "ref": "https://www.zerodayinitiative.com/blog/2020/5/8/details-on-the-oracle-weblogic-vulnerability-being-exploited-in-the-wild", 2447 | "cve": "CVE-2020-2883", 2448 | "pat": "/analytics/jbips/messagebroker/as", 2449 | "checkurl": -1, 2450 | "name": "Oracle WebLogic Deserialization Bug" 2451 | }, 2452 | { 2453 | "ref": "https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-pinterest-automatic-plugin/", 2454 | "cve": "CVE-NOMATCH", 2455 | "pat": "/wp-pinterest-automatic/process_form.php", 2456 | "checkurl": -1, 2457 | "name": "WordPress Pinterest Automatic plugin configuration injection" 2458 | }, 2459 | { 2460 | "ref": "", 2461 | "cve": "CVE-NOMATCH", 2462 | "pat": "/gbrgbr.php?a=", 2463 | "checkurl": 6, 2464 | "name": "Unknown gbrgbr.php command injection vulnerability" 2465 | }, 2466 | { 2467 | "ref": "", 2468 | "cve": "CVE-NOMATCH", 2469 | "pat": "/CGI/Execute", 2470 | "checkurl": -1, 
2471 | "name": "Unknown Cisco Voip Phone CiscoIPPhoneExecute injection" 2472 | }, 2473 | { 2474 | "ref": "https://www.vmware.com/security/advisories/VMSA-2021-0020.html", 2475 | "cve": "CVE-2021-22005", 2476 | "pat": "/analytics/telemetry/ph/api/hyper/send?_c&_i", 2477 | "checkurl": -1, 2478 | "name": "VMware vCenter file upload and RCE" 2479 | }, 2480 | { 2481 | "ref": "https://blog.netlab.360.com/rimasuta-spread-with-ruijie-0day/", 2482 | "cve": "CVE-NOMATCH", 2483 | "pat": "/wget_test.asp?", 2484 | "checkurl": 6, 2485 | "name": "RUIJIE 0day, possible Mirai_peta_Rimasuta attempt" 2486 | }, 2487 | { 2488 | "ref": "https://www.hotelesestelar.com/sites/all/libraries/elfinder/README.txt", 2489 | "cve": "CVE-2019-9194", 2490 | "pat": "/all/libraries/elfinder/connectors/php/connector.php", 2491 | "checkurl": -1, 2492 | "name": "Drupal elFinder command injection vuln" 2493 | }, 2494 | { 2495 | "ref": "https://httpd.apache.org/security/vulnerabilities_24.html", 2496 | "cve": "CVE-2021-41773", 2497 | "pat": "%2e/", 2498 | "checkurl": 6, 2499 | "name": "Apache 2.4.49 path traversal bug" 2500 | }, 2501 | { 2502 | "ref": "https://httpd.apache.org/security/vulnerabilities_24.html", 2503 | "cve": "CVE-2021-42013", 2504 | "pat": ".%%32%65/", 2505 | "checkurl": 6, 2506 | "name": "Apache 2.4.50 path traversal bug" 2507 | }, 2508 | { 2509 | "ref": "", 2510 | "cve": "CVE-NOMATCH", 2511 | "pat": "/yealink/dialplan.xml", 2512 | "checkurl": 6, 2513 | "name": "Unknown Yealink dialplan.xml fetch" 2514 | }, 2515 | { 2516 | "ref": "https://packetstormsecurity.com/files/162993/OptiLink-ONT1GEW-GPON-2.1.11_X101-Remote-Code-Execution.html", 2517 | "cve": "CVE-NOMATCH", 2518 | "pat": "/boaform/admin/formLogin", 2519 | "checkurl": -1, 2520 | "name": "OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 - Remote Code Execution (Authenticated)" 2521 | }, 2522 | { 2523 | "ref": "https://www.wordfence.com/blog/2021/10/1000000-sites-affected-by-optinmonster-vulnerabilities/", 2524 | "cve": 
