Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
0 votes, 1 answer, 64 views
Checking the build of each executable, disassembling all the .o files. How to hunt down the xz kind of backdoor elsewhere in Linux distributions?
You might have read about the backdoor that was released with the `xz` command (versions `5.6.0` and `5.6.1`). A malevolent committer gained the trust of the maintainer and managed to insert, at build time, some code that [is targeting sshd and creates a backdoor](https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27).

Other `.o` files of any Linux distribution can also be affected by the same kind of backdoor. What a malevolent committer has successfully done here, he may have done elsewhere, and maybe years ago...

How should the designers of a Linux distribution, if they are willing to wipe out such a backdoor, proceed to find any corrupted executable of this kind (made by a diverted build process)?

At this moment, the ways I see are:

1. to check every build process of every Linux command created: that's a lot of git repositories to check, I think;
2. but also, to disassemble every existing `.o` file and have a look at its assembly code, to see whether it is coherent with what that executable is supposed to do.

What other ways should they use to hunt down this backdoor everywhere it can be?
Marc Le Bihan
(2353 rep)
Apr 7, 2024, 08:44 PM
• Last activity: Apr 7, 2024, 09:29 PM
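Two checks that follow from the question, written up here as an added example (this is not code from the question, from the linked gist or from the xz project). The first compares what a release tarball ships against the git tag it claims to come from: a build-time injection has to live in the shipped build files, so files that exist only in the tarball, or differ from the tag, are the review list. The second is the pair of quick checks that circulated for this particular backdoor, the installed xz version and whether sshd links liblzma at all. Directory names, the sample tarball contents and the sample `ldd` lines are constructed for the demonstration. Autotools releases legitimately ship generated files that are not in git (`configure`, `Makefile.in`), so the first check yields a list to read, not a verdict.

```shell
#!/bin/sh
# Added example, not code from the question or the xz project. Two checks a
# distribution can script. Directory and file names used here are assumptions.

# tarball_vs_git <unpacked-release-dir> <git-checkout-at-tag>
# Lists files the release ships that the tag does not, or that differ.
# Generated autotools files legitimately show up here, so treat the output as
# a review list: a build-time injection must be somewhere in this set.
tarball_vs_git() {
    tar_dir=$1 git_dir=$2
    ( cd "$tar_dir" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
        f=${f#./}
        if [ ! -f "$git_dir/$f" ]; then
            printf 'only-in-tarball %s\n' "$f"
        elif ! cmp -s "$tar_dir/$f" "$git_dir/$f"; then
            printf 'differs %s\n' "$f"
        fi
    done
}

# xz_version_affected: reads `xz --version` output on stdin and succeeds
# (exit 0) if the first line reports one of the two backdoored releases.
xz_version_affected() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "5.6.0" || $i == "5.6.1") hit = 1 }
         END { exit hit ? 0 : 1 }'
}

# sshd_links_liblzma: reads `ldd "$(command -v sshd)"` output on stdin and
# succeeds if liblzma is in sshd's dependency set (the entry point used by the
# backdoor on distributions whose sshd pulls in libsystemd, which pulls in liblzma).
sshd_links_liblzma() {
    grep -q 'liblzma\.so'
}

# Live use on a host (commented out so the file runs offline):
#   xz --version 2>/dev/null | xz_version_affected && echo "xz is 5.6.0/5.6.1"
#   ldd "$(command -v sshd)" 2>/dev/null | sshd_links_liblzma && echo "sshd loads liblzma"
#   tarball_vs_git /tmp/xz-5.6.1 /tmp/xz-git-v5.6.1
```

Run the tarball comparison on the unpacked release and a fresh `git checkout` of the matching tag; anything in the `only-in-tarball` list that is not an obviously generated file, and anything in the `differs` list at all, is what gets read by hand.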
0 votes, 1 answer, 690 views
libprocesshider.so installed and added to /etc/ld.so.preload
Today I received an alert from AlibabaCloud that `libprocesshider.so` is installed on my bastion server. They told me that it is a backdoor rootkit. I researched for a bit and found out that `libprocesshider.so` is usually used to hide backdoor processes and that it is common practice to add the module to `/etc/ld.so.preload`, and it was indeed added on my server.
---
Questions:

- Can I trace all hidden processes that were run with the libprocesshider module?
- How can I track the damage it caused on my servers? I looked into `journalctl`, `/var/log/secure` and `history`, but couldn't find any trace of an attack.
- The session that installed `libprocesshider.so` is still alive. I think the session was hijacked/stolen from a legitimate remote user, as that person is currently not connected to the bastion server. Should I kill the session ASAP, or can I trace some information from it?
- Is there a chance that `libprocesshider.so` was automatically installed by a non-malware application?
---
Please feel free to ask if you need more info.
Lunartist
(405 rep)
Feb 28, 2023, 08:59 AM
• Last activity: Feb 28, 2023, 09:57 AM
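A first-pass triage script for this situation, added here as an example (it is not code from the question or from libprocesshider). A preload library of this kind works by filtering the entries that `readdir(3)` returns for `/proc`, so `ls`, `ps` and `top`, all dynamically linked and all loading `/etc/ld.so.preload`, cannot list the hidden PID, while opening `/proc/<pid>` by name is unaffected. The script diffs the two views, and reports what is preloaded, when the library file appeared and whether any package owns it, which is the timestamp to anchor the log review on. Function names, the temp-file layout and the PID lists in the test are assumptions; `stat -c`, `rpm` and `dpkg` are the GNU/Linux tools the bastion host is assumed to have.

```shell
#!/bin/sh
# Added example, not code from the question or from libprocesshider. Triage
# for a readdir-hooking preload library. Function names are assumptions.

# hidden_pids <visible-list> <probed-list>
# Prints PIDs present in the probed list but absent from the visible list.
# Each argument is a file with one PID per line.
hidden_pids() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next }
         $1 ~ /^[0-9]+$/ && !($1 in seen)' "$1" "$2"
}

# Build both lists on a live Linux host and diff them. The probe walks PIDs
# 1..pid_max by name, which the readdir hook cannot intercept. A PID that
# exits between the two passes shows up as a false positive, so run this twice
# and only act on PIDs reported both times.
find_hidden_on_host() {
    vis=$(mktemp) probe=$(mktemp)
    ls /proc | grep -E '^[0-9]+$' > "$vis"          # what the hooked readdir shows
    pid=1; max=$(cat /proc/sys/kernel/pid_max)
    while [ "$pid" -le "$max" ]; do
        [ -d "/proc/$pid" ] && echo "$pid"          # direct lookup, not a listing
        pid=$((pid + 1))
    done > "$probe"
    hidden_pids "$vis" "$probe"
    rm -f "$vis" "$probe"
}

# Show what is preloaded, when each library appeared (mtime) and whether a
# package owns it. An unowned .so with a recent mtime is the compromise time.
preload_report() {
    [ -s /etc/ld.so.preload ] || { echo "no /etc/ld.so.preload"; return 0; }
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        if [ -f "$lib" ]; then
            printf '%s mtime=%s owner=' "$lib" "$(stat -c %y "$lib")"
            rpm -qf "$lib" 2>/dev/null || dpkg -S "$lib" 2>/dev/null || echo "(no package)"
        else
            printf '%s (file missing)\n' "$lib"
        fi
    done < /etc/ld.so.preload
}
```

Copy the script onto the host rather than typing it into the suspect session, and read `/proc/<pid>/cmdline`, `/proc/<pid>/exe` and `/proc/<pid>/cwd` for every PID it reports before killing anything; those three links are what the logs you already checked did not record.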
1 vote, 1 answer, 881 views
Intel ME equivalent in Apple Silicon
So AMD and Intel have built-in autonomous subsystems that have the ability to spy on users (IME and PSP). I heard that Apple has some new thing that scans the files that users store on their servers to look for illegal photographs, and I speculate that it will soon be used to look for more than crime.

But besides this, is it known that Apple has any other spyware in the Apple Silicon Mac? I'm not asking "whether it is likely full of spying devices", but rather "which spying services are known on Apple silicon".
Mikke Mus
(153 rep)
Aug 13, 2022, 06:44 PM
• Last activity: Aug 13, 2022, 07:15 PM
4 votes, 1 answer, 7387 views
Using tcpdump for logging all network activity going through a router server
I would like to collect logs of all network communications between my home devices (laptops, phones etc.) and the outside world in this format:

    Timestamp / Device MAC Address / Source IP:Port / Destination IP:Port / Protocol (Internet/Transport Layers) / Amount of data in bytes

The idea is to set up a physical Linux box ("Logging Server") just for the logging and run `tcpdump` on it:

    Internet ⟺ Logging Server ⟺ Wi-Fi/Ethernet Switch ⟺ Devices

(the box will have two Ethernet interfaces: one for the Internet connection and one for the local switch).

Assuming that I take care of handling the log files (rotation, parsing, feeding to reporting tools), **what will the `tcpdump` command look like?**

To be clear, I know that this question can most likely be answered by digging through the man page; I just would like to take advantage of someone's extensive experience with `tcpdump` to save time, avoid common mistakes etc.

P. S. The main purpose of this is to monitor/investigate potentially existing backdoors or otherwise unwanted/unexpected network activity.
Greendrake
(459 rep)
Jan 8, 2018, 09:57 AM
• Last activity: Jan 8, 2018, 01:14 PM
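The capture command, plus a small normaliser that rewrites tcpdump's text into the one-line-per-packet format asked for, as an added example (not from the question). It assumes the capture runs on the LAN-facing interface: on the Internet-facing one every frame carries the logging server's own MAC, so the device MAC column would be meaningless. It also assumes the `-q` output layout of a recent tcpdump; the sample lines inside the block are constructed in that layout, not a real capture, so compare them with your own tcpdump's output before trusting the parser. The interface name is a placeholder, and "bytes" is the on-wire frame length tcpdump reports, not the application payload.

```shell
#!/bin/sh
# Added example, not from the question. The capture command plus a normaliser
# that rewrites tcpdump text into:
#   ts|device MAC|src:port|dst:port|net/transport|frame bytes
# LAN_IF is a placeholder; SAMPLE is constructed -q output, not a capture.

# Flags: -i LAN side (device MACs are only real there), -nn no name lookups,
# -e print the link-layer header (source MAC), -tttt full timestamps, -q terse
# one-line protocol summary, -l line-buffered so the pipe flushes per packet,
# -s 128 headers only (payload never hits disk; "length" stays the wire length).
capture_log() {
    LAN_IF=${1:-eth1}
    tcpdump -i "$LAN_IF" -nn -e -tttt -q -l -s 128 'ip or ip6' | normalize_tcpdump
}

# normalize_tcpdump: stdin = tcpdump -e -nn -tttt -q lines, stdout = one record
# per IP packet. Non-IP frames (ARP and the like) are dropped.
normalize_tcpdump() {
    awk '
    function addr_port(s,   i) {          # "10.0.0.5.443" -> "10.0.0.5:443"
        i = match(s, /\.[0-9]+$/)
        return i ? substr(s, 1, i - 1) ":" substr(s, i + 1) : s
    }
    {
        n = split($0, p, ": ")             # header : endpoints : protocol summary
        if (n < 3 || index(p[2], " > ") == 0) next
        ts  = $1 " " $2
        mac = $3                           # source MAC = the device, on the LAN side
        net = $6; sub(/,$/, "", net)       # IPv4 / IPv6
        len = ""
        if (match(p[1], /length [0-9]+/)) len = substr(p[1], RSTART + 7, RLENGTH - 7)
        split(p[2], ep, " > ")
        proto = p[3]; sub(/[ ,].*/, "", proto); proto = tolower(proto)
        if (proto == "tcp" || proto == "udp") { src = addr_port(ep[1]); dst = addr_port(ep[2]) }
        else                                  { src = ep[1];            dst = ep[2] }
        printf "%s|%s|%s|%s|%s/%s|%s\n", ts, mac, src, dst, net, proto, len
    }'
}

# Constructed sample in the -e -nn -tttt -q layout (not a real capture).
SAMPLE='2018-01-08 09:57:01.123456 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, IPv4, length 74: 192.168.1.10.54321 > 93.184.216.34.443: tcp 0
2018-01-08 09:57:02.000001 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, IPv4, length 73: 192.168.1.10.40000 > 192.168.1.1.53: UDP, length 31
2018-01-08 09:57:03.000002 aa:bb:cc:dd:ee:02 > 00:11:22:33:44:55, IPv4, length 98: 192.168.1.11 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
2018-01-08 09:57:04.000003 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ARP, length 42: Request who-has 192.168.1.1 tell 192.168.1.10, length 28'

printf '%s\n' "$SAMPLE" | normalize_tcpdump
```

In production, `capture_log eth1 >> /var/log/netflow.log` under a supervisor is the whole pipeline; one record per packet is the price of keeping the MAC column, so expect the log to grow quickly and size the rotation accordingly. If the logging server also does NAT, capture on the LAN side so the private source addresses are the ones recorded.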
3 votes, 1 answer, 1478 views
'netcat -e' not relaying stdout
I'm using netcat to create a backdoor running a Python script with the following command:

    netcat -l -p 1234 -e 'python /script.py'

then I'm connecting to the backdoor from another shell using:

    netcat localhost 1234

`script.py` is a simple loop that reads input, saves it to a file, and then prints it back. Now whatever I write in the second shell goes to the script and is successfully saved to a file. However, I don't see the output of the script in the second shell. I tried both the `print` and `sys.stdout.write` methods of Python and both seem to fail. I don't know why the output is relayed back to the second shell if I use this:

    netcat localhost 1234 /bin/bash

but not with my script. I'm obviously missing something important. Here is my script:
    import sys

    while 1:
        kbInput = sys.stdin.readline()
        if not kbInput:            # EOF: the client disconnected, stop the loop
            break
        sys.stdout.write('Input: ' + kbInput)
        # stdout is a pipe/socket here, not a terminal, so Python block-buffers it;
        # without an explicit flush the reply sits in the buffer and netcat never sends it
        sys.stdout.flush()
        with open("output.txt", "w") as f:
            f.write(kbInput)
        sys.stdout.write('\n')     # the bare `print` in the original only emitted a newline
        sys.stdout.flush()
Mazen
(33 rep)
Mar 16, 2017, 11:16 PM
• Last activity: Mar 26, 2017, 12:00 PM
0 votes, 0 answers, 82 views
Block uploads by extensions directly on php
We test our system day by day, checking whether PHP allows bad formats in upload routines.

I discovered recently that developers uploaded a plugin with examples that allows people to send PHP files to the server.

I know the best way is to delete these files (and block PHP execution in upload folders).

We are following all the very best practices, but still this passed through our eyes somehow; for example, the official plugin folders are blocked from PHP execution.

But I want to increase security further, without depending on the developers. I am searching for some way to block uploads by extension in php.ini; is that possible? How can we do that?
Thank you.
Luciano Andress Martini
(6926 rep)
Oct 19, 2016, 05:15 PM
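php.ini has no directive that filters uploads by file extension; `file_uploads`, `upload_max_filesize`, `max_file_uploads` and `upload_tmp_dir` are what it offers, so the rule has to live where the file is accepted, on top of the execution block in the upload directory. The acceptance rule an upload handler should apply, written as a shell function so it can be run over files, is given here as an added example (not code from the question or from any plugin). The allowlist and the file names in the test are assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or from any plugin. The acceptance
# rule an upload handler should apply; the allowlist below is an assumption.
# php.ini cannot express this: it only limits upload size and count.

ALLOWED_EXT="jpg jpeg png gif pdf"   # allowlist of what the app needs; never a denylist

# upload_is_allowed <path>  -> exit 0 if the file may be stored, 1 otherwise
upload_is_allowed() {
    name=$(basename "$1")
    ext=$(printf '%s' "$name" | awk -F. 'NF > 1 { print tolower($NF) }')
    dots=$(printf '%s' "$name" | awk -F. '{ print NF - 1 }')

    # 1. the last extension is on the allowlist (case-insensitive)
    case " $ALLOWED_EXT " in *" $ext "*) ;; *) return 1 ;; esac
    # 2. exactly one extension: "shell.php.jpg" is handed to PHP by Apache
    #    setups that map the handler with AddHandler, so reject it outright
    [ "$dots" -eq 1 ] || return 1
    # 3. the content must not carry a PHP open tag whatever the name says;
    #    -a makes grep scan binary data instead of reporting "binary file"
    if grep -a -q -E '<\?(php|=)' "$1"; then return 1; fi
    return 0
}
```

Store an accepted file under a server-generated name, never the client's, in a directory that the web server serves with PHP execution disabled (`php_admin_flag engine off` in the `<Directory>` block for mod_php, or an nginx `location` for the upload path that never passes requests to FastCGI); the function above only decides what gets in, the execution block is what limits the damage when a check is missed.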
Showing page 1 of 6 total questions