Hi,
The Special feed of Shadowserver was dedicated to reports on SocGholish Compromised WordPress sites a few days ago and https://github.com/The-Shadowserver-Foundation/report_schema/tree/main/intel... was updated accordingly. Today's reports contained a few more optional fields that were caught by our checker, namely,
extra.account, extra.estimated_server_first_seen_time, extra.estimated_server_last_seen_time, extra.machine_name
Will intelmq.json be updated to reflect this change? The two extra.estimated_* are probably thought of as replacements for the initial extra.first_seen_time and extra.last_seen_time.
Maybe it would make sense to define a feed of its own for this instead of using Special. Especially if we expect to see remnant cases of SocGholish later.
And if this is in fact a problem of our checker, my apologies, please let me know. There's so much hallucination going on these days so it would not be a surprise.
Br, Mika