"CVE-NOMATCH", 2525 | "pat": "/wp-json/omapp/v1/", 2526 | "checkurl": -1, 2527 | "name": "OptiMonster vulnerability probe" 2528 | }, 2529 | { 2530 | "ref": "https://github.com/ghost-nemesis/cve-2021-20837-poc", 2531 | "cve": "CVE-2021-20837", 2532 | "pat": "/cgi-bin/mt/mt-xmlrpc.cgi", 2533 | "checkurl": -1, 2534 | "name": "MovableType RCE in mt-xmlrpc.cgi" 2535 | }, 2536 | { 2537 | "ref": "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776", 2538 | "cve": "CVE-NOMATCH", 2539 | "pat": "/sitecore/shell/ClientBin/Reporting/Report.ashx", 2540 | "checkurl": -1, 2541 | "name": "SiteCore Report.ashx RCE" 2542 | }, 2543 | { 2544 | "ref": "https://www.cybersecuritywebtest.com/google-hacking-database/dork-ghdb~6902", 2545 | "cve": "CVE-NOMATCH", 2546 | "pat": "/CSS/Miniweb.css", 2547 | "checkurl": -1, 2548 | "name": "Rockwell Automation Miniweb probe" 2549 | }, 2550 | { 2551 | "ref": "https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-2950", 2552 | "cve": "CVE-2020-2950", 2553 | "pat": "/analytics/jbips/", 2554 | "checkurl": -1, 2555 | "name": "Oracle-BE AML deserialization flaw" 2556 | }, 2557 | { 2558 | "ref": "https://haxolot.com/posts/2021/manageengine_opmanager_pre_auth_rce/", 2559 | "cve": "CVE-2021-3287", 2560 | "pat": "/servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet", 2561 | "checkurl": -1, 2562 | "name": "Pre-Auth RCE in ManageEngine OPManager" 2563 | }, 2564 | { 2565 | "ref": "https://www.exploit-db.com/exploits/37166", 2566 | "cve": "CVE-NOMATCH", 2567 | "pat": "/wp-content/plugins/dzs-zoomsounds", 2568 | "checkurl": -1, 2569 | "name": "WordPress dzs-zoomsounds Plugins Remote File Upload Vulnerability" 2570 | }, 2571 | { 2572 | "ref": "", 2573 | "cve": "CVE-NOMATCH", 2574 | "pat": "/dispatch.asp", 2575 | "checkurl": -1, 2576 | "name": "Unknown /dispatch.asp probe" 2577 | }, 2578 | { 2579 | "ref": "http://forum.micasaverde.com/index.php?topic=12137.15", 2580 | "cve": "CVE-NOMATCH", 2581 | "pat": "/tmpfs/snap.jpg", 
2582 | "checkurl": -1, 2583 | "name": "H.264 exploit for /tmpfs/snap.jpg" 2584 | }, 2585 | { 2586 | "ref": "https://manualzz.com/doc/60189684/juniper-jsa-series-virtual-appliance-admin-guide", 2587 | "cve": "CVE-NOMATCH", 2588 | "pat": "/admin.jsa", 2589 | "checkurl": -1, 2590 | "name": "Juniper JSA probe" 2591 | }, 2592 | { 2593 | "ref": "https://civicrm.org/blog/totten/advisory-openflashchart-attacks", 2594 | "cve": "CVE-NOMATCH", 2595 | "pat": "/php-ofc-library/ofc_upload_image.php", 2596 | "checkurl": -1, 2597 | "name": "OpenFlashChart CiviCRM upload vuln probe" 2598 | }, 2599 | { 2600 | "ref": "https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j", 2601 | "cve": "CVE-2021-44228", 2602 | "pat": "jndi:", 2603 | "checkurl": 6, 2604 | "name": "Apache Log4j2 <=2.14.1 JNDI RCE" 2605 | }, 2606 | { 2607 | "ref": "https://www.programmerall.com/article/85042065389/", 2608 | "cve": "CVE-NOMATCH", 2609 | "pat": "/seeyon/thirdpartyController.do.css/..;/ajax.do", 2610 | "checkurl": -1, 2611 | "name": "Zhiyuan OA ajax.do arbitrary file upload vulnerability" 2612 | }, 2613 | { 2614 | "ref": "https://vulmon.com/vulnerabilitydetails?qid=CVE-2021-32682&scoretype=cvssv2", 2615 | "cve": "CVE-2021-32682", 2616 | "pat": "/elfinder/php/connector", 2617 | "checkurl": -1, 2618 | "name": "elFinder Archive Command Injection" 2619 | }, 2620 | { 2621 | "ref": "https://pentest-tools.com/blog/detect-zoho-rce-cve-2021-40539", 2622 | "cve": "CVE-NOMATCH", 2623 | "pat": "/showLogin.cc", 2624 | "checkurl": -1, 2625 | "name": "ManageEngine ADSelfService Plus probe" 2626 | }, 2627 | { 2628 | "ref": "", 2629 | "cve": "CVE-NOMATCH", 2630 | "pat": "/onebets-ecp/api/v1/floatingads", 2631 | "checkurl": -1, 2632 | "name": "Unknown Onebets ECP 'floatingads' API probe" 2633 | }, 2634 | { 2635 | "ref": "", 2636 | "cve": "CVE-NOMATCH", 2637 | "pat": "/altibaseIntSearch/common/login.jsp", 2638 | "checkurl": -1, 2639 | "name": "Unknown Altibase probe for login.jsp" 2640 | }, 
