Research by Daniel B. Cid

Security Research

Most of my research and work has been focused on building (and some times breaking) security products and solutions. I have always been specially interested in website security, DNS, log analysis, malware and secure coding.

You can find most of my projects (and their code) here: https://dcid.me/projects.

Trunc Logging

After many years building OSSEC and using other logging solutions, decided to take all that experience and make it available on Trunc. A google-like search engine for your logs, with a strong log analysis and correlation engine in the back:
https://trunc.org

NOC.org

A swiss arm knife for network and sys admins. Monitoring, CDN, WAF, and authoritative DNS:
https://noc.org

CleanBrowsing

A free (with paid options) anycast and DNS-based content filtering for kids, families and schools:
https://cleanbrowsing.org

DNS over TLS/HTTPS clients

Built multiple client tools for DNS over TLS (DoT) and DNS over HTTPS (DoH) in PHP:
https://dcid.me/projects/dns-security
*Both DoH and DoT client (and server) side are now used on CleanBrowsing.

Sucuri WAF/CDN*

Different type of cloud-based WAF focused on protecting CMSs via white listing and virtual patching/hardening.
https://sucuri.net
*Sold to GoDaddy in 2017 (worked on it from 2011-2017)

Sucuri Labs*

A web malware repository with samples and domains we were seeing in the wild with Sucuri.
https://labs.sucuri.net
*Sold to GoDaddy in 2017 (worked on it from 2012-2017)

OSSEC*

My first born baby :) The open source log analysis and intrusion detection engine.
https://dcid.me/projects/ossec
*Sold to Trend Micro in 2008 (worked on it from 2003-2011, even after the acquisition).
**Resumed working on it in 2015+ with my own fork.

Sitecheck Scanner*

The sitecheck scanner was an experimental work developed between 2008/2009 to try to identify anomaly on web sites. This research lead to the creation of Sucuri and our free scanner that is widely used with millions of scans done per month.
https://sitecheck.sucuri.net
*Got merged into Sucuri in 2010 (worked on it from 2009-2010).

Rootcheck*

Rootcheck is an open source rootkit detection for Linux and BSD systems. It got merged into OSSEC, but you can still use it standalone.
https://dcid.me/projects/rootcheck
*Started in 2002. Merged into OSSEC in 2005.

Security Research

List of articles and papers posted on external sites (mostly sucuri, ossec.net and other sites).

2017

2017/Mar - GoDaddy+= Sucuri: Building a Security Platform For Every Website Owner (ext)
2017/Feb - WordPress REST API Vulnerability Abused in Defacement Campaigns (ext)

2016

2016/Oct - Joomla Exploits in the Wild Against CVE-2016-8870 and CVE-2016-8869 (ext)
2016/Oct - Security Through Confusion – The FUD Factor (ext)
2016/Sep - SSH Brute Force Compromises Leading to DDoS (ext)
2016/Sep - Product Update: Sucuri Firewall in Tokyo, Japan (ext)
2016/Sep - IoT Home Router Botnet Leveraged in Large DDoS Attack (ext)
2016/Aug - IPv4 vs IPv6 Performance Comparison (ext)
2016/Jul - PCI for SMB – Requirement 2- Do Not Use Defaults (ext)
2016/Jul - Realstatistics Malware Campaign Leads To Ransomware (ext)
2016/Jun - Large CCTV Botnet Leveraged in DDoS Attacks (ext)
2016/May - PCI for SMB: Requirement 1- Install and Maintain a Firewall (ext)
2016/May - Hacked Website Report – 2016/Q1 (ext)
2016/May - Analyzing ImageTragick Exploits in the Wild (ext)
2016/Apr - Sucuri Firewall: Free LetsEncrypt SSL Certs for Everyone (ext)
2016/Mar - Ask Sucuri: How Does Sucuri Clean a Website? (ext)
2016/Mar - Server Security: Indicators of Compromised Behavior with OSSEC (ext)
2016/Feb - Investigating a Compromised Server with Rootcheck (ext)
2016/Feb - WordPress Sites Leveraged in Layer 7 DDoS Campaigns (ext)
2016/Feb - Server Security: Import WordPress Events to OSSEC (ext)
2016/Jan - Server Security: OSSEC Integrates Slack and PagerDuty (ext)

