Sinkholing Suspicious Scripts or Executables on Linux, (Fri, Jul 25th)

When you need to analyze a suspicious piece of code, it's interesting to detonate it in a sandbox. If you don't have a complete sandbox environment available, or you just want to avoid generating noise on your network, why not route the traffic to a sinkhole or null-route it (read: packets won't be sent across the normal network and default gateway)?
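
One way to get that null-route or sinkhole without touching the host's own routing table is a throwaway Linux network namespace. The script below is an added example written for this page, not the diary's own tooling: in blackhole mode the namespace's only default routes (v4 and v6) are null routes, so the sample's connect() and sendto() calls fail and nothing ever reaches the real default gateway; in sinkhole mode a dummy interface owns a local address, the default route points at it, and outbound TCP is DNATed to a listener you run inside the namespace so you can see what the sample asks for. The namespace name, the 10.255.255.1 address, port 8080 and the use of iptables for the DNAT rule are all assumptions of the example.

```python
#!/usr/bin/env python3
"""Detonate a suspicious script or binary inside a throwaway Linux network
namespace whose only route is a blackhole (null-route) or a local sinkhole.

Added example for illustration; not the diary's own tooling. Needs root
(CAP_NET_ADMIN/CAP_SYS_ADMIN) for a real run; dry_run=True only prints the
plan. Namespace name, sinkhole address and port are assumptions."""
import os
import subprocess
import sys
import time

SINK_IP = "10.255.255.1"  # assumption: an address nothing on your LAN uses
SINK_PORT = 8080          # assumption: port of the fake-service listener


def setup_commands(ns="sinkhole", mode="blackhole"):
    """Return the ip(8)/iptables(8) commands that build the namespace.

    blackhole: the default routes are null routes, so connect()/sendto() fail
               immediately and no packet ever leaves the host.
    sinkhole:  a dummy interface owns SINK_IP, the default route points at it,
               and every outbound TCP connection is DNATed to SINK_IP:SINK_PORT
               so the sample talks to a listener you control instead of its C2.
    """
    ex = ["ip", "netns", "exec", ns]
    cmds = [
        ["ip", "netns", "add", ns],
        ex + ["ip", "link", "set", "lo", "up"],
    ]
    if mode == "blackhole":
        cmds += [
            ex + ["ip", "route", "add", "blackhole", "default"],
            ex + ["ip", "-6", "route", "add", "blackhole", "default"],
        ]
    elif mode == "sinkhole":
        cmds += [
            ex + ["ip", "link", "add", "sink0", "type", "dummy"],
            ex + ["ip", "addr", "add", f"{SINK_IP}/24", "dev", "sink0"],
            ex + ["ip", "link", "set", "sink0", "up"],
            ex + ["ip", "route", "add", "default", "dev", "sink0"],
            # assumption: iptables (legacy or nft-backed) is installed on the host
            ex + ["iptables", "-t", "nat", "-A", "OUTPUT", "-p", "tcp",
                  "-j", "DNAT", "--to-destination", f"{SINK_IP}:{SINK_PORT}"],
            ex + ["ip", "-6", "route", "add", "blackhole", "default"],
        ]
    else:
        raise ValueError(f"unknown mode: {mode!r}")
    return cmds


def teardown_commands(ns="sinkhole"):
    """Deleting the namespace also drops its routes, interfaces and nat rules."""
    return [["ip", "netns", "delete", ns]]


def detonate_command(argv, ns="sinkhole"):
    """The sample itself, wrapped so it only sees the namespace's network."""
    return ["ip", "netns", "exec", ns] + list(argv)


def _run_all(cmds, dry_run):
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)


def detonate(argv, ns="sinkhole", mode="blackhole", listener=None, dry_run=False):
    """Build the namespace, optionally start a listener in it, run argv inside
    it, and always tear the namespace down. Returns the sample's exit status,
    or None in dry-run mode."""
    if not dry_run and os.geteuid() != 0:
        raise PermissionError("creating network namespaces requires root")
    _run_all(setup_commands(ns, mode), dry_run)
    proc = None
    try:
        if listener and not dry_run:
            proc = subprocess.Popen(detonate_command(listener, ns))
            time.sleep(1)  # give the listener a moment to bind
        cmd = detonate_command(argv, ns)
        if dry_run:
            print(" ".join(cmd))
            return None
        return subprocess.run(cmd).returncode
    finally:
        if proc is not None:
            proc.terminate()
        _run_all(teardown_commands(ns), dry_run)


if __name__ == "__main__":
    # usage: sinkhole.py [--sinkhole] [--dry-run] <command...>
    args = sys.argv[1:]
    mode = "sinkhole" if "--sinkhole" in args else "blackhole"
    dry = "--dry-run" in args
    sample = [a for a in args if a not in ("--sinkhole", "--dry-run")]
    if not sample:
        sys.exit("usage: sinkhole.py [--sinkhole] [--dry-run] <command...>")
    # assumption: Python's stdlib http.server stands in for a fake-service listener
    fake = ["python3", "-m", "http.server", "--bind", SINK_IP, str(SINK_PORT)]
    rc = detonate(sample, mode=mode, listener=fake if mode == "sinkhole" else None,
                  dry_run=dry)
    print(f"sample exit status: {rc}")
```

`sudo python3 sinkhole.py --dry-run bash ./sample.sh` prints the plan; without `--dry-run` it executes it and removes the namespace afterwards even if the sample crashes. Two caveats a practitioner should keep in mind: DNS goes nowhere as well, so a sample that needs a resolver answer before doing anything interesting may simply exit early (sinkhole mode only redirects TCP; UDP would need its own DNAT rule), and a network namespace isolates networking only, so the sample still sees the real filesystem and runs with whatever privileges you give it. Run it as an unprivileged user and, ideally, inside a disposable VM.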

New Tool: ficheck.py, (Thu, Jul 24th)

As I mention every time I teach FOR577, I have been a big fan of file integrity monitoring (FIM) tools since Gene Kim first released Tripwire well over 30 years ago. I've used quite a few of them over the years, including tripwire, OSSEC, samhain, and aide, just to name a few. For many years, I used the fcheck Perl script (by Michael A. Gumienny) that was available as an apt package on Ubuntu, because it was lightning fast. Unfortunately, sometime between Ubuntu 16.04 and Ubuntu 20.04 (my memory fails me as to exactly when), it slowed down on many of the systems I managed to the point where, instead of being able to run it 4-6 times a day, it would now sometimes take more than 24 hours to run. And that was just running it on select directories, not the entire system the way I run tools like aide. Though I started writing Perl scripts in 1989, I didn't spend any time trying to figure out why fcheck was suddenly having so many issues.

I let it go for quite a while, but a few months ago I started thinking about it again and decided I'd write a look-alike in Python. What I'm releasing today is not quite complete, hence the 0.9.0 version number, but I've been using it on about a dozen systems (Debian and Ubuntu, though it should run just fine on any Linux with Python 3.9 or newer; probably older, too, but again I haven't tried it on anything older) for about 6 months. I still want to add a couple of things, including the ability to include additional config files like the .local.cfg that fcheck had, rather than having to put all the additions into the primary config.
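
To make concrete what a tool in the fcheck family does, here is a small file-integrity monitor added for this page. It is not ficheck.py and makes no claim about ficheck's internals; the attribute set, the JSON baseline layout and the `init`/`check` subcommands are assumptions of the example. It records mode, owner, size, mtime, ctime and a SHA-256 digest for every file under a tree (hashing the target of symlinks rather than following them), saves that as a baseline, and on the next run reports what was added, removed or changed and which attributes moved. The `demo()` function builds a constructed temporary tree and tampers with it so the script can be run stand-alone.

```python
#!/usr/bin/env python3
"""Minimal file-integrity monitor in the spirit of fcheck: snapshot a tree's
metadata and SHA-256 digests into a JSON baseline, then report what was
added, removed or changed on a later run.

Added example; this is not ficheck.py. The attribute set, JSON layout and
command-line shape are assumptions made for this illustration."""
import hashlib
import json
import os
import stat
import sys
import tempfile

# Attributes compared, in report order. ctime is included because a user-land
# attacker can forge mtime with touch(1)/utime(2) but cannot set ctime directly.
ATTRS = ("mode", "uid", "gid", "size", "mtime", "ctime", "sha256")


def _sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root, exclude=()):
    """Return {relative_path: {attr: value}} for everything under root.
    exclude holds paths relative to root that are skipped entirely."""
    excluded = {os.path.abspath(os.path.join(root, e)) for e in exclude}
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # prune excluded subtrees in place so os.walk never descends into them
        dirnames[:] = [d for d in dirnames
                       if os.path.abspath(os.path.join(dirpath, d)) not in excluded]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.abspath(full) in excluded:
                continue
            st = os.lstat(full)  # lstat: record the link itself, never follow it
            entry = {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid,
                     "size": st.st_size, "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns}
            if stat.S_ISREG(st.st_mode):
                entry["sha256"] = _sha256_file(full)
            elif stat.S_ISLNK(st.st_mode):
                # hash the link target so a redirected symlink shows up as changed
                entry["sha256"] = hashlib.sha256(os.readlink(full).encode()).hexdigest()
            else:
                entry["sha256"] = None  # sockets, fifos, devices: metadata only
            snap[os.path.relpath(full, root)] = entry
    return snap


def compare(baseline, current):
    """Diff two snapshots: (added paths, removed paths, {path: [attrs that differ]})."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        diff = [a for a in ATTRS if baseline[path].get(a) != current[path].get(a)]
        if diff:
            changed[path] = diff
    return added, removed, changed


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed sample tree: between baseline and check one file is
    rewritten, one gets a setuid bit, one is deleted and one is added."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    os.mkdir(os.path.join(root, "sub"))
    for rel, data in (("a.txt", b"hello"), ("sub/b.txt", b"x"), ("sub/tool", b"#!/bin/sh\n")):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    baseline = snapshot(root)
    with open(os.path.join(root, "a.txt"), "wb") as f:
        f.write(b"hello world")                            # content change
    os.chmod(os.path.join(root, "sub", "tool"), 0o4755)    # setuid bit added
    os.remove(os.path.join(root, "sub", "b.txt"))          # file removed
    with open(os.path.join(root, "new.txt"), "wb") as f:
        f.write(b"dropped")                                # file added
    return baseline, compare(baseline, snapshot(root))


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] in ("init", "check"):
        _, cmd, root, db = sys.argv
        if cmd == "init":
            save_baseline(snapshot(root), db)
        else:
            added, removed, changed = compare(load_baseline(db), snapshot(root))
            for p in added:
                print("ADDED   ", p)
            for p in removed:
                print("REMOVED ", p)
            for p, attrs in changed.items():
                print("CHANGED ", p, ",".join(attrs))
            sys.exit(1 if (added or removed or changed) else 0)
    else:
        baseline, (added, removed, changed) = demo()
        print("demo:", added, removed, changed)
```

`python3 fim.py init /etc /var/lib/fim/etc.json` takes the baseline and `python3 fim.py check /etc /var/lib/fim/etc.json` exits non-zero when anything differs, which is what you want for a cron job. Two things that matter more than the code: keep the baseline somewhere an attacker who gains root cannot quietly rewrite it (off-host, or on media mounted read-only), and expect mtime alone to be unreliable, which is why ctime and the digest are compared as well. Hashing every file on every run is what makes full-system checks slow; a tool that only hashes when size, mtime or ctime moved is faster but will miss a same-size, timestamp-restored replacement.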

Analyzing Sharepoint Exploits (CVE-2025-53770, CVE-2025-53771), (Wed, Jul 23rd)

A few days after the exploit first became widely known, many different SharePoint exploit attempts are now in circulation. We do see some scans by researchers to identify vulnerable systems (or to scan for common artifacts of compromise), and a few variations of the “ToolPane.aspx” URL being hit. Even on our “random” honeypots, the number of hits has increased significantly without our having to emulate SharePoint any better.
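
Because the URL variations are what make naive string matching miss hits, the detector below, an added example and not the diary's or the honeypot's own code, normalizes the request path before checking it: it percent-decodes repeatedly (catching double encoding), collapses `//`, `./` and `..` segments, and lowercases, so `/_layouts/15/%54oolPane.aspx` and `/_layouts//15/./toolpane.aspx` land in the same bucket as the plain spelling. It then counts hits per source and the distinct raw variants seen. The combined-format log lines are constructed for the example (documentation-range addresses, invented query strings); the only thing taken from the page is that requests for ToolPane.aspx are what to watch for.

```python
#!/usr/bin/env python3
"""Flag web-server requests for SharePoint's ToolPane.aspx in combined-format
access logs, normalising the path first so case, percent-encoding and dot
segment variants all match.

Added example, not the diary's or the honeypot's own code. The log lines
below are constructed with documentation (TEST-NET) addresses."""
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

WATCHED_BASENAMES = {"toolpane.aspx"}  # extend with other basenames you track

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log: two encoded/odd spellings of the same path, one
# benign request to another _layouts page, and one unparseable line.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jul/2025:10:01:02 +0000] "POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Jul/2025:10:01:05 +0000] "POST /_layouts/15/%54oolPane.aspx?DisplayMode=Edit HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Jul/2025:10:02:00 +0000] "GET /_layouts//15/./toolpane.aspx HTTP/1.1" 404 0 "-" "python-requests/2.32"
203.0.113.9 - - [23/Jul/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Jul/2025:10:03:01 +0000] "GET /_layouts/15/start.aspx HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is not a valid log entry and is skipped
"""


def normalize_path(url, rounds=3):
    """Canonical form of the path part of a request URL."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    for _ in range(rounds):  # undo double/triple percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # normpath collapses //, ./ and .. ; lstrip keeps a POSIX '//' prefix from surviving
    path = posixpath.normpath(path.replace("\\", "/")).lower()
    return "/" + path.lstrip("/")


def parse_line(line):
    """One combined-log line -> dict with a normalised 'path', or None if unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = normalize_path(rec["url"])
    rec["query"] = rec["url"].partition("?")[2]
    return rec


def scan(text):
    """Return the parsed records whose normalised path ends in a watched basename."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and posixpath.basename(rec["path"]) in WATCHED_BASENAMES:
            hits.append(rec)
    return hits


def summarize(hits):
    """(hit count per source IP, count per distinct raw method+URL variant)."""
    per_ip = Counter(h["ip"] for h in hits)
    variants = Counter((h["method"], h["url"]) for h in hits)
    return dict(per_ip), dict(variants)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits = scan(text)
    per_ip, variants = summarize(hits)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]:>15} {h["method"]} {h["status"]} {h["url"]}')
    print("per source:", per_ip)
    print("variants:", variants)
```

Point it at a real access log with `python3 toolpane_hits.py access.log`. The status code is kept in each hit on purpose: on a honeypot every hit is interesting, but on a production SharePoint front end a 200 to a ToolPane.aspx POST from an unexpected source deserves a closer look than a 404, and the raw `url` and `query` fields are what you would pivot on when comparing the variants in circulation.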