2641 | { 2642 | "ref": "", 2643 | "cve": "CVE-NOMATCH", 2644 | "pat": "/elog.cfg", 2645 | "checkurl": -1, 2646 | "name": "Easylogger config probe" 2647 | }, 2648 | { 2649 | "ref": "", 2650 | "cve": "CVE-NOMATCH", 2651 | "pat": "/slicemap.php?wall=", 2652 | "checkurl": -1, 2653 | "name": "Unknown slicemap.php PHP injection probe" 2654 | }, 2655 | { 2656 | "ref": "https://twitter.com/AnnaViolet20/status/1523564632140509184", 2657 | "cve": "CVE-2022-1388", 2658 | "pat": "/mgmt/tm/util/bash", 2659 | "checkurl": -1, 2660 | "name": "F5 bash cmd injection" 2661 | }, 2662 | { 2663 | "ref": "", 2664 | "cve": "CVE-NOMATCH", 2665 | "pat": "/owa.zip", 2666 | "checkurl": -1, 2667 | "name": "Outlook ZIP backup probe" 2668 | }, 2669 | { 2670 | "ref": "https://packetstormsecurity.com/files/165366/Alfa-Team-Shell-Tesla-4.1-Remote-Code-Execution.html", 2671 | "cve": "CVE-NOMATCH", 2672 | "pat": "/alfacgiapi/perl.alfa", 2673 | "checkurl": -1, 2674 | "name": "ALFA TEAM SHELL TESLA 4.1 - 'cmd' Remote Code Execution (Unauthenticated)" 2675 | }, 2676 | { 2677 | "ref": "https://telemetr.me/content/sipvoip/3", 2678 | "cve": "CVE-NOMATCH", 2679 | "pat": "/Electron/download/windows/", 2680 | "checkurl": -1, 2681 | "name": "3cx-management-console Exploit vulnerability" 2682 | }, 2683 | { 2684 | "ref": "https://borncity.com/win/2022/09/30/exchange-server-werden-ber-0-day-exploit-angegriffen-29-sept-2022/", 2685 | "cve": "CVE-2022-41082", 2686 | "pat": "/owa/auth/RedirSuiteServiceProxy.aspx", 2687 | "checkurl": -1, 2688 | "name": "MS Exchange RCE with PowerShell and RedirSuiteServiceProxy" 2689 | }, 2690 | { 2691 | "ref": "https://socradar.io/threat-actors-exploit-unpatched-microsoft-exchange-zero-days/", 2692 | "cve": "CVE-2022-41082", 2693 | "pat": "/owa/auth/pxh4HG1v.ashx", 2694 | "checkurl": -1, 2695 | "name": "MS Exchange RCE with PowerShell dropped webshell pxh4HG1v.ashx probe" 2696 | }, 2697 | { 2698 | "ref": "https://github.com/wingo/esmtp/blob/master/sample.esmtprc", 2699 | "cve": 
"CVE-NOMATCH", 2700 | "pat": "/esmtprc", 2701 | "checkurl": -1, 2702 | "name": "ESMTP rc file probe" 2703 | }, 2704 | { 2705 | "ref": "https://cybersafenv.org/2021/08/13/scanning-for-microsoft-exchange-ediscovery-fri-aug-13th/", 2706 | "cve": "CVE-2021-42321", 2707 | "pat": "/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application", 2708 | "checkurl": -1, 2709 | "name": "MS Exchange eDiscovery probe" 2710 | }, 2711 | { 2712 | "ref": "https://github.com/lucksec/VMware-CVE-2022-22954", 2713 | "cve": "CVE-2022-22954", 2714 | "pat": "/catalog-portal/ui/oauth/verify", 2715 | "checkurl": -1, 2716 | "name": "VMware CVE-2022-22954 Workspace ONE Access Freemarker RCE" 2717 | }, 2718 | { 2719 | "ref": "https://securitylab.github.com/advisories/GHSL-2020-325_326-nacos/", 2720 | "cve": "CVE-2021-29441", 2721 | "pat": "/nacos/v1/cs/configs", 2722 | "checkurl": -1, 2723 | "name": "Authentication bypass in Nacos" 2724 | }, 2725 | { 2726 | "ref": "https://twitter.com/jas502n/status/1316982337716908033", 2727 | "cve": "CVE-NOMATCH", 2728 | "pat": "/eam/vib?id=", 2729 | "checkurl": -1, 2730 | "name": "Unauthenticated Arbitrary File Read vulnerability in VMware vCenter" 2731 | }, 2732 | { 2733 | "ref": "https://packetstormsecurity.com/files/168328/InTouch-Access-Anywhere-Secure-Gateway-2020-R2-Path-Traversal.html", 2734 | "cve": "CVE-2022-23854", 2735 | "pat": "/AccessAnywhere/", 2736 | "checkurl": -1, 2737 | "name": "InTouch Access Anywhere Secure Gateway 2020 R2 Path Traversal" 2738 | }, 2739 | { 2740 | "ref": "https://github.com/alt3kx/CVE-2021-21985_PoC/blob/main/CVE-2021-21985.nse", 2741 | "cve": "CVE-2021-21985", 2742 | "pat": "/ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData", 2743 | "checkurl": -1, 2744 | "name": "VMware vCenter Server CVE-2021-21985 Remote Code Execution Vulnerability" 2745 | }, 2746 | { 2747 | "ref": 
"https://github.com/chroblert/AssetManage/blob/1024c864fe3e0e1b5715ce742476dd2d1b2a67ae/Util/nmap-7.80/scripts/CVE-2019-19781.nse#L44", 2748 | "cve": "CVE-2019-19781", 2749 | "pat": "/logon/LogonPoint/tmindex.html", 2750 | "checkurl": -1, 2751 | "name": "CITRIX Application Delivery Controller (ADC) potencialmente vulnerables a CVE-2019-19781" 2752 | }, 2753 | { 2754 | "ref": "https://blog.sucuri.net/2023/05/vulnerability-in-essential-addons-for-elementor-leads-to-mass-infection.html", 2755 | "cve": "CVE-NOMATCH", 2756 | "pat": "/wp-content/plugins/hellopress/wp_mna.php", 2757 | "checkurl": -1, 2758 | "name": "Probe for fake Hellopress WP plugin - file uploader" 2759 | }, 2760 | { 2761 | "ref": "https://www.fortiguard.com/encyclopedia/ips/52884", 2762 | "cve": "CVE-2023-26801", 2763 | "pat": "/goform/set_LimitClient_cfg", 2764 | "checkurl": -1, 2765 | "name": "LB-LINK.goform.set_LimitClient_cfg.Command.Injection" 2766 | }, 2767 | { 2768 | "ref": "https://gist.github.com/blackknight36/9669f6c3cc74a1d15e2f35bda64fcab1", 2769 | "cve": "CVE-NOMATCH", 2770 | "pat": "/wp-admin/admin-ajax.php?action=showbiz_ajax_action&client_action=update_plugin", 2771 | "checkurl": -1, 2772 | "name": "WP Showbiz update_plugin attempt to upload a file" 2773 | }, 2774 | { 2775 | "ref": "https://beaglesecurity.com/blog/vulnerability/dockerrun-aws-configuration-exposure.html", 2776 | "cve": "CVE-NOMATCH", 2777 | "pat": "/Dockerrun.aws.json", 2778 | "checkurl": -1, 2779 | "name": "Dockerrun AWS Configuration Exposure" 2780 | }, 2781 | { 2782 | "ref": "https://unit42.paloaltonetworks.com/cobalt-strike-team-server/", 2783 | "cve": "CVE-NOMATCH", 2784 | "pat": "GET stager", 2785 | "checkurl": -1, 2786 | "name": "Attempt to get CobaltStrike stager" 2787 | }, 2788 | { 2789 | "ref": "https://adapt.to/2019/presentations/adaptto2019-securing-aem-webapps-by-hacking-them-mikhail-egorov.pdf", 2790 | "cve": "CVE-2016-0957", 2791 | "pat": "GET /bin/querybuilder.json", 2792 | "checkurl": -1, 2793 | "name": 
"AEM dispatcher bypass" 2794 | } 2795 | ] 2796 | -------------------------------------------------------------------------------- /wwwids_rules.schema: -------------------------------------------------------------------------------- 1 | { 2 | "properties" : { 3 | "ref": {"type" : "string"}, 4 | "cve": {"type" : "string"}, 5 | "pat": {"type" : "string"}, 6 | "checkurl": {"type": "number"}, 7 | "name": {"type" : "string"} 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /yara.fs: -------------------------------------------------------------------------------- 