This blog does not contain official statements of CERT.at, only personal opinions of the individual contributors.
Completed: Maintenance work on Tuesday, Sep. 30th, 2014
2014/09/29

Because of required changes in our firewall infrastructure, all Internet-reachable services of CERT.at will be unavailable for some time on Tuesday, September 30th, 2014, starting at about 9am CEST. An "emergency" website with restricted functionality will be made available.

In urgent cases please contact us by telephone: +43 1 505 64 16 78.

We will update this post once the work is completed.

Update: work was completed at around 10am; overall outage was about 15 minutes.

Author: Robert Waldner

Elastic Search being hacked automatically today
2014/07/09

At the moment we are seeing a lot of automatic scanning and hacking of Elastic Search installations worldwide. If you run ES, please make sure that port 9200 (the Elasticsearch HTTP/REST port) is locked down and not reachable from the Internet.

IOCs:

  • C&C IP address: 119.1.109.43 (China)
  • C&C Port: 10991
  • AV analysis (scanned 2014-07-09 00:47:38, 53 scans, 9 detections, 16.0%):
      ◦ Zillya: Trojan.Agent.Linux.5
      ◦ Avast: ELF:Elknot-H [Trj]
      ◦ Kaspersky: Backdoor.Linux.Mayday.g
      ◦ DrWeb: Linux.DDoS.7
      ◦ VIPRE: Backdoor.Linux.Elknot.f (v)
      ◦ Jiangmin: Backdoor/Linux.ju
      ◦ Microsoft: DoS:Linux/Elknot.F
      ◦ ESET-NOD32: Linux/Agent.F.Gen
      ◦ Ikarus: DoS.Linux.Elknot
  • Analysis of similar malware: http://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html
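The two things a defender wants to check after reading the IOCs above are (a) whether any host has talked to the C&C endpoint and (b) whether port 9200 is reachable from outside the networks that should be allowed to query Elasticsearch. The following is an added example, not code from the post or from CERT.at, that runs both checks over connection-log lines. The log format, the sample lines and the allowed client network (10.0.0.0/8) are assumptions constructed for the example; the C&C IP and port and the 9200 port come from the post.

```python
"""Added example: flag C&C contacts and exposed Elasticsearch access in a
connection log. Log lines and the allow-list are constructed for illustration."""
import ipaddress
import re

# Indicators from the post: C&C endpoint and the Elasticsearch HTTP port.
CNC_IP = "119.1.109.43"
CNC_PORT = 10991
ES_PORT = 9200

# Networks that are allowed to reach Elasticsearch (assumption for this example).
ALLOWED_CLIENTS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log in a simple "<ts> <src>:<sport> -> <dst>:<dport> <action>" format.
SAMPLE_LOG = """\
2014-07-09T00:47:38 10.0.1.5:51234 -> 10.0.2.10:9200 ACCEPT
2014-07-09T00:48:02 198.51.100.7:40021 -> 10.0.2.10:9200 ACCEPT
2014-07-09T00:49:17 10.0.2.10:43210 -> 119.1.109.43:10991 ACCEPT
2014-07-09T00:50:00 10.0.1.5:51300 -> 10.0.2.10:22 ACCEPT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_client(ip):
    """True if the source address lies inside one of the allowed client networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_CLIENTS)


def find_alerts(log_text):
    """Return (reason, src, dst, dport) tuples for suspicious connections.

    reason is "cnc_contact" for traffic to the C&C endpoint from the post and
    "es_exposed" for access to port 9200 from outside the allow-list.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or unparseable lines rather than failing
        if rec["dst"] == CNC_IP and rec["dport"] == CNC_PORT:
            alerts.append(("cnc_contact", rec["src"], rec["dst"], rec["dport"]))
        elif rec["dport"] == ES_PORT and not is_allowed_client(rec["src"]):
            alerts.append(("es_exposed", rec["src"], rec["dst"], rec["dport"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

A "cnc_contact" hit means the host is very likely already running the ELF bot described in the linked analysis; an "es_exposed" hit means the firewall rule the post asks for is missing for that source.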

Author: L. Aaron Kaplan

Transforming JSON to CSV
2014/06/14

CERTs are all about processing information security notifications. Most of the time, these arrive in the form of CSV files. However, occasionally we do get some JSON data. While CSV is line oriented, JSON allows for more complex structures (arrays, objects, objects in objects, etc.).

So how do you easily transform complex JSON structures to CSV? Most programmers would look at the specific JSON format and start writing a converter. However, there is a smarter way: JQ!

JQ is a JSON filter / transform mechanism.

To quote JQ's homepage: "A jq program is a 'filter': it takes an input, and produces an output. There are a lot of builtin filters for extracting a particular field of an object, or converting a number to a string, or various other standard tasks."

In short: JQ is like awk and xargs for JSON. Mighty practical stuff!
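The post recommends jq for this job. As an added example (not from the post, and in Python rather than jq), the following shows the general flattening a CSV conversion of nested JSON has to do: nested objects become dotted column names, arrays of scalars are joined into one cell, and arrays of objects are expanded into one CSV row per element. The sample notification feed is constructed for the example.

```python
"""Added example: flatten nested JSON notification records into CSV rows.
The input feed below is constructed for illustration."""
import csv
import io
import json

# Constructed sample feed with nested objects, scalar arrays and arrays of objects.
SAMPLE_JSON = """
[
  {"ip": "192.0.2.10",
   "asn": {"number": 64496, "name": "EXAMPLE-AS"},
   "ports": [22, 9200],
   "events": [{"type": "scan", "ts": "2014-06-14T10:00:00Z"},
              {"type": "exploit", "ts": "2014-06-14T10:05:00Z"}]},
  {"ip": "192.0.2.11",
   "asn": {"number": 64497, "name": "OTHER-AS"},
   "ports": [],
   "events": []}
]
"""


def flatten(obj, prefix=""):
    """Flatten one JSON object into a list of flat dicts.

    Nested objects get dotted keys ("asn.number"); arrays of scalars are
    joined with ';'; arrays of objects multiply the rows (one per element).
    """
    rows = [{}]
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            sub_rows = flatten(value, name + ".")
            rows = [dict(r, **s) for r in rows for s in sub_rows]
        elif isinstance(value, list):
            if not value:
                continue  # empty array contributes no column; CSV writer fills blanks
            if all(isinstance(v, dict) for v in value):
                expanded = []
                for element in value:
                    for s in flatten(element, name + "."):
                        expanded.extend(dict(r, **s) for r in rows)
                rows = expanded
            else:
                for r in rows:
                    r[name] = ";".join(str(v) for v in value)
        else:
            for r in rows:
                r[name] = "" if value is None else value
    return rows


def json_to_csv(text):
    """Convert a JSON array of objects into CSV text with a union-of-keys header."""
    rows = []
    for record in json.loads(text):
        rows.extend(flatten(record))
    columns = []
    for r in rows:
        for k in r:
            if k not in columns:
                columns.append(k)  # keep first-seen column order
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns, restval="", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(json_to_csv(SAMPLE_JSON), end="")
```

The same expansion in jq would be a filter that iterates `.[]`, picks the fields into an array and pipes it through `@csv`; the Python version is here only to make the row-multiplication rule for arrays of objects explicit.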

Author: L. Aaron Kaplan

New PGP keys
2014/03/28

At CERT.at we had to phase out some old 1024 bit DSA keys as well as create new master-signing keys. This turned out to be a major effort. Key roll-overs are never easy.

In order to ease the key roll-over pains, we created a key transition document. This document is signed by the old keys in order to prove authorship.

TL;DR Version:

    wget -q -O- http://www.cert.at/static/pgpkeys.asc | gpg --import -

Please also consider signing our new keys. Thank you for helping us get our new keys back into the web of trust.

Author: L. Aaron Kaplan

Last Change: 2017/1/27 - 16:33:17