I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
You can also use these pipelines for other data sources. The "cat access.log | sed 's/.*"\([^"]*\)"$/\1/'" is how I'm extracting the user agent strings from the Apache log format. Everything after that is shell idioms you can apply to any data.
Encoded #log4j user agents are longer than normal user agent strings: "cat access.log | sed 's/.*"\([^"]*\)"$/\1/' | sort -u | while read str; do len=$(echo $str | wc -c); echo -e $len\\t$str; done | sort -n" Sort unique user agent strings by length, ascending
Looking for #log4j encoded user agents in Apache "combined" access log format: "cat access.log | sed 's/.*"\([^"]*\)"$/\1/' | sort | uniq -c | sort -rn" Histogram of all user agents in descending order (unique encoded user agents right above your shell prompt)
You want to see what LD_PRELOAD is set to? "grep -l LD_PRELOAD /proc/[0-9]*/environ | while read file; do echo $file:; cat $file | tr \\000 \\n | grep LD_PRELOAD; echo; done"
Haven't yet been seeing this with #log4j but be aware that LD_PRELOAD rootkits are circulating in the wild. Use of LD_PRELOAD is uncommon, so spot suspicious processes with "grep -l LD_PRELOAD /proc/[0-9]*/environ"
FYI recent malware uses LD_PRELOAD to hide behind legit exe paths. sansec.io/research/nginrat
Replying to @d3tm4r @strandjs
The units for "-mtime" etc are in days
Or just try: "ls -l /proc/[0-9]*/exe 2>/dev/null | awk '/ -> / {print $NF}' | sort" Shows all EXE paths in sorted order making it easier to spot outliers #log4j
Another fun Linux command line: "sudo ls -l /proc/[0-9]*/exe 2>/dev/null | awk '/ -> / && !/\/usr\/(lib(exec)?|s?bin)\// {print $9, $10, $11}' | sed 's,/proc/\([0-9]*\)/exe,\1,'" Display PIDs with non-standard EXE paths
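The two /proc checks from the tweets above (LD_PRELOAD in a process environment, and EXE paths outside the usual system directories) as functions, added here as an example and not code from the original posts. Each function takes the proc root as its first argument so the demo can run against a small constructed proc tree built in a temp directory; on a live host you would pass /proc and run as root, since other users' environ files are not readable otherwise. The PIDs, paths and library name in the fake tree are made up for the demo.

```shell
#!/bin/sh
# Build a constructed /proc look-alike: three "processes", each with an
# environ file (NUL-separated, as the kernel presents it) and an exe symlink.
make_fake_proc() {
    root="$1"
    mkdir -p "$root/101" "$root/202" "$root/303"
    # 101: ordinary daemon, nothing unusual
    printf 'PATH=/usr/bin\000HOME=/\000' > "$root/101/environ"
    ln -s /usr/sbin/sshd "$root/101/exe"
    # 202: preloaded library and a binary running out of a tmp directory (constructed)
    printf 'PATH=/usr/bin\000LD_PRELOAD=/tmp/.x/libconstructed.so\000' > "$root/202/environ"
    ln -s /tmp/.x/worker "$root/202/exe"
    # 303: binary unlinked after launch; the kernel appends " (deleted)" to the link target
    printf 'PATH=/usr/bin\000' > "$root/303/environ"
    ln -s "/dev/shm/dropped (deleted)" "$root/303/exe"
}

# PIDs whose environment contains LD_PRELOAD, with the value. Same tr/grep
# idea as the original one-liners; -a treats the NUL-separated file as text.
ld_preload_procs() {
    root="${1:-/proc}"
    grep -als LD_PRELOAD "$root"/[0-9]*/environ 2>/dev/null | while read -r file; do
        pid=${file#"$root"/}; pid=${pid%/environ}
        val=$(tr '\000' '\n' < "$file" | grep '^LD_PRELOAD=' || true)
        [ -n "$val" ] || continue
        printf '%s\t%s\n' "$pid" "$val"
    done
}

# PIDs whose exe symlink points outside /usr/{bin,sbin,lib,libexec}. Mirrors the
# awk filter in the original command, but reads the link with readlink so it
# does not depend on ls column layout.
nonstandard_exe_procs() {
    root="${1:-/proc}"
    for exe in "$root"/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            /usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*) ;;
            *) pid=${exe#"$root"/}; printf '%s\t%s\n' "${pid%/exe}" "$target" ;;
        esac
    done
}

main() {
    root=$(mktemp -d) && make_fake_proc "$root"
    echo "== LD_PRELOAD in process environment =="; ld_preload_procs "$root"
    echo "== exe outside /usr/{bin,sbin,lib,libexec} =="; nonstandard_exe_procs "$root"
    rm -rf "$root"
}
main
```

Note that, like the original awk pattern, the case statement does not whitelist /usr/lib64 or /opt, so on some distributions a few legitimate services will appear in the outlier list; the point is a short list you can eyeball, not a zero-noise detector.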
Another vuln where strict egress filtering would have greatly reduced possible impact to your environment. Make sure implementing egress filtering is part of your recovery plan. #log4j
Helpful Linux command-lines: “find /tmp /var/tmp /dev/shm -type f \( -perm -0100 -o -perm -0001 \)” Looks through tmpdirs for files with execute set for self or others—coin miners, install scripts, etc. #log4j
If you’re struggling with the Linux forensics in the wake of #log4j, archive.org/details/HalLinux… may help. As always, feel free to reach out—I’m here to help with everything from simple syntax questions all the way up to full consulting engagements.
There may be earlier exploitation, but “find / -mtime -4” is a good way to look for weekend #log4j carnage on your Linux servers. RCE is likely unprivileged, so focus first on [/var]/tmp, /dev/shm, and similar world-write directories.
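The two find-based sweeps above (execute bits in the scratch directories, and files modified in the last few days) as functions, with a combined version that applies both tests at once, added here as an example and not code from the original tweets. The demo builds a small constructed directory tree under a temp root instead of walking the real filesystem; the file names, the four-day window and the backdated timestamp are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed tree: a fake /tmp, /var/tmp, /dev/shm and /etc under $1.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/tmp/.cache" "$root/var/tmp" "$root/dev/shm" "$root/etc"
    # Ordinary non-executable scratch file
    printf 'scratch\n' > "$root/tmp/session.txt"; chmod 0644 "$root/tmp/session.txt"
    # Owner-executable script in a hidden directory (constructed)
    printf '#!/bin/sh\necho constructed\n' > "$root/tmp/.cache/run.sh"; chmod 0700 "$root/tmp/.cache/run.sh"
    # World-executable file under /dev/shm (constructed)
    printf 'placeholder\n' > "$root/dev/shm/x"; chmod 0755 "$root/dev/shm/x"
    # Executable that has sat in /var/tmp for years: backdated so -mtime -4 skips it
    printf 'old\n' > "$root/var/tmp/stale.bin"; chmod 0755 "$root/var/tmp/stale.bin"
    touch -t 202001010000 "$root/var/tmp/stale.bin"
    # Old config file, also backdated
    printf 'keep\n' > "$root/etc/old.conf"; touch -t 202001010000 "$root/etc/old.conf"
}

# Files with the execute bit set for owner or others in the given directories,
# exactly the test from the original find command.
exec_in_tmpdirs() {
    find "$@" -type f \( -perm -0100 -o -perm -0001 \) 2>/dev/null | sort
}

# Files modified within the last N days under a root (-mtime units are days).
# On a live host this is "find / -mtime -4" with root=/ and days=4.
recently_modified() {
    root="$1"; days="${2:-4}"
    find "$root" -type f -mtime -"$days" 2>/dev/null | sort
}

# Both tests at once: recently modified AND executable in the scratch
# directories, the first places to look since an unprivileged RCE lands there.
recent_exec_in_tmpdirs() {
    days="$1"; shift
    find "$@" -type f -mtime -"$days" \( -perm -0100 -o -perm -0001 \) 2>/dev/null | sort
}

main() {
    r=$(mktemp -d) && make_sample_tree "$r"
    echo "== executable files in tmp dirs =="; exec_in_tmpdirs "$r/tmp" "$r/var/tmp" "$r/dev/shm"
    echo "== modified in the last 4 days =="; recently_modified "$r" 4
    echo "== recent AND executable in tmp dirs =="; recent_exec_in_tmpdirs 4 "$r/tmp" "$r/var/tmp" "$r/dev/shm"
    rm -rf "$r"
}
main
```

Against a real host, call the functions with /tmp /var/tmp /dev/shm (and / for the mtime sweep); expect some noise from package managers and editors, so triage by path and owner rather than treating every hit as malicious.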
Replying to @TimMedin
Tactical error there, good buddy. You should have just shown up without warning them first.
Me: Hey our friend just had a baby! @JBeanDesign: What’s the baby’s name? Me: um…yeah…
Replying to @EricRZimmerman
Very exciting news! Well done!
Instead of vilifying those who don’t vaccinate, we need to document them as human beings, interconnected with family and friends, who leave huge voids when they pass. If we create a library of these very human stories, maybe we can shift the conversation.
Replying to @josephwshaw
Even the most beautiful tapestries of life have their dark threads. Joy is coming.
My standard Zoom background is the Sanctum Sanctorum from the MCU collection. Dr. Strange is my spirit animal.
I wonder if you can get a mani pedi with Very Peri?
I mentioned to @JBeanDesign that I was feeling a bit punky after my booster. We’re both old enough that the obvious “Punky Booster” joke is hilarious to us.