@cR0w yeah

da_667@infosec.exchange
Posts
-
Yeah, I think I'm just going to take this Patch Tuesday off.
-
google: hey, go grab the push notification to log in to your account.
me: clicks the button, button clicker
google: "WHO THE FUCK IS THIS? YO, SOME DUDE LOGGED INTO MY ACCOUNT."
-
@xssfox hahaha what the fuck
-
anyway, I'm ready to fuck my life up today.
-
@xssfox I remember way back when, I ran some server 2003 VMs on vmware server, and I got negative round trip times for ping, but I've never seen anything like that.
-
If video games have taught me anything, if I just eat enough cheese wheels it can heal me #Gaming
@JenMsft cheese heals everyone! Except for the lactose intolerant
-
what is it about this time of year that makes yellow jackets go apeshit
@cR0w that explains most of it. I've just noticed that they've been out and about way more than usual around this time.
I'm deathly afraid of them. If I hear them nearby, I lose my shit. I understand from the article that most of the time they don't mean any harm, but that still doesn't stop me from freaking the fuck out. I got stung one too many times as a kid.
-
what is it about this time of year that makes yellow jackets go apeshit
-
today I've learned that GET requests can technically have a request body. In most normal cases, the server ignores the client body on the GET request.
Additionally, if a Content-Length header is specified and you include a body on a GET request, Snort 2.9 and Suricata 5+ will inspect the client body.
why do I bring this up?
This is a great write-up by ESET on GhostRedirector and their Rungan backdoor:
I forged this pcap, and got my rule to fire:
alert http any any -> $HOME_NET any (msg:"ET MALWARE GhostRedirector Rungan Backdoor Access M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"action|3d|cmd"; fast_pattern; http.request_body; content:"cmdpath|3d|"; content:"ming1|3d|"; reference:url,www.welivesecurity.com/en/eset-research/ghostredirector-poisons-windows-servers-backdoors-side-potatoes/; classtype:trojan-activity; sid:1; rev:1;)
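
The rule's three buffers (http.method, http.uri, http.request_body) modelled over raw request bytes, as an added example that is not part of the original post and is not Suricata's own code. The host, path and parameter values are constructed placeholders, and the parser follows plain HTTP/1.1 Content-Length framing only.

```python
# Added example: a simplified model of the rule's buffers, not Suricata code.
# All requests below are constructed test data, not captured traffic.

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, body)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    # HTTP/1.1 framing: with no Content-Length (chunked encoding is not
    # modelled here) the request has no body, whatever bytes follow.
    length = int(headers.get(b"content-length", b"0"))
    return method, uri, rest[:length]

def rule_matches(raw: bytes) -> bool:
    """Apply the rule's content matches (case-sensitive, as written)."""
    method, uri, body = parse_request(raw)
    return (b"GET" in method              # http.method; content:"GET"
            and b"action=cmd" in uri      # http.uri; content:"action|3d|cmd"
            and b"cmdpath=" in body       # http.request_body; content:"cmdpath|3d|"
            and b"ming1=" in body)        # http.request_body; content:"ming1|3d|"

def build(method: bytes, uri: bytes, body: bytes = b"", with_length: bool = True) -> bytes:
    """Build a constructed request; host and path are placeholders."""
    req = method + b" " + uri + b" HTTP/1.1\r\nHost: sensor-test.example\r\n"
    if with_length:
        req += b"Content-Length: " + str(len(body)).encode() + b"\r\n"
    return req + b"\r\n" + body

BODY = b"cmdpath=PLACEHOLDER&ming1=PLACEHOLDER"
SAMPLES = {
    "get_with_body": build(b"GET", b"/placeholder?action=cmd", BODY),
    "get_body_no_length": build(b"GET", b"/placeholder?action=cmd", BODY, with_length=False),
    "get_params_in_uri_only": build(b"GET", b"/placeholder?action=cmd&cmdpath=x&ming1=y"),
    "post_with_body": build(b"POST", b"/placeholder?action=cmd", BODY),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {'alert' if rule_matches(raw) else 'no alert'}")
```

Only the GET that carries both a Content-Length header and the body parameters matches; the other three are the negative cases worth keeping in a test pcap alongside the positive one.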