2015

2015/Dec - Server Security: OSSEC Updated With GeoIP Support (ext)
2015/Nov - Sucuri += HTTP/2 — Announcing HTTP/2 Support (ext)
2015/Oct - Joomla SQL Injection Attacks in the Wild (ext)
2015/Oct - Brute Force Amplification Attacks Against WordPress XMLRPC (ext)
2015/Sep - WordPress Malware – Active VisitorTracker Campaign (ext)
2015/Sep - WordPress Brute Force Attacks – 2015 Threat Landscape (ext)
2015/Sep - Analyzing Popular Layer 7 Application DDoS Attacks (ext)
2015/Aug - Ask Sucuri: How Did My WordPress Website Get Hacked? – A Tutorial (ext)
2015/May - Introducing Free Global Website Performance Tool (ext)
2015/Apr - Magento Shoplift (SUPEE-5344) Exploits in the Wild (ext)
2015/Apr - Critical Magento Shoplift Vulnerability (SUPEE-5344) – Patch Immediately. (ext)
2015/Mar - Intro to E-Commerce and PCI Compliance – Part I (ext)
2015/Feb - Vulnerability Disclosures – A Note To Developers (ext)
2015/Jan - DDoS from China – Facebook, WordPress and Twitter Users Receiving Sucuri Error Pages (ext)
2015/Jan - Serious Vulnerability in VBSEO (ext)

2014

2014/Dec - RevSlider Vulnerability Leads To Massive WordPress SoakSoak Compromise
2014/Oct - Highly Critical SQL Injection Vulnerability Patched in Drupal Core (ext)
2014/Oct - WordPress Websites Continue to Get Hacked via MailPoet Plugin Vulnerability (ext)
2014/Sep - Anatomy of 2,000 Compromised Web Servers used in DDoS Attack (ext)
2014/Sep - Slider Revolution Plugin Critical Vulnerability Being Exploited (ext)
2014/Jul - New Brute Force Attacks Exploiting XMLRPC in WordPress (ext)
2014/Jun - SPAM Hack Targets WordPress Core Install Directories (ext)
2014/Mar - JCE Joomla Extension Attacks in the Wild (ext)
2014/Mar - More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack (ext)
2014/Feb - Sucuri CloudProxy Website Firewall Improvements (ext)
2014/Feb - PHP Backdoors: Hidden With Clever Use of Extract Function (ext)
2014/Jan - Website Mesh Networks Distributing Malware (ext)

2013

2013/Oct - Backdoor Evasion Using Encrypted Content (ext)
2013/Jun - New Apache Module Injection (ext)
2013/Jun - Apache PHP Injection to JavaScript Files (ext)
2013/Apr - Apache Binary Backdoors on Cpanel-based servers (ext)
2013/Apr - The WordPress Brute Force Attack Timeline (ext)
2013/Apr - When the metadata matters more than the data itself - Comment spam detection
2013/Mar - 2012 Web Malware Trends Report Summary (ext)
2013/Feb - Payday Loan Spam affecting Thousands of Sites (ext)
2013/Jan - Server Compromises – Understanding Apache Module iFrame Injections and Secure Shell Backdoor (ext)

2012

2012/Sep - Compromised Websites Hosting Calls to Java Exploit (ext)
2012/Aug - WordPress and Server Hardening – Taking Security to Another Level (ext)
2012/Jul - Analysis of Yahoo Voice Password Leak – 453,441 Passwords Exposed (ext)
2012/Jul - Distributed Malware Network Outbreak Using Stats.php (ext)
2012/Apr - Setting up OSSEC - Step by step
2012/Mar - A little tale about web site cross contamination (ext)
2012/Mar - Ask Sucuri: Talk More About Web-Based Malware (ext)

2011

2011/Sep - ASK Sucuri: What about the backdoors? (ext)
2011/Aug - Timthumb.php Security Vulnerability – Just the Tip of the Iceberg (ext)
2011/Jun - Phishing phone calls – Onlinesupport.com (ext)
2011/Mar - Good passwords
2011/Mar - Brute force attacks against WordPress sites (ext)
2011/Feb - Blocking repeated offenders with OSSEC

2010

2010/Oct - Contributing to Open Source Projects
2010/Jun - Cleaning SPAM from your WordPress blog (ext)
2010/Feb - Removing Malware from a WordPress blog – Case Study (ext)
2010/Feb - Colombia Government sites hacked (and spreading malware) (ext)
2010/Jan - Using OSSEC for the forensic analysis of log files (ext)
2010/Jan - Honeypot analysis – Looking at SSH scans (ext)
2010/Jan - Fingerprinting web applications

2007

2007/Jul - Attacking Log analysis tools (log injection)
2007/Jan - Chinese hacking and desinformation warfare

2006

2006/May - Log Analysis for Intrusion Detection

2004

2004/Feb - Primeiros passos no roteador Cisco - PDF (Cisco routers in pt-br)

2003

2003/Dec - 8 steps to secure your Cisco router - PDF
2003/Oct - Setting up a VPN with the the Cisco PIX firewall - PDF
2003/Jun - Introduction to the Cisco PIX Firewall - PDF

Coding for fun and profit. Often fun and little profit.