Author Archives: SANS Internet Storm Center, InfoCON: green

Tool updates: lots of security and logic fixes, (Mon, Mar 23rd)

Posted on by

So, I&#;x26;#;39;ve been slow to get on the Claude Code/OpenCode/Codex/OpenClaw bandwagon, but I had some time last week so I asked Claude to review (/security-review) some of my python scripts. He found more than I&#;x26;#;39;d like to admit, so I checked in a bunch of updates. In reviewing his suggestions, he was right, I made some stupid mistakes, some of which have been sitting in there for a long time. It was nothing earth-shattering and it took almost no time for Claude, it took longer for me to read through the updates he wanted to make, figure out what he was seeing, and decide whether to accept them or tweak them. Here are a few of them.

Continue reading Tool updates: lots of security and logic fixes, (Mon, Mar 23rd)

Posted in Uncategorized

Interesting Message Stored in Cowrie Logs, (Wed, Mar 18th)

Posted on by

This activity was found and reported by BACS student Adam Thorman&#xc2&#x3b;&#xa0&#x3b;as part of one of his assignments which I posted his final paper &#x5b&#x3b;1&#x5d&#x3b; last week. This activity appeared to only have occurred on the 19 Feb 2026 where at least 2 sensors detected on the same day by DShield sensor in the cowrie logs an echo command that included: “MAGIC_PAYLOAD_KILLER_HERE_OR_LEAVE_EMPTY_iranbot_was_here“. My DShield sensor captured activity from source IP 64.89.161.198 between 30 Jan – 22 Feb 2026 that included portscans, a successful login via Telnet (TCP/23) and web access that included all the activity listed below captured by the DShield sensor (cowrie, webhoneypot & iptables logs).

Continue reading Interesting Message Stored in Cowrie Logs, (Wed, Mar 18th)

Posted in Uncategorized

Scans for “adminer”, (Wed, Mar 18th)

Posted on by

A very popular target of attackers scanning our honeypots is “phpmyadmin”. phpMyAdmin is a script first released in the late 90s, before many security concepts had&#;x26;#;xc2;&#;x26;#;xa0;been discovered. It&#;x26;#;39;s rich history of vulnerabilities made it a favorite target. Its alternative, “adminer”, began appearing about a decade later (https://www.adminer.org). One of its main “selling” points was simplicity. Adminer is just a single PHP file. It requires no configuration. Copy it to your server, and you are ready to go. “adminer” has a much better security record&#;x26;#;xc2;&#;x26;#;xa0;and claims to prioritize security in its development.

Continue reading Scans for “adminer”, (Wed, Mar 18th)

Posted in Uncategorized

IPv4 Mapped IPv6 Addresses, (Tue, Mar 17th)

Posted on by

Yesterday, in my diary about the scans for “/proxy/” URLs, I noted how attackers are using IPv4-mapped IPv6 addresses to possibly obfuscate their attack. These addresses are defined in RFC 4038. These addresses are one of the many transition mechanisms used to retain some backward compatibility as IPv6 is deployed. Many modern applications use IPv6-only networking code. IPv4-mapped IPv6 addresses can be used to represent IPv4 addresses in these cases. IPv4-mapped IPv6 addresses are not used on the network, but instead, translated to IPv4 before a packet is sent.

Continue reading IPv4 Mapped IPv6 Addresses, (Tue, Mar 17th)

Posted in Uncategorized