1 | // https://github.com/maliceio/malice-yara 2 | 3 | open System 4 | open System.IO 5 | open System.Security.Cryptography 6 | open System.Text 7 | 8 | type YaraString = { 9 | Name : string; 10 | Offset : int; 11 | Data : string 12 | } 13 | 14 | type YaraMeta = { 15 | Description : string; 16 | Author : string; 17 | Date : System.DateTime; 18 | Reference : string; 19 | Filetype : string; 20 | } 21 | 22 | type YaraMatches = { 23 | Rule : string; 24 | Namespace : string; 25 | Tags : string list; 26 | Meta : YaraMeta; 27 | Strings : YaraString list; 28 | } 29 | 30 | (* 31 | suspicious_packer_section [packer,PE] [author="@j0sm1",date="2016/10/21",description="The packer/protector section names/keywords",reference="http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/",filetype="binary"] /Users/jose/honeynet/src/third-party/cowrie/dl/66db87ab10f7f6f8e4501d92039438527ced100bd43205b63b572ee51cfece61 32 | 0xcb9ea4:$s13: MEW 33 | 0x1c4ff0b:$s13: MEW 34 | 0x20c3a33:$s13: MEW 35 | 0x289510c:$s13: MEW 36 | 0x4f6ff86:$s13: MEW 37 | 0x624f37a:$s13: MEW 38 | 0x637908c:$s13: MEW 39 | 0x7102303:$s13: MEW 40 | 0x73e2acd:$s13: MEW 41 | 0x7c29a47:$s13: MEW 42 | 0x1bfea0c:$s61: .yP 43 | 0x3ab7ce8:$s61: .yP 44 | 0x4912dcb:$s61: .yP 45 | 0x4e11b65:$s61: .yP 46 | *) 47 | 48 | let yarascan (rulefile: string) (filename: string) : YaraMatches = 49 | let 
yaraStrings(input: string []) : YaraString list = 50 | let splitLine (line: string) : YaraString = 51 | let [|offset;name;data|] = line.Split([|':'|]) 52 | {Offset=offset |> int; 53 | Name=name; 54 | Data=System.Convert.ToBase64String(System.Text.Encoding.ASCII.GetBytes(data.Trim()))} 55 | input |> Array.map splitLine |> List.ofArray 56 | 57 | let yaraMeta(input: string) : YaraMeta = 58 | let meta = input.Split(',') 59 | |> Array.map (fun x -> x.Split('=')) 60 | |> Array.map (fun x -> (x.[0],x.[1].Replace("\"", ""))) 61 | |> Map.ofArray 62 | let getByKey(key: string) (meta : Map) : string = 63 | match Map.tryFind key meta with 64 | | Some(x) -> x 65 | | None -> "" 66 | let metaDate (date: string) : System.DateTime = 67 | match date with 68 | | "" -> System.DateTime.UtcNow 69 | | _ -> System.DateTime.Parse date 70 | {Description=getByKey "description" meta; 71 | Author=getByKey "author" meta; 72 | Date=getByKey "date" meta |> metaDate; 73 | Reference=getByKey "reference" meta; 74 | Filetype=getByKey "filetype" meta} 75 | 76 | let p = new Diagnostics.Process() 77 | p.StartInfo.FileName <- "/usr/local/bin/yara" 78 | p.StartInfo.Arguments <- String.Format("-sgm {0} {1}", rulefile, filename) 79 | p.StartInfo.UseShellExecute <- false 80 | p.StartInfo.RedirectStandardOutput <- true 81 | p.Start() |> ignore 82 | let output = p.StandardOutput.ReadToEnd().Split([|'\n'|]) // parse 83 | p.Close() 84 | let paren = System.Text.RegularExpressions.Regex("\[[^]]*\]") 85 | let matches = paren.Matches(output.[0]) 86 | let matchToValue (m : System.Text.RegularExpressions.Match) = m.Value.TrimStart('[').TrimEnd(']') 87 | let ms = Seq.map matchToValue (Seq.cast matches) 88 | {Rule=output.[0].Split(' ').[0]; 89 | Namespace=""; 90 | Meta=Seq.skip 1 ms |> Seq.head |> yaraMeta; 91 | Tags=(Seq.head ms).Split([|','|]) |> List.ofArray; 92 | Strings=output.[1..] |> yaraStrings} --------------------------------------------------------------------------------