Discover and read the best of Twitter Threads about #linux


Let's go step-by-step and do some basic live process forensics for #Linux. Today's contestant is a bindshell backdoor waiting for a connection on Ubuntu. We saw something odd when we ran:

netstat -nalp

#DFIR #threathunting #forensics
netstat -nalp shows a process named "x7" PID with a listening port that we don't recognize. #DFIR
First thing we'll do is list out /proc/<PID> to see what is going on. Our PID is 5805:

ls -al /proc/5805

The current working directory is /tmp. The binary was in /tmp, but was deleted. A lot of exploits work out of /tmp and /dev/shm on Linux. This is a major red flag. #DFIR
Did you ever ask yourself if cgroups (containers, pods, whathaveyou) can impact the @golang runtime? I did and here's what I learned... (thread) 👇#Docker #Kubernetes #Linux
So ~2y ago, while working with a lot of customers moving into containers and #Kubernetes, I naturally hit the (now well-known) Java/JVM cgroups issues (all you need to know ->… and ).
Now, @golang being the language of my (your?) choice, this made me curious and I started to ask questions:
For those who want to learn about #infosec 🔐 here is a #thread that includes all my #infographics.
An easy way to learn new things 📖Feel free to share with your community🌐

Follow @Guillaume_Lpl for more things about #CyberSecurity #startup #ITsecurity #security #technologies
Some good tools useful in Infosec

Follow @Guillaume_Lpl for more things about #infosec #cybersecurity
Some good tools useful for OSINT

Follow @Guillaume_Lpl for more things about #infosec #cybersecurity
Here's how to recover a #Linux binary from a malicious process that has deleted itself from the disk.

cp /proc/<PID>/exe /tmp/recovered_bin

Let's see how this works. #DFIR #threathunting #forensics
Often, malware deletes itself after it starts so file scanners and integrity checks won't find it. It can make analysis harder if you can't get to the binary easily.

But if you remember /proc/<PID>/exe you can recover any deleted binary.

#DFIR #threathunting #forensics
Use the sleep command to simulate a deleted process:

cd /tmp
cp /bin/sleep x
./x 3600 &
[1] 32031
rm x

This copies the sleep command as "x" under /tmp and runs for 3600 seconds. Then, delete "x" so the binary appears removed. Practice on it.

#DFIR #threathunting #forensics
A 15-item thread is coming about what a software developer needs to know.. I tried to gather as many keywords together as possible.
Let's get started!

#Developer #Software #Java #code #kod #yazılım #development #computer #bilgisayar #tool #PC #IT #web #tech #data
1- Basic data structures (linkedList, map, tree, etc.) and basic algorithms (sorting, searching, etc.)

You will most likely never need to code them from scratch. But to be able to pick the right one in the right place when the need arises, you must know how that data structure or algorithm works.
2- Network Fundamentals

It is worth knowing the OSI model and its 7 layers; the basic protocols (#TCP-IP, TCP-UDP, #HTTP, #FTP), the security protocols (#HTTPS, #SFTP, #SSL) and the monitoring protocols (#SNMP, ICMP). You also need to recognize what network equipment does and know where each device sits in the 7 layers.
I’ve shifted everything to @Windows 10, the Subsystem for Linux #WSL, @WLinuxApp, a lightweight #zsh package manager #Antibody, and @code via a local X server. Windows stuff syncs via #OneDrive. #Linux stuff syncs via a #dotfiles repo.
I’ve been using WSL off-and-on since it came out, and the pace of improvement is really remarkable. The Windows dev team is seriously hustling to make their platform a good foundation for modern open-source development.
One thing I really like is the ease of blowing away and rebuilding the entire Linux side of things. It really pairs well with the dotfiles movement to incrementally improve my tool chain. I’ve automated the build of my stack so I can rebuild over lunch break.
#linux #bash #obfuscation #technique #bashfuscation
padding commands with history expansion characters (#exclamation mark (!))
! ! ! ! echo this is test
(removed the previous tweet as I revealed too much info !)
#linux #bash #obfuscation #bashfuscation

using history expansion character -> !! (i.e. last command)

