Hello and welcome to the Friday, May 1st, 2006 edition of the Sands Internet Storms, Stormcast.

My name is Johannes Ulrich, recorded today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu credit certificate program in cyber security

leadership. Well, and we do have another diary by one of our undercreated interns. James Roberts

is writing about Redtail. Now, Redtail is usually known as a matter that installs crypto coin miners via SSH.

So typical password brute forcing, trying some weak passwords in order to figure out what gets them in,

and then they're taking over various devices, servers and such, to install their crypto miner.

But what James is talking about is not so much the S-H part of this Malber.

Well, they are also attempting to exploit web application vulnerabilities.

In particular, some older web application vulnerabilities like PHP unit flaws,

other some older like PHP directory reversal

and remote code execution flaws

if PHP is run as a ZGI on Windows.

So a lot of these flaws are older

or often only affect some home window systems,

experimental systems, death systems and the like. This may a little bit

be part of the strategy here where they are also going after these older vulnerabilities, just

because they typically happen in less monitored systems, so their malware is more likely going to

survive. The problem with this, of course, is that they're probably not the first one to find these vulnerable systems.

James is summarizing some of his findings here where these attacks are coming from,

and what particular vulnerabilities and such they're exploiting.

If you do find a crypto coin miner of any kind on your system,

...