Security – techish.net

June 6, 2022 0 comments

Disable TLS 1.0 and TLS 1.1 on Nginx and Enable TLS 1.2 and TLS 1.3

SSL/TLS protocol settings may be specified in the primary Nginx configuration file (usually located at /etc/nginx/nginx.conf), or in your site configuration files. Look for a line beginning with ssl_protocols. For example, the following is from the default nginx.conf file from a fresh Nginx install on Ubuntu: ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE You can edit…

June 6, 2022 0 comments

Enumerate SSL Ciphers Using nmap

A quick method to scan your network and enumerate the SSL Ciphers in use on systems is with nmap. nmap –script ssl-enum-ciphers -p 443 192.168.0.1/24 This will scan the entire 192.168.0.0 subnet for open port 443 and if found enumerate the SSL Ciphers enabled. You can also use openssl if the command is installed in…

May 25, 2017 8 comments

Ransomware: id-3509099450_[mk.goro@aol.com].0oxr4

A new variant of Dharma seems to have hit a server; here are some of the details I’ve been gathering.

April 27, 2017 33 comments

CPU-miner Installed via Windows OS Vulnerability

I have triaged a handful of Windows servers this week that started out being ticketed as high CPU / performance issues.
Upon investigation, I have found XMR cryptocurrency miners being installed through a Windows OS Vulnerability.

April 26, 2017 3 comments

Fail2ban + fail2sql + Ban Hammer + PHP7

I recently revisited a project from some time ago that I found and modified the code to support PHP7 which dropped support for mysql extension in favor of mysqli.

December 12, 2016 0 comments

CrySiS Reborn, Not Decryptable: [stopper@india.com].wallet

Break-fix call on a CrySiS Ransomware infection. It’s actually not CrySiS, but a fork of it, which is not decryptable at this time. CrySiS shut down its operation a month or so ago and dumped the master encryption key so victims could decrypt their files. Not so much with this variant. After infection, it drops…

December 9, 2016 0 comments

Part 1: Analysis of a WordPress Malware

I had some time at lunch to kill, so I decided to see how Malware techniques were improving in the land of WordPress and free premium theme download sites. Enter the Darknet. A simple Google search got me a theme ZIP file pretty quickly. Now, it was time to see what malicious happenings this thing…

November 29, 2016 0 comments

CryptoLocker Database Search

I found the database dump of the CryptoLocker release from May 30, 2015 by the ransomware’s author. I decided to put it into a database and make a lame front-end for it to be queried against by either the bitcoin address or the public RSA key from the infected computer. Hope it helps someone out…

April 27, 2016 0 comments

GPO to block regsvr32 AppLocker Bypass Vulnerability

A recently discovered method of bypassing AppLocker by using regsvr32.exe, poses a threat to users on Windows 7, 8/8.1, and 10 (Professional or Enterprise editions). To work around this issue and prevent regsvr32 from accessing remote resources, you can block regsvr32.exe in the Windows Firewall. Taking it a step further, I have added a new…

July 22, 2014 0 comments

Crypto Ransomware CTB-Locker (Critroni.A)

Move over CryptoLocker, there’s a newer and meaner kid on the block. CTB-Locker, or Curve-Tor-Bitcoin Locker, makes use of the Tor ((Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.))…