!!t really

is equivalent to
cat really

(only 4 interactive shell)
#linux #bash #obfuscation #bashfuscation

padding commands with empty commands (: ;)

: -> true (do nothing)
; -> command separator

: : ; : ; cat really
! ! ! : : ; : ; cat really
Initially, #linuxgate won't have big effects on software quality. This is because most nerds are shitlibs, so there is a large pool of SJW-friendly programmers to draw from. /1
Maybe 10% to 15% of programmers are right-wing. You can run all of them out, and you can still have enough talented people to update glibc, git, curl, and all that. #linuxgate /2
Problems start to happen with the apolitical. Most people aren't political and resent having politics dragged into work. These are the people who foolishly think they can argue against a dumb policy or defend someone unjustly run out. #linuxgate /3
A discussion about the terms of the new #Linux Code of Conduct is going to reach, or has already reached, your timelines. Apparently some developers did not like the CoC and want to revoke their contributions to the kernel, supposedly threatening Linux. Thread.
Linux is governed by the GPL2. The license does not mention any ability to revoke. This is cited as a loophole these people could use to revoke the licensing of their code. In practice, this is false.
This Stack Exchange thread gives the legal basis. You can read it to go deeper.
In practice, this would only apply if the terms of the license were breached.
Does AUSA Moira Kim Penza, prosecutor in the fed. #NXIVM #RICO criminal racketeering case, realize that her indictments of #NXIVM leader, Keith Raniere aka "Vanguard," last March, may have affected the outcome of the 2018 Mexican Presidential Election? #ArizonaMafia #Democrats
Moira Kim Penza is 1 of the main prosecutors in the federal #NXIVM #RICO criminal case. A #RICO case is very serious; it is 1 of the most complex types of prosecutions the U.S. Government can initiate. Moira's boss is Richard P. Donoghue, U.S. Atty for the Eastern District of NY.
Penza is a smart lawyer. According to publicly available information, she studied at Cornell Law School, a private Ivy League University located in Ithaca, New York. Cornell was ranked the #13 law school in America, out of 203 law schools, by U.S. News & World Report, in 2018.
#linux #bash #path #obfuscation
goal: obfuscate /etc/passwd
1) #directorytraversal: /mnt/././../etc/././passwd
2) escape character: /etc/.\/\/\/\/\/passwd /etc/.\/.\/.\/.\/passwd /\e\t\c/passwd
3) null character /et$'c/pa\u0000/notexist/path'sswd
#path #obfuscation using #symbolic #link
ln -s / anything
head -n 2 anything////../etc/passwd

ln -s ../../ wow
head -n 2 ././wow/../etc/passwd

* ../ after a sym link applies to the sym link not the current path
filename expansion #globbing

cat /et*/pa**wd

command expansion
$(echo /e)tc$(echo /pa*)wd

+ other string obfuscation techniques
#linux #bash #obfuscation using shell parameter expansion:

${alphabet:2:1}at really
${alphabet: -24:-23}at really
${alphabet: -24:1}at really
${alphabet:2:-23}at really…
similar #bat #windows (…)
The goal is to obfuscate the following command:
cat really
in which, really is a file.
Using arithmetic (add, sub, mul, div, mod, and pow) for calculating the index or length
${alphabet: 2:(-20-3)}at really
#linux #bash #obfuscation using octal vals
$'\143\141\164' really…
"Words of the form $'string' are treated specially. The word expands to string, with backslash-escaped characters replaced as specified by the ANSI C standard."

$'\143'$'\141'$'\164' really
$'\143'''$'\141'''''''''''''$'\164' really
$'\143'''$'\141'''""''''""''$'\164' really

'' -> empty string
""-> empty string
'a''b' -> 'ab' (concatenation)

(deleted the previous one, as the picture had a problem)
To give you a headache

$'\143'''$'\141'$t''"$t"''`$t`''$'\164' really