Hello, welcome to the Friday, September 15th, 2017 edition of the Santonet Storm Center's Stormcast.

My name is Johannes Ulrich, and the day I'm recording from Las Vegas, Nevada.

Xavier today took a quick look at a web shell that he found on Pastebin.

Now, web shells, of course, are often installed in the aftermath of a web application compromise.

Kind of interesting how this particular web shell downloaded part of its configuration as an image from Google user content.

The image then included XIF data, which actually decoded

to some of the configuration parameters for this particular web shell. In particular,

the email address to which details about infected hosts are being sent. Many of these web shells do have backdoors

like this that essentially report back whenever the web shell is installed on a system.

And earlier this week, a number of severe vulnerabilities were disclosed in the D-Link 850L router.

Now, these vulnerabilities were not disclosed responsibly, instead they were just posted as a

blog without first notifying D-Link.

D-Link now announced that they have a patch ready for these vulnerabilities and they will release it early next week.

So if you do have a D-Link 850L router, make sure you check sometime next week for this patch,

supposed to come out on the 19th.

Now, if you don't run a D-Link router and if you don't run this particular model from D-Link,

I recommend just for good measure, check if there is a firmware update for your router.

We did have a large number of router vulnerabilities disclosed over the last few months.

Really too many to mention them all here in the podcast.

So there is a pretty good chance that there may be an update for your router available.

And as usual, make sure that remote access to your admin interface is disabled.

And web browsers in recent months have become more and more stringent on what they call a secure site

...