Guide to CryptoPHP Infections

Description of Issue: CryptoPHP is a threat that uses backdoored CMS (such as Joomla, WordPress, Drupal etc.) themes and plug-ins to compromise webservers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing […]

Malicious URL Troubleshooting and Guidelines

Issue Description: Usually the hosting of malicious content is not intentional and is instead the result of a vulnerability in a service (such as a website, a user account etc.) or the operating system. Malicious content must not only be removed, but the method used by third parties (such as exploiting unpatched software, weak permissions, […]

OpenSSL vulnerability – The Heartbleed Bug

Description: The Heartbleed Bug is a very serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the internet for applications such as web, email, instant messaging (IM) and some […]

Guide to Chargen Amplification Issues

What is the Character Generator Protocol? The Character Generator Protocol (CHARGEN) is a service of the Internet Protocol Suite defined in RFC 864. It is intended for testing, debugging, and measurement purposes. A host may connect to a server that supports the Character Generator Protocol over either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) […]

Detecting Malicious Processes in Linux

Warnings: Be sure you are satisfied with your backups before you make any changes to your server. Modifying any part of a server with administrative access may cause services to fail or the system itself to become unbootable. Only experienced and authorized administrators should perform any steps outlined in this guide. It is very possible […]

Guide to Microsoft SQL Server Browser Service Access Amplification Issues

Description: The SQL Server Browser service enumerates SQL Server information on the network. In this way, attackers can use SQL Server clients to browse the current infrastructure and retrieve a list of running SQL Server instances. The Microsoft SQL Server Browser service listens on port 1434/udp and accepts unauthenticated requests using the SQL Server Resolution Protocol […]

Guide to QOTD Amplification Issues

Description: Quote of the Day (QOTD) is a service running on port 17. It returns the quotation of the day, which is a message composed of one or multiple lines. Attackers can use QOTD to launch denial of service attacks. (The Bandwidth Amplification Factor is about 140.3. Ref: http://www.us-cert.gov/ncas/alerts/TA14-017A ) How to test if your […]

Guide to Ebury

Description of Issue: Ebury is an SSH rootkit/backdoor trojan for Linux-based operating systems. It is installed by an attacker on root-level compromised hosts by either replacing SSH-related binaries (ssh, sshd, ssh-add, etc.) or a shared library used by SSH (libkeyutils). On infected hosts, Ebury steals SSH login credentials (username+password) from incoming and outgoing SSH connections. The […]
