Goodbye Peppa, Hello January!
Eniko Toth

Goodbye Peppa, Hello January!

A few months ago our Attack Vector Miner discovered a new botnet, that we simply call „Hello Peppa botnet”. Now, this botnet welcomes the new year in a new mask. Specifics of this botnet Its behaviour stayed the same, like what we mentioned in the case of the Hello Peppa: Checks backdoors which remained from a previous infection. Uses the Mozilla/5.0 User Agent The most targeted URLs are: /7788.php /8899.php /9678.php /conflg.php /db.init.php /db__...
Read more
How to protect your web hosting business during the holiday season attack wave
Boglarka Angalet

How to protect your web hosting business during the holiday season attack wave

For devops in the web hosting business, holiday season is not exactly the most wonderful time of the year. If you’ve ever sneaked out from Christmas dinner to check on your servers’ status, or been woken up by attack alerts when only Santa Claus is supposed to be awake, you know what I mean. The Rise of Holiday Hacking Holiday season is peak period for cyber attacks, and we’ve written about it several times. But we’re not the only ones analyzing historical data and finding any indication of what’s to come. Just taking a look at last year, The SSL Store predicted over 50 millio...
Read more
New SenseLog rules against WordPress and Joomla vulnerabilities
Eniko Toth

New SenseLog rules against WordPress and Joomla vulnerabilities

A few days ago, we released a new agent version (1.23.3), which contains very important developments: We added two new SenseLog rules. The first one detects arbitrary file uploader bots, and the second one is for Joomla Spam regers. SenseLog is prepared for future remote config update. Instant blacklist action added to WAF Manager. It can be enabled for rules in the config.ini. Virtual WAF honeypotify command added to CLI. It could be useful for blocking web shell access. We'd like to talk a bit more about the first point; the new SenseLog rules. SenseLog rule agai...
Read more
The Most Famous Vulnerabilities: SQL injection
Jozsef Konnyu

The Most Famous Vulnerabilities: SQL injection

As a member of the BitNinja Development Team, one of our most important tasks is to develop the protection of BitNinja. When we deal with such a process we can see how an attack works or how a botnet can exploit a vulnerability. It's almost like watching these events behind the scenes. That's why this blog series started—because there are some vulnerabilities we need to talk about. The first patient is SQL injection. My previous blog article which was about the Hackerone also encouraged me to make this blog series. On this platform, there is a lot of public report for SQL injection...
Read more
Drupalgeddon 3 in retrospect
Nikolett Hegedüs

Drupalgeddon 3 in retrospect

As you know, recently we’ve released multiple security patches for the Drupalgeddon vulnerabilities. The last one was Drupal Remote Code Execution - SA-CORE-2018-004, CVE-2018-7602, patched only 2 days after it was first discovered. We’re very proud of our quick reaction time and would like to share some statistics with you about the attacks that were prevented since then - with the help of BitNinja. The data from the first incident that we’ve caught looks like this (the URL is masked for privacy purposes): Url: [###.hu//] Headers: [array ( 'User-Agent' => 'Mozilla/5.0 (X...
Read more
GPON routers – new elements of your botnet attacks?
Lazlo Takacs

GPON routers – new elements of your botnet attacks?

People can never rest. We thought that after the last serious Drupal vulnerablity finally we can rest, but a new threat came up which is including GPON routers made by Dasan. GPON is a type of Passive Optical Network (PON) used to provide fiber connections. It is being used to provide short haul fiber connections for cellulas base stations, home access points, DAS. Primary regions with GPON devices include Vietnam, Mexico, Kazakhstan. Top countries Number of Devices Mexico 492,080 Kazak...
Read more
Server security on point – 5 +1 best practices for Linux sysadmins
Boglarka Angalet

Server security on point – 5 +1 best practices for Linux sysadmins

No matter if you’re a Linux security veteran or you’re just about to get your feet wet, you’ll face the same security threats and upcoming attacks forms. Here we come with a security cheat sheet with ultimate checkpoints that no sysadmins should miss. When meeting new company, usually the very first thing I’m asked about is „How should I get rid of hackers? Show me the silver bullet.” But it’s a little bit like asking an economist on „Where to invest my money?”. It depends. To get a grip in the jungle of security recommendations, here I collected some guidelines...
Read more
Which are the most scanned ports?
Eniko Toth

Which are the most scanned ports?

What is a port? Ever since computers are able to run more programs at the same time and can connect to modern networks, ports became important. 3 things are needed for the communication between two machines: IP address of the host Port number Type of protocol (e.g. TCP, UDP) A port number is a 16-bit number between 0 and 65535. There are some specific ports which identify some exact services, e.g. port 80 is used for HTTP communication. Types of ports: Well Known Ports: 0 - 1023 Registered Ports: 1024 - 49151 Dynamic/Private : 49152 - 65535 W...
Read more
Old botnets aren’t harmless - the presence of Cutwail botnet nowadays
Anita Batari

Old botnets aren’t harmless - the presence of Cutwail botnet nowadays

Server operator faces many different types of attacks every day. Brute force, spam, CMS hacks and SQL injections are the most common - and the majority of them are automated botnet attacks. I think none of us can estimate how many servers and PCs are being unprotected against even the most simple botnets. But it’s not necessary to be a victim of an easily defendable attack. But even being careful, one thing you can fail about server security is underestimating the risk of old vulnerabilities and botnets. Thinking they’re doing no harm anymore, since they have been exposed and tracked d...
Read more
Castle Vs Airport Model in security
George Egri

Castle Vs Airport Model in security

Apart from changing the way we live, this virtual connectivity has exposed us to an array of attacks. Cyber risks are a growing concern in virtually every aspect of our lives. The integration of technology into our everyday tasks has paved way for more efficient work performance yet left us vulnerable to many cyber-attacks.  To combat the situation, easy-to-use server security tool was introduced into the equation with BitNinja being one of the top contenders.  With more and more malicious programs and hackers trying to penetrate systems on a daily basis via the use of latest tech...
Read more