malware – Can I check the content of a suspicious file directly on the server using an editor, e.g. vim?

In order for the opening of the file to pose a risk, the file would need to include an exploit for the specific text editor you use. Then when you open the file, the exploit would trigger.

While possible, that’s not very likely. It certainly isn’t common.

The far more likely threat is that there is malicious PHP code in the file that triggers when the file is executed by a PHP server.

But all that aside, I’m not sure why you are questioning whether you have been infected when you are looking at files being served that you did create and there are links to malware. You’ve been infected. Start with that assumption…

data mining – building an unsupervised learning model to detect suspicious transactions using DBSCAN

I am working for the first time on building an unsupervised learning model to detect suspicious transactions using DBSCAN. Do I train the model on all data columns (columns like account number, transaction date, transaction details) or only on the ones in which I want to detect suspicion (money withdrawal and deposit columns)?

This is the data set that I am working on https://www.kaggle.com/apoorvwatsky/bank-transaction-data

Please help me

ZH960 tablet, suspicious hardware parameters, what to do?

This is a fake.

Probably the “producer” bought tablets with 1 GB of RAM and flashed them with a firmware lying about their hardware. However, some simple adb shell commands show the real hardware capacity:


Fact is that the device has 1 GB of RAM and 16 GB of flash. Today that is a low-end device, overwritten with a faked firmware.

The internet is full of

  • Unclear / contradicting “specifications” of this hardware.
  • Warnings about the scam (example).

I could not find any trace of the producer. Most likely, the model does not even exist.

If you bought this tablet, now is the time to initiate a customer complaint. If you cannot, my sincere condolences.

lvm – Monitor Linux Server filesystem health and suspicious activities

I run my own, small server here. The server runs on Ubuntu 18.04. There is one single HDD using LVM on a partition together with EXT4. LVM is used for taking snapshots. I also use Webmin with Virtualmin for administration.

During the past weeks, I was faced with some strange problems. I have run this server for many years and I never had any serious data loss problems except for some rare cases where it was my own mistake.

A few weeks ago I tried to browse to one of my pages and encountered an error message like “the file system needs cleaning”.

Ok, I have googled for it and I have run e2fsck on my LVM volume. It found several errors and fixed them. Unfortunately, after fixing these errors, there was a loss of one of the server’s web directories. Thanks to my backup concept I was able to restore all data.

The server was up and running again… Some weeks later, I encountered a breach into my WordPress instance due to a bad plugin. I have got the wp-tmp.php malware https://stackoverflow.com/questions/52897669/what-can-do-virus-wp-tmp-php-on-wordpress

After the detection of this breach, I have changed all relevant passwords and moved the whole folder out of the reachability from the web… Due to the fact that every web project is assigned to its own account on the server, I hope that this script (which has shown some javascript to the user) was not able to do a lot of damage…

One week later I realized that another directory was completely missing (another user’s). Running e2fsck again, there were also errors about missing or corrupted inodes that needed to be fixed.

Now I am asking myself the following questions:

  1. What can cause such a significant EXT4 data loss?
  2. Can it be related to the fact that I take LVM snapshots every midnight and back up the snapshot to an external drive? (I have read about problems using LVM and snapshots when an HDD cache is enabled.)
  3. Are there any monitoring tools for such behaviors? I would like to be able to trace all the things that happened before the files were lost or the EXT4 has gone corrupt… Is there anything like that?

Thank you!

Instagram – Suspicious Activity

I have got a second account on Instagram and I know the username and the password, but when I log in it says "Suspicious Activity".

I no longer have access to the e-mail address or the telephone number. What can I do?

malware – Suspicious icon appeared by itself on main screen

So a suspicious-looking icon appeared; as you can see (to the left), it does not have any image, it’s just some presumably random text.
The only thing I was able to do with it is to delete it.
HTC U11 running Android 9. I did not install anything weird and a Malwarebytes scan turned up clean.

Suspicious icon

Regularly receiving suspicious certificate errors online

For the past few weeks, I have frequently been receiving error messages from websites stating that the certificate is invalid. This tends to happen for a while and then resolve itself. Other devices on the same network connection are also experiencing odd behaviour, including a very sporadic internet connection that is either very slow or turns on and off. We had an engineer visit this week to diagnose whether there was a faulty connection, but they left, happy that the connection is working properly.

I understand that receiving ‘bad’ certificates can sometimes be a sign of the system clock or internet settings being poorly configured. I had assumed this might be the case, until I interrogated one of these ‘invalid certificate’ messages more closely (from Firefox on Mac):

Web sites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for eur03.safelinks.protection.outlook.com. The certificate is only valid for the following names: cloudflare-dns.com, *.cloudflare-dns.com, one.one.one.one, 1.1.1.1, 1.0.0.1, <…>

The website I was trying to visit in this case has nothing to do with Cloudflare, and the links above lead to a website that appears to be selling a VPN-type service.

Should I be concerned that my internet connection has been tapped, and what would be the appropriate action to take to shake this off?

javascript – Suspicious behavior by Google when verifying users via nodejs

I’m building a user authentication system in Nodejs and use a confirmation email to verify a new account is real.

The user creates an account, which prompts him/her to check the email for a URL that he/she clicks to verify the account.

It works great, no issues.

What’s unusual is that in testing, when I email myself (to simulate the new user process), and after I click the verify-URL, immediately afterward there are two subsequent connections to the endpoint. Upon inspection, it appears the source IPs belong to Google. What’s even more interesting is that the user agent strings are random versions of Chrome.

Here’s an example of the last sequence. The first one is the HTTP 200 request and the next two, the HTTP 400s, are Google. (Upon user verification I remove the user’s verification code from the database so that subsequent requests are HTTP 400s.)

162.158.78.180 - - (03/Jul/2020:20:35:40 +0000) "GET /v1/user/verify/95a546cf7ad448a18e7512ced322d96f HTTP/1.1" 200 70 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "hidden.com" "72.191.192.163" "US" "en-US,en;q=0.9"
162.158.187.117 - - (03/Jul/2020:20:35:43 +0000) "GET /v1/user/verify/95a546cf7ad448a18e7512ced322d96f HTTP/1.1" 400 28 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" "hidden.com" "74.125.210.22" "US" "en-US,en;q=0.9"
162.158.187.117 - - (03/Jul/2020:20:35:43 +0000) "GET /v1/user/verify/95a546cf7ad448a18e7512ced322d96f HTTP/1.1" 400 28 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36" "hidden.com" "74.125.210.8" "US" "en-US,en;q=0.9"

Now, I’m using Cloudflare, so the first IP address in each line is a Cloudflare IP address, but the second one you see is the real one (as reported by Cloudflare) … I modified my “combined” log format in Nginx.

Anyhow, any idea what this is? Or why Google would be doing this?

It’s just incredibly suspicious given the use of randomized user agent strings.

And one last note, if I inspect my console w/Chrome and go into the network tab before I click a verification link from my email, the 2 subsequent connections never come. It’s like Google knows I’m monitoring … this is just so incredibly odd that I had to ask the community. I’m thinking maybe this is an extension that’s infected w/some kind of tracking, but how then do the IPs come back as Google?
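As an added example (not code from the post), here is a small parser for the custom Nginx log layout shown above that groups hits on a verification token and reports follow-up requests from other client IPs shortly after the first successful one, including whether every follow-up was rejected (the single-use token holding) and how many distinct user agents were involved. The parenthesised timestamp and the field order are assumed to be exactly as the post prints them.

```python
import re
from datetime import datetime, timedelta

# Sample lines copied from the post (Cloudflare edge IP first, real client IP in the
# third quoted field after the user agent, timestamp in parentheses as shown there).
SAMPLE_LOG = """\
162.158.78.180 - - (03/Jul/2020:20:35:40 +0000) "GET /v1/user/verify/95a546cf7ad448a18e7512ced322d96f HTTP/1.1" 200 70 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "hidden.com" "72.191.192.163" "US" "en-US,en;q=0.9"
162.158.187.117 - - (03/Jul/2020:20:35:43 +0000) "GET /v1/user/verify/95a546cf7ad448a18e7512ced322d96f HTTP/1.1" 400 28 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" "hidden.com" "74.125.210.22" "US" "en-US,en;q=0.9"
162.158.187.117 - - (03/Jul/2020:20:35:43 +0000) "GET /v1/user/verify/95a546cf7ad448a18e7512ced322d96f HTTP/1.1" 400 28 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36" "hidden.com" "74.125.210.8" "US" "en-US,en;q=0.9"
"""

LINE_RE = re.compile(
    r'^(?P<edge>\S+) - - \((?P<time>[^)]+)\) "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    r'\d+ "[^"]*" "(?P<ua>[^"]*)" "[^"]*" "(?P<client>[^"]*)" "[^"]*" "[^"]*"$')
TOKEN_RE = re.compile(r"^/v1/user/verify/(?P<token>[0-9a-f]{32})$")

def parse_line(line):
    """Return the fields we need for a verify-endpoint hit, or None for other lines."""
    m = LINE_RE.match(line)
    t = TOKEN_RE.match(m["path"]) if m else None
    if not t:
        return None
    return {"time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
            "token": t["token"], "status": int(m["status"]),
            "client": m["client"], "ua": m["ua"]}

def find_token_replays(log_text, window=timedelta(seconds=60)):
    """For each token, report later hits from other client IPs within `window` of the
    first 200. Those should all be 400s if the token is really single-use."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            hits.setdefault(rec["token"], []).append(rec)
    findings = []
    for token, recs in hits.items():
        recs.sort(key=lambda r: r["time"])
        first = next((r for r in recs if r["status"] == 200), None)
        if first is None:
            continue
        replays = [r for r in recs if r["client"] != first["client"]
                   and timedelta(0) <= r["time"] - first["time"] <= window]
        if replays:
            findings.append({
                "token": token, "first_client": first["client"],
                "replay_clients": sorted({r["client"] for r in replays}),
                "distinct_user_agents": len({r["ua"] for r in replays}),
                "all_rejected": all(r["status"] == 400 for r in replays)})
    return findings
```

Run over the post's three lines it yields one finding: the 200 from 72.191.192.163 followed by two rejected hits from 74.125.210.x with two different user agents, which is what you would expect if the link is being re-fetched after the user has already consumed the token.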

Suspicious termination in some Windows Services names

Introduction

I’ve been poking around the Services tab on my Windows machine and saw some services with a “normal” name but with this termination, _1f699ad, as in the following examples:

  • ConsentUX_1f699ad
  • CredentialEnrollmentManagerUserSvc_1f699ad
  • DevicePicker_1f699ad
  • and many more with the same termination

Here are some pictures taken from the Services tab.


My question is simple: Is this OK or should I be worried?

Because some of them have access to ScreenCapture and others that can potentially be harmful (i.e., data theft), and I see no reason to add a meaningless termination other than to supersede and stay hidden.

Can anyone look into wireshark logs and say if anything suspicious?

Is such type of question acceptable here?