Netgate Discussion Forum
    ET SHELLCODE Rothenburg Shellcode flood in log...

IDS/IPS
    20 Posts 4 Posters 6.3k Views
Cool_Corona @jagdtigger

@jagdtigger Stop the Minecraft server and log again....
jagdtigger @Cool_Corona

@cool_corona
Will do, I'll get back to this tomorrow. I think I have a PC Engines APU board somewhere, so I can basically use Suricata to do the logging and then use my switch to do the capture via port mirroring.
jagdtigger

I'll have to postpone to tomorrow; the darned APU board is a real slowpoke when it comes to updating, installing stuff, and applying settings.....
jagdtigger

Okay, APU board in transparent bridge mode and Suricata running on the bridge, straight between the Proxmox mini PC and the switch. I set up another mini PC to dump the mirrored traffic to an HDD. Left the Minecraft jail up just to see if it is really what is causing the issues. (I'm not worried about leaving it up; the network it is on is specifically used for stuff that is exposed to the net, and it is restricted from talking to anything besides 2 NAS, but those have proper FW rules in place to not expose the mgmt interface to this network.) I'll reinstall Windows (in a new VM) and let it sit overnight while capturing traffic. (During install the VM won't have internet, to get around the pesky MS account enforcement.)
jagdtigger

Okay, stopped the capture and downloaded the Suricata alert log. The capture ended up 68 GB in size. I can already see the same alerts, but I noticed something strange. They started showing up during install, when I had the virtual NIC disconnected. The ISO is downloaded directly from MS, so I don't think it could be infected...
jagdtigger

Still crawling through the capture, concentrating on traffic from the VM; so far it's only chatter between W10 and MS, plus the traffic resulting from installing FF and Steam. No suspicious domain names or IP addresses so far.
Cool_Corona @jagdtigger

@jagdtigger Left over from the SolarWinds attack??
jagdtigger @Cool_Corona

@cool_corona
Which is lingering to this day in their ISO downloads? (I'm just a simple home user who likes to tinker with things, so I never used their products.) So far the only thing that is out of place is in the traffic between Proxmox and the NAS hosting the iSCSI share.... Could it be Defender reading its database?
jagdtigger

Finished crawling through the capture, only looked at the VM's traffic. Nothing out of the ordinary. A lot of chatter between MS and Windows, some from AVG (I installed it after I saw the alerts in Suricata) and the rest of the installed SW. Did not spot any suspicious IP or DNS name.... I still have the APU board inspecting the traffic, but since I shut off the VM the only warning it generates is triggered by Proxmox looking for updates.
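The triage done by hand over the last few posts (which hosts the Rothenburg alerts actually involve, whether the VM under test shows up in any of them, and whether the VM resolved anything it should not have) can be run as a repeatable check over Suricata's eve.json output instead of the raw 68 GB capture. The script below is an added example, not code from the thread, from Netgate or from the Suricata project. Every log line in it is constructed: the addresses (192.168.50.2 for the Proxmox host, 192.168.50.10 for the NAS exporting iSCSI on tcp/3260, 192.168.60.25 for the Windows VM, 192.168.60.1 for its resolver), the non-ET "CONSTRUCTED POLICY" signature, and the list of expected vendor domains are all assumptions, and the DNS records assume the eve.json dns layout that carries `rrname` directly inside the `dns` object.

```python
"""Triage Suricata eve.json alerts and DNS logs around one suspect host.

Added example; every record, address and the non-ET signature below are
constructed and are not taken from the forum thread or from Suricata's rules.
"""
import json
from collections import Counter, defaultdict

# Constructed eve.json lines (one JSON object per line). Assumed hosts:
# 192.168.50.2 Proxmox, 192.168.50.10 NAS (iSCSI, tcp/3260), 192.168.60.25 Windows VM,
# 192.168.60.1 the VM's resolver, 203.0.113.7 a package mirror (TEST-NET-3 address).
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2021-01-14T22:05:11.000000+0100","event_type":"alert","src_ip":"192.168.50.10","src_port":3260,"dest_ip":"192.168.50.2","dest_port":49212,"proto":"TCP","alert":{"signature":"ET SHELLCODE Rothenburg Shellcode","category":"Executable code was detected","severity":1}}',
    '{"timestamp":"2021-01-14T22:05:12.500000+0100","event_type":"alert","src_ip":"192.168.50.10","src_port":3260,"dest_ip":"192.168.50.2","dest_port":49212,"proto":"TCP","alert":{"signature":"ET SHELLCODE Rothenburg Shellcode","category":"Executable code was detected","severity":1}}',
    '{"timestamp":"2021-01-14T22:07:40.000000+0100","event_type":"alert","src_ip":"192.168.50.10","src_port":3260,"dest_ip":"192.168.50.2","dest_port":49230,"proto":"TCP","alert":{"signature":"ET SHELLCODE Rothenburg Shellcode","category":"Executable code was detected","severity":1}}',
    '{"timestamp":"2021-01-14T23:10:02.000000+0100","event_type":"dns","src_ip":"192.168.60.25","src_port":51000,"dest_ip":"192.168.60.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7,"rrname":"settings-win.data.microsoft.com","rrtype":"A"}}',
    '{"timestamp":"2021-01-14T23:10:02.100000+0100","event_type":"dns","src_ip":"192.168.60.1","src_port":53,"dest_ip":"192.168.60.25","dest_port":51000,"proto":"UDP","dns":{"type":"answer","id":7,"rrname":"settings-win.data.microsoft.com","rrtype":"A","rcode":"NOERROR"}}',
    '{"timestamp":"2021-01-14T23:15:30.000000+0100","event_type":"dns","src_ip":"192.168.60.25","src_port":51001,"dest_ip":"192.168.60.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8,"rrname":"download.mozilla.org","rrtype":"A"}}',
    '{"timestamp":"2021-01-14T23:20:00.000000+0100","event_type":"dns","src_ip":"192.168.60.25","src_port":51002,"dest_ip":"192.168.60.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9,"rrname":"steamcommunity.com.","rrtype":"A"}}',
    '{"timestamp":"2021-01-14T23:21:00.000000+0100","event_type":"dns","src_ip":"192.168.60.25","src_port":51003,"dest_ip":"192.168.60.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10,"rrname":"beacon.example.invalid","rrtype":"A"}}',
    '{"timestamp":"2021-01-15T03:00:00.000000+0100","event_type":"alert","src_ip":"192.168.50.2","src_port":44000,"dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP","alert":{"signature":"CONSTRUCTED POLICY package repository check","category":"Not Suspicious Traffic","severity":3}}',
])

# Parent domains a fresh install plus Firefox and Steam is expected to contact (assumption).
EXPECTED_DOMAINS = ("microsoft.com", "windowsupdate.com", "mozilla.org", "steamcommunity.com", "steampowered.com")


def parse_eve(text):
    """Parse eve.json lines; malformed or blank lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def alerts(records):
    return [r for r in records if r.get("event_type") == "alert"]


def alert_pairs(records):
    """Alert count per (signature, src_ip, dest_ip, dest_port): who talks to whom on which service."""
    return Counter((r["alert"]["signature"], r["src_ip"], r["dest_ip"], r["dest_port"]) for r in alerts(records))


def hosts_for_signature(records, needle):
    """All IPs on either side of an alert whose signature name contains `needle`."""
    hosts = set()
    for r in alerts(records):
        if needle in r["alert"]["signature"]:
            hosts.update((r["src_ip"], r["dest_ip"]))
    return hosts


def dns_queries_by_client(records):
    """Client IP -> names it asked for; answers are ignored so the resolver is not counted as a client."""
    names = defaultdict(set)
    for r in records:
        if r.get("event_type") == "dns" and r["dns"].get("type") == "query" and "rrname" in r["dns"]:
            names[r["src_ip"]].add(r["dns"]["rrname"].lower().rstrip("."))
    return dict(names)


def unexpected_names(names, expected_domains):
    """Names that are neither an expected domain nor a subdomain of one."""
    def expected(name):
        return any(name == d or name.endswith("." + d) for d in expected_domains)
    return {n for n in names if not expected(n)}


def triage(text, suspect_ip, signature_needle, expected_domains):
    """One pass that answers the thread's questions for a single host."""
    recs = parse_eve(text)
    queried = dns_queries_by_client(recs).get(suspect_ip, set())
    return {
        "alert_pairs": alert_pairs(recs),
        "hosts_in_signature": hosts_for_signature(recs, signature_needle),
        "suspect_alert_count": sum(1 for r in alerts(recs) if suspect_ip in (r["src_ip"], r["dest_ip"])),
        "suspect_queries": queried,
        "suspect_unexpected": unexpected_names(queried, expected_domains),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EVE, "192.168.60.25", "Rothenburg", EXPECTED_DOMAINS)
    for key, count in result["alert_pairs"].most_common():
        print(f"{count:3d}  {key[0]}  {key[1]} -> {key[2]}:{key[3]}")
    print("hosts in Rothenburg alerts:", sorted(result["hosts_in_signature"]))
    print("alerts touching the VM:   ", result["suspect_alert_count"])
    print("names the VM resolved:    ", sorted(result["suspect_queries"]))
    print("outside the expected list:", sorted(result["suspect_unexpected"]))
```

Run it with python3 and the alert table is the first thing to read: in the constructed data every Rothenburg hit is NAS-to-Proxmox on the iSCSI port and none touches the VM, which is exactly the pattern that supports the "Proxmox reading the iSCSI share" hypothesis over an infected guest, since a content-matching rule can fire on arbitrary disk blocks. If a real log shows the same, a `suppress` entry in Suricata's threshold.config keyed on the signature and the NAS address (track by_src) silences that one host pair without disabling the rule for the rest of the network.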
tomhumar

                        I see you're dealing with the Rothenburg shellcode flood in your logs. That sounds frustrating! Have you tried analyzing the logs to see if you can identify patterns or signatures specific to this shellcode? It might help you create filters or rules to block or mitigate the flood. Also, ensuring your system is up-to-date with patches and using strong passwords can help prevent future attacks. You can find more detailed guides and discussions about shellcode and security on https://guidedhacking.com/threads/how-to-find-shellcode-in-malware-memory.20588/ . They have a supportive community that can offer insights and advice based on their experiences.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.