#opendir — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #opendir, aggregated by home.social.
-
Couple #reverseloader -> #xloader #opendir at:
http://107.175.246 .42/25/
http://89.40.31 .143/img/ -
Couple #reverseloader -> #xloader #opendir at:
http://107.175.246 .42/25/
http://89.40.31 .143/img/ -
Couple #reverseloader -> #xloader #opendir at:
http://107.175.246 .42/25/
http://89.40.31 .143/img/ -
Couple #reverseloader -> #xloader #opendir at:
http://107.175.246 .42/25/
http://89.40.31 .143/img/ -
Malicious #simplehelp #rmm #opendir at:
https://katz.adv\.br/dhl/
-
Malicious #simplehelp #rmm #opendir at:
https://katz.adv\.br/dhl/
-
Malicious #simplehelp #rmm #opendir at:
https://katz.adv\.br/dhl/
-
Malicious #simplehelp #rmm #opendir at:
https://katz.adv\.br/dhl/
-
Malicious #simplehelp #rmm #opendir at:
https://katz.adv\.br/dhl/
-
#reverseloader #xworm #opendir at:
http://158.94.211\.63/dealer/
-
#reverseloader #xworm #opendir at:
http://158.94.211\.63/dealer/
-
#reverseloader #xworm #opendir at:
http://158.94.211\.63/dealer/
-
#reverseloader #xworm #opendir at:
http://158.94.211\.63/dealer/
-
#reverseloader #xworm #opendir at:
http://158.94.211\.63/dealer/
-
-
Back in the rest of the #opendir, uploads/ is used by app.py, I don't see where downloads_cache is used, but similar agent-[0-9]+ structure. The SANS PDF "All-books-in-oneSANSSEC670RedTeamingTools-DevelopingCustomToolsforWindows.pdf" may be the inspiration behind app.py/agent.go
-
Interesting #OpenDir on #QuasarRat C2 server 185.208.159[.]161:8000 . The open web directory includes source code for a backdoor + misc development artifacts.
https://platform.censys.io/hosts/185.208.159.161
https://search.censys.io/hosts/185.208.159.161 -
#purecryptor #opendir at:
http://198.12.126].164/tst/
-
-
Unknown stealer botnet C2 targeting LATAM, having #opendir
-
If you're not blocking trycloudflare\.com at the perimeter, now's the time: #opendir 's:
https://em-ash-announcements-alpha.trycloudflare\.com/1DSAHJKSA/ ->
https://did-efficiency-than-lenses.trycloudflare\.com ->
https://reached-theoretical-regular-impact\.trycloudflare.com -
-
#webshell #opendir #netsupport #rat at:
https://appointedtimeagriculture\.com/wp-includes/blocks/post-content/
GatewayAddress=95.179.158.213:443
RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA -
#webshell #opendir #netsupport #rat at:
https://appointedtimeagriculture\.com/wp-includes/blocks/post-content/
GatewayAddress=95.179.158.213:443
RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA -
💡No #opendir? Why don't you check for .DS_Store files listing the structure ?
Our scans found 11,856,006 IPs and DNS exposing the file.
Link: https://leakix.net/search?scope=leak&q=%2Bplugin%3ADotDsStoreOpenPlugin
Ref: https://0day.work/parsing-the-ds_store-file-format/ -
#opendir at:
https:// superior-somalia-bs-leisure.trycloudflare\.com ->
http:// jsnybsafva\.biz:8030 -
-
#opendir at:
http://79.124.58.130
malicious #meshagent (https://github.com/Ylianst/MeshAgent);
c2: 94.232.43.185
-
http://trackingshipmentt\.xyz:9394/
http://trackmyshipeng\.site:9094/https://app.any.run/tasks/086f767d-cb57-46d0-80f6-1d771148444e/
-
#snakekelogger hta's at #opendir :
http://192.3.176\.138/xampp/ozon
drops
http://192.3.176\.138/105/sahost.exe (also 106)d9863b7b710599bc2b308a0b78970da8c42ee5bc6d3dcda05c2de52a88125726
exfils to: [email protected]
-
-
-
-
-
-
Two suspicious domain names possibly impersonating Anydesk anydeskwin[.]info and anydeskdownload[.]info
Both the websites are serving an #opendir at the moment and pointing at AS13335
-
📥 Interesting #opendir
45.84.1[.]161:8081
Hosted at AS44477 Stark Industries Solutions Ltd. 🗑️Obf. #Sliver Linux #Implant and a Powershell script which tries to bypass AMSI and runs #Sharphound
From the choice of hosting provider we infer malicious intent rather than #RedTeam
Artifacts (#IoC)
ff32a69075d9eb59ea5d25207d3ee775 rtn_default
2fe7fb5ff2679de37673997b96958d08 rtn_info.ps1Samples available @abuse_ch Bazaar:
https://bazaar.abuse.ch/sample/763bd227a5aef5ef98cd6b79649cb8737f8845fcc2a92e69109f042c975e4a4b/ -
📥 Interesting #opendir
45.84.1[.]161:8081
Hosted at AS44477 Stark Industries Solutions Ltd. 🗑️Obf. #Sliver Linux #Implant and a Powershell script which tries to bypass AMSI and runs #Sharphound
From the choice of hosting provider we infer malicious intent rather than #RedTeam
Artifacts (#IoC)
ff32a69075d9eb59ea5d25207d3ee775 rtn_default
2fe7fb5ff2679de37673997b96958d08 rtn_info.ps1Samples available @abuse_ch Bazaar:
https://bazaar.abuse.ch/sample/763bd227a5aef5ef98cd6b79649cb8737f8845fcc2a92e69109f042c975e4a4b/ -
📥 Interesting #opendir
45.84.1[.]161:8081
Hosted at AS44477 Stark Industries Solutions Ltd. 🗑️Obf. #Sliver Linux #Implant and a Powershell script which tries to bypass AMSI and runs #Sharphound
From the choice of hosting provider we infer malicious intent rather than #RedTeam
Artifacts (#IoC)
ff32a69075d9eb59ea5d25207d3ee775 rtn_default
2fe7fb5ff2679de37673997b96958d08 rtn_info.ps1Samples available @abuse_ch Bazaar:
https://bazaar.abuse.ch/sample/763bd227a5aef5ef98cd6b79649cb8737f8845fcc2a92e69109f042c975e4a4b/