Hacking, website penetration, and gaining backend access
6.7K subscribers
189 photos
1 video
15 links
@egglamp
Principle of MD5 brute force cracking
First, common passwords such as 123456 are collected and encrypted, giving pairs of password and MD5 value, and with these a website's password hashes can be brute-force cracked: the encryption step (123456 = its MD5 value) is simply reversed, so entering an encrypted value looks up the corresponding password, which makes cracking much easier.
Therefore, when using MD5 one-way encryption, it is important to add a salt.
Adding a salt is implemented as follows:
For example, the initial code is: String pwd = "123456";
After adding a salt:
String value = DigestUtils.md5Hex(pwd + "charles6666");
After adding a salt, online MD5 cracking sites can no longer look up the value: the MD5 of 123456 + charles6666 is not in their tables, so it is not found. Real brute-force cracking works by comparing against simple data stored in a database.

Therefore, MD5 encryption is still very secure, but it is important to add a salt. Of course, remember that the salt value must not be made public, otherwise it can be cracked.
@egglamp
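The mechanism described in the post, as an added example (not code from the original post): a lookup table of common-password hashes reverses the plain MD5 of 123456 but not the salted value md5(pwd + "charles6666"); the salt string is the one from the post and the password list is constructed.

```python
# Added example: why a precomputed lookup table reverses plain MD5 but not a
# salted hash. Mirrors the post's Java line md5Hex(pwd + "charles6666").
import hashlib

# Constructed stand-in for an online cracking site's precomputed table.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "111111"]


def md5_hex(data):
    """Hex MD5 digest of a UTF-8 string (same result as DigestUtils.md5Hex)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Map hash -> plaintext for every candidate password (the 'reverse' table)."""
    return {md5_hex(p): p for p in candidates}


def reverse_lookup(digest, table):
    """Reverse the hash: return the password if its hash is in the table, else None."""
    return table.get(digest)


def salted_md5(pwd, salt):
    """The post's salting scheme: MD5 over the password concatenated with the salt."""
    return md5_hex(pwd + salt)


def verify_password(attempt, stored_digest, salt):
    """Server-side login check: recompute the salted digest and compare."""
    return salted_md5(attempt, salt) == stored_digest


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    plain = md5_hex("123456")
    salted = salted_md5("123456", "charles6666")  # salt kept server-side, as the post requires
    print("plain MD5 reversed:", reverse_lookup(plain, table))
    print("salted MD5 reversed:", reverse_lookup(salted, table))
    print("login with correct password:", verify_password("123456", salted, "charles6666"))
```

The salt defeats the precomputed table, but it does not slow down guessing against a single leaked hash, since MD5 itself is fast.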
Data tampering comes in two types.
The first type: tampering with the request data. This is mainly to check how the interface handles the situation. It is suitable when calling the interface directly is inconvenient and I do not care about what the page displays, only whether the interface request is handled normally, that is, whether the interface can process the data I have modified and whether the returned result is correct.

The second type: tampering with the returned data. Here we care about what is displayed on the page (for example, the page displays a certain item; after the returned result is changed, does the page still display normally, and how does the page handle it).

Stealing information from an isolated network: first infect an exe program on the internal network, which then infects a Word document; the Word document is carried into the isolated network on a USB drive, where the malware infects files, persists within the isolated network and collects intelligence, packages it into an encrypted rar file, re-encrypts the rar file and appends it to the end of the Word document, and the document then leaves the isolated network on a USB drive. Each time, the virus checks the instructions attached to the Word document and executes different code accordingly.
It calls CMD to query computer information, the network, open ports, etc.

Penetrating the backend permissions, database, server
Domestic and foreign sites APP script cracking customization, specific site taking over, penetration, attack paralysis, modifying orders, modifying data, listening, monitoring, and various other services

Intruding on the server, penetration testing, deleting the database, data deletion
MS-SQL server passwords are simple and open to the public, making them one of the main attack vectors targeting Windows systems. Find mismanaged MS-SQL servers and scan them, then perform brute-force or dictionary attacks to log in with administrator privileges. Install malware and take control of the infected system.

After logging in to the MS-SQL server with an administrator account, install malware using the xp_cmdshell command. Any malicious command running in a Windows environment can be executed through this command. There are also other methods, such as OLE stored procedures, MS-SQL agent jobs, extended stored procedures, and CLR stored procedures.

In general, attackers abuse PowerShell, which provides a wide range of functionality by default when executing commands; with simple commands, PowerShell can download and execute malware from external sources.

@egglamp
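Defender-side triage of the two steps described above (password guessing against an administrator login, then enabling xp_cmdshell or OLE automation), as an added example that is not part of the original post: it scans SQL Server ERRORLOG-style lines for repeated failures from one client and for configuration options being switched on. The log lines are constructed and their format is approximated; the threshold of 3 failures is an assumption.

```python
# Added example: flag brute-force logins and risky configuration changes in
# SQL Server ERRORLOG-style text. Sample lines below are constructed.
import re
from collections import Counter

SAMPLE_LOG = """\
2024-05-01 10:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-01 10:00:01.51 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-01 10:00:01.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-01 10:00:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-05-01 10:00:09.40 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-05-01 10:00:15.00 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:00:16.00 spid55      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 11:30:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

FAILED_RE = re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from 0 to 1")
# Command-execution paths named in the post; enabling any of them is a high-value alert.
RISKY_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}


def analyze(log_text, threshold=3):
    """Return (brute_force_sources, risky_enables).

    brute_force_sources: [(client_ip, user, failure_count, later_success)]
    risky_enables: option names that were switched from 0 to 1, in log order.
    """
    failures = Counter()
    successes = set()
    risky = []
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            failures[(m["ip"], m["user"])] += 1
        elif m := SUCCESS_RE.search(line):
            successes.add((m["ip"], m["user"]))
        elif (m := CONFIG_RE.search(line)) and m["opt"] in RISKY_OPTIONS:
            risky.append(m["opt"])
    brute = [(ip, user, n, (ip, user) in successes)
             for (ip, user), n in failures.items() if n >= threshold]
    return brute, risky


if __name__ == "__main__":
    brute, risky = analyze(SAMPLE_LOG)
    for ip, user, n, success in brute:
        print(f"password guessing from {ip} against '{user}': {n} failures, success={success}")
    for opt in risky:
        print(f"risky option enabled: {opt}")
```

A failure burst followed by a success and then a risky option being enabled from the same session is exactly the sequence the post describes, and is the pattern to alert on.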
The CoinMiner threat actor and the ransomware threat actor are unlikely to share or exchange information about affected systems or accounts. The ransomware threat actor may have scanned the CoinMiner proxy servers as one of many attack targets, using TCP port 30 instead of TCP port 3389 for RDP.

The ransomware actor is unlikely to have known about the CoinMiner threat actor's proxy servers and attacked them intentionally, so this is likely an opportunistic ransomware infection, and the ransomware actor may not have realized until the end that they were attacking a proxy server.
@egglamp
Fast Reverse Proxy is an open-source reverse proxy tool. The standard version requires users to import target server information from a configuration file or input the information when executing. CoinMiner modified the code of the Fast Reverse Proxy file to automatically connect to the proxy server and use it for attacks.

RDP Port Scanning
The proxy server is exposed on the internet. Ransomware actors check all ports exposed by internet-facing systems to see whether they are running RDP, and launch brute-force attacks against every target that exposes an RDP port in order to obtain administrator privileges. In this case, the CoinMiner threat actor's proxy server seems to have been exposed by chance, making it a target for RDP port scanning attacks.
@egglamp
Backdoor programs (backdoors) are a type of Trojan malware used to create illegal access channels on already compromised computer systems. They are typically used to maintain control over the infected computer, allowing attackers to enter the system at any time and perform various malicious operations such as stealing sensitive information and implanting other malware.
Backdoor programs usually have the following characteristics:
1. Stealth: Backdoors often hide their presence to avoid detection by users or security tools. They may disguise themselves as legitimate system processes or services, or achieve self-concealment by modifying system files and registry entries.
2. Remote control functionality: Backdoors provide attackers with remote control privileges over the infected computer, enabling them to access the system and perform various operations without being detected, such as downloading and installing other malware, stealing sensitive information, etc.
3. Cross-platform compatibility: Backdoors can run on various operating systems, including Windows, Mac OS X, and Linux.
4. Social engineering techniques: Attackers often use social engineering methods, such as tricking users into clicking malicious links or opening malicious attachments, to allow backdoors to enter the system.

After packing, the virus's original characteristics (code and data) are altered by the 'shell' (by compression, encryption and so on), allowing it to evade detection by antivirus engines. Using techniques commonly employed by infective viruses, such as polymorphism and metamorphism, private 'shells' are written to protect the virus code. These 'shells' often include the functionality of the public 'protection shells' mentioned above and may further interfere with, mislead or counteract identification by antivirus engines through various means. Typical methods include code transformation, entry point camouflage and high-level language wrapping (High-Level Language Wrapper).
trojan.generic is the name of a computer trojan. After activation, it releases virus files from its internal resources. Some trojan programs under Windows bind a file, bundling the virus program and a normal application into one program; on execution both the virus and the normal program are released, and the normal program covers for the virus. The virus runs in the background of the computer and sends data to us. Besides the usual harm, the virus can cause mainstream antivirus software and personal firewalls to fail to open, and can even cause a system "blue screen", automatic restart or crash during virus scanning.

The core module "UpdateServer.exe" registers itself as a system service upon startup, first checking the current system environment to avoid running in a virtual machine or under packet-capture or debugging analysis. It then checks the core files in the update directory: "UpData.db", "Notify.exe", and "info.db". It decrypts (RC4+ZLib) the "UpData.db" module, loads it into memory and calls its exported function "update_init".
@egglamp
Betting odds name (Dong Yan): Security code: 89465lp
Members who have won the bet, please contact us as soon as possible.
@egglamp