Recently I ran across a tweet from Packet Watcher (@jinq102030) recommending that you keep an eye on HTTP status code 522 for possible malware check-ins. A 522 can mean several things, but from an IR perspective it is potentially a malicious host that has been pulled offline while a client is still trying to connect to it. So I got our intern to check the Bro logs and see what he could find.
zcat http* | bro-cut ts id.orig_h id.resp_h host status_code | awk '$5 == 522'

1467159441.247406 - 522
1467160356.407366 - 522
1467161271.647320 - 522
1467163102.087490 - 522
1467164017.337316 - 522
1467164932.547084 - 522
1467182323.201685 - 522
1467183238.447046 - 522
1467184153.641505 - 522
1467185068.903194 - 522

There was other traffic that turned out to be false positives, but you could easily tell that this IP was checking this site on a regular basis. Out of 4GB of compressed Bro logs for the day we only had about 200 lines that matched, so a very low noise ratio.
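The bro-cut/awk one-liner above lists the 522 hits; what makes the hit above stand out is the near-constant interval between them (about 915 seconds, with one doubled gap for a missed check-in). The following added example, not part of the original diary, parses Bro http.log records and scores each (client, server, host) group of 522 responses for timer-like regularity, tolerating missed beacons. The log sample is constructed: the 522 timestamps are copied from the diary output, while the hosts, uids and ports are made up.

```python
import statistics
from collections import defaultdict

# Constructed sample in Bro (now Zeek) http.log format: tab-separated, '-' = empty.
# The 522 timestamps for 10.0.0.5 are the ones from the diary output above;
# the hosts, uids and ports are made up.
SAMPLE_HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\thost\tstatus_code",
    "1467159000.000000\tC1\t10.0.0.9\t40001\t198.51.100.20\t80\tcdn.example\t522",
    "1467159100.000000\tC2\t10.0.0.9\t40002\t198.51.100.20\t80\tcdn.example\t522",
    "1467159441.247406\tC3\t10.0.0.5\t49152\t203.0.113.10\t80\tupdates.example\t522",
    "1467159500.000000\tC4\t10.0.0.7\t49153\t198.51.100.20\t80\twww.example\t200",
    "1467160356.407366\tC5\t10.0.0.5\t49154\t203.0.113.10\t80\tupdates.example\t522",
    "1467161271.647320\tC6\t10.0.0.5\t49155\t203.0.113.10\t80\tupdates.example\t522",
    "1467163102.087490\tC7\t10.0.0.5\t49156\t203.0.113.10\t80\tupdates.example\t522",
    "1467165000.000000\tC8\t10.0.0.9\t40003\t198.51.100.20\t80\tcdn.example\t522",
])

def parse_http_log(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def find_522_beacons(records, min_hits=3, max_drift=0.05):
    """Group 522 responses per (client, server, host) and score how regular the
    check-in interval is. A gap of roughly k * period (a missed check-in) is
    tolerated: drift is measured against the nearest multiple of the median
    interval. Only groups whose worst-case drift is within max_drift are returned."""
    by_peer = defaultdict(list)
    for r in records:
        if r["status_code"] == "522":
            by_peer[(r["id.orig_h"], r["id.resp_h"], r["host"])].append(float(r["ts"]))
    beacons = {}
    for key, stamps in by_peer.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = statistics.median(gaps)
        drift = max(abs(g - max(1, round(g / period)) * period) / period for g in gaps)
        if drift <= max_drift:
            beacons[key] = {"hits": len(stamps), "period": round(period), "drift": drift}
    return beacons

if __name__ == "__main__":
    for key, info in find_522_beacons(parse_http_log(SAMPLE_HTTP_LOG)).items():
        print(key, info)
```

The irregular cdn.example hits are dropped because their gaps (100 s and 5900 s) fit no common period, while the 10.0.0.5 group is reported with a 915 second period and negligible drift.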

When looking at the full packet capture of the system in question, we were able to tell that it was compromised and had downloaded a bot.

cat min ./sh.

This is certainly something we are going to keep looking at for finding more compromised systems.


Tom Webb


(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

The leak over the weekend of advanced hacking tools contains digital signatures that are almost identical to those in software used by the state-sponsored Equation Group, according to a just-published report from security firm Kaspersky Lab.

"While we cannot surmise the attacker's identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group," Kaspersky researchers wrote in a blog post published Tuesday afternoon.

The finding is significant because it lends credibility to claims made by a mysterious group calling itself ShadowBrokers. When members of the previously unknown group claimed in a blog post that they hacked Equation Group and obtained never-before-seen exploits and implants it used, outsiders were understandably skeptical. The publication of state-sponsored hacking tools is an extremely rare if not unprecedented event that is sure to catch the attention of leaders all over the world.




Two former employees of the National Security Agency—including exiled whistleblower Edward Snowden—are speculating that Monday's leak of what are now confirmed to be advanced hacking tools belonging to the US government is connected to the separate high-profile hacks and subsequent leaks of two Democratic groups.

Private security firms brought in to investigate the breach of the Democratic National Committee and a separate hack of the Democratic Congressional Campaign Committee have said that the software left behind implicates hackers tied to the Russian government. US intelligence officials have privately said they, too, have high confidence of Russian government involvement.

In the weeks following the reports, WikiLeaks and an unknown person using the moniker Guccifer 2.0 have published a steady stream of documents. One batch released just ahead of last month's Democratic National Convention contained embarrassing private conversations that led to the resignation of DNC Chair Debra Wasserman Schultz. A more recent installment included a spreadsheet detailing the cell phone numbers, e-mail addresses, and other personal information of every Democratic member of the House of Representatives. The Obama administration has signaled that it may impose new economic sanctions on Russia in response to what critics claim are Russian attempts to disrupt or influence the US presidential election.


cracklib CVE-2016-6318 Local Stack Buffer Overflow Vulnerability
[ERPSCAN-16-023] Potential backdoor via hardcoded system ID
[ERPSCAN-16-022] SAP Hybris E-commerce Suite VirtualJDBC - Default Credentials
[security bulletin] HPSBHF03441 rev.1 - HPE iLO 3 and iLO 4 and iLO 4 mRCA, Remote Multiple Vulnerabilities
[security bulletin] HPSBGN03634 rev.1 - HPE Enterprise Solution Sizers and Storage Sizer running Smart Update, Remote Arbitrary Code Execution
IBM Forms Experience Builder CVE-2016-0370 Unspecified Cross Site Scripting Vulnerability
Lepton CMS PHP Code Injection
Lepton CMS Archive Directory Traversal
Cybozu Mailwise CVE-2016-4843 Information Disclosure Vulnerability
Cybozu Mailwise CVE-2016-4842 Information Disclosure Vulnerability
Cybozu Mailwise CVE-2016-4841 Email Header Injection Vulnerability
OpenSSH CVE-2016-1908 Security Bypass Vulnerability
OpenSSH CVE-2016-3115 Remote Command Injection Vulnerability
PCRE CVE-2016-1283 Heap Buffer Overflow Vulnerability